Immovable Flattery vs Unstoppable Imitation: Cyber Security and Supply Chains

“Integrity is the ability to stand by an idea.” ― Ayn Rand, The Fountainhead

Leading up to the 2008 credit crisis, most firms followed ‘best practice’ credit models with validated ‘risk thresholds’, all confirmed by regulators.  Credit derivatives would, of course, deal with any ‘outliers’ and historical trends clearly showed that, more or less, over the long term housing prices always went up around or above inflation.  3rd world credit disasters, while interesting for an MBA thesis, really were not relevant for the enlightened Western World and tail risk was imagined to be ‘under control’. 

Now fast forward to 2018 and imagine, if you will, finishing the final touches on your various cyber security investments for your budget cycle.  Imagine following best practice, hiring the best consultants, deploying only Gartner Magic Quadrant leaders, and implementing ‘the best’ security control standards.  Consider that you also attended many conferences with other CIOs and CISOs, where they, seemingly rightly, reinforced your view that you were ‘a thought leader’ and ‘doing everything right’, it of course being pure coincidence that you happened to be following the same approach as them.  Assume that cyber insurance would cover any ‘outliers’, and that CROs were starting to claim ‘it's all just Operational Risk and easy to model’.

Envision this world two years from now where almost all major firms follow the same blueprint for cyber defense – the same vendors, the same controls, the same standards.  Oh, and of course imagine someone from these firms did just attend a breakfast briefing on 'Blockchain's replacement!', just to show they are open minded.

Now consider two words: Systemic Risk.

With those two words in mind, imagine a firm that is creative, or at least a fashionable non-conformist. A firm that stands on the shoulders of giants – never discounting what came before, and following best practice – but equally is not fully aligned to a ‘standard’ cyber security strategy, nor to an approach that fights the last battle based on older hacker tactics.  A firm which gives new startups a chance.  A firm that openly tries to measure the value of cyber security investments against new threats, and is willing to quickly flag previously effective solutions as sunk costs and change tactics as those threats change.

Now consider this question: which of the above would a hacker prefer to go after?  Equally, which vendors would organised crime or nation states prefer to focus their efforts on for the next ‘zero day’?  The one used by 480 of the Fortune 500, or a collection of startups and mid-sized firms, complementing ‘top’ firms, following a defence in depth model?

Of course, regardless of which approach a firm elects to follow, their wider issue is likely their 3rd party suppliers, especially those that process or store data.  Larger Fortune 500 or FTSE 100 firms likely have 200+ suppliers of significance, if not far more, that either process or store data for them.  Equally, they no doubt have many other suppliers that have elevated access rights or direct connections to their systems – HR systems, payroll systems, financial systems, etc.

How can a firm provide assurance over these 3rd parties?

Again, the approach taken often mirrors how a traditional firm defends itself.  The firm may ask or insist that a supplier is ISO 27001 certified.  If they are, a lighter touch, primarily ‘tick box’ review is probably done.  If not, they will bury that firm in paperwork and tick box questions.  Standard questions are asked, and standard answers of course received.  Do they patch regularly?  What systems do they run?  What is the makeup of their security team?  Somewhere, a question about crown jewels will come up too.  Yet regardless of these questions, the scale of this assurance, along with the irregular frequency of reviews (often every 1 or 2 years depending on the value of the supplier), means that true assurance is challenging.  Additionally, more rigorous checks on smaller suppliers, or expectations that they deploy protection similar to a firm worth tens or hundreds of millions, are not realistic either.

Ironically, most large firms likely have a treasure trove of paper based reviews and validation based on ISO 27001 or other standards without a true sense of ‘protection’ from their suppliers who often have key data and/or key access to systems.  What can a firm do?

In my view, firms should attempt to be creative in how they protect their suppliers.  For example, if assurance for a smaller yet key supplier to your firm requires four weeks of on-site audits, 1 week annually of various ‘compliance’ checks, and an annual pen test, at a cost of say 50,000 USD in real terms and lost opportunity, why not consider deploying that investment in a way that actually helps that smaller firm better protect itself (which, in turn, protects your firm)?  Simple examples could be deploying basic WAF protection for them – perhaps even making investments in basic, but useful, core protective technology as part of any investment or deal.  If more radical, a firm might even offer to deploy some of its in-house cyber team for a couple of days in a partnership, rather than adversarial, role to help the smaller firm improve its baseline.

A more radical view could be extending a core, baseline level of protection to any smaller firm you deal with.  For instance, if Barclays, Prudential, and Goldman all happened to deal with a smaller vendor that processed HR data for them, they could each throw the book at that vendor with ‘paper based’ compliance, questionnaires, and on-site audits, OR they could be more proactive in helping the smaller firm.  Ultimately they would be improving their own security posture as well as the smaller vendor's and, most importantly, reducing the systemic risk that smaller vendors introduce to the wider supply chain.

Then again, perhaps the current approach is fine, just as the approach to credit risk in 2006 and 2007 was - before it wasn't.

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

1 week

Robert, thanks for sharing!

Robert D.

Experienced and pragmatic security risk manager specialising in TPRM, info sec management, business continuity management and operational risk management.

8 years

Good article! I always try to position my reviews (not audits) as free consultancy and try to avoid insisting on controls that aren't reasonable or proportionate to the service provider. It may not achieve instant compliance with the corporate requirements, but it gets the journey underway. And people are more likely to accept recommendations if it will benefit all their customers and not just one.

Hannah Doughty-Curtis

Manager of International Account Management | Revenue retention, Customer Success

8 years

Great article and idea - Nick Prescot thought this may interest you.

Chris Olive

#CyberSecurity Strategist | Advisor | Evangelist | Consultant | Hands-On Technologist | Human Router

8 years

Robert Duncan I love this entire train of thought. LOVE it. There are some custodial and liability issues to work out but the entire idea is very forward thinking. Great article! This should be demonstrated in a real world supply chain example to prove its merits, but I think it has a lot of merit. Tagging: Joanne Moretti

Scott Lowe

MD & Co-founder at endpointX - Preventative Cyber Security

8 years

Great perspective. To build on this, I think everyone believes start-ups need investment, but I think they would probably benefit more from mentorship / partnership with a big company. This could help them learn how to scale to an enterprise level, how to tick these audit boxes and develop their products. This is often far more valuable than money.
