Cybersecurity compliance frameworks and standards are a great starting point for managing supply chain security risks. But if your security strategy hinges solely on frameworks, you’re doing it wrong.
Indeed, while embracing a cybersecurity framework is an important — and, for many organizations, necessary — first step toward securing the supply chain, businesses shoot themselves in the foot if they stop with framework adoption alone. No matter which framework you use internally, or which frameworks you require your vendors to comply with, the framework on its own is of limited value. You must also implement processes that actually operationalize the framework, allowing you to enforce compliance among your vendors.
Let’s take a look at what goes into a complete supply chain security strategy. As we’ll see, it starts with cybersecurity frameworks like NIST and ENISA, but it extends far beyond those frameworks alone.
The core components of a cybersecurity framework: The NIST example
Cybersecurity frameworks are an excellent foundation that helps businesses define overarching supply chain security principles.
For example, the NIST framework, which is popular among U.S. companies (European companies tend to use ENISA, which is similar to NIST), defines rules designed to help businesses achieve four key goals:
- Identify: NIST requires processes that allow organizations to identify and understand their cybersecurity risks.
- Protect: After risks have been identified, NIST requires businesses to take steps to mitigate them in order to improve their cybersecurity posture.
- Detect: As not all risks can be identified and mitigated, NIST also requires ongoing efforts to detect active threats.
- Respond: When active threats have been detected, NIST requires responses that can contain and eliminate them.
By adopting a framework like NIST or ENISA, then, businesses gain a high-level architecture that helps them plan a cybersecurity strategy.
Processing tools for supply chain security
The main limitation of frameworks alone is that they provide little if any specific guidance on how to turn high-level cybersecurity principles into practice. As a result, businesses also need to implement security processing tools that allow them to operationalize cybersecurity practices in ways that align with framework requirements.
Processing tools do this in the context of supply chain security by providing:
- Vulnerability assessment: Processing tools identify risks within the products and services that third-party vendors supply to a business.
- Coverage assessment: Processing tools help identify situations where vendors lack effective cybersecurity coverage.
- Visibility assessment: Processing tools enable businesses to profile their vendors and suppliers in order to understand which risks exist within their systems — and which risks could, by extension, flow down the supply chain.
- Business alignment: With processing tools, businesses can determine which risks in the supply chain pose the greatest threats to their operations. This context is essential because not all vendors and risks are of equal importance within a supply chain.
By providing this functionality in an automated way, processing tools go far in closing the gap between principle and practice. Indeed, as the SANS Institute says, automation is the only way to enforce security compliance mandates in complicated contexts like supply chains.
Managing contractual requirements
What do you do when processing tools reveal that vendors are not fully adhering to your cybersecurity requirements?
That’s where contracts and evidence come into play. Companies must maintain documents and signatures related to the security frameworks they adopt within their supply chains, then use them to enforce compliance when violations occur. Contracts also play an important role in determining which disclosures are required in the event of a supply chain breach.
Remember to update your contracts if, for example, you adopt a newer version of a cybersecurity framework or change your supply chain in a way that imposes new compliance requirements or verifications.
Most large organizations manage contractual requirements through a dedicated security team or CISO. At smaller organizations, a procurement team or IT team typically handles this responsibility. Your specific approach to vendor contract management is not as important as ensuring there is a systematic process in place for defining and enforcing contractual security agreements across your supply chain.
Supply chain security management: Responding to a crisis
The final key step in managing supply chain risks is having a plan in place to respond to incidents when they occur. You don’t want to wait for a breach to decide what to disclose, or how to contain the threat and so on.
Your response plan should define the following points:
- Who will perform which tasks in response to an incident. Remember that many incidents require responses not just from technical stakeholders, but from other departments such as the legal, PR and others.
- Which vendors you will use as a backup in the event that one key vendor is breached.
- How the response will be documented.
- How you will determine whether public disclosure of a breach is required, and how you will manage that disclosure.
In addition to developing a response plan, run drills so that your team can practice responding to a supply chain breach, before a real-life incident occurs. You should also strive to keep your team focused on the big picture. As you can’t predict the exact nature of a breach, it’s best to learn how to think holistically and creatively about managing incidents, rather than investing in rote reaction plans that may be too specific to apply to a given incident.
Last but not least, ensure that you have a response plan that will allow you to react quickly and effectively when a major security incident occurs within your supply chain. Your goal should be to resolve the incident in a way that protects your operations, customers and reputation, while also demonstrating to partners that supply chain security is a key priority.