How many partners are in your supply chain? What about your digital supply chain?
More importantly, how confident are you in their practices and ability to protect the information and reputation of your company?
I recently talked with Patrick Gorman, Head of Strategy & Product, CyberGRX, about how our approaches to the digital supply chain lag behind the physical realm -- and what we can do about it today.
As Head of Strategy and Product, Patrick is responsible for developing CyberGRX’s strategy and overall product design. Prior to CyberGRX, Gorman served as Chief Security Officer (CSO) at Bridgewater Associates, Chief Information Security Officer (CISO) at Bank of America, and Associate Director of National Intelligence (ADNI) for technology and strategy at the Office of the Director of National Intelligence (ODNI).
We talked about our efforts to know (or try to) who touches what in the physical supply chain. We even touched on how we’re using digital elements and even the “Internet of Things” (IoT) to improve how we track and protect the physical supply chain.
Yet in the digital realm, we struggle to know ourselves, our products, and our partners. And the IoT elements and advancements improving our physical supply chain are about to make the digital supply chain even more complicated.
That’s why it’s time to adopt a better approach. And Patrick shared a wealth of ideas, including insights on what got us stuck in the first place, starting with our complexity problem.
What does it mean that security has a complexity problem?
The combination of outsourcing, globalization and the digitization of business has created new security and resiliency risks that many businesses are just now beginning to address. Large companies often have tens of thousands of suppliers, vendors, and affiliates while even smaller, start-up companies can have dozens of suppliers and vendors. Managing this digital ecosystem is a real challenge. It’s a board-level issue now. The question that everyone’s asking is, “What are you doing about your suppliers and vendors?” At the same time, most companies are imposing recursive, inconsistent assessment standards on their third parties. And each third party has their own customers that have the same needs. All of this is creating a level of complexity that we tried to tackle years ago through shared assessments.
This approach has seen a certain level of success, but it has created a lot of overhead.
There are thousands of questions third parties have to answer and everyone’s tailored their own version to include what they need. It was a step in the right direction, but it’s fueled a lot of the current complexity.
What is the downside to approaching security with a compliance mentality?
The basic model of security should be based on evolution and speed. Compliance is an assessment at a point in time based on criteria that were developed through a deliberative process that often takes years. This is how most government- and industry-driven standards and assessment criteria are developed. We need to get past episodic assessments to continuous evaluation and evolution through a risk-based approach. Two things come out of that. The first is that by continuously looking at yourself and evolving your capabilities, you avoid surges around annual assessments. The second is that a company may fix five things from a compliance-based assessment, but there’s no correlation with the reduction of risk.
That’s a problem. The plethora of regulations and compliance requirements caused an expensive shift where companies favor compliance checklists over looking at this from a threat, vulnerability and risk point-of-view. They need to ask, “What are the value drivers in my business? What does my digital ecosystem look like? What are my most critical digital assets? What am I exposed to? How do I need to mitigate against that? And what’s the next thing I need to be worried about?” That context is key to staying current and dynamic.
Does that mean the problem of complexity and the compliance mentality is cost?
With Sarbanes-Oxley and all the new regulations since then, only giant companies that can afford a small army of compliance professionals and consultants can compete globally. I don’t have a problem with consultants, but companies should be repurposing that talent to mitigating and implementing changes based on risk.
Once they understand the problem, their focus should be -- as an example -- engineering, implementing and running a company’s identity and access management system. That is value-added to me. Running expensive, episodic security assessments of the problem is not. When I was in the intelligence community years ago, we had the “bathtub problem.” We spent all of our time collecting and processing information, but little time analyzing and disseminating it. We need to invert the curve where we spend more of our time on design and solving the problem rather than conducting expensive surveys and overly ornate strategies.
There’s also a need for a platform to automate this as much as possible. Consider how Intuit simplified tax preparation through great design and accessible content. We think of it like Uber’s platform where both the drivers and riders benefit. In this case, the platform should link customers and third parties together to address the problem through technology and collaboration, driving down cost while mitigating risks.
So security leaders need to focus on adding value instead of increasing cost?
When we’re talking about the vendor-customer relationship, it needs to move from adversarial to collaborative. The best security leaders I know act as partners to their vendors and guide everyone involved, as opposed to saying, “You didn’t become compliant, so you won’t get a contract.” Engagement and collaboration are key. That’s how it becomes a value-added ecosystem.
What’s also critical is changing our mentality and culture to being more open and collaborative, helping those in our ecosystems solve problems and identify best practices. This goes beyond information sharing, which is mechanical. Collaboration is human and high-value. If we can get security leadership to think and act this way, there will be a quantum leap in terms of our ability to defend ourselves.
What can a security leader do to get started?
The first is to know your business and your industry. That’s the context that most security leaders don’t have. Without that context, it’s hard to understand the threats and what matters and doesn’t matter.
Second, know your ecosystem. Your business operates within an ecosystem. You have customers, suppliers, partners and subsidiaries – all of which touch your digital assets in some way. You need to take time to understand who they are, where they are and how they work with you.
The third piece is to understand where your risks lie within your ecosystem and tailor your controls according to those risks.
Once you’ve done that, you’re in a better position to work with your third parties to mitigate those risks in a collaborative way as we talked about earlier. For example, if your third party needs to implement multi-factor authentication before you work with them, and you’ve already done it, guide them through how you did it.
Finally, trust but verify. Check back with them in three to six months to see if they’ve remediated the risks you’ve identified. If they haven’t done it, they’ve exposed you to risk.
If you do those things in that order, you won’t need to hire an army of consultants and you will add incredible value.