Written by Rebekah Lewis

Published June 16, 2017

The impact of cybersecurity incidents on large-scale business transactions (e.g., Verizon-Yahoo) and increasingly rigorous cybersecurity requirements for federal contractors are just two examples of the rising importance of cybersecurity risk management across the supply chain. At a recent event co-hosted by A.T. Kearney and the Kogod Cybersecurity Governance Center (KCGC), expert participants shared their insights and recommendations regarding supply chain risk management (SCRM). This installment of KCGC | In Practice reviews some of the key insights drawn from this discussion, including important areas of consensus and debate.

---

Practitioners and scholars approach cybersecurity from different perspectives - one reason why findings on which they agree may be particularly compelling. At the recent discussion, "Resilient Cybersecurity Operations for Today and Tomorrow," KCGC and A.T. Kearney (a KCGC sponsor) brought together academia and industry to discuss cybersecurity risk management and the supply chain. A number of common themes and areas of agreement emerged, including the critical importance of a clear and coherent strategy and the role of leadership. Read on for analysis and on-the-ground tips, keying off of this discussion, on how to make more effective and responsible cybersecurity SCRM a reality.

Cybersecurity SCRM - What's the Big Deal?

Cybersecurity SCRM is a hot topic. Recently proposed updates to the Cybersecurity Framework (CSF) issued by the National Institute of Standards and Technology (NIST) incorporate an entire section devoted to SCRM and President Donald Trump's recent cybersecurity Executive Order highlighted the importance of supply chain risk. But, despite all the hype, participants cautioned that it may be useful to take a step back and consider whether cybersecurity risk requires new and different solutions to SCRM.

• The Basics Are Still the Same

  The basic concepts and core challenges of SCRM for manufacturing and operations have existed as long as goods and services themselves and throughout previous periods of technological change. Supply chain vulnerabilities today may be novel, but the foundational strategic management and governance principles addressing physical or cyber risk (e.g., trusted partnerships, diversification, personnel management, access control, accountability and tamper detection) are largely the same.
  
  Properly vetting suppliers and cultivating strong partnerships built on trust will support any number of operational goals, including the reduction of cybersecurity risk. Accordingly, enterprises should not overlook the fact that many existing SCRM solutions and strategies can be used to manage supply chain cybersecurity risk.

• New Approaches to Traditional Principles

  While the core concepts of SCRM may still apply, cybersecurity presents new challenges that require organizations to reevaluate implementation. In particular, cybersecurity and related technologies require organizations to manage a more complex and interconnected supply chain. At the same time that interconnections and communications increase, practitioners noted that the visibility along the chain decreases due to the number and diversity of entities, jurisdictions, technologies and practices involved, as well as the sheer physical distances that supply chains can now span. In light of these changes, event participants debated how the basic principles of trust, access and accountability should be implemented in today's environment, agreeing on key technological and governance solutions.
  
  From a technological perspective, the same capabilities that increase supply chain complexity and dependence may be utilized to collect and share data about other supply chain actors to better impose and monitor compliance. Entities wanting to take a more cautious approach, including those that rely on secure outsourcing to remain competitive, may consider using a closed network architecture that itself prioritizes security by limiting the number of participants and access points.
  
  A closed system, by its very nature, limits innovation and interactions. This reliance on a smaller set of trusted providers also increases the potential impact if one of those suppliers were compromised or unavailable. But a more closed architecture may still be worth the tradeoffs, and is more practical than trying to solve the fundamental issues of anonymity and interdependence that accompany a connected, Internet-based world. In the end, reducing vulnerabilities in so-called "container communities" - microcosms of the larger connected ecosystem with limited access points and known participants - may be a more realistic way to manage security.
  
  From a governance perspective, organizations should use clear and enforced policies and procedures to evaluate, limit and manage both the number of parties and the number of access points in their supply chain. In addition, organizations should implement policies and execute/enforce agreements to collect and share information about entities up and down the supply chain. Ultimately, new data collection and processing technologies cannot be used to effectively increase supply chain visibility unless organizations can actually use the data collected in a meaningful way. To do this, organizations need strong governance practices, including policies, procedures and collaboration with various levels of management as well as legal counsel.

Maturity Matters

In addition to modifying the implementation of traditional SCRM strategies for a cybersecurity world, participants also stressed the importance of maturity to successfully managing cybersecurity risk across the supply chain.

• Maturity v. Strategy

  Participants agreed that the exact choice of strategy is not terribly important. Rather, a bigger problem is that both academic research and practitioner experiences indicated not only a widespread lack of SCRM maturity, but also a more fundamental lack of recognition that maturity matters. In other words, many organizations are both immature and ambivalent about improving SCRM maturity.
  
