
Consider governance, coordination and risk to secure supply chain

A recent ISACA study found myriad factors that give good reason to be concerned about supply chain security. Cyber adviser Brian Fletcher recommends three areas to zero in on.

The Covid-19 pandemic, shifts in the global economy and the Ukraine conflict have further strained an already imperfect global supply chain. Based on a recent ISACA survey of more than 1,300 IT professionals, there is reason to be concerned about the ability of any supply chain-reliant organisation to fulfil its business objectives.

Myriad global, geographic and geopolitical factors add to an already dynamic threat landscape, making governance, coordination and risk management all the more important. However, implementing, executing and optimising strategies, plans and processes is challenging in an increasingly complex global supply chain. Three of the top concerns from the ISACA survey are highlighted below, with recommendations on how to tackle each.

84% of respondents say their organisation’s supply chain needs better governance

To improve your organisation’s supply chain governance, identify the critical business functions and how your particular supply chain supports them. To do this:

  1. Perform a business impact analysis and determine the potential cost and impact of not having these resources.
  2. Develop a roadmap to prioritise your efforts on these critical parts of your supply chain. Be honest: can your organisation function without these resources, and are there other sources or suppliers for like items? Improve confidence in your supply chain by mapping it out, identifying key stakeholders and communicating with them regularly.
  3. Develop contingency and communication plans. By working with your suppliers to identify critical points of contact and agree contingency plans, your organisation will have workable controls to improve its supply chain.
  4. Finally, ensure all stakeholders are engaged. The biggest surprises happen when stakeholders are not involved and an essential resource suddenly runs low or out. Over-communicate with your stakeholders: make sure they understand which of their resources are vital and what supplies they need to continue to operate. Only then can your organisation’s management plan and prioritise what needs to be done. We no longer have the luxury of a quick turnaround on needed supplies and resources.

66% of respondents were concerned about poor information security practices by suppliers

Governance is all about prioritisation, communication and responsibility. Recommendations include:

  1. Meet with critical suppliers and have them demonstrate their information security practices. If they fail to do so, determine whether other suppliers can provide a similar product, and ensure your current suppliers understand that their lack of cooperation is endangering the business relationship.
  2. Ensure future contracts with all suppliers include methods for assessing a supplier’s information security posture, methods for verifying a supplier’s information security maturity, and processes for information sharing, especially during incidents or crises.
  3. Prioritise onboarding and offboarding processes for all suppliers/vendors, so that security expectations are set before a supplier gains access to your systems or data, and that access is revoked when the relationship ends.
  4. Finally, hold recurring meetings with your critical suppliers. Establish methods to test your supply chain with your suppliers, both on a planned schedule and at random. These tests can be walkthroughs, vulnerability assessments, security audits or penetration tests. Agree with suppliers in advance how they will address or mitigate issues discovered during testing, and have processes to verify that controls and mitigations remain relevant and maintained against the current shared risks.

60% of respondents have not coordinated and practised supply chain-based incident response plans with their suppliers

Supply chain incident response can be addressed through governance, planning and risk management. Tabletop exercises are a useful tool here and should include critical suppliers, so that each supplier’s incident response plan is reviewed alongside yours. Key outputs may include:

  1. Identify common themes and potential issues, conflicts or concerns between the incident response plans. Work with your suppliers to document how they and your organisation will deal with everyday incidents.
  2. Develop playbooks to address these common incidents.
  3. Develop responses to the loss of resources, attacks against the supply chain, and breakdowns in shared areas of responsibility.
  4. Develop secure methods of communication, including out-of-band methods that can be used if your supplier’s systems or your organisation’s systems are compromised and the usual channels can no longer be trusted.
  5. Finally, the most critical step: practise these playbooks with your suppliers.

Tabletop exercises should begin with basic, common, theoretical incidents. These initial exercises help to surface concerns and issues, especially around roles, responsibilities and the incident management chain of authority. After completing several tabletops, conduct planned and unplanned walkthroughs of the shared incident playbooks. Walkthroughs identify potential problems before an actual incident, such as who the backups are if the primary contacts are unavailable, or in what circumstances you and your supplier should switch to alternative means of communication.

Of note, there are incident scenario vendors in the market that produce and facilitate training incidents, which increases the realism. In these situations, clearly scoped and approved rules of engagement make the training as authentic as possible without impacting operations. The key output is a list of lessons learned that can be used to improve the resilience of your supply chain.

Good governance, secure and frequent communication, and solid risk management are three basic components available to enterprises to improve the strength of their supply chain. Communication is key: with suppliers/vendors, stakeholders and decision-makers, to identify critical services and resources. Documentation is important to outline and carry out the activities necessary to protect those critical services and resources. Establishing and maintaining clear communication channels with critical suppliers is paramount. Frequently review the risks to your organisation, especially to critical services, resources and supply chains. Contingency processes and procedures improve response; develop them in advance so they are ready to hand when real-world events occur.

Good governance, communication and risk management will improve the resilience of your supply chain and better prepare your organisation for the next global crisis.

Brian Fletcher is a cyber assessment practices advisor for ISACA.

Read more from the June Think Tank series
