One of our members recently asked for advice on how to ensure that their supply chain is cyber-proof, and on how procurement teams keep their cybersecurity policies up to date to take account of ever-changing technology risks. The responses provided food for thought on an issue that is increasingly falling into procurement's domain.
Having a rigorous policy, it seems, is key. One member noted that at their company all desktops are secured through group IT policies (which also limit the use of flash drives and the installation of any applications), and all applications are strictly controlled, with approvals required from both process area governance and IT governance. They described how they regularly test the security of their systems through in-house cyber checks, and also through paid, scoped intrusion tests by third parties to test the robustness and strengths of all their protective systems.
These steps seem increasingly important, but it should not be overlooked how difficult it is to match the scale of the risk with an effective policy that can be implemented easily.
The difficulty of mitigating supply chain risk was perfectly summed up by one member we spoke to who said it is "perhaps easier said than done given the vast plethora of outsourcing, the cloud and mobility elements being the way of life and still evolving, and the more and more sophisticated threat landscape that keeps evolving and challenges in overcoming security checks and measures."
A risk audit is also of clear importance to these plans. From this base, members pointed out, recommendations can be made on the basis of the assessment rating and prioritised accordingly, detailing the cost associated with cyber security in time for the annual budget review.
Such activities should not be limited to internal-facing efforts. "Require your suppliers to adhere to equivalent standards to those applied by your own organisation to its own operational activities," advised one procurement chief. "Unless you had a prohibitively expensive approach in this area, I would also expect the price of such compliance to be covered within the pricing of the supplier."
Half the battle seems to be having an all-encompassing policy for internal use; that policy can then be applied to suppliers. The ISO 27001 & APQC standards were cited by one, with use of e-...