Kogod Cybersecurity Governance Center
Written by Rebekah Lewis
The impact of cybersecurity incidents on large-scale business transactions (e.g., Verizon-Yahoo) and increasingly rigorous cybersecurity requirements for federal contractors are just two examples of the rising importance of cybersecurity risk management across the supply chain. At a recent event co-hosted by A.T. Kearney and the Kogod Cybersecurity Governance Center (KCGC), expert participants shared their insights and recommendations regarding supply chain risk management (SCRM). This installment of KCGC | In Practice reviews some of the key insights drawn from this discussion, including important areas of consensus and debate.
Practitioners and scholars approach cybersecurity from different perspectives - one reason why findings on which they agree may be particularly compelling. At the recent discussion, "Resilient Cybersecurity Operations for Today and Tomorrow," KCGC and A.T. Kearney (a KCGC sponsor) brought together academia and industry to discuss cybersecurity risk management and the supply chain. A number of common themes and areas of agreement emerged, including the critical importance of a clear and coherent strategy and the role of leadership. Read on for analysis and on-the-ground tips, drawn from this discussion, on how to make more effective and responsible cybersecurity SCRM a reality.
Cybersecurity SCRM is a hot topic. Recently proposed updates to the Cybersecurity Framework (CSF) issued by the National Institute of Standards and Technology (NIST) incorporate an entire section devoted to SCRM and President Donald Trump's recent cybersecurity Executive Order highlighted the importance of supply chain risk. But, despite all the hype, participants cautioned that it may be useful to take a step back and consider whether cybersecurity risk requires new and different solutions to SCRM.
In addition to modifying the implementation of traditional SCRM strategies for a cybersecurity world, participants also stressed the importance of maturity to successfully managing cybersecurity risk across the supply chain.
Many organizations may not sufficiently prioritize cybersecurity SCRM maturity because they believe that the risk can be transferred via contract to supply chain partners and other parties. But, despite common misperceptions, both practitioners and scholars agreed that ultimate accountability for supply chain risk cannot be outsourced.
In fact, even if they carefully allocate risk via contractual arrangements, organizations that outsource production of goods and services will still be held accountable for the cybersecurity of their supply chain, both through formal mechanisms as well as in the less formal, but very powerful, court of public opinion.
Outsourcing certain operations and supplies may be a responsible and unavoidable business decision, and it may be possible to allocate specific risks within the contours of the supply chain. But, in the end, offloading the actual accountability for the security of those goods and services is not a viable option. Accordingly, as with the enterprise's own internal security practices, partners' security practices should be vetted, documented and confirmed regularly.
Participants also underscored the importance of quantifying cybersecurity risks in the supply chain, with a few key nuances.
Cybersecurity measurement and metrics have been topics of ongoing debate for a number of years, and progress towards finding the "right" metrics and measurements has been, by some estimates, excruciatingly slow. In the interim, organizations may find it helpful to focus less on finding the "perfect" metrics and more on identifying some quantifications that are organization-specific and help leadership better understand and manage risk. While the metrics debate marches on, the mere fact of quantification, even if imperfect, can achieve some strategic goals (namely, engaging top leadership), and that is an important data point in itself.
Participants observed that the human component is one of the most important but often overlooked elements of cybersecurity SCRM.
Organizations' supply chains will continue to grow as a potential source of cybersecurity risk due to their increasing complexity and interconnectedness. But supply chain risk is not a new concept, and many strategies already exist for mitigating a variety of risks, including those related to cybersecurity.
Organizations should take advantage of existing principles of SCRM, management solutions and strategies, while also modifying traditional implementations to address new challenges. As generally agreed by both scholars and practitioners at the recent seminar, success will depend on the following: