{"id":17934,"date":"2022-05-16T17:40:00","date_gmt":"2022-05-16T16:40:00","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=17934"},"modified":"2022-06-20T16:55:23","modified_gmt":"2022-06-20T15:55:23","slug":"cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/","title":{"rendered":"Cyber Supply Chain Risk Management Best Practices : Operationalizing Your proactive C-SCRM Defenses"},"content":{"rendered":"\n<h1><strong>Introduction<\/strong><\/h1>\n<p>Cyber Supply Chain attacks are a growing trend amongst cybercriminals where one attack can leave countless organizations vulnerable and potentially damaged.\u00a0 You\u2019ve seen the headlines following a number of high-profile incidents in recent months.\u00a0 The European Union Agency for Cybersecurity (ENISA) warns that these types of attacks are now growing 400% year-over-year as cybercriminals are shifting to larger, cross-border targets.<\/p>\n<p>Attackers\u2019 main motivations remain to gain access to source code and customer data, and now they can do so across multiple target organizations by first compromising vendor software being deployed to those companies and government agencies.\u00a0 This is an ingenious (and nefarious!) approach on a few fronts:<\/p>\n<ol>\n<li>This type of attack can generally get around any target company\u2019s strong cybersecurity posture, particularly related to its perimeter security; the attack is brought into the target environment via a trusted vendor\u2019s product.<\/li>\n<li>Such an unsuspected attack vector (a form of \u201cfriendly fire\u201d) means that the attacker\u2019s \u201cdwell time\u201d within the target can be quite long before discovered (or revealed in the form of ransomware!). 
Quite a lot of damage can be done during this time.<\/li>\n<li>The sheer breadth in number of targets that can be addressed via a single attack is immense; the economies for a cybercriminal vastly multiply their criminal profitability.<\/li>\n<\/ol>\n<p>About 50% of these attacks can be attributed to known advanced persistent threat (APT) organizations (e.g., the Russian state-sponsored threat group APT29, a.k.a. \u201cCozy Bear\u201d, responsible for the 2020 SolarWinds attack).\u00a0 These APT groups have access to many resources and much funding, enabling their creativity for damage and for not getting caught. \u00a0Hence, these attacks are growing rapidly and becoming more complex with such backing; and this trend will continue, enlarging the gap between such risks and an organization\u2019s ability to detect and remediate them in a timely fashion.<\/p>\n<p>Some of the most notable recent cyber supply chain attacks include:<\/p>\n<ul>\n<li>SolarWinds \u2013 Where attackers in 2020 exploited known vulnerabilities in its IT software Orion (used to manage servers in many organizations, including large businesses, several arms of the U.S. 
government, threat response firm FireEye, and Microsoft).<\/li>\n<li>Kaseya \u2013 More recently in 2021, the notorious REvil ransomware gang (another APT organization) exploited known vulnerabilities in IT management platform Kaseya VSA, which ultimately compromised an estimated 1,000 organizations that use the platform.<\/li>\n<\/ul>\n<blockquote>\n<p><strong><em>C-SCRM Survival Tip #1<\/em><em>: <\/em><\/strong><em>In terms of your organization\u2019s vendors for software or hardware, etc., it turns out that their risk model is now your risk model!\u00a0 Frankly, it always has been, and attackers have evolved to take advantage of this existing threat vector.<\/em><\/p>\n<\/blockquote>\n<p>\u00a0<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-17921 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/KEITHImage1.png\" alt=\"\" width=\"780\" height=\"439\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/KEITHImage1.png 780w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/KEITHImage1-339x191.png 339w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/KEITHImage1-69x39.png 69w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/KEITHImage1-768x432.png 768w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><\/p>\n<p><strong><em>Graphic #1: Unavoidably Intertwined Operational Models in Managing Cyber Supply Chain Risk <\/em><\/strong><\/p>\n<p>\u00a0<\/p>\n<p>Hence, the complete Cyber Supply Chain lifecycle for all your business applications and IT tools must be considered within your Cybersecurity strategy and practices.\u00a0 This means that before you choose a vendor, you should assess their security posture and security &amp; incident management processes BEFORE you allow them to contribute software, tools, or equipment to your otherwise secure enterprise.<\/p>\n<p>More so, beyond an initial 
