How useful are certifications when figuring out supply chain security risk?
Recently, I took part in a panel discussion hosted by InfoSecurity Magazine with the title:
Securing the Supply Chain: You Are Only as Secure as Your Least Secure Supplier!
One of the polls asked during the session was:
What method have you found most effective in engaging with suppliers on risk management?
37% of participants (the largest share) responded with:
Requiring suppliers to maintain an independently audited information security management system (e.g. ISO27001 certification)
Does this surprise you? It surprised me.
Any number of things could be going on here – there are a lot of unknowns. We don’t know who was responding to the poll, we don’t know what people would have answered were they given free text, we don’t know if the sense of confidence given by an ‘official’-feeling certificate is the main driving factor.
Or, most disappointingly, it could be that this option is the best of a bad bunch – that people feel there just aren’t many effective, practical options when it comes to managing supply chain security.
Why am I skeptical that requiring suppliers to maintain an independently audited information security management system (ISMS) is the most effective method in engaging with suppliers on risk management? There are a few key reasons:
- The scope of the ISMS is often narrow, poorly defined, or doesn’t cover the bits you care about.
- When being audited, you put your best foot forward. Attackers look for your worst foot (the bit not shown to the auditor).
- Any auditor will tell you (when being honest) that an audit can be gamed and the result manipulated. Ok, this sounds bad. What I really mean is: auditors are humans, security professionals are humans, and we all want to look good (see above ☝️) and help each other out, so an audit result leans towards a pass from the outset.
- Once an organisation has received an ISO certification, it is very unlikely they’ll lose that certification within the three year validity period (unless they really let things go…). Three years is a long time in cyberworld - a lot can change.
I had a quick search for whether there was any analysis on past cyber breaches, looking for a correlation between certification(s) held and likelihood of suffering a breach, but unfortunately found nothing (if you know of this research or fancy conducting it – please let me know!).
I actually think some certifications (ISO27001, Cyber Essentials Plus) are often good exercises for an organisation to go through; they guide you through some of the most important things you need to think about to protect your business, and they give you a nice shiny piece of paper at the end which helps with trust / sales and therefore makes it easier to justify the spend to senior management. But they are just a small part of the puzzle.
It is frustrating that supply chain security is seen as such a difficult and time-consuming problem that a large proportion have resorted to checking a supplier’s certifications as their best solution.
We can do better 💪
If you want to watch the full panel discussion on demand, you can do so here: https://www.infosecurity-magazine.com/online-summits/spring-online-summit-emea-2022/auditorium
(You’ll need to register for an InfoSecurity account and then ‘Launch Auditorium’)