EP 58: Why some companies are so intense about managing supply chain cyber risk
Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.
Sign Up Now!
About this episode
July 21, 2020
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, discuss why some companies are so intense about managing cyber risk in their supply chains.
Speaker 1: Welcome to the cyber risk management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cybersecurity council is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.
Jake: So Kip what are we going to talk about today?
Kip: Hey Jake. Hey, today let's unpack something that we scratched out a couple of episodes go, which is why are some companies so intense about managing cyber risk in their supply chains?
Jake: Wow, intense, huh? So, okay. Why now?
Kip: Well, I looked back at our editorial calendar and I realized couple episodes go, we were talking a lot about how to overcome objections in the buying process or in the selling process. And I thought we did a pretty good job of describing why it is that some companies have to struggle to provide assurance to their sales prospects, right? Other businesses that they want to sell to. And then I thought well, but what we didn't do is really explain why those hurdles are there. Or I mean why do companies have to surmount them? So I thought well, let's explore that side.
Jake: Well, that's interesting. Can you give a... Let's give a couple examples of some heavily regulated companies.
Kip: Yeah, right. So I mean, as we said in that previous episode, this really comes up when non-regulated, or lightly regulated companies are selling into heavily regulated ones. And I think a bank or an insurance company are two perfect examples of a heavily regulated company. But to be honest, there are many larger companies that are doing this, even if they're not heavily regulated and they really should. I mean, it's the right thing to do because as we've discussed many times on this show, your vendors are a common source of cyber attack.
Jake: Yeah. And this has been going on for a long time obviously, for example, the 2013 Target credit card data breach, that's a classic, they got hacked through their HVAC contractor if I recall, is that right?
Kip: Yeah. Yeah. That's right. I mean, I remember when they first announced that, and I just thought really how? And I had this vision of somebody pulling the side access panel of the air conditioning unit on the roof of on of the stores. But of course that wasn't quite right. No, what happened is that cyber attackers stole a valid user ID and password combination from somebody who worked at a heating and air conditioning company, who was in fact servicing the air conditioners at the retail stores. Anyway, so they took this user ID and password, and they went on to compromise Target's network. They logged in as the HVAC vendor, and ultimately wormed their way through the internal network, and compromised many point of sale devices in the retail stores and stole credit cards. And it was a debacle. I looked it up and the direct cost to Target at this point $300 million plus lost profits, and the organizational trauma of getting a new CEO, and other senior executives and on all the other regulatory fund.
Jake: I think it's worth dwelling for just a moment on the organizational trauma of having your entire executive team shaken up. I mean, I think a lot of times people think, Oh, these companies... Look, their stock is going back up getting hacked, it didn't hurt them at all. And I think that's actually a dangerous perspective because it's not true, right? You don't know the opportunity cost of having your entire executive team turned over because of a breach. You don't know what could have been accomplished. And a lot of these companies that get hit, they're not going to go out of business from a hack like that, right? Small ones sure, but big ones, probably not. And I'm curious, what do people think is appropriate for damage to a company? And I think what you have to look at is that, under corporate law, companies they're legal entities. They only act through people and you know what those people sure got hurt, didn't they?
Kip: The people, yeah.
Jake: I mean, they got fired, they had to resign. I mean, so I think that I just want to push back a little bit on what I call this myth of no harm, no foul to these companies when they get hacked. I just don't find that to be true.
Kip: Well, I also think that people are focused on the wrong measurement. To measure their stock price is interesting. I've done that quite a bit. And I looked at the stock price of Equifax right after its mega breach. And I watched it fall precipitously, I've been looking for an excuse to use that word lately, by the way-
Jake: Ah, good I like it.
Kip: And I've watched it slowly crawl out of the gutter. And in contrast North Hydro, which had a huge ransomware attack and it brought their entire operation to a standstill and forced them back into the pen and paper age of record keeping, well their stock took little tumble, but you know what, the way that they handled public relations downstream of the attack actually enhanced their stock price, but that didn't change the fact that they had an 80% drop in profits, they had a materials financial event. And so I don't think stock price is the way to do it-
Jake: I agree.
