Interos CISO Insight Series: 6 Vital Findings into Supply Chain Security

Interos recently hosted a roundtable for financial services industry (FSI) security professionals to discuss supply chain challenges. The event included 30 FSI participants and several of Interos’ supply chain security experts. The six most important findings of the event are below:

1: Only 10% of participants monitor their supply chain past the first level.

We see this all the time: most organizations have little or no visibility past their direct, first-tier suppliers. This lack of awareness can be challenging when dealing with a cyber breach such as Kaseya. The chief information security officer (CISO) has no idea how such an event could impact their organization. The CISO must wait for a vendor to notify them of a breach or detect an attack in progress, which forces them to be reactive in a potentially catastrophic situation.

2: Most do not continuously monitor first-tier suppliers or only use third-party risk software for annual reviews.

This feedback was disappointing but expected. Many participants said they employed third-party risk software but had not actively used it to make changes. If the organization is not actively mapping and monitoring the supply chain, it can be challenging to understand the bigger picture and anticipate future risks.

3: Many don’t know what to do with the information they receive from third-party risk tools.

More information does not necessarily help the CISO if they cannot use it to make proactive decisions to improve security posture. Much of the risk scoring uses past events or surveys. While third-party risk scoring solutions can be helpful, they often don’t provide real insight into the bigger picture of the risks in an organization’s supply chain. A CISO trying to be proactive and remediate issues will need an awareness of the entire supply chain to understand potential weaknesses.

4: Very little supplier vetting is done during onboarding, which takes 4-6 weeks on average.

This area was the most crucial topic for attendees. All agreed that vetting of new or existing suppliers is the most common supply chain task given to a CISO organization, and the most frustrating. The cyber team may have no onboarding requests this week and five next week. This variance is disruptive to planning and staffing efforts. Vetting is usually done by sending and correlating surveys. The challenge is getting surveys back quickly and completely. At Interos we use public sources of information to build the risk score of a potential supplier, which dramatically reduces the workload on cyber teams.

5: Many feel pressure to speed up onboard checking, especially for critical suppliers.

If suppliers don’t complete or bother to return the survey, it can cause issues for the CISO. With the recent supply chain disruptions caused by trade disputes, COVID-19, the Suez Canal, etc., the need to onboard suppliers quickly and correctly has never been more critical. A CEO telling the CISO that the company is shut down until they complete the risk report is an all too common experience. There is unrelenting pressure to pass suppliers regardless of holistic vetting.

6: Little or no ability to remove a supplier for cyber reasons if they were in good standing otherwise.

The importance of properly screening new suppliers is often only realized months later. Interos gives cyber teams more time to analyze the situation. For example, Interos checks U.S. federal and EU sanctions lists automatically in the risk profile to detect whether the new supplier is using a sanctioned entity. With this extra time, a CISO can guide the purchasing team to include language in the contract stating that this forbidden entity cannot be used in products. The CISO therefore avoids a future problem instead of telling the factory to scrap the entire production line.

Conclusion: Visibility, automation, and better insights help everyone 

The stress on cyber teams to onboard and monitor suppliers will worsen as supply chain disruptions continue. CISOs and cyber teams need to get it right from the beginning to avoid future disruption and breaches. Interos empowers the CISO to score the risk correctly and promptly, reducing the stress on them and their teams, which in turn benefits the organization and its customers.

The Interos Operational Resilience solution can provide the CISO a vital advantage in dealing with supply chain issues. Please see it in action at