Supplier Stranger Danger – Cybersecurity Spotlight

Does your organisation have excellent cyber security while your third party suppliers are open wide to cyber attacks? Here’s how you can clamp down on supplier cyber risk.

Recent trends indicate that it’s no longer enough just to address cybersecurity internally. Your organisation itself may have comprehensive cybersecurity controls in place – but can you say the same about your third parties?

Cybercriminals are rapidly advancing their tactics by targeting an organisation’s third parties, vendors and suppliers – and it’s working! So while you may already have verified the authenticity of your third parties, how can you be sure they can provide adequate protection for your data?

Todd Boehler, Senior Vice President of Strategy at ProcessUnity, and Karen Sutton of Supply Chain Intelligence Pty Ltd, joined Procurious founder Tania Seary to discuss the best strategies for managing third-party cyber risk, tier by tier. Hear their full conversation in the ProcessUnity webcast, Are Your Suppliers Putting You At Risk?

Come together, right now

Karen has dealt extensively with internal cyber security teams and with external providers. A united front is the key to success. “It’s when all the core components come together,” she explains, “so we’ve got a strong governance relationship with the supplier, and with the cyber security team.” It’s not just a case of remediating immediate problems, but of looking beyond them. “We’re not just addressing the symptom but treating the organisation holistically.”

Todd reinforces the need for unity, emphasising the importance of bringing Procurement and IT together to discuss supplier risk in the formative stages. This is where robust, reliable contracts are built. “It’s so important that they don’t silo into different groups,” Todd stresses. “Our most advanced customers have really tied their control backbone and their risk management process together for the benefit of the third party and the Information security team.”

This is also the time to consider what regulations apply, based on geography, service type and industry standards. Build relevant compliance standards into your contracts from the get-go.

It takes a whole village

While security may be the province of the CSO, Procurement has the vital subject matter expertise. “The CSO has to worry about cyber all over the place – then they’ve got this big juggernaut of third-party risk to deal with!” Todd champions harvesting expertise across all departments: “it’s a really strong value proposition for an organisation to address and connect with.” He cites numerous examples of this approach reducing cost, thrashing and onboarding cycle times. It also leads to stronger SLAs in contracts, more risks identified, and more issues corrected.

“Cyber security becomes a roadmap in an organisation. Some companies have 70 projects laid out over 5 years that they’ve identified through baseline maturity assessments!” And it’s inextricably a mix of both internal and external affairs, Todd observes. “It’s a forever thing! Risk and compliance don’t go away.”

Build transparency around your suppliers’ own third-party risk management programs so that you understand your fourth-party risk. Understand how far your control policies extend to nth parties, so that adequate controls protect your data at every tier.

Any questions?

What questions should we be asking vendors to define their cyber security performance?

Todd has routinely seen organisations send the same questionnaire to all their suppliers. It’s the questions you don’t ask that count! “That inherent risk assessment and understanding the nature of the product or service really gives you value. You can really target relevant questions.” It would be better to ask 40 specific questions than 400 generic ones.

Some common key questions include:

- Does the organisation staff a function to centrally govern cybersecurity and privacy controls?
- Does the organisation facilitate the implementation of asset management controls?
- Does the organisation develop, disseminate, review and update procedures to facilitate the implementation of maintenance controls across the enterprise?
- Does the organisation implement a threat awareness program that includes a cross-organisation information sharing capability?

Even with detailed and specific questionnaire answers in your arsenal, avoiding risk depends on one critical consideration that reaches beyond any contingency plan: “it takes buy-in from the top down. If your management team thinks this is a ‘check the box’ exercise, that’s the first mistake. You’ll be in trouble,” Todd warns. “It takes awareness at the top level.”

Get the complete picture on all aspects of supplier risk management: sign up now for the webcast, Are Your Suppliers Putting You At Risk?