Kip: What I do think makes sense though, is things like opportunity cost, which you're talking about. And then another thing is, if you look at the Ponemon studies about, what are the effects of a data breach? Well, one of the effects is abnormal customer churn, which is to say, you're always losing customers as a company you're gaining and losing all the time for different reasons. And abnormal customer churn is when you lose a greater number of customers than you otherwise would have. And that is hella expensive. It is really, really expensive for companies to acquire new customers. So when you get one, you want to keep it. And so if you're losing customers above and beyond your normal churn, well that's going to hurt you financially because now you've got to go out and replace them. That's hard.
Jake: That is hard. And I think that's a really good point. So, okay that was a little bit of a diversion, but let's look at this through the lens of the supply chain, risk management activity, specifically in the NIST Cybersecurity Framework. You and I are big fans of the CSF. So what does the CSF here say about this?
Kip: Right. So this activity, is at the second level of detail in the framework. The framework has three levels of detail, and supply chain risk management is actually nested underneath the identify top level function of the framework. And there's five actual top level functions. Do you remember the other four, Jake?
Jake: I do. I do. I'm not sure I could say them all in exact order, but you've got protect, detect, respond and recover. Is that right? Is that even in order? I think it might be.
Kip: Yeah, those are the other four. You put identify first and then you run the other ones out and those are the five and it turns out that's the order in which a security incident is typically... That's the life cycle of a security incident. So I think that's why they put them in that order.
Jake: I think that's right. I think it makes perfect sense-
Kip: Yeah. Well, I like it. It helps me think about risk management, but yeah, so those are the five top level functions. There's 23 second level functions and supply chain, risk management is one of them. And in fact was not in the original version 1.0 of the framework. It actually showed up in version 1.1 of the framework. So it's relatively new. And here's the main question that it poses to framework users, which is how well has your organization established and implemented processes to identify, assess and manage supply chain cyber risks.
Jake: So that sure gets right to the heart of the matter, doesn't it? So that means that all your vendors to play a large role, delivering results to customers must be actively included in your cyber risk management activities. Which of course makes perfect sense, right? I mean, that's a critical component so what else does it say here?
Kip: Right. Well, so that's a summary of what this activity is prompting you to do. Now, I said there's three levels of detail in the framework. So that's the second level of detail. So if we unpack this activity, there's actually five sub-questions in there. Now by the way, the framework doesn't use questions, it makes statements. But I like to convert those statements into questions, because what I've noticed is that, when I'm sharing with customers, what's needed to be done statements come off flat to them. But if they're questions, I find that, that makes the standard feel way more personal to cyber risk managers.
And I think that encourages them to take action. Anyway, that's what I've seen. So anyway, for purists out there in the audience who say, "That's not exactly right, Kip." You're right, I've made a little change, so bear with me. So let's unpack the five questions inside this activity. So the first one is how well does your organization identify, establish, assess, and manage cyber supply chain, risk management processes. And I think processes is really the key term on this one.
Jake: It certainly is. And I think that, what does a process look like in this particular instance? And I think it starts with, do you have a process for evaluating new potential supply chain components. And I think that it is unfortunately fairly common for people to maybe skip over that part and to dive right into trying to perform an assessment on a specific vendor. And I think that's a mistake. I think if you have a process that is truly soups and nuts, I think you'll be better off overall.
Kip: Well, right. Because I mean, think about it. Target is a great example here who would have thought, I don't think I would've, who would've thought that the heating and air conditioning contractor would represent a $300 million risk to Target's wellbeing. And so, without a systematic approach to looking at your vendors, categorizing them into maybe two or three buckets, low, medium, high, low, high, whatever it is, you can miss some stuff. And so I think that's what this first question gets to, is be systemic about this and vendors are coming and going all the time as well. And you and I have helped customers set up these things. So we definitely are familiar with what it's like to be on this side of the negotiation.
