News

EXPERT OPINION: It’ll never happen to us

Alex Jordan, Head of Tools & Methodologies, ISF
Published 07 - August - 2024
Tags: risk, supply chain, people

It’ll never happen to us.

So started the first of these expert opinions. As Paul Watts made clear, most security practitioners have faced this argument at some point in their careers. It will resonate up and down the conference halls hosting security events, pervade the conversations at water coolers near employees’ desks, and be infused into conversations on LinkedIn, X (previously Twitter) or Reddit.

Without a doubt, this argument has been largely defeated. There have been too many cyber security incidents to count. The team responsible for the Data Breach Investigations Report (DBIR) 2025 will probably deserve a medal of some sort by the time they’ve compiled the data from 2024. Cyber security incidents are pervasive and increasing, and that isn’t going to change.

But what if we were to analyse “It’ll never happen to us” a little more?

Right now,

And perhaps that is the crux of the matter.

Businesses around the world look at their perimeter, their systems, their configurations. They design them in a secure manner, they build out resilience, and they test them to the point of breaking. That’s not to say it’s perfect by any means, but it’s a lot easier to secure your own infrastructure.

Securing things you don’t have direct visibility or control of, on the other hand, is hard work. Third party suppliers are their own independent businesses. They have their own security concerns. And just like you, they look at their perimeter, their systems, and their configurations, and do their best to meet the demands of modern cyber security.

Also, just like you, they are not perfect.

Suppliers run a business, which will, in many ways, be just like yours. They depend upon people, just like you do. They answer to a higher authority, whether that be shareholders, boards, CEOs, or similar – just like you do. They have their own immature business processes that feel like they’re held together with spit and glue. And possibly, some tough decisions may have been made. Risks have been accepted. Nth parties have been engaged.

And so the cycle repeats, culminating in a race to the bottom, as supplier after supplier is stacked up, each with varying commitments to security. Some will be excellent. Some will be fine. Some may be lacking in a few places. And regardless of the efficacy of any supplier and their security posture, mistakes will still happen, and gaps will have been left. This has been seen in two recent, separate examples where industry-leading technology companies have caused significant disruption to their clients – not because of anything malicious, but simply because someone somewhere configured something incorrectly.

Importantly, in both situations, the controls intended to prevent these disruptive outcomes failed – this is a technology-dominated industry, but that technology can – and will – fail. And when that technology is so deeply embedded, the dominoes start to fall.

So I’m just a falling domino?

Not quite.

Management of third parties does not start and end within an assurance activity. The cyber security industry loves a good security assessment. We profile suppliers, ask them some questions, ask a few more questions about the responses to our original questions, and then follow up with some further questions for good measure. We slap a few conditions on the supplier, and then, once done, we move on to the next. For many businesses, this is such a significant part of managing their security posture that entire departments are dedicated to performing this role, just so that the business understands the posture of its suppliers.

But, as mentioned, suppliers aren’t always top-tier security practitioners. They do what they can with what they’ve got. This is why some suppliers need not just an assessment, but the option of ongoing support and engagement from the business. This holistic, all-encompassing nature of supplier management can be found embedded within the ISF’s Supplier Security Suite, which touches not just on supplier assessment, but complete management of suppliers throughout their lifecycle. Whether this be when initially engaging a supplier and opening discussions with the business, ongoing monitoring and support when securely embedded into the business, or when ending a relationship and ensuring assets are secured during this process, the Supplier Security Suite has it all, maintained within a robust framework and online web application.

This approach enables organisations to not just conduct a point-in-time security assessment, but also understand the implications of supplier mistakes, breaches or failures. Critically, these implications can then be fashioned into something the business understands: risk.

Risk is a message the business understands

Businesses are more than comfortable with risk. Every business decision is taken with an understanding (acknowledged, inherent or otherwise) of risk. And as with all risk, some risks can be positive, and some can be negative. Predicting a market shift and pivoting to exploit that position was a risk-based decision that paid off for Nvidia, but, in the same market, sticking to their tried-and-tested business model was a risk-based decision that has left Intel floundering.

In much the same way, every supplier is a risk. They introduce their own nuances, their own ways of working, and their own security strategies. And try as we might, we cannot manage everything. We can heavily limit the chance of things going wrong (think preventative controls) and try to limit any damage if those controls fail. But to suggest that things will never go wrong would be negligent.

So sometimes, rather than purely managing technical controls, we need to manage risk instead. That’s where proven methodologies, such as the ISF’s IRAM2 and QIRA, come into play. Being able to communicate risk in a language that the business will understand (either qualitatively or quantitatively) can simplify the conversation significantly. Not only does effective risk management result in conversations the business can understand, it also enables security practitioners to think like the business.

Every business is built on a balance of risk and reward. And when it comes to third parties, security risk is no different from other risks that may be introduced to a business. An operating system failure may stop your workstations, servers and factories from running, but if a third party supplying your raw materials goes out of business, those factories will also stop running. You have contingency plans for one, so why not the other?

No single product can solve this. Instead, businesses need a holistic approach that targets several problem spaces simultaneously, drawing on industry best practice to engage with the business, manage suppliers and communicate the associated risk. The ISF’s Tools and Research, complemented by our award-winning consultancy services, are one such holistic approach.


For further guidance on how to improve your business’s resiliency against future threats to your business, please visit: ISF: Your first line of defence in incident response management