NIST Key Practice 1: Integrate C-SCRM Across the Organization

March 23rd, 2021 Jackie Risley Reading Time: 3 minutes

The interconnectedness of the business ecosystem has accelerated growth and efficiency, but it has also increased cyber risk, according to the National Institute of Standards and Technology (NIST). Rather than directly launching an attack on your network, bad actors often attempt to exploit weaknesses in third-party security to breach systems that manage critical processes and store data related to your IP, customers, and/or employees. Pointing to the widespread incidence of these supply chain attacks, NIST recently published the report “Key Practices in Cyber Supply Chain Risk Management: Observations from Industry.”

Designed to help organizations of all sizes and industries ensure business resilience by building a robust program for what NIST terms Cyber Supply Chain Risk Management (C-SCRM), the document lays out eight Key Practices.

  1. Integrate C-SCRM Across the Organization
  2. Establish a Formal C-SCRM Program
  3. Know and Manage Critical Suppliers
  4. Understand the Organization’s Supply Chain
  5. Closely Collaborate with Key Suppliers
  6. Include Key Suppliers in Resilience and Improvement Activities
  7. Assess and Monitor Throughout the Supplier Relationship
  8. Plan for the Full Life Cycle

This blog series dives into each of these key practices in more detail and provides insight on how technology can support each of them.

Because C-SCRM emphasizes a multi-disciplinary approach to identifying, assessing, and mitigating cyber supply chain risks, it’s no surprise that the first Key Practice is “Integrate C-SCRM Across the Organization.”

Collaboration Begins with Centralization

NIST points out that mature C-SCRM programs are those that facilitate better cross-functional collaboration between cybersecurity, physical security, enterprise risk management, and supply chain/procurement.

NIST suggests forming a Supply Chain Risk Council (or Supply Chain Leadership Risk Council) with executive representation from each of these functional areas and any others that make sense for your business. The council should review relevant risks and risk mitigation plans, set priorities, and share best practices across the enterprise. Such a council fosters trust, collaboration, and alignment between these groups and enables the organization to take a more holistic view of risk.

How Technology Supports This

Too often, disparate technology solutions that don’t integrate hinder an organization’s ability to deliver a holistic, cross-functional approach to managing risk in its supply chains. To overcome this:

  • Make sure your system provides a single inventory of all your suppliers (including nth parties) and supplier relationships.
  • Your system should support multiple user roles with role-based views and functionality specific to procurement, supply chain, cyber risk experts, compliance, business users and more.
  • Use a standardized and shared process for onboarding that provides transparency for all stakeholder functions.
  • Make sure that your system has a flexible integration framework. It will need to integrate with business systems (such as ERP and P2P) and ERM systems, as well as third-party risk intelligence providers. These may include cybersecurity ratings providers and hazard tracking services that could reveal other risks to your cyber supply chain, such as threats to the physical locations of your suppliers’ servers.
  • Ensure that your system has robust reporting and dashboards, including program metrics, that can be shared across functions. This transparency will help business executives better understand cybersecurity risks.
  • As part of your process of centralization, make sure that you cover all the cyber supply-chain risks that come with these engagements. You’d expect the “usual suspects” like cyber security, information security, and data privacy, but have you considered operational risks, geographic risks, concentration risks, and compliance risks too?

Of course, there’s also the practical efficiency of a centralized system to manage risk across functional areas, which eliminates a number of unnecessary challenges, such as:

  • Identifying which system is the system of record for third party data
  • The costs of purchasing, managing, and maintaining multiple systems
  • Weeks spent trying to consolidate risk data to identify potential exposure and report to senior management or auditors
  • The danger of onboarding a vendor that hasn’t completed all of the required due diligence
  • Delays in onboarding as vendors complete multiple disjointed assessments, potentially creating missed opportunity costs

The first key practice that NIST recommends makes it clear that an integrated approach is a core foundation. Our next post will cover the second key practice, “Establish a Formal C-SCRM Program.”