Jake: Absolutely. Okay. So let's do the second one here. How well does your organization identify, prioritize and assess suppliers of information systems, components, and services? So, I have an initial thought on this which is, first of all, this is a process, right? It's not a mistake that the first question is about process. This one here is a more specific question about a first process, which is going through an assessment of a supplier. And this can be as simple as does this company represent a significant risk to us? Yes or no. That's probably not going to cut it for most of us. And it can go all the way through a much more, in-depth almost a mini NIST CSF assessment in and of itself, right?
Kip: Right. Yeah, yeah. Because those five top level functions, you would like to know that your vendors are capable of performing those as well. Because if a security incident occurs with a vendor and it bleeds over to you, you would like them to, protect, detect, respond, and recover so that it doesn't actually affect you. Could you imagine if the HVAC company had somehow been able to detect that the credentials for that account had been stolen and misused, and if they had reported that to Target, perhaps that incident would have never happened.
Jake: Yeah. I mean, it's certainly possible right.
Kip: Now. I also think the second question is interesting because it gets to something that I am constantly harping on, which is prioritization. You have unlimited risks coming at you. You have a limited budget of time and money and people to manage those risks. So, which one are you going to manage first? Is that the one that is the loudest? Is that the one that you can see most clearly when you sit at your desk? Is it the one that just ended up in the newspaper headline? Or is it the one that you've identified through some systemic process and I know you can imagine which way I prefer, but I just love the focus on prioritization.
Jake: Yeah. I think that's really a good thing, because if you don't have a priority system set up then one, you may treat everything as the same priority and that's a big mistake. And then two, I think there's two main risks here of not having a system like that is, the second one is you might prioritize poorly and that's almost as dangerous.
Kip: Yeah. And that sometimes looks like whack-a-mole, right? Like, okay, whoever's bugging me lately, I'm just going to smack them on the head with a hammer. And yeah. So the silent killers who never bug you are the ones who are going to take you out. Okay, so those are the first two. Let's look at the third one. How well does your organization implement contracts with suppliers and outside partners to meet the objectives of your organizations cybersecurity objectives. Contracts, contracts-
Jake: Guess what Kip, I have some things to say about this.
Jake: Are you surprised?
Kip: Do tell.
Jake: Okay. So contracts are... It's the core of everything period, period. Do you see that?
Kip: All commerce.
Jake: All the way from the social compact, and the social contracts to actual written legal contracts.
Kip: Oh, the Mayflower Compact. Thanks for bringing that up.
Jake: Everything is contracts. I remember in law school after I finished the first year or so, I would walk around and imagine these invisible lines of liability between people based on contract and taught law.
Kip: Little threads of obligation?
Jake: Yep. Yeah, little threads of obligation and duties. And now if that doesn't scare you away from law school, I don't know what will.
Kip: You remind me of a junior psychology student going around into diagnosing everybody-
Jake: Yep. That's exactly right. Okay. So without exception and [inaudible 00:00:16:44] that I can say that, but this is the case without exception, a contract is going to essentially govern the relationship between your company and your company's suppliers and outside partners. There is a lot that a contract can do for you. And one of the biggest mistakes I think I see is when people in a company, try to have a one size fits all contract. And, I know that it can be a pain to manage a whole bunch of different internal documents and make sure that sales, and marketing, and operations are all making sure they use the right contracts, but it makes such a big difference. And a simple example is a service that several of our mutual clients have requested over the years, which is we'd like a tiered system of contract based of supplier risk level.
And what I've done with that is, I've done three tiers, tier one, two, and three, and tier three is like you've given someone the keys to your kingdom and you need to hold them to the highest possible standards and have the most controls. Whereas tier one tends to be something like, well they deliver something to us, but they're not connecting to our data network, or if they do, they're sending us an email, something really incidental. And so, those are two very different types of vendors, right? And the risk of having the same contract for both of them is either increased transactional costs in either direction. You might be asked to remove a whole bunch of language for the tier one, whereas you might have to add a whole bunch of language for the tier three.
Again, if you're trying to use just a one size fits all, and then even worse is if you don't customize. You have contracts that just are not doing their job appropriately to the risk that your company is facing. So I could probably talk for the next 30 minutes on this, but I think that's pretty clear. Do you have any additional comments or questions that you think I should address Kip?
