Once upon a time, the vendors that your company chose to work with were your own business. There was little pressure to disclose supply chain vendors to the world at large.
Those days are gone. Today, businesses face pressure from a variety of sources to establish a vendor and vulnerability disclosure policy in order to maintain a transparent supply chain.
Government regulators are demanding vulnerability disclosure policies in the wake of initiatives like the White House’s call for more stringent supply chain cybersecurity protections. Partners expect transparency, too – which is why companies like Palo Alto Networks and Nestlé detail their suppliers on their websites.
From the perspective of consumers as well, vulnerability disclosure policies have become a priority. Alexis Bateman and Leonardo Bonanni note in the Harvard Business Review, “researchers at the MIT Sloan School of Management found that consumers may be willing to pay 2% to 10% more for products from companies that provide greater supply chain transparency.”
For all of these reasons, now is the time for company shareholders and security teams to establish strong vulnerability disclosure policies and supply chain transparency, if they have not already. While it’s important to avoid giving away too much information – because doing so could harm your competitive advantage – CISOs also don’t want to be left playing catch-up when a vulnerability arises within their supply chain. They don’t want regulators, partners, customers and shareholders asking questions about why there wasn’t more transparency and disclosure before an incident, especially in situations where proactive disclosure could have helped to mitigate the impact of a rapidly spreading attack or threat.
Of course, establishing and managing a vulnerability disclosure policy (also known as a VDP) is easier said than done. To help with this mission, we are unpacking the five critical steps CISOs should be taking to establish supply chain transparency and ensure effective disclosure of vulnerabilities.
Step 1: Set vendor disclosure goals
Supply chain transparency doesn’t mean disclosing every detail of your supply chain to the world. Instead, CISOs should set goals about how much information to disclose. Their policies should reflect the level of risk that each supply chain component or vendor poses to stakeholders.
For example, a vendor that supplies software that your business uses internally poses less of a risk than one that helps to provide customer-facing systems. A security issue in the latter is likely to be harder to contain and to have a bigger impact on your users and business. For that reason, a vulnerability disclosure policy might treat suppliers for line-of-business apps and customer-facing apps differently.
Keep in mind, too, that risks constantly change, so you should revisit your vendor disclosure goals at least yearly.
Step 2: Map suppliers and flow
Supply chain transparency is about more than just listing who your vendors are. It’s equally critical to understand how information flows between vendors, and how a vulnerability in one part of the supply chain impacts the rest of the chain.
CISOs can unpack this information by mapping suppliers to the ‘flow of information’. From there, look for gaps where failure to contain a vulnerability or disclose it quickly could impact other vendors or customers.
Step 3: Optimize reporting systems
A strong vulnerability disclosure policy requires effective reporting about where vulnerabilities like to hide and which vendors they involve. Since it’s not practical to generate this information manually at any kind of scale, CISOs should leverage vendor disclosure reporting systems that generate disclosure information automatically.
Baking vendor disclosure into existing business processes can also help to make reporting more systematic and automated. Supply chain transparency is an important component of corporate responsibility. Many businesses are also considering ESG as an integrated part of their cybersecurity risk management, so including it in your vendor disclosure policy just makes sense.
Step 4: Gather information continuously
Again, risks change constantly. So do the vendors within your supply chain and the role they play in it. That’s why security teams must continuously gather and update information about vendors and vulnerabilities, then adjust vulnerability disclosure policies accordingly.
They should also make sure that information is available to all stakeholders. Every person in the organization should be able to see whether there is a supply chain risk and report it to the security team.
Step 5: Report findings and engage vendors
Vulnerability disclosure shouldn’t be a passive affair. You can’t just list vendors or report vulnerabilities periodically on your website.
Instead, you should engage actively with your vendors to report findings, make collaborative decisions about vulnerabilities and address specific risks as quickly as possible.
The point of vulnerability disclosure policies, after all, is to lower risk for everyone. You can do that only by acting on the information you discover.
Continuous monitoring for vendor disclosure is essential
You may have noticed a theme running throughout the vulnerability disclosure steps described above: the importance of continuous monitoring and disclosure.
Continuous monitoring and disclosure mean the ability to detect, report on and react to supply chain risks in real time. They’re critical because, once again, risks and vendors constantly change, so continuous monitoring is the only way to ensure you never miss a threat. Periodic audits or one-off reports are not enough to stay on top of risks or demonstrate a genuine commitment to your supply chain security.
Keep in mind, too, that continuous monitoring and reporting will support the image of your business as one that takes supply chain security seriously. In turn, it helps you to gain a competitive advantage, since partners and customers will see continuous transparency and reporting as a positive quality.
While continuously monitoring risk across your supply chain may seem daunting, Findings makes it easy with automated supply chain security, and our innovative continuous and cloud monitoring apps to support and scale your entire supply chain.