Understanding and Managing Supply Chain Risk (with Michael Caruso)

In this episode of State of Security, Geoff Hancock, Global CISO and Deputy CEO at Access Point Consulting, spoke with Mike Caruso, Director of Supply Chain Security Management at Access Point Consulting, about managing supply chain risk. Understanding and managing third-party risk is both complex and critical -- Caruso had thoughts about the steps companies should take to go beyond the basics of regulatory compliance to effective third-party risk management.

Caruso began by introducing himself: most of his career was spent at insurance companies running computer operations, networking, and security teams. At the last company he worked for, he helped develop the third-party risk management program and then ran the programs that ensured compliance with the NYDFS security regulations when they came into effect.

Hancock opened by asking Caruso how he defines "third-party risk management." Caruso responded, "Breaking it down simply, it's identifying all the vendors you're doing business with -- third-party suppliers -- taking a look at each one and identifying the risks associated with each." He continued by saying that the risk analysis includes understanding what the vendor does for your company, understanding the data they have access to as part of that role, and calculating how strategic they are to your company's continued functioning.

Once the risk has been roughly calculated, the third-party suppliers can be ranked by risk, and reasonable actions can then be taken to control and manage the specific risk of each third party and the overall risk to your organization.

From Knowledge to Action

What kind of actions can be taken to manage the risks? Caruso lists specifics like contract changes, more frequent audits, and continuous monitoring as options that might be reasonable in a given circumstance. Hancock then began drilling into specifics, asking Caruso how he balances managing technical risks against business risks in a relationship.

One of the key issues, Caruso noted, is that the security or risk management team can evaluate and rigorously report on the level of business risk, but decisions on mitigating that risk fall to corporate management -- especially if the third party in question is a strategically critical partner to the organization. Some of the dynamics of these decisions are changing, he said, because recent enforcement actions and legal decisions have left corporate officers personally liable for errors in judgment. The result has been more careful consideration of risk mitigation in situations where, a decade ago, "good enough" might have been the decision.

Caruso and Hancock agreed that in the past, and to an extent in the current environment, there are risks that simply go unmanaged because of corporate policy decisions. In some cases, they noted, it is because the risk was not brought to the attention of executives. In others, it is because the risk was brought to management's attention but, for many different reasons, never rose to a level of attention sufficient to cause action. And sometimes, each admitted, it is because the company feels that it has no leverage with the third-party partner -- no point of pressure big enough to force the supplier to change.

Yet another barrier to third-party risk management, one exemplified by the Change Healthcare breach, is the multiple layers of suppliers that can exist in the modern supply chain. While the phrase "third party" implies a direct relationship, suppliers that introduce significant risk can be three, four, or ten layers removed from the immediate relationship and beyond the normal span of control.

Concentrated Risk

Change Healthcare also illustrates a newer risk, Caruso said: "risk concentration," which arises when many different customers use a common platform. While many professionals are used to the idea of companies like SAP or AWS providing services to many customers, there are smaller companies that also have significant customer bases and large business communities that could be harmed through a supply chain breach.

Hancock and Caruso also talked about the recent hack of the company providing back-end services to auto dealerships across the US. A single point of entry has resulted in scores of dealerships being unable to conduct business in any meaningful way -- an impact that goes far beyond the direct damage to the company that was the immediate target of the attack. Current trends in business, they agreed, make this type of scenario more likely rather than less, and something that executive teams must figure out how to mitigate for their own business, even if that mitigation cannot involve changing technology or behavior at the third-party service provider.

A Mitigation Process

Hancock next asked a critical question: What should the process be for mitigating and managing risk in a risk universe that sees more and more reliance on third parties? The key, Caruso said, is to know which third parties are part of your supply chain and, further, to know ALL of the third parties that are part of your supply chain. This means knowing not only the suppliers that come into the organization through a standard contracting process but also those that come in through the "back door" of shadow IT and unauthorized purchases.

Once suppliers are identified, Caruso said, it is critical to get the proper information on each. This should start with an understanding of the data they need to get their work done, followed immediately by an understanding of the data they actually have access to. Once these are understood, he said, processes can be developed to ensure that each supplier has the proper security programs in place, with the necessary certifications, recent audit results, and any modifications for the client's specific needs in place to meet mitigation requirements.

Caruso reminded Hancock that an ongoing program of monitoring and audits is required because both the threat and risk landscapes are constantly changing. Third-party risk management, he said, is not a "one and done" activity -- it requires constant work to keep it up to date and effective.
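The risk-ranking process Caruso describes earlier (identify each supplier, what it does for you, what data it touches, and how strategic it is, then rank) and the inventory-and-verification steps above (capturing shadow-IT onboarding, data needed versus data accessed, certifications, and audit recency) can be expressed as a small scoring model. The following is an added example written for this page; it is not code from Access Point Consulting or from the episode. The weights, data classes, vendor records, and the one-year audit window are constructed assumptions chosen to show the mechanics, not a recommended scale.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set, List

# Constructed weights (assumption): higher means more sensitive / more critical.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
AUDIT_MAX_AGE_DAYS = 365  # assumption: evidence older than a year counts as stale


@dataclass
class Vendor:
    name: str
    function: str
    criticality: str                 # how strategic to continued operations
    data_needed: Set[str]            # data classes the work actually requires
    data_accessed: Set[str]          # data classes the vendor can reach today
    onboarding: str                  # "contract" or "shadow_it" (the "back door")
    certifications: Set[str] = field(default_factory=set)
    last_audit: Optional[date] = None


def excess_access(v: Vendor) -> Set[str]:
    """Data the vendor can reach but does not need: a least-privilege gap."""
    return v.data_accessed - v.data_needed


def highest_sensitivity(classes: Set[str]) -> int:
    return max((DATA_SENSITIVITY[c] for c in classes), default=0)


def audit_is_stale(v: Vendor, today: date) -> bool:
    return v.last_audit is None or (today - v.last_audit).days > AUDIT_MAX_AGE_DAYS


def risk_score(v: Vendor, today: date) -> int:
    """Blend business criticality with data exposure, then add control gaps."""
    score = CRITICALITY[v.criticality] * highest_sensitivity(v.data_accessed)
    score += 2 * len(excess_access(v))          # each unneeded data class
    if v.onboarding == "shadow_it":
        score += 3                               # bypassed the contracting process
    if not v.certifications:
        score += 2                               # no independent security attestation
    if audit_is_stale(v, today):
        score += 2                               # no recent evidence
    return score


def findings(v: Vendor, today: date) -> List[str]:
    """Human-readable reasons behind the score, for the report to management."""
    out = []
    if excess_access(v):
        out.append(f"excess access to {sorted(excess_access(v))}")
    if v.onboarding == "shadow_it":
        out.append("onboarded outside the contracting process")
    if not v.certifications:
        out.append("no security certifications on file")
    if audit_is_stale(v, today):
        out.append("audit evidence missing or older than a year")
    return out


def rank_vendors(vendors: List[Vendor], today: date) -> List[Vendor]:
    """Highest risk first, so remediation effort goes where it matters most."""
    return sorted(vendors, key=lambda v: risk_score(v, today), reverse=True)


# Constructed sample inventory (assumption: fictional vendors and dates).
TODAY = date(2024, 9, 1)
SAMPLE_VENDORS = [
    Vendor("PayrollCo", "payroll processing", "high",
           {"regulated", "internal"}, {"regulated", "internal"},
           "contract", {"SOC2"}, date(2024, 3, 1)),
    Vendor("AnalyticsStartup", "usage dashboards", "medium",
           {"internal"}, {"internal", "confidential"},
           "shadow_it", set(), None),
    Vendor("OfficeSupplies", "stationery", "low",
           {"public"}, {"public"},
           "contract", {"ISO27001"}, date(2023, 1, 15)),
]


def ranked_report(vendors: List[Vendor] = SAMPLE_VENDORS, today: date = TODAY):
    return [(v.name, risk_score(v, today), findings(v, today))
            for v in rank_vendors(vendors, today)]


if __name__ == "__main__":
    for name, score, reasons in ranked_report():
        print(f"{score:3d}  {name:18s} {'; '.join(reasons) or 'no gaps flagged'}")
```

The point of the model is that a vendor with modest data access can still rank above a strategically critical one once control gaps are counted: in the sample, the shadow-IT analytics vendor with unneeded confidential access and no audit evidence outranks the payroll processor that handles regulated data but has current attestations. The `findings` list gives management the specific reasons, which is what they need to decide on contract changes, more frequent audits, or monitoring.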

From Compliance to Operations

Hancock next asked Caruso about making the step from regulatory compliance to risk and security operations -- activities that can be separated by a significant gulf. Caruso acknowledged that the real question at the heart of this issue is whether the company is getting correct, necessary, and sufficient information from vendors; that, he said, is the hard part. Timing is often critical in getting the information.

"I find in the onboarding process, before the contract's signed, they're usually pretty quick to comply. On an ongoing basis, it gets a little tougher," Caruso explained. This is why, he said, he's a fan of using automated tools to continuously monitor compliance with regulations and contract provisions. In the long run, though, even continuous monitoring can fall short of bringing the necessary level of third-party risk mitigation.

"With the key vendors what you really need to do is build a relationship," Caruso said, adding, "You both have the same goal which is securing the environment. Then you can share with them what your scanning tools show. They might not be seeing the same thing so if you can have some back and forth with them and they're agreeable that's kind of the best of both worlds."

Caruso admitted that developing this kind of relationship can take time and involves everything from learning to trust the data that comes from other sources to getting people to pick up the phone when a caller might not be in their contact list. It's possible, he said, to include provisions on contact names and resource availability in contracts, but even there it can take time to get the process as smooth and non-disruptive as possible.

The Levels of Third Parties

When Hancock asked whether a third-party risk management program should be considered a "must" for companies of a certain size, Caruso's answer was emphatic: "Yes." He continued, "In some way or another you need to control the risk or at least identify the risk." Without a third-party risk management program in place you are, he said, simply rolling the dice on security. Hancock kept pressing Caruso, though, asking about the necessity for fourth-party management in a functional risk management program. "Your third parties are using third parties and it just branches out like a spiderweb," Caruso explained.

This is, Caruso said, where the relationship with a third-party supplier is so important. Your third parties have third parties, he explained, and it can be almost impossible to understand who all those indirect suppliers are without a good and productive relationship. Even with that relationship, though, solid contract language on the disclosure of, and limits to, third-party contracts held by your third parties can make the process of discovery faster and more complete.

It's not realistic, Caruso said, to think that you will know every third-party supplier used by your third-party suppliers. You can ask, and will get a response, but it's up to your company to have controls in place to limit the data that's shared with organizations outside your company and severely limit what can be done with the data that might travel beyond your corporate perimeter. To achieve this, companies should have multiple layers of security including automated monitoring and data-loss prevention (DLP) tools that help limit how quickly and completely an attacker can exfiltrate data.

Staying Threat Aware

When all of the tools discussed so far are put together, Hancock said, the total begins to look a lot like threat intelligence. So how should a company without a threat intelligence program begin to put a formal one in place? Caruso said the place to start is right out there on the web: start with the news to see which threats are being seen and which are actively compromising companies across all industries. A news aggregation service can make the daily search easier, or professionals can simply save searches on topics that relate to cyber security and their own market segment. Searches are important, Caruso said, especially if you remember to search on product and service names in addition to company names when looking for vulnerabilities and remediations.

The number one suggestion for companies, Caruso said, is gaining executive support. To be effective, there must be a top-down approach. Understand who your third parties are, and who their third parties are. With that, understand which company has responsibility for which part of the application infrastructure. It is also important to understand who within each of the third parties has responsibility for acting in an emergency, and who in your organization they should work with to protect your data.

Finally, this should not just be a compliance exercise; it should be a constant monitoring process that works to protect data throughout the organization.