Kip: Well, no. I think you've done a really nice job of summarizing, the opportunity to prioritize and to use contracts, to reinforce that prioritization and layering on the right amount of controls, depending on how much risk is facing you. But the comment that I would like to make is the perception that I sometimes run into is other people who talk about NIST Cybersecurity Framework, talk all about the technology. Technology, technology, and they think that the framework is nothing but a framework about how to control your technology. And I just want to take a moment and point out, here's one of actually many, many cases where this isn't about technology primarily this is about a contract. And so, this is a data point in support of something we always say, which is cybersecurity is a team sport. You're not going to succeed as a cyber risk manager. I don't think ultimately, unless you have a good relationship with your contracts manager, or your in-house counsel, or whoever it is that is negotiating these contracts with your suppliers, you've got to team up with them if you're going to do this well.
Jake: That's, that's totally true. This is not something you can do in a vacuum.
Kip: Nope. I don't think so. Well, so that's number three, number four. How well does your organization routinely assess suppliers and third-party partners to confirm they are meeting their contractual obligations. This is a tough one. Most companies sign contracts, file them, and never look at them again.
Jake: And I mean, this is a major issue, and unfortunately I don't have a great answer because the expense that would be necessary to check in on all of your suppliers is probably prohibitive.
Kip: Right. Which is why you prioritize them.
Jake: That is why you prioritize them, absolutely-
Kip: So you can figure out which one should I really... Okay, I have only enough budget and energy to conduct one assessment this year of a supplier or a third-party partner, which ones are going to be? You don't have to struggle with that if you've done the things we've talked about, you're going to know which one it is.
Jake: You will. And I think the other thing that this might encourage is, vendor bloat it's probably an issue for a lot of companies. Do you really need to have four different social networking style apps within your company? Do you really need to have five different cloud storage services? If the answer should be and likely is no, again, prioritize and then clean out. Clean out your organization's vendor cruft, which is an interesting little concept, but-
Kip: I want to ask you another question. So don't you think that somebody should reserve the right in their contract to assess a supplier, even if they never do?
Jake: So. Yes, but it's complicated because let's say that you... I mean, let me step back. This also could take up the rest of the podcast episode Kip.
Kip: All right. I'm going to counsel brevity.
Jake: At a high level the answer is yes. You should put in the right to audit and assess. The issue is, let's just say you unthinkingly add that to everything. And then something bad happens with one of these vendors and, you know darn well, you didn't ever exercise that right. If I'm the vendor and I'm looking for any defense, right? Any defense at all, any way to at least just share blame with you.
Kip: So you're grasping for straws here-
Jake: I'm grasping for straws, it's a pretty decent size straw to grab onto that you put in your contracts that you're going to audit and assess all these vendors, and yet you didn't do it once. Did you? That makes-
Kip: Now why is that a problem?
Jake: Because makes you... That's going to introduce some level of doubt about your competence and your desire to take this seriously. In other words, if I put in this right, but I never exercise it. Then the fair question to be asked is, well, do you have a real cyber risk management program, or are you doing the proforma style over substance thing that so many do where, you put it in there-
Kip: So you work a lot but you don't actually back it up.
Jake: You're toothless. Exactly. And I don't have a good answer for that because the law can go either direction based off the facts and circumstances. Certainly I would never counsel someone to deliberately leave out an assessment or audit except possibly for a tier one, right? This goes back to the previous discussion about having different tiers of contracts. I think it does become easier if you can say to yourself, no, actually we don't put these in every single contract when they're not necessary. And we just didn't get around to auditing you, that begins to help. But it does raise the broader issue of does anyone use that as the assessment audit authority? And my impression is it does happen, but it's pretty rare still. How about you, what's your impression of this?
Kip: So I think that the easiest thing in the world to do on this is if you've reserved the right, I think some people believe that in order to exercise that right, you need to buy a plane ticket, fly to the suppliers place of business, and start whipping out your checklists. And the reality is, is that an assessment could be as easy as opening up a survey monkey account for free, putting in a little five question questionnaire, and then blasting it out to all your tier one vendors, right?
Jake: Yep. That is true.
