Tuesday, 13 February 2018

SERM - The Domino Effect


I have two little monsters and like the little monsters they are, they love the whole Disney Pixar thing. One edition of Disney Pixar that we have watched maybe a little over what feels like one or two million times is Robots. For anyone who knows the story behind the film, they will be familiar with the dominoes scene which marks the triumphant return of Bigweld – the company’s missing boss and hero to the main character – Rodney Copperbottom. For those who are not familiar, Rodney causes the crash of hundreds of billions of dominoes by just toppling one. This domino effect, which starts innocently enough, can lead to disastrous effects.


Let’s exchange the Pixar setting for your organisation. Think of your organisation as the last domino, the biggest in the chain, centred in a large circle of a long list of “supplier” dominoes. Would a breach that affects, spreads through and ultimately topples a supplier have disastrous effects for you? The real impact of a toppled supplier is ultimately unknown, unless your organisation has taken steps to adequately assess the risks its suppliers present. This process is known as Supplier Evaluation and Risk Management, or SERM.


Let’s break SERM down:
  • Supplier Evaluation is:

    • Gathering information on the suppliers we have. First and foremost, we need to determine how many suppliers we have! Many organisations have only a rough head count of their suppliers. Supplier Evaluation gives an organisation a firm grip on the actual size of its supplier domino chain, and once the length of the chain is known we can accurately gauge the level of risk it presents to the organisation.
    • Identifying what these suppliers do. The risks a supplier presents to an organisation depend largely on what that supplier does for the organisation. A supplier that provides office furniture can be viewed as much less risky than one that provides data analytics services. In the case of the office furniture supplier, an assessment can be considered complete once it’s determined that they pose little risk to the information security of the organisation. For the data analytics provider, it’s necessary to dig a little deeper and get to the crux of the risk they pose to the business.

    • Assessing how good a supplier is at security is that deeper digging. This assessment can be conducted via a combination of the following activities:

      • Requesting that the supplier respond to a broad set of short yes or no questions about the security controls they have in place.
      • Requiring evidence (where necessary) that demonstrates that the controls they attest to are indeed in place.
      • Benchmarking the configuration of their estate, highlighting missing patches, outdated operating systems and known Common Vulnerabilities and Exposures (CVEs).
  • Risk Management
    After completing the evaluation, we have a clearer view of how dominoes in the chain may fall. Now we need to weigh the impact of their fall. This helps an organisation determine the risk each vulnerable domino exposes it to. Would the risk be minor, perhaps giving our domino a gentle shake, or would it be a major, earth-shattering crash that topples our organisation completely?
    We can determine the size of a supplier’s domino by:

    • The supplier’s risk score, based on the Supplier Evaluation.
    • Their impact on our organisation’s short- and long-term goals and objectives. Imagine we are an organisation that delivers online training. As an online trainer, we have an online meeting supplier which we use daily to deliver webinars to our customers across the globe. Our online meeting supplier is hit by a cyber-attack and topples. Unless an alternative can be used, this will result in our inability to deliver training. Such an event would be disastrous to our customers, and therefore to our brand and our organisation: even though we have not been directly hit by the cyber-attack ourselves, our domino has fallen.

At this point we must understand that SERM is a multiphase process. To adequately measure the risk posed by our suppliers, we need to:
  1. Distribute surveys to all suppliers
  2. Gather those responses
  3. Analyse and assess the responses
  4. Distribute follow-up surveys if required
  5. Gather those responses
  6. Gauge the level of risk posed by those suppliers
  7. Implement safeguards or take the necessary steps to remove or mitigate individual supplier risk.
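The evaluation and risk-management steps above, together with the follow-up and reminder phases of the process, can be modelled in a few lines of code. The following Python is an added example written for this article; it is not ZeroDayLab’s SERM tooling or any part of the original post. The control questions, their weights, the evidence requirement, the impact scale (1 to 5), the exposure thresholds and the three sample suppliers are all constructed assumptions for illustration. It scores each supplier’s yes/no answers (a “yes” on a control that requires evidence only counts once evidence has been received), weights the resulting risk score by the supplier’s business impact, lists the open follow-up items for each supplier, and flags which suppliers are due an automated reminder because their survey is still incomplete past the response deadline.

```python
"""Toy supplier risk register for a SERM process (constructed example)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Control:
    """One yes/no survey question about a security control (assumed set)."""
    key: str
    text: str
    weight: int            # how much this control counts towards the score
    needs_evidence: bool   # a bare "yes" is not enough; proof must be supplied


# Hypothetical control set; weights and evidence flags are assumptions.
CONTROLS = [
    Control("mfa", "Is multi-factor authentication enforced for staff?", 3, True),
    Control("patching", "Are critical patches applied within 14 days?", 3, True),
    Control("encryption", "Is customer data encrypted at rest?", 2, True),
    Control("ir_plan", "Is there a tested incident response plan?", 2, False),
    Control("training", "Do staff receive annual security training?", 1, False),
]


@dataclass
class Supplier:
    name: str
    service: str
    impact: int                   # 1 (low) .. 5 (critical) to our business
    sent_on: date                 # when the survey was distributed (step 1)
    answers: dict = field(default_factory=dict)  # control key -> "yes" / "no"
    evidence: set = field(default_factory=set)   # control keys backed by evidence


def control_score(s: Supplier) -> float:
    """Weighted share of controls confirmed in place, 0.0 .. 1.0."""
    total = sum(c.weight for c in CONTROLS)
    earned = 0
    for c in CONTROLS:
        if s.answers.get(c.key) != "yes":
            continue
        if c.needs_evidence and c.key not in s.evidence:
            continue  # attested but unverified: does not count yet
        earned += c.weight
    return earned / total


def risk_score(s: Supplier) -> float:
    """Risk from the Supplier Evaluation alone: the gap in confirmed controls."""
    return round(1.0 - control_score(s), 2)


def exposure(s: Supplier) -> float:
    """Risk weighted by how hard this supplier toppling would hit our business."""
    return round(risk_score(s) * s.impact, 2)


def tier(s: Supplier) -> str:
    """Bucket the exposure; thresholds are assumptions for this example."""
    e = exposure(s)
    if e >= 3.0:
        return "critical"
    if e >= 2.0:
        return "high"
    if e >= 1.0:
        return "medium"
    return "low"


def follow_up(s: Supplier) -> list:
    """Open items for a follow-up survey: unanswered, or 'yes' without evidence."""
    items = []
    for c in CONTROLS:
        if c.key not in s.answers:
            items.append(f"unanswered: {c.key}")
        elif s.answers[c.key] == "yes" and c.needs_evidence and c.key not in s.evidence:
            items.append(f"evidence missing: {c.key}")
    return items


def reminder_due(s: Supplier, today: date, sla_days: int = 14) -> bool:
    """Automated reminder: the survey is still incomplete past the response SLA."""
    return bool(follow_up(s)) and (today - s.sent_on).days > sla_days


# Constructed sample suppliers (not real organisations).
TODAY = date(2018, 2, 13)
FURNITURE = Supplier("Desks & Chairs Ltd", "office furniture", 1, date(2018, 1, 20),
                     {"mfa": "yes", "patching": "no", "encryption": "no",
                      "ir_plan": "no", "training": "yes"})
MEETNOW = Supplier("MeetNow Inc", "online meeting platform", 5, date(2018, 2, 1),
                   {"mfa": "yes", "patching": "yes", "encryption": "yes",
                    "ir_plan": "yes", "training": "no"},
                   {"mfa", "encryption"})
DATACRUNCH = Supplier("DataCrunch Analytics", "data analytics", 4, date(2018, 1, 10),
                      {"mfa": "no", "patching": "yes"})


def register(suppliers, today: date) -> list:
    """Risk register rows sorted by exposure, biggest domino first."""
    rows = [(s.name, risk_score(s), exposure(s), tier(s), reminder_due(s, today))
            for s in suppliers]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for row in register([FURNITURE, MEETNOW, DATACRUNCH], TODAY):
        print(row)
    for s in (MEETNOW, DATACRUNCH):
        print(s.name, "->", follow_up(s))
```

Note how the furniture supplier ends up in the low tier despite confirming almost no controls: its impact score carries little weight, which matches the article’s point that a furniture supplier needs far less scrutiny than a data analytics provider. The analytics supplier, by contrast, is flagged critical and is due a reminder because its survey has sat half-answered past the deadline.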

Take a moment to consider how arduous this process could potentially be. The supplier domino chain could be miles long! This doesn’t just depend on the size of your organisation; even the smallest of organisations can have many suppliers. The length of the domino chain largely depends on the nature of the business.

Applying the manual approach to SERM, which traditionally means delivering Excel-based or telephone questionnaires to all of your suppliers, not only incurs exponential costs in terms of man hours and materials; think also about the level of expertise your team will need to have. What if you have a supplier that is not the most, let us say, “responsive”? Your SERM team will need to spend extra time chasing down supplier responses to capture an adequate supplier risk picture. Cast your eyes back to the sheer number of phases SERM has: the manual approach is usually a lengthy, laborious and error-prone process.

Yes, you will have a process in place, but is it effective? Can you adequately perform a comprehensive examination of your suppliers, to the point where you can identify the risks within your supplier domino chain and track remediation efforts? As the saying goes, do it nice or do it twice. For these reasons, among others, automation is a must.

The NotPetya outbreak which dominated the news last year is a case study that underpins the benefits of SERM. Perhaps, if the clients of MeDoc had had an automated SERM process in place, they would have been able to adequately weigh the risk MeDoc posed as their supplier. This could have resulted in the prevention, or at least the mitigation, of the outbreak we saw spread throughout Ukraine back in June. Automated SERM would have highlighted the weaknesses in the supply chain by automatically distributing surveys, providing real-time status of those surveys, and sending automated reminders to suppliers who had not completed the survey within a given timescale. Upon survey completion, automated SERM provides an immediate report, which eliminates the gap between survey submission and risk visibility.

Allowing the clients of MeDoc to weigh the risk to them would have given them the choice of whether to keep trusting MeDoc as their supplier. To those conspiracy theorists out there who will say to me “ah yes but the NotPetya attack was not about Cyber”: firstly, I agree! There is indeed evidence that suggests NotPetya was more than just a cyber-attack. Secondly, and most importantly, what about Equifax? Or Uber? Or ? Almost all damages associated with breaches could have been prevented, or at least severely mitigated, if automated SERM had been in place. Highlighting the risks that third-party suppliers pose to the business, and ascertaining exactly what those risks mean, will ultimately allow the decisions to be made that prevent our domino from tumbling.

Now, impressive as it may seem, we have come a long way without a mention of the feared EU GDPR, but we would be neglectful not to discuss the requirements of SERM under the EU GDPR. Article 4 defines the role of the data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data...” In the context of a SERM project, your organisation would be considered the data controller. The suppliers you evaluate fall under the role of data processor, which is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”


Between you and your supplier, right from the very beginning of your working relationship, there must be a clear understanding of what Personally Identifiable Information (PII) each party will be processing. This must include the metrics used to gauge how sensitive it is. Classification of sensitive data (e.g. gender, marital status, etc.) should be clearly defined so that when SERM is applied, we have an accurate, clear picture of the risk a supplier presents to the business should they be breached.
As we have alluded to, the primary purpose of SERM is to survey your suppliers and gauge the level of risk (how big a domino) they pose to your business. Automated SERM surveys will enable your organisation to ascertain the level of protection your suppliers currently have in place and provide you with a clear risk picture of your supplier chain. If the level of risk is not acceptable to your organisation, you may need to end your business relationship with that supplier, effectively removing them from the chain of dominoes to prevent yours from falling.
Without doubt, the absolute best way to acquire an accurate risk picture of your supplier chain is through using automated SERM. ZeroDayLab would be pleased to demo our automated SERM process, please contact us for more information.

What we know is a drop, what we don’t know is an ocean
Isaac Newton
