2020 was a challenging year which stretched many organisations financially and operationally. It forced many to make snap decisions about how they were going to continue to operate, and in some cases this has meant taking shortcuts on processes that introduce new risks. As we move into 2021 with the stark reminder that the SolarWinds news has brought, it is worth taking some time to evaluate your 3rd party risk position, as it will almost certainly have changed since your last review. Architecture risk and governance processes should not be a ‘one and done’ exercise that occurs only at the point of onboarding a new 3rd party. As we enter 2021 you need to review your 3rd party governance regularly. This issue has become increasingly important in recent times as organisations have moved to ecosystem architecture (leveraging a collection of products and services delivered outside the enterprise, for example cloud services).
So what due diligence should you be doing on your supply chain?
- Financial risks
- Tech / cyber hygiene
- Software / virtual supply chain
- Ethics and sustainability
- Physical risks
- Readiness for post CV19 “business as usual”
Financial risks
3rd parties in financial trouble mean more than just the operational risk of them disrupting your ability to serve customers. It also means they could be cutting corners on their technology, and as budgets for technology and security are cut, that corner cutting could leave you exposed to security risks.
The challenge in this area is that it is not always straightforward to assess how solid the financials of a supplier or partner are. Considering how tough this year has been on some sectors, many organisations will have burned through cash reserves and may be struggling financially. If the supplier is a publicly traded company you can find audited annual or quarterly reports; otherwise you may be reliant on analyst or news reports. Does a supplier’s cash flow present risks to your ability to operate?
Technology and cyber hygiene
Much like how neglecting personal hygiene can result in illness, neglecting technology and cyber security hygiene can result in digital infection. In a world where everyone’s personal endpoint (be that a corporate or personally owned laptop computer, tablet or phone) has become the front line of cyber security, ensuring these are well managed is vital. After all, the “castle wall and moat” of the office firewall and physical security provided by the office isn’t terribly effective – therefore the endpoint really matters.
Your suppliers must have an accurate inventory of their IT assets, and they must know the patch status of each asset and which software versions are installed. They must also be able to patch and update quickly and close down any issues on those endpoint devices in order to keep on top of the ever changing digital risk landscape.
Software / virtual supply chain
Something that has been bubbling under the surface until very recently is how vulnerable organisations are to digital supply chain risks. What does this mean? It means that digital processes such as a supplier’s software development lifecycle can directly impact your own organisation. Complex automated DevOps setups, use of open source software code, insecure cloud computing configuration and unpatched basic vulnerabilities leave holes open that criminals can exploit, often with massive consequences. Ensuring that your ecosystem has adequate risk mitigation, plus compliance with standards and controls, is vital if you want to avoid reputation damage linked to your own organisation’s use of these potentially compromised tech platforms.
It is no longer enough to be concerned about your own internal security; you need to be confident in the security of your end to end ecosystem architecture. To achieve this you need to carry out end to end risk assessments covering, but not limited to, source code repositories, cloud services, the DevOps tool chain, and deployment and testing processes. Digital business means moving at pace, but this can’t be done at the expense of security. Testing throughout the lifecycle and embracing DevSecOps are key.
Ethics and sustainability
2020 has reconnected many people with the natural world, and politicians are talking about ‘building back better’ once the pandemic has relented. Make sure that your suppliers haven’t cut corners in their operations this year to stay afloat. Customers will not look favourably on brands that don’t look after customers, staff and the environment.
Physical risks
Is social distancing being followed at places of work? For those that need access to PPE, is it available in sufficient quantities?
What parts of your suppliers’ operations have been mothballed or now have limited personnel on site? Those locations are potentially exposed to social engineering and physical network intrusion, and your component parts or finished stock held there are at risk.
Readiness for post CV19 “Business as usual”
The vaccination programmes that are now starting to roll out should, in the next few months, reopen parts of the economy, including business travel and hospitality. But many of these suppliers haven’t been used at the same level over the last year. Can they ramp back up when required, or have they laid off staff and shut the locations you previously relied on for events and meetings? What risks will need to be assessed as your operations adapt, and continue to adapt, to the rather unpredictable future that will unfold?
2021 – the year for effective architecture and governance in a time of budget cuts and uncertainty
2021 will need to be a year of further adaptation, with even more focus on longer term technology management and risk mitigation measures. That means making sure the organisation thinks about its new ecosystem architecture footprint and considers the topics discussed above. It also means asking your suppliers and ecosystem some tough questions, including: where have you made changes in your use of technology, and what impact does this have on security?
Above all else it reinforces the need for good IT governance and security hygiene across the ecosystem, which starts with having a reliable inventory of your assets. Endpoints have become far more critical, and knowing their status across the extended enterprise is essential to effective risk management in 2021 and beyond.
Oliver Cronk is the Chief IT Architect for EMEA at Tanium, and was previously the Chief Architect for Deloitte Risk Advisory in the UK. Oliver’s role is to advise customers on IT strategy and architecture across all their environments, to ensure they are effectively managing operations, risk and security across their technology estate. Tanium is an endpoint management, risk and security platform.