When new vulnerabilities are discovered and threats emerge, organisations have to quickly figure out to what extent their supply chain is affected.
Emerging threats are unpredictable. In cyber security, we’re used to things de-railing our productive workday plans. When something needs dealing with, it needs dealing with. It’s how we deal with it that will make the difference between slight inconvenience and major incident.
So you’ve just been made aware of a new emerging cyber threat, whether that’s a technical software vulnerability or a changing political landscape, and you need to act quickly.
As a responsible security professional, you check your internal position: your asset register, your network diagram, a few conversations with key people in the business to understand how vulnerable you are and what you can do to mitigate. You understand the extent of your exposure, you make a plan, start actioning it and present back to your team. Sorted. Then you’re asked the dreaded question: any exposure through our supply chain?
Getting accurate, timely information about how vulnerable your supply chain is to a specific threat is notoriously difficult. In most cases, this particular threat is not something you or your suppliers were thinking about yesterday. Your suppliers have spent the day scrambling around to figure out their exposure, just like you have.
At the moment, for the vast majority of security teams, this effort goes something like:
Meanwhile, the attackers are filling their boots, exploiting the situation left, right and centre.
No wonder cyber crime is such a lucrative business if this is the best kind of agility we can muster up in our defence.
Organisations are now so interconnected and dependent on each other that we need to start taking down some of those human, bureaucratic barriers that prevent an effective response. We need to start making meaningful connections between security teams in supplier-client organisations before an incident happens. We need to start sharing information about IT infrastructure and network activity with trusted partners as a daily norm so that when sh*t hits the fan, we can deal with it quickly and effectively.
The community we’re building at Risk Ledger is enabling these connections and starting to blur the lines between third party risk management and operational security in the supply chain.
The image above shows the interconnectedness of organisations using Risk Ledger for their supply chain security. Each dot is an organisation, with a security team sat behind it maintaining their control profile and collaborating with security teams in client and supplier organisations to better defend as one.
We noticed that clients and suppliers struggled to respond effectively when a new, urgent threat was discovered - so we created a tool to fix this.