Who Owns Cybersecurity in Supply Chain Risk Management?

It seems like a pretty straightforward question. But so is ‘where do you want to eat dinner tonight?’ Just because it’s a simple question, doesn’t mean there is a simple answer. Over the summer, I was a panelist on a webinar on supply chain risk management with the IT-GRC Forum. The session was really fun and valuable. I love to hear what other folks are seeing, doing, and struggling with in supply chain risk management.

During the session we asked this polling question:

Where Does Cybersecurity Assessment Accountability Reside in your Organization?

We got 212 responses and as I expected, the answers were a bit all over the place. While not surprised, I am somewhat dismayed. Why, you may ask? I’m going to answer even if you don’t ask. There are two main issues for me.

1. While a slight majority of the respondents point to the CISO, the fact that there is a disparity of answers indicates a lack of maturity in the function. If we polled and asked ‘who has accountability for contracts, or compliance, or IT, within the supply chain,’ I am fairly sure we would have had a better consensus.
2. Most CISOs I’ve worked with in the past 20 years don’t have the authority to say ‘no’ to a vendor or partner relationship.

See the issue? The CISO oversees assessing the cybersecurity posture of supply chain partners, but generally doesn’t have the authority to stop, or pause an engagement.

Imagine a scenario where a critical partner is being onboarded.

The CISO does an assessment or uses the Black Kite platform and notices that the partner is missing a whole bunch of controls, is very susceptible to ransomware, and has had four data breaches in the last 18 months.

That is some serious red flag stuff. The CISO takes this information to the business leader, who sits and waits for the CISO to finish her readout of the risk in engaging with said partner. The leader steeples his hands together, looks pensively at the CISO and says something like, ‘That is very interesting. We already signed the contract, and the engagement starts Monday. Thanks for coming.’ and goes back to his address book to see if he knows anyone that can get them a reservation to the hot new Italian, Albanian, kosher vegan place that just opened up downtown.

Three months later, the partner gets hit with ransomware, they are down for a week, causing a  revenue shortfall for the quarter and a 30% drop in share price. The CEO’s hair is on fire, customers are screaming, and the business leader, who did not in fact get into the restaurant, says, ‘why didn’t the CISO do something about this in the first place?’

The moral of the story, well three morals of the story –

1. Organizations must have a documented process for assessing risks within their supply chain that includes ownership and accountability.
2. If the CISO is accountable for conducting the assessment, then they must have some authority to shut it down if it’s really bad.
3. The decision maker needs to be accountable for the risks they accept.

By the way, the Italian, Albanian, kosher vegan place was really good. Try the Byrek.

Stay safe, stay healthy, stay secure!

Wheatman out!