Tuesday, 20 February 2018

Automating SERM to protect our Domino


In my previous blog, The Domino Effect, we explored what SERM is, what the process entails, and briefly why automation is preferred. In this instalment we expand on exactly why automation is a must, and what organisations can do to significantly reduce the risks presented by third-party suppliers.

The NotPetya outbreak that dominated the news last year is a case study in the benefits of SERM. Perhaps, had the customers of MeDoc had an automated SERM process in place, they would have been able to weigh up properly the risk MeDoc posed as a supplier, and that could have prevented, or at least mitigated, the outbreak that spread from Ukraine in June 2017. One caveat is worth stating: NotPetya arrived through a trojanised update of MeDoc's own software, so a questionnaire would only have surfaced that weakness if it probed the supplier's build and update pipeline (code signing of releases, access control over the update infrastructure) and not just its corporate IT. Automated SERM highlights insecurities in the supply chain by distributing surveys automatically, showing the real-time status of every survey, and sending automated reminders to suppliers who have not completed theirs within a given timescale. A mature SERM solution also highlights weaknesses in the supplier's hardware and software assets, missing patches for example. On survey completion, automated SERM produces the report immediately, closing the gap between survey submission and risk visibility. With that picture in hand, MeDoc's customers could have decided for themselves whether to keep trusting MeDoc as a supplier.

For the conspiracy theorists out there who will say to me, "ah yes, but the NotPetya attack was not about cyber": firstly, I agree! There is indeed evidence that suggests NotPetya was more than just a cyber-attack. Secondly, and more importantly, what about Equifax? Or Uber? Much of the damage associated with breaches could have been prevented, or at least severely mitigated, had automated SERM been in place. Highlighting the risks that third-party suppliers pose to the business, and establishing exactly what those risks mean, allows decisions to be made that will prevent our domino from tumbling.

Not every reader will like the term automation. Does your mind drift to a Skynet landscape where robots rule supreme, a fear reinforced by the rising tide of insecure IoT devices (look back to "Secure Coding – The foundation on which we must build our future empire")? If so, I'm glad I'm not the only one. That said, automation in SERM is an absolute must. We must use it to obtain a real-time risk picture of our suppliers, highlighting the riskiest ones and therefore where to implement safeguards first.

Impressive as it may seem, over two instalments on SERM we have come this far without a mention of the feared EU GDPR, which applies from 25 May 2018, but we would be neglectful not to discuss what it requires of a SERM programme. Article 4(7) defines the controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…" In the context of a SERM project, your organisation is the controller. The suppliers you evaluate will normally fall under the role of processor, defined in Article 4(8) as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." Note that a supplier is a processor only where it handles personal data on your behalf and on your instructions; a supplier that decides its own purposes for that data is a controller in its own right, with its own obligations. Either way, Article 28(1) requires a controller to use only processors that provide sufficient guarantees of appropriate technical and organisational measures, and the evidence behind those guarantees is exactly what a SERM survey gathers.

Right from the start of the working relationship, you and your supplier must have a clear, written understanding of which personal data (PII, in the term the industry still uses; GDPR says "personal data") each party will process, including the metrics used to gauge how sensitive it is. Article 28(3) requires the processing contract to set out, among other things, the type of personal data and the categories of data subjects, so this is a legal requirement as well as good practice. The classification should be agreed up front: whether the supplier will handle GDPR Article 9 special-category data such as health or biometric records, or only lower-sensitivity fields such as gender or marital status, because that determines how much damage a breach at the supplier would do to your business. With the classification defined, a SERM survey gives an accurate, clear picture of the risk each supplier presents should it be breached.
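The mechanics described in the NotPetya paragraph above (distribute the questionnaire, chase suppliers who miss the timescale, report the moment a survey is submitted) and the sensitivity classification discussed in this paragraph fit together in a small risk model. The Python below is an added illustration written for this page, not ZeroDayLab's SERM platform or any real questionnaire: the five questions and their weights, the sensitivity tiers, the supplier names, dates and answers are all constructed, and the scoring rule (data-sensitivity weight multiplied by the weighted control gap, with unanswered questions treated as failing) is an assumption of the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Weight for the most sensitive personal data a supplier processes on our behalf.
# GDPR Article 9 special-category data (health, biometric, ...) sits at the top;
# the numeric weights are an assumption of this example.
SENSITIVITY = {"basic": 1, "financial": 2, "special_category": 4}

# Questionnaire: control id -> (question text, weight). Constructed for the example;
# a real SERM questionnaire runs to hundreds of questions.
QUESTIONS = {
    "mfa_admin": ("Is MFA enforced for all administrative access?", 3),
    "patch_sla": ("Are critical patches applied within 14 days of release?", 3),
    "signed_updates": ("Are updates shipped to customers code-signed from an access-controlled build pipeline?", 4),
    "encrypt_at_rest": ("Is our personal data encrypted at rest?", 2),
    "incident_notify": ("Will you notify us of a personal-data breach within 72 hours?", 2),
}

DEADLINE_DAYS = 14      # timescale the supplier is given to complete the survey
REMINDER_INTERVAL = 7   # days between automated reminders once overdue
MAX_REMINDERS = 3


@dataclass
class Supplier:
    name: str
    data_tier: str                                 # key of SENSITIVITY
    survey_sent: date
    answers: dict = field(default_factory=dict)    # control id -> True if the control is confirmed
    reminders_sent: int = 0

    @property
    def completed(self) -> bool:
        return set(QUESTIONS) <= set(self.answers)


def overdue(s: Supplier, today: date) -> bool:
    """Survey still open after the deadline."""
    return not s.completed and today > s.survey_sent + timedelta(days=DEADLINE_DAYS)


def reminder_due(s: Supplier, today: date) -> bool:
    """One reminder at the deadline, another every REMINDER_INTERVAL days, capped at MAX_REMINDERS."""
    if not overdue(s, today):
        return False
    days_late = (today - (s.survey_sent + timedelta(days=DEADLINE_DAYS))).days
    expected = min(1 + days_late // REMINDER_INTERVAL, MAX_REMINDERS)
    return s.reminders_sent < expected


def control_gap(s: Supplier) -> int:
    """Weighted sum of controls not confirmed. Unanswered questions count as not in place,
    a deliberately conservative assumption so that silence never lowers a score."""
    return sum(w for qid, (_, w) in QUESTIONS.items() if not s.answers.get(qid, False))


def risk_score(s: Supplier) -> int:
    """Exposure (how sensitive the data the supplier holds is) times the size of the control gap."""
    return SENSITIVITY[s.data_tier] * control_gap(s)


def status(s: Supplier, today: date) -> str:
    if s.completed:
        return "complete"
    return "overdue" if overdue(s, today) else "pending"


def risk_report(suppliers, today):
    """Riskiest supplier first. Because it is computed from the stored answers, the report
    is available the moment a survey is submitted."""
    rows = [
        {
            "supplier": s.name,
            "status": status(s, today),
            "risk": risk_score(s),
            "gaps": [qid for qid in QUESTIONS if not s.answers.get(qid, False)],
        }
        for s in suppliers
    ]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def reminders_to_send(suppliers, today):
    return [s.name for s in suppliers if reminder_due(s, today)]


# Constructed sample supplier base: fictitious names, tiers, dates and answers.
TODAY = date(2018, 2, 20)
SUPPLIERS = [
    Supplier("Acme Accounting Software", "financial", date(2018, 1, 15),
             {"mfa_admin": True, "patch_sla": False, "signed_updates": False,
              "encrypt_at_rest": False, "incident_notify": True}),
    Supplier("Northwind Payroll", "special_category", date(2018, 2, 1),
             {"mfa_admin": True, "patch_sla": True, "signed_updates": True,
              "encrypt_at_rest": True, "incident_notify": False}),
    Supplier("Blue Sky Marketing", "basic", date(2018, 1, 20),
             {"mfa_admin": True}, reminders_sent=1),
    Supplier("Quiet Catering", "basic", date(2018, 2, 15)),
]

if __name__ == "__main__":
    for row in risk_report(SUPPLIERS, TODAY):
        print(f"{row['risk']:>3}  {row['status']:<8}  {row['supplier']}  gaps={row['gaps']}")
    print("reminders:", reminders_to_send(SUPPLIERS, TODAY))
```

Two design points are worth noting. Treating an unanswered question as a failed control means a supplier who ignores the survey drifts to the top of the report rather than disappearing from it, which is the behaviour you want from an automated chase. And the "signed_updates" question carries the largest weight precisely because a supplier whose software update channel is compromised can push code into your estate regardless of how good its office security is; adjust the weights to your own threat model.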

Over the two instalments on SERM we have seen that its primary purpose is to survey your suppliers and gauge the level of risk (how big a domino) each one poses to your business. Automated SERM surveys let your organisation establish what protection your suppliers currently have in place and build a clear risk picture of your supply chain from real-time information, so that action on a supplier can be taken immediately. Automated SERM highlights a supplier's information security weaknesses, which can strengthen the working relationship by helping them improve their security posture, or can justify ending the relationship and removing the supplier from the chain of dominoes altogether. Remember, this is your domino to protect and to keep from falling.
Without doubt, the most practical way to acquire an accurate, real-time risk picture of your supply chain is through automated SERM. ZeroDayLab would be pleased to demo our automated SERM process; please contact us for more information.


What we know is a drop, what we don’t know is an ocean
Isaac Newton
