InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
In an increasingly digitally networked world, companies are more reliant than ever on a broad network of suppliers and providers. This dependency increases the risks in the supply chain and makes Cyber Supply Chain Risk Management (C-SCRM) an indispensable task for companies in all sectors. Chief Information Security Officers (CISOs) are therefore required to understand and manage the complex risks of C-SCRM and to act proactively. This article focuses on the most important strategies and best practices from a CISO's perspective, taking into account renowned frameworks and recommendations.
To successfully fulfil his area of responsibility, a CISO must understand the full scope of the extended supply chains and comprehensively protect company information. The measures to be derived from this go beyond simply securing internal systems by encompassing the entire supply chain ecosystem – including third-party suppliers, service providers and customers. This requires a multidisciplinary approach and the identification of all stakeholders involved.
By documenting policies and procedures and requirements for contracted service providers (and auditing them), organisations ensure security, integrity, resilience and quality along the entire supply chain.
Compliance with established standards such as ISO/IEC 27001 and 27002, NIST Cybersecurity Framework (CSF with extended weighting in NIST CSF v2.0), CIS Controls, FINMA Circular 2023/1 are of crucial importance.
A complete inventory of service providers, information on outsourced data and a thorough understanding of the procured services and IT components is essential. Regular evaluation of service providers and identification of weak points are essential. Companies must ensure that their contracted service providers implement appropriate security measures and SCRM practices. This requires the introduction of protocols to assess the safety culture and SCRM programmes of suppliers and subcontractors.
In the world of Cyber Supply Chain Risk Management (C-SCRM), organisations face a variety of threats that can put their operations and reputation at risk.
Let’s look at some specific cyber risks that illustrate the importance of robust SCRM measures:
The effectiveness of an SCRM programme depends on its ability to adapt to changing threats. Regular evaluations are necessary to determine whether the programme is effective and where optimisation is required.
The implementation of a C-SCRM requires a structured approach. The measures go beyond simply securing internal systems.
The key elements of a Cyber SCRM plan include:
The first steps are always the most difficult. To make this easier for you, we have formulated a pragmatic approach that provides you with clear recommendations for action and concrete measures:
The first steps |
What needs to be done in detail: |
1. Carry out an as-is analysis by thoroughly analysing the supply chain and identifying the players involved. a) Was an important supplier recently the victim of a ransomware attack? b) Is the issue of security and reliability actively managed? c) Is there security governance? |
Inventory of service providers, outsourced data, services and IT components:
|
2. Develop clear policies and procedures based on best practices and industry standards. |
|
3. Carry out regular supplier and component assessments and checks in order to recognise and address potential risks at an early stage. |
|
4. Create SCRM awareness in your organisation and sensitise employees to the need for supply chain risk management. |
|
The complexity of C-SCRM requires a holistic and proactive approach. C-SCRM presents companies with complex challenges that require proactive action and continuous care.
As CISOs, the responsibility lies with us to implement robust SCRM practices that protect our organisations' assets and ensure business continuity. By adhering to established frameworks and implementing best practices, organisations can navigate the complexities of the digital supply chain landscape with confidence.
Cyber risks are often complex and not recognisable at first glance. Ensuring robust operational continuity through effective Cyber Supply Chain Risk Management should therefore not be left to chance.
Our team of cyber security experts is at your side with its expertise – offering comprehensive support in the areas of risk management & compliance to implement customised security solutions and thus ensure a proactive response to potential threats.
Contact us for a detailed consultation and find out how we can optimise your cyber security strategy.