Mani Keerthi Nagothu is a cybersecurity professional with global work experience, currently based in Vancouver, Canada. She worked with consulting firms before her current role as Security Lead at Ballard Power Systems. Her experience comprises building cybersecurity strategies, developing security initiatives, incident response, risk assessments and framework implementation. Her research areas include emerging technology and cybersecurity-related risks. Most recently, she started the Women in Cybersecurity (WiCyS) Western Canada affiliate to encourage the advancement of women in cybersecurity.
Cyber supply chain risk has become the most discussed topic in late 2020. The increased use of suppliers for various functions in the organization has made this even more important than before and, in the process, the organization loses visibility of the technology being integrated into it. Discussions on supply chain risk date back two decades; the well-known standard is the NIST SP 800-161 publication. The current challenge faced by most organizations is that supply chain risks are not well understood and, most importantly, suppliers are not assessed before they are used for critical functions.
The perception that the supply chain is primarily an IT issue is making us vulnerable and susceptible to various cyber-attacks. The supply chain is the connection between the supplier and the organization, and the free flow of information and operations across it makes the output seamless. Connectivity and flow are important for business operations, but they also give rise to the risk of cyber-attacks within the chain. The solution to this challenge is to approach it as a two-fold process (internal to the organization and external to it) and to look at it at an enterprise level. Within the organization, there needs to be visibility and understanding of what our critical processes are, how they interact across departments, who our suppliers are, what each supplier's role is and what the impact would be in case of a compromise. At the supplier end, did we evaluate suppliers for their security processes, such as governance, incident management, information protection and sub-partners/services, and did we include these details in the contractual agreements? As we finalize a supplier, have we evaluated them against the organization's requirements? How do our security requirements integrate with the supplier's? This gives us a holistic picture of how well we can manage supplier risks and their impact on the organization, a proactive approach rather than a reactive one. As NIST notes, supplier risk management lies at the intersection of security, integrity, resilience and quality. Currently, there are many standards for C-SCRM, such as those from NIST and ISO, as well as sector-specific standards relevant to your organization. It is through a series of questionnaires and risk assessments that the standard which fits the organization is chosen. So, have you performed a risk assessment of your suppliers? How do they fare in terms of security requirements?