Strengthening the shield: Procurement’s partnership with information security to mitigate cyber risk
This content does not express the views or opinions of Spend Matters
In our previous installment on Spend Matters, we discussed the rapid evolution of Supply Chain Risk Management happening within procurement organizations. As the risks that trigger supply disruptions, regulatory non-compliance and missed corporate objectives continue to gain visibility, an ‘eyes wide open’ attitude towards supplier risk assessment and mitigation strategies has become imperative to improve operational resilience.
Cyber security — across both the digital and physical supply chain — is a risk area where procurement has traditionally taken a back seat to subject matter experts often led either by the Chief Information Security Officer or, in the absence of one, the IT department. However, as procurement has been increasing its influence and credibility across many departments and risk management initiatives, the scope of its role in cyber security within the extended supplier network is growing.
And so it should.
Cyberattacks increasingly reach an enterprise through its supply chain partners, which are connected to enterprise networks and data via software, IT services, data centers and even non-technical business service providers (legal, financial, marketing, customer service, etc.). Yet, in many organizations today, neither the information security nor the procurement function fully owns this source of supplier risk. This leaves it unclear who is responsible for proactively strengthening the organization’s operational resilience against data loss, service interruption or compliance failures.
Cyber ranks at or near the top of the supply chain risks and disruptions on the minds of corporate leaders across most industries. The results of our forthcoming global supply chain risk survey (Resilience 2023, The Interos Annual Global Supply Chain Report) showed that organizations that had experienced cyber security events (data leakage/loss, ransomware, service disruptions) reported an average impact of $43 million per year.
But what is procurement’s role in managing something as technologically complex as cyber risk across the supply chain? More importantly, how can procurement gain the credibility necessary to effectively partner with the CISO/IT department?
In our 2022 Interos report, we reported that more than 80% of 750 IS/IT leaders and 750 procurement leaders surveyed agreed that cooperation between their respective functions was vital to protect their organizations against supply chain disruptions. At the same time, more than three-quarters of both sets of executives agreed they needed to improve the way their teams share information and collaborate when it comes to supply chain risk.
Procurement’s primary contribution is expertise in commercial activities, including supplier evaluations, performance and risk management, and strategic sourcing, while the CISO’s office has subject matter expertise in security standards and technical details. Collaboration between these two groups is important to define the standards and processes for:
- Assessing new and existing suppliers for cyber vulnerabilities, regulatory compliance, security protocols, past cyber events and even sub-tier supplier risks that contribute to the overall security of the supply network.
- The ongoing monitoring of suppliers to identify vulnerabilities, attacks, breaches and even the subtle indicators that suggest an undisclosed cyber event has already occurred.
- Developing the mitigation and remediation playbooks necessary to increase recovery speed and reduce the impact of a cyber event.
At Interos, we are seeing the fruits of this collaboration in real time as our procurement customers take a more proactive role in partnering with our CISO customers to better manage cyber risks and build resilience into their digital supply chains. With their assistance, we’ve deployed a new methodology for our cyber risk scoring that enables non-technical procurement teams to use state-of-the-art cyber assessments without being cyber experts, and to better support the IT department’s requirements for maintaining a strong cyber security profile across the supplier base.
Cyber security and digital supply chain risk will continue to be top of mind, especially with increasing regulatory requirements in critical industries (financial services, energy, healthcare and defense, to name a few) focused on digital operational resilience and data security. The relationship between procurement and information security is critical to managing that risk and will shape how they collaborate, communicate and learn from each other’s insights in the shared outcome of operational resilience.