This guidance goes beyond just knowing which suppliers are important to your organization: it calls for rigorously vetting those suppliers. This takes two primary forms:
A deep understanding of the people and processes at your supplier, so you can confirm they meet the standards you set for your own organization and can evaluate any inherent risks
Documenting which suppliers your supplier relies on and the nature of those relationships.
Understanding Subcontractor Relationships
Supply chain risks aren't limited to your suppliers, but often extend throughout a global ecosystem to include their suppliers, partners, and other third parties – in other words, your fourth- and nth-party suppliers. But according to a 2020 survey by Deloitte, only about 20% of organizations reported that they are performing any risk assessment of fourth parties.
That leaves the majority of organizations vulnerable to unforeseen risks that can impact the security of their systems and data. Do those subcontractors process your data or have access to your supplier's network? Could they present a compliance risk, such as providing component parts from a sanctioned or embargoed company or country? Can you be certain that your supplier's critical third party is financially viable?
How the Technology Can Support This
Without an automated, centralized C-SCRM system, managing and analyzing the volume of data associated with vetting suppliers and sub-suppliers can be overwhelming. When over-burdened team members have to rely on manual processes, they can easily miss risk indicators and may not be able to give high-risk or critical suppliers the attention they deserve. Technology can help teams improve control and visibility with capabilities such as:
Robust assessments that look deeply into your supplier's people and processes. Built to reflect best practice and to align with regulatory and other industry guidance, assessments should be comprehensive, but should also allow the content to be scoped to the supplier and the product/service, so that due diligence is appropriate and "survey fatigue" is avoided.
The ability to gather data on fourth and nth parties. Understand which partners are critical to your suppliers and identify any partners that may have access to your data to conduct additional due diligence into those sub-suppliers that pose the greatest risk to your organization.
Map critical fourth and nth parties to understand overall risk exposure. Without this kind of analysis, teams may have unrecognized exposure, such as concentration risk if multiple suppliers rely on the same sub-supplier(s).
Integration with third-party cyber risk data intelligence providers, such as SecurityScorecard and BitSight. These products typically provide proprietary data analysis to assign a score to your suppliers based on their risk posture, processes, and other factors. Systems can use the scores as part of an overall risk score, identify suppliers that require additional due diligence, or continuously monitor suppliers for changes in their cyber risk profiles.
Assess multiple risk domains for a more complete view of supplier risk. There are many indicators of the resilience of suppliers beyond their cybersecurity profile. For instance, lack of financial viability, regulatory non-compliance, and ESG (environmental, social, and governance) violations can all impact operations and continuity of supply.
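The gathering, mapping, scoring and multi-domain points above can be shown concretely. The Python below is an added example, not code from the original post or from any C-SCRM or rating vendor: it takes a constructed supplier dependency graph, assigns third-, fourth- and nth-party tiers, flags sub-suppliers that several direct suppliers (or the organization itself) depend on, lists nth parties that can reach the organization's data, and folds an assumed external rating together with financial and compliance flags into one illustrative priority score. Every party name, score and weight is an assumption made for illustration.

```python
"""Map supplier / sub-supplier dependencies and flag concentration risk.

Constructed example (not from the original post or any vendor product).
The relationships, names, scores and weights below are invented for illustration.
"""
from collections import defaultdict, deque

# Constructed data: who depends on whom. "Org" is the organization doing the
# assessment; its direct suppliers are third parties, their suppliers are
# fourth parties, and so on down the chain.
DEPENDENCIES = {
    "Org": ["PayrollCo", "CloudHostCo", "AnalyticsCo"],
    "PayrollCo": ["IdentityCo", "MailRelayCo"],
    "CloudHostCo": ["IdentityCo", "ChipFab"],
    "AnalyticsCo": ["CloudHostCo"],   # a third party that is also a fourth party
    "IdentityCo": ["ChipFab"],
    "MailRelayCo": [],
    "ChipFab": [],
}

# Constructed per-party attributes. external_score stands in for a feed from
# a rating provider (0-100, higher = riskier); the flags are findings from
# other risk domains (financial viability, regulatory compliance).
ATTRIBUTES = {
    "PayrollCo":   {"data_access": True,  "external_score": 35, "financial_flag": False, "compliance_flag": False},
    "CloudHostCo": {"data_access": True,  "external_score": 20, "financial_flag": False, "compliance_flag": False},
    "AnalyticsCo": {"data_access": True,  "external_score": 60, "financial_flag": True,  "compliance_flag": False},
    "IdentityCo":  {"data_access": True,  "external_score": 50, "financial_flag": False, "compliance_flag": False},
    "MailRelayCo": {"data_access": False, "external_score": 40, "financial_flag": False, "compliance_flag": True},
    "ChipFab":     {"data_access": False, "external_score": 30, "financial_flag": False, "compliance_flag": True},
}


def party_tiers(deps, root="Org"):
    """BFS from root: {party: tier}. Tier 1 = direct (third-party) supplier,
    tier 2 = fourth party, etc. A party reachable by several paths gets the
    shortest distance."""
    tiers = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for child in deps.get(node, []):
            if child not in tiers:
                tiers[child] = depth + 1
                queue.append((child, depth + 1))
    return tiers


def dependents(deps, root="Org"):
    """For every party, the set of entry points through which root reaches it:
    root itself for direct suppliers, plus each direct supplier whose chain
    leads to the party."""
    reach = defaultdict(set)
    for supplier in deps.get(root, []):
        reach[supplier].add(root)
        for party in party_tiers(deps, supplier):
            reach[party].add(supplier)
    return reach


def concentration_risk(deps, root="Org"):
    """Parties reached through two or more entry points: a shared sub-supplier
    is a single point of failure for everything that depends on it."""
    return {p: sorted(s) for p, s in dependents(deps, root).items() if len(s) >= 2}


def nth_party_data_exposure(deps, attrs, root="Org"):
    """Fourth-and-beyond parties flagged as having access to the org's data;
    these are the sub-suppliers that warrant their own due diligence."""
    tiers = party_tiers(deps, root)
    return sorted(p for p, t in tiers.items() if t >= 2 and attrs[p]["data_access"])


def composite_risk(attrs, dependent_count):
    """Illustrative multi-domain score (weights are assumptions): external
    cyber rating, financial and compliance findings, data access, and an
    uplift for each additional entry point that depends on the party."""
    score = attrs["external_score"]
    score += 20 if attrs["financial_flag"] else 0
    score += 15 if attrs["compliance_flag"] else 0
    score += 10 if attrs["data_access"] else 0
    score += 5 * max(0, dependent_count - 1)
    return min(score, 100)


def prioritize(deps, attrs, root="Org"):
    """(party, tier, score) tuples, riskiest first, so limited review effort
    goes to the parties that deserve it rather than to the longest survey."""
    tiers = party_tiers(deps, root)
    reach = dependents(deps, root)
    rows = [(p, tiers[p], composite_risk(attrs[p], len(reach[p]))) for p in tiers]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    print("tiers:", party_tiers(DEPENDENCIES))
    print("concentration:", concentration_risk(DEPENDENCIES))
    print("nth-party data exposure:", nth_party_data_exposure(DEPENDENCIES, ATTRIBUTES))
    for party, tier, score in prioritize(DEPENDENCIES, ATTRIBUTES):
        print(f"{party:12s} tier {tier}  score {score}")
```

In the constructed data, IdentityCo and ChipFab are each reached through all three direct suppliers, and CloudHostCo is both a direct supplier and a fourth party via AnalyticsCo; none of this is visible from a per-supplier questionnaire alone. The weights in `composite_risk` are placeholders to be replaced by whatever your program's risk methodology defines.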
Vetting suppliers and their third parties is just one of NIST’s recommended Key Practices. This blog series explores the entire list, which includes:
Include Key Suppliers in Resilience and Improvement Activities
Assess and Monitor Throughout the Supplier Relationship
Plan for the Full Life Cycle
Jackie Risley
Head of Product Marketing at Varis
Jackie serves as the Head of Product Marketing at Varis. Previously she spent 3 years serving as Senior Director of Product Marketing for Aravo, partnering with customers and prospects to architect their TPRM solution to build value and mature their program. Jackie has held marketing leadership positions at Nomis Solutions, Upland Software, ABBYY USA and Hyland Software.