assessment and acceptance of a vendor\u2019s software, etc., the acceptability of a vendor\u2019s continual access to your environments via releases and patches of their products needs to be continually monitored and assessed.<\/p>\n<blockquote>\n<p><strong><em>C-SCRM Survival Tip #2<\/em><\/strong><em><strong>:<\/strong> Shift Security Left. The only way to fully secure your enterprise continually is to ensure the sanctity of anything that comes into it.\u00a0 That includes all vendor products that would integrate into your IT environments, etc., and the vendor\u2019s lifecycle for development and deployment of their products.\u00a0 You can only be as secure as they are!<\/em><\/p>\n<\/blockquote>\n<p><strong>C-Supply Chain Risk Management \u2013 Definition and Scope<\/strong><\/p>\n<p>Attacks on Cyber Supply Chains continue to take advantage of ongoing disconnects in an organization\u2019s understanding of the related supply chain risks and how to deal with them:<\/p>\n<ul>\n<li>Most organizations have a false sense of security (\u201cblind spots\u201d) based on assumptions that their vendors are already secure, and their products can be trusted in the organization\u2019s environment. They believe their recognizable \u201cbrand name\u201d vendors are at least as diligent and proactive about cybersecurity as their organization.<\/li>\n<li>Many organizations also lack continual robust monitoring and reporting, particularly around their vendors\u2019 software product interactions within their environments; they\u2019re simply not looking here with sufficient focus based on current events.<\/li>\n<li>82% of organizations believe their executive teams and boards are confident in their approach to measuring and managing Supply Chain Risk.\n<ul>\n<li>Yet only 44% regularly report on their supply chain risks and related industry events to senior leadership. 
This is clearly a blind spot for leadership.<\/li>\n<\/ul>\n<\/li>\n<li>Looking at financial services firms, for example, 79% say they would decline a business relationship due to a vendor\u2019s cybersecurity performance.\n<ul>\n<li>But they lack the data to make such decisions.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-17923 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/KeithImage2.png\" alt=\"\" width=\"780\" height=\"428\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/KeithImage2.png 780w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/KeithImage2-348x191.png 348w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/KeithImage2-71x39.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/KeithImage2-768x421.png 768w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><\/p>\n<p><strong><em>Graphic #2: Today\u2019s Growing C-SCRM Threat Definition and Scope \u00a0<\/em><\/strong><\/p>\n<p>\u00a0<\/p>\n<p>This false sense of security that most organizations have about their vendors\u2019 software, etc. is based upon an (unverified) trust in a vendor\u2019s own security diligence.\u00a0 But we cannot assume this anymore, and perhaps never should have.\u00a0<\/p>\n<p>This is one big reason driving a growing need for:<\/p>\n<ol>\n<li>More continual and robust assessment of software (and hardware, firmware, etc.) 
providers\u2019 cybersecurity performance.<\/li>\n<li>Improved monitoring and reporting from both: a) upstream software vendors\u2019 environments; as well as b) the downstream software buyers\u2019 environments.<\/li>\n<\/ol>\n<p>These may seem to be separate issues at first, but they ultimately compound to corrupt downstream customer environments prolifically.\u00a0 Hence, we must \u201cShift Left\u201d and go upstream into the vendor\u2019s cybersecurity practices in order to manage our own Supply Chain risks.<\/p>\n<blockquote>\n<p><strong><em>C-SCRM Survival Tip #3<\/em><\/strong><em><strong>:<\/strong>\u00a0 Both initial and continual assessments of a vendor\u2019s cybersecurity practices and incidents should be analyzed to ensure the security of an organization\u2019s global supply chain before the vendor\u2019s products or services touch their enterprise, and then continually throughout the relationship (and related product updates, patches, etc.).<\/em><\/p>\n<\/blockquote>\n<p>Another growing need is for the establishment of cybersecurity consortiums of industries and organizations (\u201cIT ecosystems\u201d) to share vendor and product risk data, and to quickly and continually inform partner organizations of new risks and mitigations to ensure fewer downstream surprises.\u00a0 Whether performed per organization or through consortium information sharing, there is (for the first time) a recognized need for continual assessments of many vendors\u2019 cybersecurity practices before and throughout an organization\u2019s relationship with these providers of solutions within their enterprise.\u00a0 This is an emerging best practice for maintaining your environments\u2019 security. 
