Last Updated on March 16, 2023
John Verry, Pivot Point Security CISO and Managing Partner, invokes his Nostradamus avatar on a recent episode of The Virtual CISO Podcast to foretell 2022’s key cybersecurity and privacy trends and drivers.
“I don’t think it’s that crazy to play Nostradamus if you base your predictions on where we are today,” John quips.
Based on current trends, John’s #3 prediction is a slam dunk: supply chain risk management is going to become a bigger factor than ever in many of our lives.
What is Supply Chain Risk Management?
Supply chain risks run the gamut from geopolitical instability to natural disasters to public health crises to suppliers who get hacked and leak your data. Supply chain risk management is the process by which you identify, evaluate and mitigate risks in your supply chain. In this context, that pertains particularly to the risks your vendors pose to your sensitive data—and that your company, in turn, poses to its customers.
How do you reduce cyber risk from vendors (aka third-party risk)? Some basic approaches include:
- Rating your vendors according to potential risk (e.g., Low, Medium, High)
- Using detailed due diligence questionnaires to confirm that each vendor has implemented cybersecurity and privacy controls that align with your policies (i.e., they can protect your data about as well as you can)
- Putting language in your contracts that holds vendors financially accountable for breaches involving your data and requires them to notify you immediately if one occurs
- Checking on how well each vendor manages the risk from its own vendors (aka fourth-party risk)
Why is Supply Chain Risk Management More Important than Ever?
While nobody loves doing it, managing third-party cyber risk is critical to both your security program and compliance with demands from regulators, your clients, partners and other stakeholders.
As John notes, paying closer attention to supply chain risk is “the only logical response” to these overarching factors:
- Cyber risk is relentlessly and universally on the rise.
- Companies are putting more and more sensitive data and workloads in the cloud, and thus into the hands of third parties.
- Privacy regulations are growing in number and importance, which broadens the “playing field” of supply chain risk to encompass not just cybersecurity but also privacy. (Are you even inquiring about your vendors’ privacy programs today?)
- The recent presidential Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued in May 2021, explicitly calls on government agencies to tighten up software supply chain security.
- Cybersecurity requirements are “flowing down” from government agencies to their vendors through clauses in contracts, such as the DFARS “interim rule” clauses impacting defense contractors and subcontractors.
Increasingly, businesses across sectors will face mounting pressure to focus on these supply chain cyber issues. There’s just too much at stake not to.
As John so eloquently puts it,
“You will be ‘due diligencing’ your third parties and being ‘due diligenced’ by your third parties more frequently.”