Tutorial 4 Preview: Securing your supply chain
Be empowered as a business executive or senior business leader with practical guidance on how to build risk-based cyber-assurance programs over suppliers, third parties, and business partners. Make risk-informed decisions and promote business agility and innovation, all the while minimizing exposure to third-party-related cyber threats.
4.2. The rising specter of compromised supply chain
During the economic downturn, several enterprises pushed their ancillary or back-office processes to third parties to reduce internal costs. As attractive and transformative as business alliances are, they nonetheless carry significant cyber risks. Enterprises get into trouble if they fail to carefully manage cybersecurity within outsourced arrangements. Poorly planned or poorly governed outsourcing can expose the business to threats outside its risk tolerance, or open backdoors through which cyber threat actors creep in and debilitate high-value digital assets.
4.3. The supplier risk segment
Not all suppliers are created equal; some present a much higher level of risk exposure. A key measure for optimizing limited resources against a large pool of suppliers is to segment them according to their level of risk exposure. Taking a risk-based approach maximizes the value of the security assurance budget and reduces needless audits of suppliers. It also reduces noise, enabling limited security resources to focus on the supplier arrangements that present the highest level of risk instead of being spread thinly across all supplier arrangements, each of varying significance.
4.4. The security assurance reports
The most efficient way to manage third parties is to require them to provide their own industry-standard assurance reports. If you don’t make this contractually enforceable, you will end up sending dozens of questionnaires with hundreds of questions to third parties, and your cybersecurity team will easily be overwhelmed by drawn-out, complex reviews. Naturally, high-risk suppliers, such as those handling payment cards or with access to the crown jewels, will require a comprehensive set of assurance reports, while low-risk suppliers can self-attest to the effectiveness of their controls.