There has never been a more important time for organisations to pay closer attention to the security of their supply chains.
For IT hardware and software products as well as non-IT related products, the supply chain represents an intricate ecosystem of providers or suppliers that can be regarded as potential entrance points for hackers looking to target a business. With recent research finding that 64% of businesses outsource a large proportion of their daily tasks to third-parties, the supply chain threat landscape is widening significantly.
And unfortunately, by relying on a third-party supplier to create and provide hardware, software and services, an organisation also takes on the risk of that supplier. As a result, if a company experiences a supply chain cyber attack, the onus falls on them to deal with the consequences – whether that be steep regulatory fines or reputational damage.
Determining supply chain risk – the challenges
Supply chain attacks continue to rise, and it is undeniable that malicious actors are deliberately using third-parties as a means to breach an organisation. As a result, both security teams and procurement leaders need to be aware of the varying types of supply chain attacks out there, such as targeting suppliers of ICT hardware and software or compromising networked third-parties. However, when it comes to actually determining the amount of risk that third-parties bring to a business, the answer is not straightforward.
The current methods deployed for assessing supply chain risk present a number of challenges to businesses. Organisations often rely on point-in-time assessments based on questionnaires. But for consumers of hardware, software or services, comparing risks from multiple potential suppliers is a problematic process, preventing them from independently measuring risk in these third-party suppliers. This means that it is nearly impossible for companies to have sufficient visibility into their real-time risk posture.
Enabling quantitative risk analysis
The measurement and management of risk is not a new concept – it has long been seen as a core organisational responsibility. However, the increasingly complex nature of today’s businesses has recently made it a central priority for decision-makers. And when it comes to securing the supply chain, quantitative risk analysis is crucial for managing risk efficiently.
Open standards can be used to deliver a recognized consensus-based methodology for applying quantitative risk analysis from a cybersecurity perspective. Essentially, this allows for effective measurement that delivers greater validity. Taking a look at open standards more broadly, these are publicly available and designed to provide requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose. In brief, standardisation ensures compatibility across many platforms by providing a level of openness which those without the standard cannot deliver.
The UNIX operating system is a great example of this in practice, demonstrating the real value of openness. As a truly open standard, it enables a focus on driving innovation within the ecosystem around the platform, rather than driving competition at the core operating system level.
Open standards and the supply chain
The Open Trusted Technology Provider Standard is one example of how open standards can work within the supply chain, helping providers of IT products to execute a quantitative approach to risk analysis. As a result of the standard being in place, the manufacturer is better positioned to identify how much risk exists within their supply chain, enabling them to understand exactly which third-party is the weak link.
Bringing rigor to risk analysis ultimately leads to more accurate insights and improved decision making. In the same vein, it also enables clearer communication between procurement leaders, security teams and the C-suite. By applying quantitative methods to supply chain security, made possible by using open standards, a company can gain a more holistic view of their exposure to risk – and, in doing so, build a safer, more transparent business.
Jim Hietala is VP Security at The Open Group