The full steam ahead charge to the cloud during the Covid-19 pandemic has highlighted the challenges risk managers now face when trying to manage complex supply chains and rapidly developing cyber risk.

It used to be so simple. Until recently the route from maker to market was straightforward for most companies.

But the increasingly long, just-in-time supply lines now needed to stay competitive, along with the rapid shift of IT capacity onto the cloud, particularly since the arrival of Covid-19, have created a hugely significant set of new challenges for risk managers in all sectors.

“For most companies their supply chain is the most externally focused network they have,” Dave Spence, security lead at Accenture, told an audience at The RIMS Australasia 2020 Virtual Summit.

“Getting visibility and understanding of how those risks play out is increasingly challenging.”

For example, the “full steam ahead charge” towards a handful of cloud service operators, primarily Google, Amazon and Microsoft, is concentrating risk in organisations that present a “valuable and enticing target to threat actors”, bringing with it the potential for direct or collateral damage to their customers, he says.

Given this situation, risk managers need to accept that cyber breaches are inevitable. “It’s not a matter of if but when,” says Spence.

As a result, it is vital to fortify your IT ecosystem rather than rely on keeping attackers out entirely.

Spence advises working closely with supplier and contract management to identify threats; establishing a “business-driven” cyber security model that incorporates strategic governance; aligning risk management with the organisation’s cyber threat profile; and operationalising an attack-resistant supply chain through assurance and active collaboration with suppliers.

When it comes to supply chains, the key risk is that many firms, some of which may have many thousands of direct suppliers across multiple geographies, often struggle to know who they are working with beyond tier one or tier two, according to Spence.

In this situation he advises empowering suppliers and ensuring an active “flowdown of controls to the Nth tier”, similar to the approach practised by the UK Government’s Ministry of Defence (MOD).

“The MOD understand risk,” he says. “They look at their suppliers, identify high risk and mandate a flowdown of controls. They make it incumbent on their suppliers to understand their suppliers and ensure flowdown.”

The aim is to achieve true visibility of threats and security hygiene across the whole supply chain, so that products and services can be delivered uncompromised.
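The tier-visibility and flowdown problem Spence describes can be made concrete with a small tool. The following is an added example, not code from Accenture, the MOD or the summit: it models a supplier registry as a graph, walks it from the buyer to assign each supplier a tier, and reports where a mandated control stops flowing down or where a supplier has been named by a tier-one or tier-two partner but has never declared anything itself. The registry, the supplier names (`cloud-a`, `dev-shop-d`, `freelancer-e` and so on) and the three mandated controls are all constructed for illustration.

```python
"""Supplier-tier visibility and control flowdown check (constructed example)."""
from collections import deque

# Constructed sample registry: each known supplier lists the sub-suppliers it
# has declared to the buyer and the controls it has attested. "freelancer-e" is
# referenced by a tier-two supplier but has never declared anything to us, which
# is exactly the "beyond tier one or two" blind spot. "dc-ops-c" naming "cloud-a"
# as a supplier creates a cycle, which real registries also contain.
REGISTRY = {
    "buyer": {"suppliers": ["cloud-a", "integrator-b"], "controls": set()},
    "cloud-a": {"suppliers": ["dc-ops-c"], "controls": {"mfa", "patching", "ir-plan"}},
    "integrator-b": {"suppliers": ["dev-shop-d", "cloud-a"], "controls": {"mfa", "patching"}},
    "dc-ops-c": {"suppliers": ["cloud-a"], "controls": {"mfa"}},
    "dev-shop-d": {"suppliers": ["freelancer-e"], "controls": {"mfa", "patching", "ir-plan"}},
}

# Hypothetical set of controls the buyer mandates and expects to flow down.
MANDATED = {"mfa", "patching", "ir-plan"}


def map_tiers(registry, root="buyer"):
    """Breadth-first walk from the buyer. Returns {supplier: tier} where tier 1
    is a direct supplier. A supplier reachable by several paths gets its
    shortest tier; the visited check also terminates on cycles."""
    tiers = {}
    queue = deque((name, 1) for name in registry[root]["suppliers"])
    while queue:
        name, tier = queue.popleft()
        if name in tiers:
            continue
        tiers[name] = tier
        # Unknown suppliers have declared no sub-suppliers, so the walk stops there.
        for child in registry.get(name, {"suppliers": []})["suppliers"]:
            if child not in tiers:
                queue.append((child, tier + 1))
    return tiers


def undeclared_suppliers(registry, root="buyer"):
    """Suppliers that appear in someone's declaration but have no registry entry:
    the organisations the buyer is exposed to without any visibility."""
    return sorted(name for name in map_tiers(registry, root) if name not in registry)


def flowdown_gaps(registry, mandated, root="buyer"):
    """List of (supplier, tier, missing_controls), ordered by tier then name.
    An undeclared supplier has attested nothing, so it is reported as missing
    every mandated control rather than silently passing."""
    gaps = []
    ordered = sorted(map_tiers(registry, root).items(), key=lambda kv: (kv[1], kv[0]))
    for name, tier in ordered:
        attested = registry.get(name, {}).get("controls", set())
        missing = sorted(mandated - attested)
        if missing:
            gaps.append((name, tier, missing))
    return gaps


if __name__ == "__main__":
    for name, tier in sorted(map_tiers(REGISTRY).items(), key=lambda kv: kv[1]):
        print(f"tier {tier}: {name}")
    print("undeclared:", undeclared_suppliers(REGISTRY))
    for name, tier, missing in flowdown_gaps(REGISTRY, MANDATED):
        print(f"flowdown gap at tier {tier}: {name} lacks {', '.join(missing)}")
```

The useful output is the gap list rather than the tier map: a tier-one integrator that has not attested an incident-response plan, a tier-two data-centre operator missing patching, and a tier-three party about which nothing is known at all. Making undeclared suppliers fail the check by default is the design choice that matters; a tool that only scores suppliers it has data for would report the MOD-style flowdown as complete precisely where it has broken down.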

In the end, a firm is only as strong as the weakest link in its supply chain.