  This consensus comes with both good and bad news. The bad news: organizations are not paying enough attention to SCRM, including allocating the resources (time and authority, not just budget) needed to monitor the supply chain and implementing mechanisms to confirm and incentivize that monitoring. But, the good news is that there appears to be significant room for improvement if organizations will better prioritize SCRM maturity - a more hopeful outlook than the alternative world in which all efforts have been exhausted to no avail.

• Due Diligence and Follow-Through

  Participants highlighted a number of key steps that organizations can take towards cybersecurity SCRM maturity. First, organizations must have a coordinated, enterprise-level process for conducting due diligence of potential suppliers and managing contract negotiation, requirements and modifications. Rigorous due diligence is a critical first step in identifying reliable supplier partners. Strategic negotiation of third-party service provider and supplier agreements is an equally important step in determining the allocation of risk between parties up and down a supply chain.
  
  But, it is not enough that contracts include the right language and specifications regarding access control, training and other security procedures and requirements. Organizations must also prioritize formal policies and adopt reliable, iterative procedures to ensure that the execution and deliverables reflect compliance with the negotiated requirements throughout the course of any supplier engagement.
  
  Organizational leaders should play a key role in this process, which requires real, on-the-ground investments of time and attention, by sending a clear message from the top that the hard work of creating procedures and processes matters and will be recognized and rewarded. Executives can also explicitly communicate that verified implementation of these requirements - as opposed to mere "papering" - is a corporate standard for securing operations.
  
  Both public and private sector entities alike should take heed of this practitioner-scholar consensus: In cybersecurity, as in life, maturity goes a long way. With respect to cybersecurity SCRM, maturity requires both establishing contract requirements and monitoring and enforcing those requirements to drive real change and improvement.

Outsourcing Accountability is not an Option

Many organizations may not sufficiently prioritize cybersecurity SCRM maturity because they believe that the risk can be transferred via contract to supply chain partners and other parties. But, despite common misperceptions, both practitioners and scholars agreed that ultimate accountability for supply chain risk cannot be outsourced.

In fact, even if they carefully allocate risk via contractual arrangements, organizations that outsource production of goods and services will still be held accountable for the cybersecurity of their supply chain, both through formal mechanisms as well as in the less formal, but very powerful, court of public opinion.

• Laws and Regulations

  Existing statutory and regulatory requirements may either explicitly or implicitly hold covered entities accountable for the security of their suppliers. For example, Massachusetts state law requires organizations that own or license state residents' personal information to "oversee service providers," including vetting providers' security measures and ensuring that their providers both implement and maintain appropriate security measures.
  
  At the federal level, a number of mechanisms require many organizations to maintain a level of accountability for supply chain cybersecurity risk even as they outsource operations. Two examples relate to government contractors and health-related information. First, regulatory updates over the past few years have increased security requirements for government contractors, as well as their subcontractors, while also increasing the government's ability to consider supply chain risk in procurement decisions. Second, requirements under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act obligate covered entities not only to implement contractual provisions regarding security but also to take reasonable steps to cure any known material breach of those provisions before terminating a business associate contract.

• The Cybersecurity Framework (CSF)

  Looking ahead, and as discussed in a prior In Practice posting, President Trump's recent Executive Order requiring all executive agencies to implement the CSF also will likely increase pressure for government contractors to step up their SCRM.
  
  Implementing the CSF will require departments and agencies to take a strategic look at cybersecurity risk across their supply chain. In its current form, the framework addresses SCRM and procurement through several of the categories and subcategories included in its core functions. In the future, the CSF may likely include even more explicit emphasis on SCRM, with a particular emphasis on procurement and purchasers' ongoing monitoring of suppliers and partners compliance.

• Insurance is Not a Panacea

  Despite common misperceptions, participants emphasized that cybersecurity insurance is not an escape route for SCRM. Insurance companies have begun to ask much more in-depth and rigorous questions regarding current and prospective policy holders' cybersecurity practices and SCRM. Applicants' cybersecurity SCRM strategy and maturity will likely impact not only premium size but, more fundamentally, insurability.

Outsourcing certain operations and supplies may be a responsible and unavoidable business decision, and it may be possible to allocate specific risks within the contours of supply chain. But, in the end, offloading the actual accountability regarding the security of those goods and services is not a viable option. Accordingly, as with the enterprise's own internal security practices, partners' security practices should be vetted, documented and confirmed with regularity.

