This CISO cites five factors that leaders may be too embarrassed, or too much in denial, to address when tackling a global problem.
Going by various reports, an average of around 15% to 30% of reported cybersecurity breaches involve a third-party vendor.
This is a stark reminder that supply chain security vulnerabilities can reverberate throughout entire industries, especially as global supply chains become increasingly digitalized. It is no longer just about protecting individual organizations; it is about securing the entire ecosystem.
Yet current practices fall short of international ambitions to build cyber resilience throughout supply chains; in particular, there is little established guidance for collaborative information sharing.
Supply chain security should no longer be seen as just an IT issue; it should be a matter of collective defense. The true question now is: Why are we still operating in silos? The answer is not just rooted in technology or capability — it is a complex web of gaps in trust, varying legal frameworks, and traditional competitive approaches.
Challenges to information sharing
Supply chains are a symbiotic network, dependent on the combined strength of vendors, suppliers, and partners.
However, current cybersecurity practices are far from collective. Despite the clear benefits of collaborative defenses, resource and intelligence sharing remain scarce practices. This has proved increasingly dangerous: when a supply chain attack strikes, the impact ripples far beyond the initially compromised target.
Several factors can hinder effective information sharing, including:
- Commercial, regulatory, and legal concerns: Firms may hesitate to share details of their vulnerabilities due to fears of reputational damage, competitive risks, or legal liabilities, especially with evolving regulations.
- Silos: Information flow is often limited by organizational and sectoral silos, excluding smaller or non-traditional players that could benefit most from collaboration.
- Timing: Information is often shared reactively after an incident, leaving businesses with little time to respond proactively.
- Workforce shortages: Smaller organizations, lacking cybersecurity expertise, are often the most vulnerable, yet the least equipped to share or act on critical information.
- Human factors: Trust is essential for effective information sharing, but factors like enforcement and the reluctance to appear vulnerable can inhibit transparency.
Ways forward in information sharing
To build a resilient digital ecosystem, the focus should shift to proactive collaboration, where larger organizations with robust security capabilities take the lead in helping smaller counterparts and third parties enhance their defenses.
This new model emphasizes inclusivity, where smaller players are not left out but actively supported through shared best practices, security controls, and early engagement before incidents occur.
Key principles for this new approach include:
- Proactive capability building: Large entities, including governments and enterprises, should take the lead in sharing actionable security insights and tools with their suppliers, especially focusing on vulnerability management, incident response planning, and identity access controls.
- Inclusivity across networks: Information sharing networks must become more inclusive by fostering connections within supply chains and creating opportunities for smaller organizations to contribute and benefit from shared knowledge. This could involve forming new supplier communities or improving collaboration across sectors.
- Leveraging technology for scale: This means moving towards a ‘digital commons’, where common standards for information sharing and real-time monitoring can create a shared view of security postures across networks, allowing for more efficient allocation of security resources and minimization of duplicated efforts.
In our view, achieving true cyber resilience across supply chains requires more than mere compliance; it demands a fundamental shift in our approach to security and collaboration.
Leading organizations must drive this change by sharing not only threat data but also actionable insights to strengthen the entire ecosystem. This evolution from reactive to proactive, from siloed to integrated, is essential. A unified approach, leveraging real-time collaboration and shared standards, will revolutionize our ability to manage and mitigate risks.
The stakes are high, and the time for change is now. By committing to transparency and mutual support, we can build a robust, resilient digital infrastructure that can withstand the rapid pace of cyber threats.