Bernard Munyaradzi Chadenga, founder and CEO of The Cimplicity Institute, hates checklists, largely because they are a box-ticking exercise that means very little when something goes wrong and carries no weight when someone needs to be held accountable.
Closing out track two at the ITWeb Security Summit in Cape Town on Wednesday, Chadenga’s talk was about the risks posed by third parties and supply chain partners. He explained that he had given a very similar talk at the ITWeb Security Summit several years ago and, sadly, not much has changed.
“Third-party security risks arise when you have outsiders connected to your business in some shape or form. And let’s face it, who doesn’t?” he said. Yet far too many businesses tick a few boxes when they enter into relationships with these external vendors, partners and service providers simply so they can say they did their due diligence. And also so they can blame someone else when a breach occurs. But we can no longer separate ourselves from our partners and assume that what’s happening to our vendors and suppliers isn’t our concern, he said.
According to Chadenga, if you’re not thinking about your value chain and what could happen to your business if one of your suppliers were to go offline, you’re not truly thinking about resilience.
For him, approaching third parties and asking them for the required reports and certificates might meet requirements on paper, but in the real world, it’s an inadequate approach to cyber risk management.
Do you track third-party stability, he asked. “If one of your third parties has changed CEOs every three months for the last year, this could become your problem and you need to take note of it. If a vendor’s credit score drops, you need to be aware of it and put processes in place to protect your business from disruption in case this supplier can no longer provide you with the goods or services you rely on.”
To boost resilience, Chadenga suggested that businesses group their third parties in different categories – high, medium and low. “With high category third parties, if they go down, you go down. Medium means if they go down, you'll feel the effects and may have to do a few things differently, but you’ll keep going. And low is for the partners who could disappear entirely, and you’d hardly notice.”
When it comes to your high priority vendors, you need to have a backup plan in place or an in-house capability that you can rely on should this vendor go offline. And you need a backup plan for your backup plan, he joked.
When it comes to third parties, they’re your partners but they’re not actually part of your business, he said. You can’t walk into their house and tell them to cook chicken for dinner if they want beef. But you can, and should, keep a close eye on what’s happening in the kitchen.