CISO perspective: Proactive Cyber SCRM to protect your business continuity

Geschrieben von Markus Limacher | 12 Aug 2024

In an increasingly digitally networked world, companies are more reliant than ever on a broad network of suppliers and providers. This dependency increases the risks in the supply chain and makes Cyber Supply Chain Risk Management (C-SCRM) an indispensable task for companies in all sectors. Chief Information Security Officers (CISOs) are therefore required to understand and manage the complex risks of C-SCRM and to act proactively. This article focuses on the most important strategies and best practices from a CISO's perspective, taking into account renowned frameworks and recommendations.

To successfully fulfil his area of responsibility, a CISO must understand the full scope of the extended supply chains and comprehensively protect company information. The measures to be derived from this go beyond simply securing internal systems by encompassing the entire supply chain ecosystem – including third-party suppliers, service providers and customers. This requires a multidisciplinary approach and the identification of all stakeholders involved.

Security and compliance management along the supply chain

By documenting policies and procedures and requirements for contracted service providers (and auditing them), organisations ensure security, integrity, resilience and quality along the entire supply chain.

Compliance with established standards such as ISO/IEC 27001 and 27002, NIST Cybersecurity Framework (CSF with extended weighting in NIST CSF v2.0), CIS Controls, FINMA Circular 2023/1 are of crucial importance.

A complete inventory of service providers, information on outsourced data and a thorough understanding of the procured services and IT components is essential. Regular evaluation of service providers and identification of weak points are essential. Companies must ensure that their contracted service providers implement appropriate security measures and SCRM practices. This requires the introduction of protocols to assess the safety culture and SCRM programmes of suppliers and subcontractors.

A look at real cyber threats and why C-SCRM measures are essential

In the world of Cyber Supply Chain Risk Management (C-SCRM), organisations face a variety of threats that can put their operations and reputation at risk.

Let’s look at some specific cyber risks that illustrate the importance of robust SCRM measures:

Kaseya breach: Ransomware attacks show the vulnerability of global supply chains and the need for effective security measures.
SolarWinds: Software vulnerabilities emphasise the importance of a robust SCRM strategy to protect against systemic vulnerabilities.
Physical and virtual access points can facilitate the compromise of supply chains that favour breaches.
The trade in stolen login credentials on the darknet highlights the threat posed by insiders and the need for comprehensive monitoring.

9-point plan: Structured introduction of a C-SCRM

The effectiveness of an SCRM programme depends on its ability to adapt to changing threats. Regular evaluations are necessary to determine whether the programme is effective and where optimisation is required.

The implementation of a C-SCRM requires a structured approach. The measures go beyond simply securing internal systems.

The key elements of a Cyber SCRM plan include:

Detailed summary:
The C-SCRM plan should include a comprehensive understanding of the ICT supply chain, its risks and a summary of the purpose, objectives and key elements of the plan.
Identification of critical suppliers:
Companies must identify the suppliers (service providers, outsourced functions and data) that are critical to their business operations and regularly assess their importance and the associated risks.
Identification of risks in the supply chain:
A thorough understanding of the data, hardware and software components used in operations is essential for identifying and prioritising risks in the supply chain.
a) Identification of changes in supplier status (criticality).
b) Verification and checks to ensure that suppliers fulfil all legally binding requirements.
c) Regular reassessment of suppliers' compliance with safety practices in the supply chain.
Implementation of supplier diversity:
Maintaining a diversified supplier base reduces dependence on a single supplier and minimises the associated risks.
Development of a supplier evaluation:
Promoting transparency and information sharing between organisations and suppliers ensures quality and supplier compliance.
Development of an emergency plan:
Companies should develop contingency plans to respond effectively to supply chain disruptions, including identifying alternative suppliers and mitigation strategies. Emergency plans should be based on the worst-case scenario.
Staff training:
Training programmes should include C-SCRM elements to ensure that employees understand the importance of supply chain risk management and their role in the process.
Continuous monitoring and optimisation:
It is critical that an effective SCRM programme is maintained through continuous monitoring and reassessment of the risks associated with suppliers in order to incorporate improvements based on new knowledge and experience.
Supplier on-boarding and off-boarding process:
a) Implementation of an effective supplier on- and off-boarding process to ensure that only trustworthy partners are granted access, and risks are minimised.
b) Review of security practices and immediate deactivation of access rights upon termination of the business relationship.
c) Ensuring the security practices of service providers, outsourced functions and data.

4 concrete steps for implementation

The first steps are always the most difficult. To make this easier for you, we have formulated a pragmatic approach that provides you with clear recommendations for action and concrete measures:

The first steps	What needs to be done in detail:
1. Carry out an as-is analysis by thoroughly analysing the supply chain and identifying the players involved. a) Was an important supplier recently the victim of a ransomware attack? b) Is the issue of security and reliability actively managed? c) Is there security governance?	Inventory of service providers, outsourced data, services and IT components: suppliers external service providers subcontractors external hardware/software development CI/CD pipeline third-party providers used by your suppliers repositories and their connections developer access to systems tool configuration and integrations
2. Develop clear policies and procedures based on best practices and industry standards.	guidelines for handling sensitive data (remote) access to systems communication with suppliers
3. Carry out regular supplier and component assessments and checks in order to recognise and address potential risks at an early stage.	internal audits external audits regular vulnerability scans
4. Create SCRM awareness in your organisation and sensitise employees to the need for supply chain risk management.	information on potential threats understanding the role of each individual in the SCRM process training on phishing attacks

Conclusion: Successful Cyber Supply Chain Risk Management thanks to proactive SCRM practices

The complexity of C-SCRM requires a holistic and proactive approach. C-SCRM presents companies with complex challenges that require proactive action and continuous care.

As CISOs, the responsibility lies with us to implement robust SCRM practices that protect our organisations' assets and ensure business continuity. By adhering to established frameworks and implementing best practices, organisations can navigate the complexities of the digital supply chain landscape with confidence.

Optimise your cyber security strategy with expert help

Cyber risks are often complex and not recognisable at first glance. Ensuring robust operational continuity through effective Cyber Supply Chain Risk Management should therefore not be left to chance.

Our team of cyber security experts is at your side with its expertise – offering comprehensive support in the areas of risk management & compliance to implement customised security solutions and thus ensure a proactive response to potential threats.

Vollständigen Beitrag anzeigen