\u00a0<\/p>\n<p>Because these types of attacks have proven very successful (and profitable) to cybercriminals over the past few years, organizations should expect more and larger cyber supply chain attacks in 2022 and beyond.\u00a0 Hence, the cost of the supply chain status quo is going up and this trend cannot be allowed to persist.\u00a0 This is causing organizations to embrace stronger operational resilience strategies and emerging approaches like never before.<\/p>\n<p>Note that it is not only financial damage that companies must avoid (or remediate!) in the case of these attacks that often end in data exfiltration and\/or ransomware.\u00a0 83% of compromised organizations have also experienced reputational damage to their brand and public perception of their company. \u00a0This \u201cups the ante\u201d for proactive avoidance of such attacks and means more work to do if you are attacked.<\/p>\n<blockquote>\n<p><strong><em>C-SCRM Survival Tip #4<\/em><\/strong><em><strong>:<\/strong> Supply Chain attacks do more than financial harm to a company; in many cases these may also cause long-term reputational damage!\u00a0 Hence, both reducing such attacks and robustly handling them are vital to an organization\u2019s survival.<\/em><\/p>\n<\/blockquote>\n<p>In response to the increasing waves of Cyber Supply Chain attacks, it is no surprise that a global approach to securing their supply chains as well as increasing their operational resilience will be the top priorities for 50% of organizations by 2023.\u00a0 This is survival of the cyber-fittest.<\/p>\n<p>To accomplish this, 88% of companies state that visibility into their global supply chain is more important now than it was 2 years ago. 
\u00a0But unfortunately, 74% of organizations are still using inefficient and less adaptable manual methods to ascertain and manage their supply chain risks.\u00a0 Such approaches cannot persist while such risks are increasing at an exponential rate.<\/p>\n<p>For an example of where improved C-SCRM approaches and processes are heading, consider the emerging security ratings services that customer organizations can utilize to initially (and continually) assess the cybersecurity practices and incident management of their vendors.\u00a0 This is another emerging best practice, yet only 22% of organizations are using these resources to continually monitor their vendors\u2019 cybersecurity performance.\u00a0 Expect this utilization to grow and for such services to become more robust with available security tracking data for vendors.<\/p>\n<p><strong>C-SCRM \u2013 Current Challenges and Opportunities<\/strong><\/p>\n<p>The vast number of Cyber Supply Chain attacks are being enabled by many challenges affecting organizations that utilize vendor software. \u00a0Yes, you are right; this means almost all organizations.\u00a0 Try imagining an organization that does not use vendor software; then pause to think about the many(!) types of vendor software your organization relies on.<\/p>\n<blockquote>\n<p><strong><em>C-SCRM Survival Tip #5<\/em><\/strong><em><strong>:<\/strong> Everyone has a cyber supply chain that can be corrupted!\u00a0 There are very few exceptions.\u00a0 In short, every organization has a cyber supply chain whether they know it or not, complete with risks that can be exploited, and threats brought into their environment unexpectedly \u2026 EVEN IF the organization is highly secure in its perimeter defenses. Hence, cyber supply chain risks must be proactively managed by your organization.<\/em><\/p>\n<\/blockquote>\n<p>It\u2019s quite clear what the breadth of target organizations can be for cybercriminals when they devise such supply chain attacks.\u00a0 They only need to breach a small number of the right vendors to indirectly gain access to their preferred (many!) target organizations amongst a vendor\u2019s customer list.\u00a0<\/p>\n<p>Some of the current challenges that organizations face in trying to regularly assess their vendor and supply chain cyber risks include:<\/p>\n<ol>\n<li>Lack of data that is readily available related to such risks, including its timeliness, accuracy, and actionability. Organizations have had to develop their own data for such analysis and decision-making to select or continue with a particular vendor or product.\n<ol>\n<li>This can be (too) time-consuming and resource-intensive for organizations.<\/li>\n<li>Such data, when possible, is intended to help organizations to identify as early as possible any potential risk exposure when using a particular vendor\u2019s product.<\/li>\n<\/ol>\n<\/li>\n<li>Even when such data is sufficiently available (rarely), most customer organizations have had little sway to force vendors to remediate their internal and supply chain processes to a point that they can regularly be confident in consuming their products as cyber-safe.<\/li>\n<li>Such data would need to be refreshed frequently to be effective; but even where there are useful data points, these are generally not monitored continuously as would be needed based on today\u2019s changing and escalating threats.<\/li>\n<li>All this lack of actionable data from the above challenges means that the speed of any assessment is simply too long a cycle.\n<ol>\n<li>Especially true for continual monitoring where the threat is potentially already in your enterprise (vs. 
