A Journey in Organizational Resilience: Supply Chain and Third Parties

November 8, 2021
| |
4 min read

The next stop on our journey focuses on those that you rely on: supply chains and third parties.  Working with external partners can be difficult. But, there is a silver lining. Recent attacks have resulted in an industry wake-up call when it comes to cybersecurity resilience.

You see, the purpose of using external partners is to take advantage of a capability that your organization did not have, or the vendor was just better at than you. In turn, there was an offering or efficiency incentive where, for an exchange, your organization could operate more productively. Call it the trade-off.

It’s no different than any sports team looking to make a trade. When an organization is looking to partner with an external group, it will perform:

  • Risk analyses
  • Cost/benefit studies
  • Return on investment assessments.

In essence, the organization goes through a process to determine whether they will give up something of value today in return for some future benefit (e.g., contractually and confidentially sharing your intellectual property in exchange for some better performance). Call it the business case.

For many organizations, this arrangement has generally worked well for some time. However, cracks are beginning to show. Therefore, it is worth asking: is the risk worth the reward?

Inheriting the Vendor’s Cybersecurity Resilience Vulnerabilities

Working with external partners has become a riskier business. That is not to say organizations should cease these partnerships. Candidly, without external partners, it is quite possible most organizations would not be able to run, especially if they are heavily reliant on services and platforms (think ‘as-a-service’ models). Therefore, organizations need to be cognizant of the risks they take on, as the calculus has recently changed a bit. Namely, an organization is more likely to inherit the vulnerabilities of its external partners in the effort to transfer risk or offset inefficiencies.

Supply Chain Standards

There is a lot going on in the supply chain space these days in regards to working with partners. For example, the May 12 executive order 14208, Improving the Nation’s Cybersecurity, tasked NIST with identifying existing or developing new standards, tools, best practices and other guidelines to enhance software supply chain security.  Also in 2021, ISO reviewed and made current ISO 28001: Security management systems for the supply chain — Best practices for implementing supply chain security, assessments and plans — Requirements and guidance. And for some extremely detailed guidance, including some control mapping back to NIST SP 800-53, those concerned with supply chains can reference NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

All these information security and cybersecurity frameworks and standards can help improve your organizational resilience. Instead of doing deep dives into these documents, let us focus on some key considerations to help minimize your organization’s risk.

Trust and Verify for Cybersecurity Resilience

In an ideal world, you would have the opportunity to validate your vendors’ security reports (such as penetration test results and SOC II reports, business continuity plans, disaster recovery strategies, crisis management protocol and independent certifications and confirmation of testing).

News flash: do not expect you will get all this information. Look at this from the perspective of the vendor: wouldn’t it be a risk to share all this information with all its customers? Indeed, it would. So, how do you balance this conundrum?

Well, the first thing you should do is to start splitting off your vendors into two groups. How you label them is strictly up to you, but think in terms of major and non-major as reference points. That’s not necessarily in the sense that they are major or non-major to you and your organization. You will see in a moment a non-major vendor may be critical to your cybersecurity resilience. Concurrently, a major vendor may not be critical at all to your operations.

Building Confidence Through Evidence, Artifacts and Confirmation

Think of a major vendor as a very large one, likely to have hundreds, thousands or more customers. These types of organizations likely have tremendous resources (and leverage), so verifying information may be limited. But that is not necessarily an impediment. You may not get access to specific reports. Instead, you may have attestations or certified documents from independent assessors attesting that the major vendor is up to snuff. If you are lucky, you may even get some blacked-out report results. The point is to get some type of evidence or artifact that gives you the confidence that the major vendor can manage a disruption well.

Also, you must absolutely keep this in mind: make sure you review your contracts and service-level agreements. Your vendor keeping their lights on does not necessarily translate to the vendor keeping your lights on. Many of these arrangements have shared responsibilities.

Non-Major Vendors Are Still Important

On the flip side, a non-major vendor may not have the resources of a multinational enterprise. That makes them no less important to your operations.  For example, a regional player could be crucial to you delivering your products and services. If you lose them, you cannot serve your customer base. Or, they are highly specialized. This example is a perfect case of why you should be identifying dependencies, not only for assets, but also for processes and product and service delivery.

For non-major vendors, you may have some leverage in extracting security- and resilience-related information. You are more likely to be able to demand evidence of testing, proof of remediation and contingency plans. The threat of walking away for another service provider certainly can stimulate cooperation. But, that is not an excuse to bully them. Remember, the end state is no different than that of a major provider. You need something tangible to gain your confidence.

Vendors as Partners in Cybersecurity Resilience

As you inherit the vulnerabilities of your supply chain and third parties, the relationship is likely to shift away from being transactional to something that resembles more like a partnership. That’s why you need confidence in that partnership. If confidence is lacking, it may be time to look for a new partner. Keep in mind that an external vendor nowadays can, and likely will, increase your risk profile.  Choose wisely and, like all things with cybersecurity resilience, still be prepared to weather a storm.

Next step: the data life cycle, from creation to usage and handling to destruction.

George Platsis
Senior Lead Technologist, Educator and Author

George Platsis works with the private, public and nonprofit sectors to address their strategic, operational and training needs, focusing on projects related ...
read more