Third-Party Risk Management: 4 ways CISOs can work smarter
Your cyber attack surface no longer has clear boundaries. In a globalised world of interconnected supply chains, there is no singular target for cybercriminals, who work hard to find new security flaws to exploit across your network.
Supply chain security has been recognised as one of the biggest concerns for businesses in 2022 – and quite rightfully. It can be tempting to think attacks only target the most lucrative targets, mostly in the financial sector. But targets are changing, with the IT and Communications sector being under particular pressure in 2021. Put simply: there are no guarantees your industry will be exempt from attack.
Another misconception is that the size of your business means cyberattacks are less likely. This could not be further from the truth. In fact, small businesses are substantially more likely to be targeted – yet are the least equipped to address the problem.
It is therefore essential CISOs at all levels are vigilant, but even the most skilled will find it difficult to keep watch of every potential vulnerability. In fact, almost a quarter of information security and IT professionals believe CISOs are stretched too thinly and are overworked, as well as often being blamed for things which aren’t their fault. Third-Party Risk Management (TPRM) is seen as a complex and unmanageable task, and even if 99% of your network is as secure as can be, a chain is no stronger than its weakest link, and that remaining 1% could be all that’s needed for cybercriminals to disrupt your operation.
How to solve this dilemma? Well, as the famous quote goes, it’s time to work smarter not harder. Here are some tips for how you as a CISO can lighten your load, make your life easier, and impress your colleagues by running a smooth supply chain security programme which allows your business to move forward with confidence.
1. Keep up to Date on Latest Threats
One of the biggest difficulties in cybersecurity is that everything moves fast. Whether that is an attack you didn’t see coming, a new devastating exploit that’s been discovered, or changes to national or international legislation, falling behind can be costly – financially and otherwise. At any moment, an insecure supply chain can lead to a PR disaster as your third-party supplier falls victim to an attack. Suddenly, you wake up to a bad headline, missed calls and hundreds of emails.
In the short term, you face serious disruption across the organisation as clients and customers become jittery and nervous. Projects which took hundreds of hours of work are left hanging in the balance. Stock prices fall. All eyes are on you as to why this has happened, with some awkward questions being asked. In the long term, careful and expensive work is needed to reassert your reputation – but even then, there are no guarantees, and clients who leave may be gone for good.
As CISO, it’s your job to be on top of new developments so you’re never caught unaware. Fortunately, there are some great resources right at your fingertips. Outlets such as Infosecurity Magazine, Help Net Security, and CSO Online (to name just a few) can help you keep up to date with the latest news in the world of cybersecurity, as well as being full of tips for how you can stay ahead of the curve. In particular, Infosecurity Magazine’s annual ‘State of Cybersecurity Report’ is an excellent must-read for CISOs, highlighting the latest key trends across the industry.
In addition, there is a wealth of smaller independent newsletters, which are often the best way to get your snippet of knowledge without drowning in hours of news-site consumption, for example Robin's newsletter.
To keep on top of specific, active threats or new critical vulnerabilities, it’s worth signing up to a few more operational, timely feeds. For example, the NCSC’s Early Warning service will notify you of suspicious activity relating to your external infrastructure. Alternatively, there are a variety of industry-specific threat feeds or information-sharing services you can sign up for; a simple internet search will likely give you what you need!
Connections with other CISOs can’t hurt either. Cybersecurity isn’t a competition, it’s a mutual effort against malignant actors, so make use of your shared knowledge! Consider joining groups like ClubCISO to meet and interact with your peers at events throughout the year. Or, jump into the conversation on social media right now. There’s plenty to be found on Twitter and LinkedIn and following the right accounts can open your eyes to new ideas, perspectives and, most importantly, solutions.
2. Encourage a culture of shared responsibility across your network
No matter how good you are, there’s only so much work one person can do. Trying to keep an eye on your entire network is a nigh-impossible task alone, but recent survey results from the UK government reveal less than one in five businesses provided cybersecurity training or raised awareness about the issue to those not directly involved in security. This creates a huge vulnerability and the perfect recipe for future headaches.
However, when trying to motivate your internal teams try to ensure you focus your training on what is relevant to them. This article from ThinkCyber explains how with a combination of ‘protection motivation’ and simple and actionable guidance you can motivate users to take security and security training seriously.
As CISO, you can set the culture across your network by insisting on the importance of cybersecurity. Emphasise the interconnectedness of every part of your business and resist the idea that security is just your area. As a business, you succeed – and sometimes fail – together and creating a culture of this shared responsibility can do a lot to lighten your workload.
This is especially the case for your supply chain. Encourage effective cybersecurity training across your network. Sometimes this may not be easy – how to convince others to focus on this security aspect and how to measure its impact are just two sticky issues – but the cost of ignoring it is far too high to pay.
3. Champion Open Communication Between You and Your Vendors
One way around at least some of these issues, and a key part of TPRM, is to insist on transparency and open communication across your network. Your supply chain is an extension of your business, not something external and separate, and communication across it should be the same as with any department.
But how? Build relationships! Get to know the security teams within your suppliers’ organisations, so if ever a problem does arise, you’re not the last one to find out. Security professionals are often some of the worst for cross-organisational communication, wanting to keep themselves to themselves and not admitting their failures. For those that do make connections, they quickly learn that everyone is working through the same challenges, and the sharing of hints and tips can make a huge difference. You might be the only CISO in your organisation, but you’re part of a team and a network, and collaboration is the name of the game. By working closely with your network, you can share the burden of security defence, and gain insight into not just your third-party connections, but also their connections, giving you access to vital information which can uncover risks that might otherwise have gone unnoticed. So don’t dictate – communicate!
4. Make the most of TPRM tech
Ultimately, the best way of addressing all of the above and managing your workload effectively is to get a TPRM tool. Returning to our earlier example, even if a CISO can watch 99% of their network, there’s still the chance something will be missed. Communication with vendors is all well and good, but how long will it take to find out all their onward connections? How long to test all their controls? How long to build those essential relationships? And even when that’s all in place, it’s only human for something to slip through the cracks.
Good TPRM tech can provide an essential foundation so that you can focus on the difficult problems. Platforms such as Risk Ledger can provide visualisations of your entire network, including fourth, fifth and sixth party connections to ensure all bases are covered and your supply chain security can be continually monitored. Not only does this help you build a close relationship with your suppliers, but this unprecedented mapping of your network also makes a CISO’s job of monitoring simple. With all the data at your fingertips, you can have an instant snapshot of your supply chain ready to take to your next meeting.
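The nth-party mapping described above boils down to a graph walk over supplier relationships. As an added illustration (not Risk Ledger's code, and with all organisation names and edges constructed for the example), the script below takes a list of "client depends on supplier" pairs, assigns each supplier its tier relative to your organisation (third party, fourth party, and so on, by shortest path), and flags concentration: suppliers that several of your direct vendors all depend on, where a single incident would ripple through more than one relationship.

```python
"""Supply-chain tier mapping: illustrative example, not a product's own code.

Given directed edges "client -> supplier", compute the nth-party tier of every
supplier relative to a root organisation (third party = direct supplier,
fourth party = supplier's supplier, ...) and find shared dependencies that
several direct suppliers rely on. All names and edges are constructed sample data.
"""
from collections import defaultdict, deque

# Constructed sample data: (client, supplier) pairs. "acme" is our organisation.
SAMPLE_EDGES = [
    ("acme", "payroll-co"),
    ("acme", "cloud-host"),
    ("acme", "legal-llp"),
    ("payroll-co", "cloud-host"),
    ("payroll-co", "id-provider"),
    ("legal-llp", "doc-store"),
    ("doc-store", "cloud-host"),
    ("cloud-host", "dns-vendor"),
    ("id-provider", "dns-vendor"),
]

TIER_NAMES = {1: "third party", 2: "fourth party", 3: "fifth party", 4: "sixth party"}


def build_graph(edges):
    """Adjacency list: client -> list of suppliers it depends on."""
    graph = defaultdict(list)
    for client, supplier in edges:
        graph[client].append(supplier)
    return graph


def supplier_tiers(graph, root):
    """Breadth-first search from root; a supplier's tier is its shortest hop count.
    The visited set makes this safe on cyclic supplier relationships."""
    hops = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for supplier in graph.get(node, []):
            if supplier not in hops:
                hops[supplier] = hops[node] + 1
                queue.append(supplier)
    hops.pop(root)
    return hops


def tier_label(hops):
    """Human-readable tier: 1 hop is a third party, 2 hops a fourth party, ..."""
    return TIER_NAMES.get(hops, f"{hops + 2}th party")


def concentration(graph, root):
    """For every supplier reachable beyond the first hop, list which of root's
    direct suppliers have it somewhere in their own supply chain."""
    reach = defaultdict(set)
    for direct in graph.get(root, []):
        stack = [direct]
        seen = set()
        while stack:  # depth-first walk of this direct supplier's chain
            node = stack.pop()
            for supplier in graph.get(node, []):
                if supplier not in seen:
                    seen.add(supplier)
                    stack.append(supplier)
        for supplier in seen:
            reach[supplier].add(direct)
    return {s: sorted(d) for s, d in reach.items()}


def shared_dependencies(graph, root, min_paths=2):
    """Suppliers that at least `min_paths` direct suppliers depend on."""
    return {s: d for s, d in concentration(graph, root).items() if len(d) >= min_paths}


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for supplier, depth in sorted(supplier_tiers(g, "acme").items(), key=lambda kv: kv[1]):
        print(f"{supplier:12s} {tier_label(depth)}")
    for supplier, via in shared_dependencies(g, "acme").items():
        print(f"shared: {supplier} is relied on via {', '.join(via)}")
```

In the sample data, cloud-host appears both as a direct supplier and inside two other direct suppliers' chains, so an incident there would affect three relationships at once; that is exactly the kind of risk that a spreadsheet of first-hop suppliers never surfaces.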
Completing third-party risk assessments and security questionnaires for your clients can be time-consuming, requiring hours of data entry as you negotiate complex spreadsheets and answer the same questions over and over. TPRM tools can also make your life easier by standardising this process. With Risk Ledger, suppliers and clients simply create a profile with all of their information, which they then update as necessary. When it comes to connecting, profiles can be shared between suppliers and clients with ease, and you can be notified of any changes in a supplier’s profile as and when they arise.
By providing useful features to complement CISOs’ duties and enhance the amount of data on your supply chain, adopting a tool means more of your time can be spent looking to the future of your business rather than worrying about the present.
Interested in learning more about what TPRM tools are on the market? Click here to check out our comprehensive guide.
So there are our tips – now where do you start?
First off, open your social media of choice and get looking for accounts to follow. Keep an eye on who/what other CISOs or security experts are following. If you’re on Twitter, make use of lists to group different experts together. Tailor your feeds so every casual scroll is meaningful, giving you new information to think about.
Secondly, think about those connections you could make or enhance. Do you feel integrated with your CISO peers? If not, consider groups like ClubCISO. What about your work colleagues, or vendors? It’s worth the time to touch base with those you haven’t interacted with in a while, and a few minutes today could avoid a disaster tomorrow.
Next, review your cybersecurity training across your organisation. Remember you are not in this alone – every person in your network is a vital resource and defence against bad actors. Put out the message: security is everyone’s responsibility.
And finally, consider a tool to make your life easier. A good piece of TPRM tech can extinguish that spreadsheet horror as it minimises bureaucracy, provides reassurance and ensures you are as connected as possible with your third-party vendors.
Risk Ledger has experience confronting supply chain security challenges head-on. With over 10,000 users, and 3,500 organisations sharing their supplier profile – including 12 FTSE 100 companies – Risk Ledger can be an essential tool for CISOs looking to improve their supply chain security.