How many partners are in your supply chain? What about your digital supply chain? More importantly, how confident are you in their practices and their ability to protect the information and reputation of your company?

I recently talked with Patrick Gorman, Head of Strategy & Product at CyberGRX, about how our approaches to the digital supply chain lag behind the physical realm, and what we can do about it today.

As Head of Strategy and Product, Patrick is responsible for developing CyberGRX's strategy and overall product design. Prior to CyberGRX, Gorman served as Chief Security Officer (CSO) at Bridgewater Associates, Chief Information Security Officer (CISO) at Bank of America, and Associate Director of National Intelligence (ADNI) for technology and strategy at the Office of the Director of National Intelligence (ODNI).

We talked about our efforts to know (or try to know) who touches what in the physical supply chain. We even touched on how we're using digital elements, and even the "Internet of Things" (IoT), to improve how we track and protect the physical supply chain.

Yet in the digital realm, we struggle to know ourselves, our products, and our partners. And the IoT elements and advancements improving our physical supply chain are about to make the digital supply chain even more complicated.

That's why it's time to adopt a better approach. Patrick shared a wealth of ideas, including insights on what got us stuck in the first place, starting with our complexity problem.

What does it mean that security has a complexity problem?

The combination of outsourcing, globalization and the digitization of business has created new security and resiliency risks that many businesses are just now beginning to address. Large companies often have tens of thousands of suppliers, vendors, and affiliates, while even smaller, start-up companies can have dozens of suppliers and vendors. Managing this digital ecosystem is a real challenge.
It's a board-level issue now. The question that everyone's asking is, "What are you doing about your suppliers and vendors?" At the same time, most companies are imposing recursive, inconsistent assessment standards on their third parties. And each third party has its own customers that have the same needs. All of this is creating a level of complexity that we tried to tackle years ago through shared assessments.

This approach has seen a certain level of success, but it has created a lot of overhead. There are thousands of questions third parties have to answer, and everyone has tailored their own version to include what they need. It was a step in the right direction, but it's fueled a lot of the current complexity.

What is the downside to approaching security with a compliance mentality?

The basic model of security should be based on evolution and speed. Compliance is an assessment at a point in time, based on criteria that were developed through a deliberative process that often takes years. This is how most government- and industry-driven standards and assessment criteria are developed. We need to get past episodic assessments to continuous evaluation and evolution through a risk-based approach.

Two things come out of that. The first is that by continuously looking at yourself and evolving your capabilities, you avoid surges around annual assessments. The second is that a company may fix five things from a compliance-based assessment, but there's no correlation with the reduction of risk. That's a problem.

The plethora of regulations and compliance requirements caused an expensive shift where companies favor compliance checklists over looking at this from a threat, vulnerability and risk point of view. They need to ask, "What are the value drivers in my business? What does my digital ecosystem look like? What are my most critical digital assets? What am I exposed to? How do I need to mitigate against that?
And what's the next thing I need to be worried about?" That context is key to staying current and dynamic.

Does that mean the problem of complexity and the compliance mentality is cost?

With Sarbanes-Oxley and all the new regulations since then, it's only giant companies who can afford a small army of compliance professionals and consultants who can compete globally. I don't have a problem with consultants, but companies should be repurposing that talent to mitigating and implementing changes based on risk.

Once they understand the problem, their focus should be, as an example, engineering, implementing and running a company's identity and access management system. That is value-added to me. Running expensive, episodic security assessments of the problem is not.

When I was in the intelligence community years ago, we had the "bathtub problem." We spent all of our time collecting and processing information, but little time analyzing and disseminating it. We need to invert the curve so that we spend more of our time on design and solving the problem rather than conducting expensive surveys and overly ornate strategies.

There's also a need for a platform to automate this as much as possible. Consider how Intuit simplified tax preparation through great design and accessible content. We think of it like Uber's platform, where both the drivers and riders benefit. In this case, the platform should link customers and third parties together to address the problem through technology and collaboration, driving down cost while mitigating risks.

So security leaders need to focus on adding value instead of increasing cost?

When we're talking about the vendor-customer relationship, it needs to move from adversarial to collaborative.
The best security leaders I know act as partners to their vendors and guide everyone involved, as opposed to saying, "You didn't become compliant, so you won't get a contract." Engagement and collaboration are key. That's how it becomes a value-added ecosystem.

What's also critical is changing our mentality and culture to be more open and collaborative, helping those in our ecosystems solve problems and identify best practices. This goes beyond information sharing, which is mechanical. Collaboration is human and high-value. If we can get security leadership to think and act this way, there will be a quantum leap in terms of our ability to defend ourselves.

What can a security leader do to get started?

The first is to know your business and your industry. That's the context that most security leaders don't have. Without that context, it's hard to understand the threats and what matters and doesn't matter.

Second, know your ecosystem. Your business operates within an ecosystem. You have customers, suppliers, partners and subsidiaries, all of which touch your digital assets in some way. You need to take time to understand who they are, where they are and how they work with you.

The third piece is to understand where your risks lie within your ecosystem and tailor your controls according to those risks.

Once you've done that, you're in a better position to work with your third parties to mitigate those risks in a collaborative way, as we talked about earlier. For example, if your third party needs to implement multi-factor authentication before you work with them, and you've already done it, guide them through how you did it.

Finally, trust but verify. Check back with them in three to six months to see if they've remediated the risks you've identified.
If they haven't done it, they've exposed you to risk.

If you do those things in that order, you won't need to hire an army of consultants, and you will add incredible value.