Quantifying the Risk

Participants also underscored the importance of quantifying cybersecurity risks in the supply chain, with a few key nuances.

• Imperfect Numbers Are Better Than No Numbers

  According to participants, much of the available research suggests that a very small percentage of companies are actually actively managing and formally assessing supply chain risks (and not just those related to cybersecurity). Many practitioners are just not attempting quantifiable assessments (e.g., the likelihood of suffering a breach through specific suppliers, the estimated costs associated with breaches through those suppliers, etc.). Participants emphasized that such quantifications, even if rough estimates, would be a vast improvement to the color-coded, scale of 1-10 or "heat maps" charts that are often used, but provide a false sense of risk quantification.
  
  The process of attempting to quantify these risks would likely require more focused consideration of the specific characteristics and concerns of a particular company, as opposed to generalized estimates. The act of quantification will help to prioritize concerns and resources more realistically. But, more importantly, establishing even rough estimates will provide leadership with a meaningful and tangible access point into the conversation about cybersecurity SCRM, with specific decision points and concrete, comparable figures as potential bases for those decisions.

• Measurement as a Form of Engagement

  For senior leadership and even middle management, measurement is useful not only to demonstrate progress towards greater SCRM maturity but also to obtain and maintain Board-level interest. Participants noted that using statistics, budget figures and other measurements to quantify the risk - in some form (with the specific form being less important than the fact of quantification) - is an effective way to make the continued case for investment in security.
  
  The bottom line: When it comes to cybersecurity SCRM, money and numbers talk - and they are more persuasive than fear. What exactly those numbers say may be less important than the fact that they are being used to do some of the talking.

Cybersecurity measurement and metrics have been topics of ongoing debate for a number of years, and progress towards finding the "right" metrics and measurements has been, by some estimates, excruciatingly slow. In the interim, organizations may find it helpful to focus less on finding the "perfect" metrics and measurements, and more on simply identifying some quantifications that are organization-specific and may help leadership better understand and manage risk. While the metrics debate marches on, knowing that the mere fact of quantification, even if imperfect, can achieve some strategic goals (namely, engaging top leadership), is an important data point in itself.

The Human Element in the Supply Chain

Participants observed that the human component is one of the most important but often overlooked elements of cybersecurity SCRM.

• Prioritizing Cybersecurity SCRM

  How specific levels of personnel within an organization and through the supply chain are managed, incentivized and trained has a significant impact on supply chain risk. This is especially true when visibility becomes more obscured as the supply chain grows longer and more complex.
  
  For example, participants observed that there is often a disconnect between high-level leadership who are beginning to view cybersecurity as an important, priority risk and those lower in an organization who are more focused on other, seemingly more immediate and tangible operational risks. Educating personnel at all levels about how cybersecurity risk impacts other operational risks and priorities will help to intrinsically motivate employees rather than relying solely on external compliance checks.

• Empower Human Detection

  Organizational culture and environment is critical. Even where top-down visibility and oversight of the supply chain may be limited, well-trained employees can play a key role in preventing incidents through the detection and reporting of malicious and benign insider threats. This can only occur if the organization provides effective and accessible reporting mechanisms.
  
  Training midlevel managers in supply chain risks and implementing appropriate processes that will empower those managers are two important ways to establish a healthy cybersecurity governance environment.

Organizations' supply chains will continue to grow as a potential source of cybersecurity risk due to their increasing complexity and interconnectedness. But supply chain risk is not a new concept, and many strategies already exist for mitigating a variety of risks, including those related to cybersecurity.

Organizations should take advantage of existing principles of SCRM, management solutions and strategies, while also modifying traditional implementations to address new challenges. As generally agreed by both scholars and practitioners at the recent seminar, success will depend on the following:

• Effective use of technological solutions, including a network architecture that aligns with risk appetite and appropriate network monitoring techniques;
• Enforcement of clear policies and procedures, including those related to vetting and monitoring supply chain partners' cybersecurity practices;
• Leadership's ability to take full ownership and accountability for cybersecurity risk in the supply chain and pursue a meaningful commitment to maturity, regardless of the specific cybersecurity SCRM strategy used;
• Implementation of a coordinated, enterprise process for conducting supplier due diligence and managing contract negotiations, requirements and modifications;
• Quantification of cybersecurity supply chain risks, even if as rough estimates, using input that is relevant to the organization and providing output that is meaningful and accessible to top-level leadership;
• An organizational culture that promotes responsible cybersecurity practices throughout the supply chain and encourages employees to report concerns, including to mid-level management.