Securing beyond the boundaries

< Back to Cyber security considerations 2022 page

The race to transform digitally continues to be a high priority for enterprises, large and small. Becoming a digital-first organization implies a data-centric approach in which data is shared on a near-constant basis throughout a complex and connected ecosystem of partners and suppliers. This data fluidity between third, fourth and fifth parties creates numerous opportunities for cyberattackers to compromise systems and data. How can CISOs help secure their own organizations, while encouraging their broader ecosystem to be cyber secure?

Most organizations are no longer the single, monolithic entities many customers have long believed them to be. They’re deeply operationally dependent on a robust supply chain, as well as a myriad of traditional and non-traditional partners that often have direct access to business systems and data. Although regulatory standards and mutually agreed-upon security frameworks can help minimize the impact of third-party cyber threats, there are situations where the participants in these complex ecosystem structures — cloud providers, SaaS companies, Internet of Things (IoT) device manufacturers, etc. — may not have clear obligations for establishing adequate controls to protect their partners’ data, leaving the entire network vulnerable to cyberattacks.

From a contract negotiation perspective, there should be proper vetting of all potential vendors’ organizational security policies, as well as the security built into the products and services to be accessed. Currently, this requires tremendous and perhaps infeasible due diligence by each ecosystem partner. In most cases, point-in-time, periodic assessments are conducted manually by third-party security programs managed internally or outsourced.

Some organizations, particularly in regulated industries, are also making better use of security-ratings companies, whose services supplement point-in-time assessments by providing security risk scores against a set of pre-defined parameters. This helps to determine whether an ecosystem partner’s security is ‘good enough’ by offering detailed qualitative and quantitative analysis.

Regulations relating to cyber security will likely continue to tighten and expand, as exemplified by executive orders from the US White House on supply chain, as well as the European Union’s continuously evolving Network and Information Security (NIS) Directive, which has drawn clear lines around how member states, industries and organizations should enhance their inward and outward cyber security policies, especially in a post-pandemic world.

A strong risk management framework that looks both inward and outward is key especially for high-risk industries, such as financial services, energy and healthcare. A future-proof approach should also be applied across key industries around the world, in an effort to help ensure that all ecosystem partners follow a clear path in protecting their own organizations, as well as the broad ecosystems within which they operate.

Another key area of focus should be on automation, including the use of AI/ML across the ecosystem. AI/ML can be applied to security policies to address shadow IT issues and provide better oversight of third-party SaaS products, as well as to implement self-service chatbots and automate many aspects of the organization’s third-party risk management processes.

Continuous controls monitoring (CCM) takes this a step further, moving security assessments away from point-in-time activities that become obsolete quickly. CCM can expedite vendor cycles through the use of machine-readable assessments, which ultimately enhance risk and control oversight. To be effective within the context of a partner ecosystem, CCM requires vendor participation and acceptance of this type of assessment. This model can inspire ecosystem partners to move from a compliance-based approach to a more operational focus that allows for corrective measures in real time with or without human intervention.

Alongside a move toward continuous assurance, regulators and even large organizations may look to adopt a more active approach to building ecosystem security. In an interconnected business world, companies are realizing they have a responsibility to protect their supplier ecosystem, particularly partners that don’t have the same level of resources. This could mean providing a monitoring/threat intelligence service across their supply ecosystem and collaborating with partners to defend against identified threats. While in its infancy, regulators and national bodies are increasingly taking this approach, and larger, more mature organizations could follow suit.

1. Keep a close eye on regulatory requirements as they continue to evolve and focus on supply-chain security.
2. Consider continuous controls monitoring as a way of moving ecosystems from compliance to a more operationally based view of security.
3. Explore opportunities to automate and leverage AI/ML in supply-chain security approaches to enhance security and enable skilled security workers to focus on more strategic activities.
4. Don’t overlook the operational technology (OT) supply chain; as IT and OT systems continue to converge, attackers will likely seek to exploit OT systems in an effort to compromise business data.
5. Larger, more resourceful organizations should seek to take a capacity-building approach by applying security measures to protect their broader ecosystem, in addition to their own environment.