Cybersecurity Supply Chain Risk Management (C-SCRM) deals with more than protecting an organization from cyber-attacks on its third parties. It also addresses the third parties of those third parties (known as “fourth parties”). Further still, a vendor to your vendor’s vendor is a fifth party, then a sixth party, and so on. Your SCRM should be built on knowledge of how deep, complex and even convoluted your supply chain is. Then measure that complexity against your risk appetite.

(You might wonder, “What happened to the second party?” Those are your members and customers.)

What really makes the difference between C-SCRM and any other kind of technical vulnerability management (VM)? There isn’t much difference in the tactics used. What becomes essential in C-SCRM is that the technical side of VM gets done, and gets done well. With C-SCRM, managing and monitoring aren’t optional. If a company has a relatively small number of third-party vendors, there may not be much more to do than in a typical VM program. But if it has a multitude of third parties, the total number of suppliers in the chain inevitably grows exponentially. That growth immediately produces numerous vulnerabilities that your company is responsible for managing. It may seem unfair that you have to manage those vulnerabilities, but in the end your customers are relying on you to provide a solid product and service.

Digital transformation both imposes and increases third-party risk. The two primary threats in the increasingly outsourced digital economy are:

  1. Lack of full control
  2. Lack of full visibility

Is there any data to show that third parties are really such a serious risk? According to Verizon’s 2019 Insider Threat Report’s “5 Types of Insider Threats,” the fifth type of insider threat is the Feckless Third Party, described as follows: “Business partners who compromise security through negligence, misuse, …