Security Assurance and improving your ROI
The risk from supply chain cyber-attacks is significant and growing. A recent Ponemon Institute report found that fifty-nine percent of companies surveyed had experienced a data breach caused by one of their third parties [1], says Haydn Brooks, Founder of Risk Ledger, a computer and network security company, and included in Forbes 30 Under 30 Manufacturing & Industry 2019.
High profile supply-chain breaches, such as TicketMaster’s breach [2] in June of this year, have plagued the news, and all of this has culminated in supply chain security being a hot topic amongst CISOs and boards.
Assurance programmes are the gold-standard tool adopted by risk management functions to mitigate this risk. A well-run assurance programme allows a business to gain comfort that the suppliers it chooses to work with take security seriously and have implemented an appropriate suite of controls to protect whatever trust the company places in that supplier. Trust usually comes in the form of sharing data with the supplier, giving the supplier access to a company network or physical building, or letting the supplier run a function or service that your business relies upon.
A typical assurance programme (depicted in figure 1) is split into two parts, an assessment of each supplier’s criticality and an assessment of each supplier’s security maturity. Criticality is a measure of how much trust a company has placed on a particular supplier, with suppliers trusted to run business critical services or trusted to look after highly confidential data being rated higher than those who aren’t. This is typically judged using a business impact assessment and is done internally by a company’s risk management team.
A tiered approach, based on each supplier’s criticality, is then used to assess each supplier’s security maturity. Low and medium criticality suppliers are subject to a self-assessment of their information protection controls using a security questionnaire. High criticality suppliers are subject to an onsite review to evidence the presence or effectiveness of their security controls. A company may also document baseline security requirements that its suppliers must meet in a Supplier Security Policy, and these form the security framework against which the security questionnaire and onsite review assessments are built.
A risk is made up of two components, an impact and a probability, and assurance gives a measure of each for a supplier’s security risk. A supplier’s criticality score relates to the impact that a breach of trust would have on the company. The assumption is that the higher a supplier scores against the security assessment, the lower the probability of a security breach, so the assessment score stands in for the probability of that impact occurring. Combining the two measurements gives you the risk.
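To make the tiering and the impact-times-probability reasoning concrete, here is a small model added as an illustration; it is not Risk Ledger’s framework or code. The control identifiers, the 1-to-5 impact scale, the linear mapping from assessment score to breach probability, and the three sample suppliers are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assessment route per criticality tier, as described in the article.
ASSESSMENT_FOR_TIER = {"low": "questionnaire", "medium": "questionnaire", "high": "onsite review"}

# Supplier Security Policy: minimum controls a supplier must evidence per tier.
# Control ids are constructed; higher tiers inherit the lower tiers' requirements.
POLICY = {
    "low": {"mfa", "patching"},
    "medium": {"mfa", "patching", "encryption_at_rest"},
    "high": {"mfa", "patching", "encryption_at_rest", "pen_test", "incident_response"},
}

@dataclass
class Supplier:
    name: str
    criticality: str                 # from the internal business impact assessment
    impact: int                      # 1 (negligible) .. 5 (severe), assumed scale
    controls: dict = field(default_factory=dict)  # control id -> evidenced (True/False)

def assessment_type(criticality: str) -> str:
    return ASSESSMENT_FOR_TIER[criticality]

def compliance(supplier: Supplier) -> tuple:
    """Share of the tier's required controls evidenced, plus the gaps to remediate."""
    required = POLICY[supplier.criticality]
    gaps = sorted(c for c in required if not supplier.controls.get(c, False))
    return (len(required) - len(gaps)) / len(required), gaps

def breach_probability(score: float) -> float:
    # Article's assumption: higher assessment score, lower probability of a breach.
    # A linear inverse mapping is the simplest form of that and is assumed here.
    return 1.0 - score

def risk(supplier: Supplier) -> float:
    """Risk = impact x probability, the two components the article describes."""
    score, _ = compliance(supplier)
    return round(supplier.impact * breach_probability(score), 3)

def prioritise(suppliers: list) -> list:
    """Highest residual risk first: the order in which to chase remediation."""
    rows = [(s.name, risk(s), assessment_type(s.criticality)) for s in suppliers]
    return sorted(rows, key=lambda row: row[1], reverse=True)

SUPPLIERS = [  # constructed sample suppliers
    Supplier("Payroll SaaS", "high", 5, {"mfa": True, "patching": True, "encryption_at_rest": True,
                                         "pen_test": False, "incident_response": True}),
    Supplier("Office cleaners", "low", 1, {"mfa": False, "patching": True}),
    Supplier("Marketing agency", "medium", 3, {"mfa": True, "patching": False}),
]

if __name__ == "__main__":
    for name, r, route in prioritise(SUPPLIERS):
        print(f"{name:18} risk={r:<5} assessed via {route}")
```

Note that the medium-tier agency with two open gaps outranks the high-tier payroll provider with one, which is the point of combining both measurements rather than sorting by criticality alone.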
Assurance programmes are highly effective tools for measuring and reducing security risk in supply chains, but they are not without their challenges. Over the past ten years supply chains have been growing in length and complexity, and now most large companies have well over a thousand suppliers, with some having over 100,000 scattered across the globe. Assurance programmes don’t easily scale to these numbers, as more suppliers means you need more risk managers to run the programme, and this drives up cost. Because of this, most companies struggle to cover their whole supply chain with an effective assurance programme. Technology tools such as vulnerability scans of your supply chain can’t provide insight into more than one domain of information security, so they don’t provide the comfort most corporates need, or regulators want, and aren’t a suitable replacement.
The pain on the supplier side is worse, with some suppliers having to fill in over 500 questionnaires a year, and handle about as many onsite reviews. This burden of work is considerable, and larger suppliers typically hire full time members of staff just to respond to all the questionnaires and onsite reviews that they are subject to.
Risk Ledger has been created to address this pain and to allow assurance programmes to scale efficiently and affordably. Companies running an assurance programme join our platform and input their security policies. These are the requirements they expect their suppliers to meet and different requirements can be set depending on a supplier’s criticality, classification of data shared with the supplier, and by different supplier types. They then invite their suppliers to the platform, or if the supplier is already on Risk Ledger, simply send them a connection request.
Suppliers join the platform and assess themselves against our framework. The platform automatically measures compliance between the policies set by the client and the assessments completed by the suppliers, and all of the remediation actions are tracked using our remediation tool. Suppliers can also see all of their clients that are using Risk Ledger and the exact minimum security requirements they have to comply with.
By using our platform, companies running assurance programmes save money and time, and get visibility of more risk. From the supplier’s point of view, they experience the same workflow as a traditional assurance programme, but they can now complete one assessment and share it across multiple clients, saving them work.
Risk Ledger are launching the platform in January with 3 clients. Alongside this, Risk Ledger will be launching our Supplier Assessment Framework and assurance tools pack as an open source tool to help companies run assurance programmes more effectively. To find out how Risk Ledger can help your company run an efficient and effective assurance programme, contact firstname.lastname@example.org.
- [1] Ponemon Institute. Data Risk in the Third-Party Ecosystem: Third Annual Report. Available from: https://www.opus.com/ponemon/#ponemon_form [Accessed 25th November 2018].
- [2] Information website on the data breach. Available from: https://security.ticketmaster.ie/ [Accessed 25th November 2018].