Supply chain cyber security at risk without specialist CISO input

Chief Information Security Officers (CISOs) need to provide specialist cybersecurity knowledge to reduce risks of cyberattacks in the supply chain by becoming a critical component in the procurement of vendors, according to new research revealed by Cyber Security Connect UK.

For those who came in late, Cyber Security Connect UK is a cybersecurity forum that is held annually in Monaco during November.

The findings from the ‘CISO and vendor relationships in the supply chain’ report from Cyber Security Connect UK(CSCUK) indicates that there is a fragmented approach to cybersecurity in the supply chain and that a high level of risks is present which need to be closely monitored and reviewed.

CISOs believe that supply chain cybersecurity should be an integral part of product and service delivery. Business managers are less aware of the weaknesses and threats of cyberattacks. CISOs need to have a higher level of influence in the procurement process to reduce risks.

Mark Walmsley, the chair of the Cyber Security Connect UK steering committee and CISO at Freshfields Bruckhaus Deringer, said: “CISOs believe that businesses need to take stronger steps to establish robust procedures that minimise cybersecurity risks within the supply chain. We found that 97 per cent of CISOs see the supply chain as a source of risk, so there is an urgent commitment needed to mitigate risk exposure when undertaking a procurement exercise.

“CISOs expect vendors to adopt policies and procedures that provide stronger security controls. While the system and network administrators can be guilty of system misconfigurations, poor patch management practices and the use of weak passwords, ongoing auditing and due diligence can guard against potential threats.

“Fragmented standards and cross-border working expose some sectors to greater risk. Ultimately international agreement will be necessary to tighten up on protecting against cyberattacks and theft of data assets and intellectual property.”

Supply chain relationships between CISOs and vendors will feature at CSCUK 2019 in November. CSCUK is a unique cybersecurity conference that allows senior high-level CISOs the opportunity to meet peers from across all market sectors. The closed event is solely for the CISO community and provides a dedicated forum for networking with like-minded peers across multiple industries.