Question: What are some foundational ways to protect my global supply chain?
Rick Holland, CISO, Digital Shadows: Assessing supply chains is one of the more challenging third-party risk management endeavors organizations can take on. A global company can easily have more than 1,000 firms in its supply chain. In the age of digital transformation, much of the supply chain consists of SaaS providers that are easier to replace than the traditional on-premises vendor. The result is a transient supply chain that continually evolves. To add even more complexity, the more mergers and acquisitions activity a firm undertakes, the more complicated its supply chain becomes. All of these factors make supply chain risk management a daunting task.
Two common deficiencies of cybersecurity supply chain programs are a lack of understanding of the types of data and access the third party possesses, and the absence of a prioritized list of suppliers. This is why security teams need to have robust processes in place that include both the lines of business that leverage supply chain providers and the procurement teams that handle the logistics of assessing and onboarding the vendors. The security and privacy teams must have questions that can be inserted into assessments. They should include items that give insights into what data a third party has access to, where that data resides, and who has access to it. Once an organization understands the criticality of the data a third party has access to, it can then prioritize the risk around a supplier based on the classification of that data.
With today's technology and complexity, it isn't pragmatic for a cybersecurity supply chain program to monitor "all the things." However, it becomes more feasible with a prioritized list of vendors that have data or access to data that could represent a material risk to the business if stolen or abused.