For the program, the CISO partnered with the Office of Management Budget and their agency procurement office to rank the larger corporate acquisition projects by their level of cyber risk—low, medium or high. “Obviously, for some items you might buy, you don’t need to do a risk assessment,” Gregg explained. “But what we did want to do was if it was a big project, if it was something that impacted security in some way, we were able to evaluate it by looking at their security compliance and other factors to make sure that it was a good choice for the state before we [proceeded] to get into a risky situation.”
Another way the supply chain risk management program tackled reducing cyber risks was to examine the total number of vendors that served the state. “Because when you can reduce down the number of vendors, then you have bigger voice with the ones that remain,” he stated. “I would say we changed those relationships from being just transactional to being a partner with a vendor. What we have looked for is to develop partnerships with these individuals where we can look for longer-term solutions and not just transactional solutions.”
That construct has also…
