Q: How realistic is it for CSCOs to mitigate cyber risks of third parties such as suppliers and software providers, given the complexity of most supply chain ecosystems?
A: Third-party risk management is crucial to supply chain cybersecurity. Earlier this year, Gartner predicted that 60% of supply chain organizations will use cybersecurity risk as a key buying criterion by 2025. That growing level of awareness is encouraging, but CSCOs need to do more to actively manage risks presented by their ecosystem partners.
To address the exposure third parties present and build a more resilient supply chain, CSCOs should execute a four-step supply chain cyber TPRM program:
- Identify organizational value drivers and the supporting operational assets by conducting a business impact analysis (BIA).
- Develop a business continuity plan (BCP) detailing how to protect, defend, recover and/or replace partner critical assets in the event of a cyberattack.
- Work with procurement and other CSCOs to develop the appropriate contract language to flow down the organization’s supply chain cyber standards to the partners.
- Develop a risk-based capability to select partners initially and then continuously…