This article explores the importance of collaboration with industry peers to advance third-party risk management – helping organisations address fast-growing risks from supply chain cyber-attacks.
Supply chain attacks are fast becoming the foremost cyber threat facing organisations today. Digitalisation has enabled the globalisation of supply chains, and organisations are increasingly relying on external partners and vendors to provide critical functions. Organisations worldwide are now digitally connected to hundreds or thousands of others in complex supply ecosystems. That offers a vastly increased attack surface for cyber criminals.
To counter these threats, industry-wide collaboration between threat intelligence teams has become an established practice. There is close collaboration, for example, between such teams at the largest financial organisations, facilitated by the Financial Services Information Sharing and Analysis Center (FS-ISAC). Similar collaboration exists in other industries.
However, the same level of collaboration does not yet exist between third-party risk management (TPRM) teams, which continue to work in silos within their own organisations. If you’re part of a TPRM team, how many times have you reviewed a supplier thinking “someone must have done this already”? The solution is to share TPRM efforts with others in your industry. When it comes to cyber security, we are all allies, not competitors.
TPRM in most companies is a reactive, resource-intensive activity that is difficult to scale. TPRM programmes usually involve suppliers filling out risk assessment questionnaires on their security practices, compliance, data protection, and other risk-management capabilities. The process is onerous for suppliers, and only provides a limited snapshot of a company’s risk status at a single point in time.
This common approach to TPRM has many limitations, including:
Inability to scale: As the number of third-party relationships grows, a lack of collaboration with industry peers makes it increasingly difficult for TPRM teams to scale their efforts and assess risks across their entire supply chains.
Point-in-time assessments: Individual assessments only provide a view of a supplier’s risk status at that moment in time, and can be out of date within days. Traditional TPRM makes continuous supplier monitoring difficult, and external scanning alone doesn’t solve the problem, as only external-facing systems are scanned – not internal security processes.
Inefficiencies and duplication: Given that industry peers often share many of the same suppliers, a lack of collaboration means significant duplicated work, both for TPRM teams and their suppliers.
Lack of supplier engagement: The duplication of effort and the burden it places on suppliers also impacts supplier engagement and responsiveness. Suppliers have to fill in so many assessments that they can’t spend enough time on each one to ensure they are completed diligently. Suppliers often regard assessments as a necessary but substantial burden, limiting the time they can spend on actually improving their security postures, and making them less responsive to remediation requests from clients.
Incomplete risk picture: Without industry-wide sharing of supplier data and insights, organisations can’t identify shared risks and systemic issues in their often significantly overlapping supply chains.
Ineffective incident response: Without coordinated efforts, responses to third-party cyber security incidents are slower and less effective because they are carried out by individual organisations alone.
Regulatory and compliance challenges: Lack of collaboration makes it harder to align with industry-specific regulations, increasing the risk of non-compliance and penalties.
Siloed TPRM creates too many burdens both for organisations trying to ensure the security of their suppliers, and for the suppliers themselves, which are bombarded with hundreds of very similar assessment requests each year. The way TPRM is widely conducted today is highly inefficient, cost-intensive and difficult to scale up. Moreover, it only allows organisations to assure a fraction of their immediate suppliers, and provides no visibility into the wider supply ecosystem beyond them.
If TPRM teams began to collaborate with peers at other companies in their sector, they could transform TPRM and significantly improve supply chain cyber security outcomes.
Such industry-wide collaboration has many benefits, including:
Standardised assessment framework. TPRM teams in the same sector could use the same standardised framework for all supplier assessments. Suppliers would only have to complete one assessment for all clients within that industry, significantly reducing their workload. Sharing the assessment with industry peers means there are always multiple eyes on the same supplier, reducing the chance of any security issue being overlooked. Using a standardised assessment framework that is constantly updated to align with new regulations and best practice means individual TPRM teams don’t need to keep updating their own frameworks and re-issuing them to suppliers for re-assessment.
Spread the burden. Given that many organisations in the same industry have the same core suppliers, joining a community of peers enables information on common suppliers to be accessed by all. It means that if risks are identified against a specific supplier, this information can be shared with peers and the risks addressed for the benefit of the whole sector.
Encourage unresponsive suppliers. Collaborating with peers enables organisations to lobby unresponsive suppliers together, increasing the impact of requests and ensuring they are taken seriously.
Enhance supply chain visibility. Collaborating with peers gives organisations a much better understanding of their own and wider sectoral supply chain dependencies, far beyond their direct third parties. It allows organisations to identify shared systemic risks and better understand the security posture of fourth parties and beyond. It also enables organisations to reach out to these more distant connections via peers for whom they are direct suppliers.
Faster response to emerging threats. With multiple TPRM teams monitoring the same suppliers, emerging threats or security breaches anywhere in the supply chain can be more quickly identified. Resources can be mobilised more rapidly across the industry to reinforce security or mitigate the risks.
Risk Ledger is already working to facilitate a new kind of collaboration between TPRM teams across industries. Our cutting-edge TPRM platform empowers security teams within trusted peer communities to Defend-as-One by visualising and managing their entire supply chains in real-time. It enables these communities to gain in-depth contextual insights into the internal security postures of their critical suppliers. Our unique ‘social network’ approach to supply chain risk management makes this possible.
Similar to a social network, each supplier organisation has a profile on the platform, which contains information about the business, its cyber security controls and other relevant risk areas, including ESG and financial risk. The questionnaires used to generate these profiles are based on our standardised assessment framework, mapped against leading international standards such as NIST, ISO 27001 and the NCSC’s CAF. The in-depth supplier profile, controlled by the supplier, is then shared with directly connected clients and customers on the platform. Clients can set requirements against the assessment framework, as well as label suppliers based on factors such as their criticality, whether they handle sensitive data, whether they have system access, and more.
Organisations can interact and collaborate directly with the security teams of their suppliers on the platform, on issues such as remediation and risk mitigation. This helps to build strong relationships over time, which support more effective responses to supply chain incidents.
Crucially, suppliers can also use Risk Ledger to manage their own supply chain risks by connecting with their own suppliers, thus using Risk Ledger as both a supplier and a client. When organisations act as both suppliers and clients on the platform, it uncovers all the hidden connections in supply chains and builds a map of interdependencies within wider supply chain ecosystems.
To build on the benefits of this social network approach, we have introduced a new community feature. Like-minded organisations on Risk Ledger, whether or not they are in the same industry, can now join communities of interest. These are communities that share many of the same problems, or have to comply with the same regulations, and often have significantly overlapping supply chains.
Community members agree to securely share information with each other, including their supply chain network maps. This overlaying of an organisation’s individual maps with those of its peers allows hidden systemic and concentration risks to be uncovered.
Members can also share best practices, see risks raised against specific suppliers by their peers, and mitigate these risks together. When a supply chain attack occurs, they can collaborate on the response, gaining faster access to up-to-date supplier information and jointly determining how critical suppliers might be affected.
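The overlay described above is, at bottom, a graph problem: each member's supplier map is a set of edges, suppliers that also act as clients extend the graph one tier deeper, and laying the maps over each other shows which suppliers many members depend on (concentration risk), which dependencies a member cannot see directly (hidden fourth and fifth parties), which direct suppliers it could ask to reach a distant one, and who is exposed when a given supplier is breached. The following is an added illustration written for this article, not Risk Ledger's own code or data model; the organisations, the dict-of-sets graph format and the tier numbering (tier 1 = direct third party) are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample data, not real organisations. Each key declares the
# suppliers it is directly connected to. Some suppliers (PayProc, HRSaaS,
# LegalSoft, DocStore) also act as clients and declare their own suppliers,
# which is what exposes fourth- and fifth-party dependencies.
SUPPLY_GRAPH = {
    "BankA": {"CloudCo", "PayProc", "HRSaaS"},
    "BankB": {"CloudCo", "PayProc", "PrintCo"},
    "BankC": {"CloudCo", "LegalSoft"},
    "PayProc": {"CloudCo", "KYCData"},
    "HRSaaS": {"KYCData"},
    "LegalSoft": {"DocStore"},
    "DocStore": {"CloudCo"},
}

# The community members whose individual maps are overlaid (assumed names).
COMMUNITY = ["BankA", "BankB", "BankC"]


def reachable_suppliers(org, graph):
    """Breadth-first walk from org. Returns {supplier: tier}, where tier 1 is a
    direct (third-party) supplier, tier 2 a fourth party, and so on. A node is
    recorded the first time it is reached, i.e. via a shortest path, so each
    tier is the closest one; the visited check also makes cycles safe."""
    tiers = {}
    queue = deque((s, 1) for s in graph.get(org, ()))
    while queue:
        node, tier = queue.popleft()
        if node == org or node in tiers:
            continue
        tiers[node] = tier
        queue.extend((nxt, tier + 1) for nxt in graph.get(node, ()))
    return tiers


def hidden_dependencies(org, graph):
    """Suppliers org depends on without any direct connection (tier > 1)."""
    return {s: t for s, t in reachable_suppliers(org, graph).items() if t > 1}


def intermediaries(org, supplier, graph):
    """Which of org's direct suppliers sit on a path to a distant supplier.
    These are the connections through which org can reach out to it."""
    return {
        direct for direct in graph.get(org, ())
        if direct == supplier or supplier in reachable_suppliers(direct, graph)
    }


def overlay(members, graph):
    """Overlay every member's map: for each supplier reachable from any member,
    record which members depend on it and at what tier."""
    exposure = defaultdict(dict)
    for member in members:
        for supplier, tier in reachable_suppliers(member, graph).items():
            exposure[supplier][member] = tier
    return exposure


def concentration_risks(members, graph, min_members=2):
    """Suppliers that at least min_members members depend on, as
    (supplier, number of dependent members, closest tier), most shared first."""
    exposure = overlay(members, graph)
    rows = [
        (supplier, len(deps), min(deps.values()))
        for supplier, deps in exposure.items()
        if len(deps) >= min_members
    ]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def blast_radius(supplier, members, graph):
    """Members exposed if the given supplier is compromised, with the tier at
    which each is exposed, for triage when an incident is reported."""
    return dict(overlay(members, graph).get(supplier, {}))


if __name__ == "__main__":
    for row in concentration_risks(COMMUNITY, SUPPLY_GRAPH):
        print("shared supplier: %s, dependent members: %d, closest tier: %d" % row)
    print("BankA hidden dependencies:", hidden_dependencies("BankA", SUPPLY_GRAPH))
    print("BankA reaches KYCData via:", intermediaries("BankA", "KYCData", SUPPLY_GRAPH))
    print("KYCData blast radius:", blast_radius("KYCData", COMMUNITY, SUPPLY_GRAPH))
```

In the constructed data, no single bank sees KYCData in its own supplier list, yet two of the three depend on it through their payment and HR providers; and CloudCo shows up as a dependency of every member, directly and via DocStore, which is exactly the kind of concentration that only the overlaid map reveals. The same `overlay` result answers the incident question from the other direction: given a breached supplier, `blast_radius` lists which members to notify and how far removed their exposure is.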
TPRM as it is widely practised today is failing to protect complex digital supply chains against cyber-attacks. Greater collaboration and information sharing among industry peers offers the solution.
There are still challenges to overcome, including hesitancy about sharing information with competitor organisations. Regulators, however, are encouraging collaboration among peer organisations to tackle growing cyber security threats, and the success of organisations already working together on Risk Ledger demonstrates the effectiveness of a more collaborative approach.
Together, we are helping to build a system that improves the resilience of every member of supply chain networks, and therefore improves the resilience of the entire ecosystem. As many organisations are already finding out, we are much stronger when we Defend-as-One than when we work in silos.