Kip: And if they don't respond, well that tells you something and if they respond and everything is roses and perfume, but then something bad happens, well now you've... Maybe the due diligence that you did on them wasn't tremendous, but you did something.
Jake: Yeah. I think that's right. I think that's a good point.
Kip: So that's how I deal with that one. Okay. You ready for number five? Let's do it. Okay. Here's the fifth one. How well does your organization conduct response and recovery planning and testing with suppliers and third party providers. This is a really call to action.
Jake: It is. It is. And I think this one requires a fair amount of inter organizational and sometimes even inter entity cooperation. You can't really do any planning and testing unless you're in constant contact with a company. And I think this is another one where you need to prioritize, you need to use the tear to contract system. You're not going to engage in cybersecurity response and recovery planning and testing with the company that delivers the weekly water refill, right?
Kip: Right, you're right.
Jake: On the other hand, if you have a critical supplier who is providing your hybrid cloud backend, then you probably need to be in very regular contact with them, because if they go down or they suffer some event, your justice, your toast, right? So it comes back to the same principles we've been discussing. Doesn't it?
Kip: I think so you can't do response and recovery planning and testing with everybody that you work with. So who are you going to do it with? And another wrinkle here is I've been on the receiving end as a virtual Sozo working with my customers, FinTech customers for example, I've been on the receiving end of requests to participate in a disaster recovery exercise. And my first reaction was, Oh, cool. This is the thing that is good to do. And then my next reaction is, Oh my goodness. They are expecting us to put in 40 to 50 hours of our time into this exercise for them. And when I think about what they're actually purchasing, they're paying a monthly fee to access a SAS.
Okay, well, where's the margin in that, for this small FinTech to dump 50 hours, 40 or 50 hours of engineering time or management time into this exercise. And so the practical reality is that if you're large enterprise and you want your vendors to participate, you need to think about the cost and what can they really afford to do. And you may need to actually pay a little bit to insure their participation, but however you do it, it's a consideration, don't be surprised.
Jake: Yep, exactly. Yeah. There's just not a ton of good solid guidance on this because of the level of effort that it takes on multiple parties front, right?
Kip: Yeah. Yep. And a lot of the guidance that we use in our work as cyber risk managers is older guidance, right? So I think of NIST Cybersecurity Framework is pretty new, but I think about ISO 27,001 or COBIT, or other guidance that's been around for a long, long time. I don't think that guidance has done a very good job of keeping up with the evolving business models. They arose at a time when outsourcing wasn't as prevalent, particularly technological outsourcing. And I don't think any of them are really up to speed with cloud and how that's computing as a utility. I don't think any of them-
Jake: No, they're pretty old. I mean, a lot of them are, I would say, quite old honestly.
Kip: 27,001, originally came out in the 1980s as a company specific standard out of Northern Europe. I think it was Shell oil. And then it was adopted by the UK, and it became a British standard. And then the ISO organization took it over and made it an international standard. It hasn't changed much. And I think the last time they did any updating to it was 2013 and it wasn't much of an update.
Jake: Yeah. I think that's an accurate statement of where things stand right now and it's definitely a problem.
Kip: Yeah. So we've got some real issues with this fifth one here, but that doesn't mean that the need isn't present. I think the need is very present.
Jake: It's absolutely present.
Kip: Yeah. Okay, Jake, any final thoughts on supply chain management and why some companies are so intense about it?
Jake: So it's really, really important if you're not intense about it, you should be. And in order to do it efficiently, you need to prioritize, you need to organize your vendors in some tiered system. And if you're not doing it, then you're relying on hope and a prayer that nothing bad is going to happen. And that's it.
Kip: Well, it didn't work for Target, it didn't work for Home Depot. There's actually a long, long list of companies that it didn't work well for. So hope and a prayer. Okay. Well that wraps up this episode of the cyber risk management podcast. And today, of course, we talked about why some companies are so intense about managing cyber risk in their supply chains. We'll see you next time.
Jake: See you next time.
Speaker 1: Thanks for joining us today on the cyber risk management podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.
Sign up to receive email updates
Enter your name and email address below and I'll send you periodic updates about the podcast.
Cyber Risk Opportunities