Tuesday, 13 February 2018

SERM - The Domino Effect


I have two little monsters and like the little monsters they are, they love the whole Disney Pixar thing. One edition of Disney Pixar that we have watched maybe a little over what feels like one or two million times is Robots. For anyone who knows the story behind the film, they will be familiar with the dominoes scene which marks the triumphant return of Bigweld – the company’s missing boss and hero to the main character – Rodney Copperbottom. For those who are not familiar, Rodney causes the crash of hundreds of billions of dominoes by just toppling one. This domino effect, which starts innocently enough, can lead to disastrous effects.

Let’s exchange the Pixar setting for your organisation. Think of your organisation as the last domino, the biggest in the chain, centred in a large circle of a long list of “supplier” dominoes. Would a breach that affects, spreads and ultimately topples a supplier have disastrous effects for you? The real impact of toppling a supplier is ultimately unknown, unless your organisation has taken steps to adequately assess the risks suppliers present. This process is known as Supplier Evaluation and Risk Management, or SERM.

Let’s break SERM down:
  • Supplier Evaluation is:

    • Gathering information on the suppliers we have. First and foremost, we need to determine how many suppliers we have! Many organisations have only a rough head count of suppliers; Supplier Evaluation will give organisations a firm grip on the actual size of their supplier domino chain. Once we know the length of the domino chain, we will be able to accurately gauge the level of risk it presents to the organisation.
    • Identifying what these suppliers do. The risks a supplier presents to an organisation are largely dependent on what that supplier does for the organisation. A supplier that provides office furniture can be viewed as much less risky than one that provides data analytics services. In the case of the office furniture supplier, an assessment can be considered complete once it’s determined that they pose little risk to the information security of the organisation. For the data analytics provider, it’s necessary to dig a little deeper and get to the crux of the risk they pose to the business.

    • Assessing how good a supplier is at security is the deeper digging. This assessment can be conducted via a combination of the following activities:

      • Requesting that the supplier respond to a broad set of short yes or no questions about the security controls they have in place.
      • Requiring evidence (where necessary) that demonstrates that the controls they attest to are indeed in place.
      • Benchmarking the configuration of their estate, highlighting missing patches, outdated operating systems and known Common Vulnerabilities and Exposures (CVEs).
  • Risk Management
    After completing the evaluation, we have a clearer view of how dominoes in the chain may fall. Now, we need to weigh the impact of their fall. This helps an organisation determine the risk each vulnerable domino exposes them to. Would the risk be minor, causing a gentle shake of our domino, or will it be a major, earth-shattering crash that would tumble our organisation completely?
    We can determine the size of the supplier domino by:

    • The supplier’s risk score, based on the Supplier Evaluation.
    • Their impact on our organisation's short and long-term goals and objectives. Imagine we are an organisation that delivers Online Training. As an Online Trainer, we have an online meeting supplier, which we use daily to deliver webinars to our customers across the globe. Our online meeting supplier is hit by a cyber-attack and topples. Unless an alternative can be used, this will result in our inability to deliver training. Such an event would be disastrous to our customers and therefore to our brand and our organisation. Even though we have not been directly hit by the cyber-attack ourselves, our domino has fallen.

At this point we must understand that SERM is a multiphase process. To adequately measure the risk posed by our suppliers, we need to:
  1. Distribute surveys to all suppliers
  2. Gather those responses
  3. Analyse and assess the responses
  4. Distribute follow-up surveys if required
  5. Gather those responses
  6. Gauge the level of risk posed by those suppliers
  7. Implement safeguards or take the necessary steps to remove or mitigate individual supplier risk.

Take a moment to consider how arduous this process could potentially be. The length of the supplier domino chain could be miles! This doesn’t just depend on the size of your organisation; even the smallest of organisations could have many suppliers. The length of the domino chain largely depends on the nature of the business.

If you apply the manual approach to SERM, which traditionally means delivering Excel-based or telephone questionnaires to all of your suppliers, you will not only incur exponential costs in terms of man hours and materials; think also about the level of expertise your team will need to have. What if you have a supplier that is not the most, let us say, “responsive”? Your SERM team will need to spend extra time chasing down supplier responses to capture an adequate Supplier Risk picture. Cast your eyes back to the sheer number of phases SERM has: the manual approach is usually a lengthy, laborious and error-prone process.

Yes, you will have a process in place, but is it effective? Can you adequately perform a comprehensive examination of your suppliers, to the point where you can identify the risks within your supplier domino chain and track remediation efforts? As the saying goes, do it nice or do it twice. For these reasons, among others, automation is a must.

The NotPetya outbreak which dominated the news last year is a case study that underpins the benefits of SERM. Perhaps, if the clients of MeDoc had an automated SERM process in place, they would have been able to adequately weigh the risk MeDoc posed as their supplier. This could have resulted in the prevention, or at least the mitigation, of the outbreak we saw spread throughout Ukraine back in June. Automated SERM would have highlighted the insecurities in the supply chain by automatically distributing surveys, providing real-time status of surveys and sending automated reminders to those suppliers who have not completed the survey in a given timescale. Upon survey completion, automated SERM allows for immediate report provision, which eliminates the gap between survey submission and risk visibility.
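The evaluation, risk weighting and reminder logic described above, as an added example that is not part of the original post or of any vendor's product: a constructed yes/no questionnaire with per-control weights, an impact tier per supplier, and an overdue check for surveys not returned within the timescale. Control names, weights, dates and supplier names are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
# Constructed yes/no questionnaire: the weight is how much a missing control
# raises the supplier's evaluation score (higher = riskier).
CONTROLS = {"mfa": 3, "patching": 3, "encryption_at_rest": 2, "incident_response": 2}
TODAY = date(2018, 2, 13)  # constructed "today" for the reminder check
@dataclass
class Supplier:
    name: str
    service: str                                   # what the supplier does for us
    impact: int                                    # 1 = office furniture .. 5 = cannot operate without them
    answers: dict = field(default_factory=dict)    # control -> True ("yes") / False ("no")
    evidenced: set = field(default_factory=set)    # controls backed by evidence
    survey_sent: Optional[date] = None
    survey_returned: Optional[date] = None

def evaluation_score(s: Supplier) -> float:
    """Supplier Evaluation: 'no' or unanswered = full weight; 'yes' without evidence = half."""
    score = 0.0
    for control, weight in CONTROLS.items():
        if not s.answers.get(control, False):
            score += weight
        elif control not in s.evidenced:
            score += weight / 2
    return score

def risk_score(s: Supplier) -> float:
    """Risk Management: weigh the evaluation score by the supplier's impact on us."""
    return evaluation_score(s) * s.impact

def overdue(s: Supplier, today: date, timescale_days: int = 14) -> bool:
    """Reminder trigger: survey sent, not returned, and the timescale has elapsed."""
    if s.survey_sent is None or s.survey_returned is not None:
        return False
    return (today - s.survey_sent).days > timescale_days

def ranked(suppliers: list) -> list:
    """Biggest dominoes first, so remediation effort goes where the risk is."""
    return sorted(((s.name, risk_score(s)) for s in suppliers), key=lambda t: -t[1])

# Constructed sample chain: unsurveyed furniture supplier (low impact, so it ranks
# last even with no answers), a meeting supplier that answered, an analytics supplier that did not.
SUPPLIERS = [
    Supplier("OfficeChairs Ltd", "furniture", impact=1),
    Supplier("MeetNow", "online meetings", impact=5,
             answers={"mfa": True, "patching": True, "encryption_at_rest": False, "incident_response": True},
             evidenced={"mfa"}, survey_sent=date(2018, 1, 10), survey_returned=date(2018, 1, 20)),
    Supplier("DataCrunch", "analytics", impact=4, survey_sent=date(2018, 1, 10)),
]
```

An unanswered survey is scored as if every control were missing, so a silent supplier cannot look safer than one that answered honestly.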

Allowing the clients of MeDoc to weigh the risk to them would give them the choice of whether to keep trusting MeDoc as their supplier. For those conspiracy theorists out there who will say to me “ah yes, but the NotPetya attack was not about Cyber”: firstly, I agree! There is indeed evidence that suggests NotPetya was more than just a cyber-attack. Secondly, and most importantly, what about Equifax? Or Uber? Or ? Almost all damages associated with breaches could have been prevented, or at least severely mitigated, if automated SERM were in place. Highlighting the risks that third-party suppliers pose to the business, and ascertaining exactly what those risks mean, will ultimately allow the decisions to be made that prevent our domino from tumbling.

Now, impressive as it may seem, we have come a long way without a mention of the feared EU GDPR, but we would be neglectful not to discuss the requirements of SERM under EU GDPR. Article 4 defines the role of the data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data...” In the context of a SERM project, your organisation would be considered the data controller. The suppliers you evaluate will fall under the role of data processor, which is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

Between you and your supplier, right from the very beginning of your working relationship, there must be a clear understanding of what Personally Identifiable Information (PII) each party will be processing. This must include the metrics used to gauge how sensitive it is. Classification of sensitive data (e.g. gender, marital status) should be clearly defined, so that when SERM is applied we will have an accurate, clear picture of what risk a supplier presents to the business should they be breached.

As we have alluded to, the primary purpose of SERM is to survey your suppliers and gauge the level of risk (how big a domino) they pose to your business. Automated SERM surveys will enable your organisation to ascertain the level of protection your suppliers currently have in place and provide you with a clear risk picture of your supplier chain. If the level of risk is not acceptable to your organisation, you may need to call a halt to your business relationship with that supplier, effectively removing them from the chain of dominoes to prevent yours from falling.

Without doubt, the best way to acquire an accurate risk picture of your supplier chain is through using automated SERM. ZeroDayLab would be pleased to demo our automated SERM process; please contact us for more information.

What we know is a drop, what we don’t know is an ocean
Isaac Newton
