Maintain a diversified supply chain: Organizations that source from international technology suppliers need to ensure they are not overly reliant on a single vendor, single region or even a single technology. Maintaining a diversified supply chain can mitigate costly disruptions from a cyberattack or vulnerability involving a key supplier, or from disruptions tied to regulatory shifts, trade restrictions or geopolitical conflicts.

“What we’re talking about here is business resiliency or, more narrowly, supply chain risk management,” says Bruce Jenkins, CISO at Black Duck. “One must identify the likelihood and impact of supplier disruption and identify the alternatives.” Security leaders should make sure to include these risks and potential impacts in their overall enterprise business impact analysis (BIA) process, and the alternative plans for addressing them in their business continuity plan (BCP), Jenkins recommends.

Strategically sourcing from multiple suppliers and regions where possible can enable better resilience and adaptability to emerging threats or unexpected geopolitical shifts. “If you’ve got key technology partnerships with access or delivery sourced in geographies of concern, it is worth cultivating alternatives that are warm,” recommends Ford at Bugcrowd. “If you’ve got regions all served or accessed through common undersea cable connections, understand what disruption could look like, and how you’d address an outage or degradation of service.”
Implement robust risk assessment and monitoring: Implement a risk assessment and monitoring program for your global IT supply chain, or review, and update where necessary, any such program you might have in place already. Organizations with suppliers in geopolitically volatile areas should consider developing an early warning capability that combines external threat intelligence feeds, news monitoring and regional business analysis. The goal should be to anticipate potential disruptions before they impact operations. “CISOs must adopt a proactive, risk-based approach when managing suppliers, especially in regions with complex regulatory or geopolitical dynamics,” says Darren Guccione, CEO and co-founder at Keeper Security. “Understanding the risks posed by suppliers in high-risk areas is critical.”

Continuous tracking and monitoring of global and regional tensions is especially crucial in regions where key suppliers operate or where critical technologies are sourced. The goal should be to understand how evolving trade policies and sanctions might affect access to security tools, updates and services, especially when these policies target technology sectors or specific companies. One example is the US government’s 2024 ban on the use of Kaspersky’s security products in the US.

“If there is a sanction event that results in your inability to leverage your supplier’s solutions, I recommend attempting to maintain open and honest communications with your supplier,” Jenkins from Black Duck says. “Your contracting and export compliance legal teams should be leveraged for this,” he notes. If sanctions or regulatory actions directly or indirectly impact your ability to maintain communications and fulfill due diligence obligations, it’s best to follow the mitigation route in your BCP, he advises.
Maintain ongoing visibility over your supplier’s compliance obligations: IT suppliers, even reputable and large ones, can sometimes fall afoul of international and export control regulations. In 2023, for instance, Microsoft had to pay a fine of $3.3 million to the US Department of Commerce’s Bureau of Industry and Security (BIS) and the Department of the Treasury’s Office of Foreign Assets Control (OFAC) for allegedly selling its software to a Russian company on a US sanction list. In another incident, virtual currency exchange Kraken had to pay a fine of over $360,000 to settle US charges that the company had violated sanctions against Iran.

Sometimes, non-compliance by a supplier can lead to restrictions that may impact your organization’s ability to operate globally, so it’s vital to continually monitor your supply chain to ensure ethical sourcing.

Be consistent, methodical and regular with your third-party risk management (TPRM) practices. Ensure that your suppliers meet recognized security certifications such as SOC 2 Type 2 and ISO 27001, Guccione says. “Clear contractual agreements outlining cybersecurity standards and data handling protocols are essential to ensure that suppliers meet the organization’s security requirements,” he notes. Establish a strong governance framework that includes regular audits, compliance checks and continuous monitoring.

At the same time, be aware of the limits of your efforts within the context of a specific geopolitical or regulatory environment, Jenkins cautions. “Understand and work within those constraints, whatever they are, and don’t waste your time pushing back unless there is indisputable business value in doing so.” Document your efforts for audit purposes and use the outcomes of your efforts for future risk-based decision-making around procurement and business resiliency programs, Jenkins notes.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3819136/how-to-evaluate-and-mitigate-risks-to-the-global-supply-chain.html