David Norton, Executive Director, CISQ
It is clear that most organizations in the UK are using hope as a strategy when it comes to their digital ecosystem, and it is probably not just the UK.
Only 18% of organizations require their third-party suppliers to use cyber security and software quality standards (UK Cyber Security Breaches Survey 2019). That means 82% of organizations are trusting to luck, but now it seems their luck has run out.
Last week the BBC and the FT both carried stories on the sharp increase in cyber incidents in the UK, a 1087% increase year on year (see Table 1, from RSM research). The articles are based on research by RSM using Financial Conduct Authority (FCA) data obtained through Freedom of Information requests.
Just over one fifth of reported incidents, 21%, are related to third-party failure, i.e., systems the reporting organization did not control. However, many of the other incidents had their origins in third-party developed software now owned by the reporting organization.
With the average cost of a cyber incident around £9.9 million ($13 million) per organization (Accenture Ninth Annual Cost of Cybercrime Study), plus fines and loss of customer trust, these figures represent considerable business impact. And note I said business impact, not IT impact, as ultimately the cost is borne by the business units in lost revenue and capital.
Although part of the sudden increase is due to GDPR and improved reporting, the figures are still alarming and reflect the upward trend in cyber-attacks and outages seen over the last 5 years.
Table 1

| Root Cause | 2019 | 2018 | % of Incidents |
|---|---|---|---|
| Hardware and software issues | 157 | 64 | 19% |
| Change management | 146 | 53 | 18% |
| Third-party failure | 174 | 79 | 21% |
| Cyber-attack - Distributed denial of service (DDoS) | 10 | 2 | 1% |
| Cyber-attack - Malware | 16 | 5 | 2% |
| Cyber-attack - Ransomware | 19 | 0 | 2% |
| Cyber-attack - Phishing or other compromise of credentials | 48 | 29 | 6% |
| To be confirmed | 93 | 82 | 11% |
| Human error | 47 | 24 | 6% |
| Process/control failure | 45 | 17 | 5% |
| Failure to manage adequate IT capacity | 25 | 4 | 3% |
| External factors | 17 | 3 | 2% |
| Theft | 11 | 3 | 1% |
| Cause unknown | 11 | 5 | 1% |
| Total | 819 | 370 | 100% |
So, why are so many organizations taking it for granted that their partners and suppliers have secure systems, or that their sourcing partners can deliver systems with no vulnerabilities? The answer may lie in the attitude of senior leaders. Paraphrasing one comment from a CIO in the RSM report:
“At some point you have to trust your suppliers. We do not have the time or budget to audit them all, and why should we when they are professional organizations.”
Although I have sympathy with the CIO in question, their statement shows naivety about the new dynamic in which organizations now operate.
Individual business capabilities, and indeed whole business models, are based on complex permanent or semi-permanent relationships with varying degrees of trust, that together provide the desired outcome. This is what is meant by the digital ecosystem, and this is what senior leaders need to understand: success is based on the ‘system of systems.’
Applying a System of Systems (SoS) governance mindset to the enterprise forces us to think about business risk in the wider context, including the role of third-party suppliers; we start to talk about the trustworthiness of the ecosystem as a whole.
When it comes to cyber security and software quality best practices and standards, we can learn from System of Systems Engineering (SoSE). By assessing the business capabilities and their associated systems, we can determine which SoS governance situation we are facing and then act accordingly.
Table 2 Adapted from SEBoK

| SoS Governance Model | Standards Approach |
|---|---|
| Directed - The SoS is created and managed to fulfill a specific capability, and the other systems are subordinated to the SoS. The component systems maintain an ability to operate independently; however, their design and operationalization are subordinated to the central SoS goal. | Mandate - The client's security architects and QA mandate the relevant software quality and cyber security standards with their suppliers. Vendor management formally contracts with suppliers using the mandated standards. |
| Acknowledged - The SoS has recognized and agreed objectives, a joint governance mechanism and resources for the SoS implementation; however, the supporting systems retain their independent ownership, objectives, funding, and development and sustainment approaches. | Cooperate - The client's security architects and QA work with their suppliers and agree the relevant software quality and cyber security standards. Vendor management should formally contract with suppliers using the relevant standards once agreed. |
| Collaborative - The component systems interact more or less voluntarily to achieve agreed-upon central purposes. The central players collectively decide how to provide value and desired outcomes. | Trust but Verify - Confirm with your supplier organizations and partners that they have taken the necessary steps to safeguard the SoS. Suggest and influence when you see gaps. |
| Virtual - The SoS has no central governance authority or a centrally agreed-upon purpose for the SoS. Large-scale behavior emerges, and may or may not be desirable. | Defensive - Do not assume you know all the parties in the SoS. Architect capabilities on the premise of low levels of trust. |
Like all things, it is never as simple as reading an article and then applying the advice. We have multiple stakeholders to bring together: business, QA, security, vendor management, suppliers and partners.
Business capabilities need to be assessed for their susceptibility to third-party outages and cyber-attacks, and this has to be balanced against the cost and effort of mitigating the risk with the third party.
But it all starts with senior leaders acknowledging that trustworthiness is not the same as blind faith in partners and third parties to do the right thing. Trustworthiness requires a risk-based approach with a clear cyber and quality standards policy that all in the ecosystem agree on and use (see the CISQ Trustworthy Systems Manifesto).