Supply Chain Security – Sex Appeal, Pain Avoidance and Allies

Every security professional and every privacy professional understands that supply chain security is as important as in-house security. (If you don’t understand this, stop and read Maria Korolov’s January 25, 2019 article in CSO, What is a supply chain attack? Why you should be wary of third-party providers.) So how do you marshal the resources that you need to implement effective supply chain security? Borrowing from the same motivation techniques that we use to keep ourselves going to the gym, I recommend a combination of sex appeal (highlighting attractive benefits), pain avoidance (highlighting the painful risks) and recruiting allies (finding support within and outside of your organization).

Sex Appeal

Your company is a supplier to your customers. If those customers are security- or privacy-aware, your company is undoubtedly already on the receiving end of a steady stream of vendor security questionnaires from your customers. These customers take their supply chain security seriously; they are measuring you (your attractiveness) based on the information that they collect about your security practices, including whether you actively manage your supply chain security. What do your responses to the supply chain security questions look like? Are your practices as soft and flabby as a couch potato’s beer-belly? Or can you show off your company’s (toned and fit) SOC 2 Type 2 audit results that demonstrate your organization’s commitment to the security and privacy of your customers’ data? Effective supply chain security can help strengthen your customers’ trust in you and can help your company to be a market driver. Ultimately, effective supply chain security helps increase sales and profitability.

Pain Avoidance

Effective supply chain security is preventive medicine in that it helps your company reduce the likelihood of incurring the pain of fines and legal settlements, loss of intellectual property, diversion of scarce resources for breach response and remediation efforts as well as suffering reputational harm including loss of sales and a hit to your company’s stock price. If your company does business in the European Union, touches protected health or financial information or is in a regulated industry, your company is already subject to significant fines (possibly to the extent of posing an existential-threat) if you fail to take effective steps to manage your supply chain security. Do you have customers in California? The California Consumer Privacy Act will come into effect in less than a year and will require your company to manage all of the locations, recipients and usage of personal and household information collected from California residents, including data accessed and used by your suppliers. According to the data collected by the Ponemon Institute, as cited in the Korolov article:

• The average number of third parties with access to sensitive information at each organization has increased from 378 to 471.
• Only 35% of respondents had a list of all the third parties they were sharing sensitive information with.
• Only 18% of respondents said they knew if those vendors were, in turn, sharing that information with other suppliers.

As a colleague recently warned for companies doing business in California, “winter is coming.”

Recruiting Allies

Effective supply chain security benefits your entire organization. Use this fact to build support from allies outside of the information security function to raise executive-level awareness and attention for supply chain security.

• Your in-house or outside legal team can help promote the importance of supply chain security if they are aware of the scope of the risk. Are they aware of how many vendors have access to your customer information and where those vendors store the information?
• Your procurement team doesn’t want to be blindsided by a breach at a key supplier. When your suppliers are in the news (in a bad way), it’s easy for you to be in the news (in a bad way) as well.
• Who responds to RFPs and vendor security questionnaires that your company receives from your customers? They can highlight the areas that customers are asking about (and areas where your company’s responses are not as favorable as your customers would like).
• Your compliance team has information on supply chain security requirements for compliance reporting.
• Who manages your company’s liability and cybersecurity insurance policies? They can identify the questions regarding supply chain security that insurers are asking at policy renewal. Stronger answers mean lower risks to insurer.

Effective supply chain security is a team sport, which is played out over the long-term. I’ll address tips for doing vendor security assessments in a follow-up blog post.