an initial assessment before bringing in a product).<\/li>\n<li>But the only way an organization could previously speed up such assessments was to invest more of its resources into such focused efforts; but it generally didn\u2019t have the capacity to do so.<\/li>\n<\/ol>\n<\/li>\n<li>Lastly, how an organization would address its 3<sup>rd<\/sup> Party risk management is strongly determined by its structure, and defined roles and responsibilities for managing this. Most organizations have not made it clear who (what person or team) would own the responsibility for Cyber Supply Chain Risk Management.\u00a0 This will have to change before many of the challenges above can be addressed considerably.\u00a0 \u00a0\u00a0<\/li>\n<\/ol>\n<p>\u00a0<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-17925 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage3.png\" alt=\"\" width=\"780\" height=\"446\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage3.png 780w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage3-334x191.png 334w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage3-68x39.png 68w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage3-120x70.png 120w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage3-768x439.png 768w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><\/p>\n<p><strong><em>Graphic #3: Current C-SCRM Challenges and Potential Solutions <\/em><\/strong><\/p>\n<p>\u00a0<\/p>\n<p>There are emerging opportunities and options in addressing the challenges listed above and related ongoing Supply Chain concerns. 
For example:<\/p>\n<ul>\n<li>New technologies are becoming available to organizations that wish to be more proactive and quickly adaptive to their supply chain risks.\n<ul>\n<li>3<sup>rd<\/sup> Party Security Ratings \u2013 Services are becoming available where an organization can purchase one-time or recurring ratings for a particular vendor or set of products it wants to purchase (or already has).<\/li>\n<li>Advanced Monitoring and Detection Tools and Services \u2013 Continued advancement and maturity of monitoring, detection, and action-oriented tools and services is enabling earlier detection and appropriate actions than ever before.<\/li>\n<li>AI and its behavior analysis capabilities \u2013 This is one important advancement amongst monitoring and detection tool improvements; but this technology is also becoming engrained within many other aspects of cybersecurity\n<ul>\n<li>Wherever unusual patterns can be recognized by AI and enacted on appropriately far more quickly than a human could.<\/li>\n<li>Expect AI to become a primary underpinning to many cybersecurity automation tools, not just C-SCRM.<\/li>\n<\/ul>\n<\/li>\n<li>For supply chains, Blockchain is an emerging technology that will enable better security management in terms of a product manifest\u2019s chain of custody and that it has not been tampered with during the supply chain deployment.\n<ul>\n<li>Note, however, that this doesn\u2019t solve the issue of a vendor\u2019s software development process being breached to inject a threat for downstream users; this risk would need to be assessed as part of the vendor\u2019s security practices (see the 3<sup>rd<\/sup> Party Security Ratings services above).<\/li>\n<\/ul>\n<\/li>\n<li>Perhaps most importantly, new organizational roles (and responsibilities) are being created to enable greater focus and proactivity in assessing and managing supply chain and other 3<sup>rd<\/sup> Party risks. 
This is long overdue, and a promising development in appropriately applying all the risk mitigation options listed above as needed for a particular organization\u2019s target security posture.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>If Every Organization has a Cyber Supply Chain that Can Be Corrupted to Create Extensive Damage <\/strong><strong>\u2192<\/strong><strong> What are you going to do about it? <\/strong><\/p>\n<p>Every organization has a supply chain with risks that can absolutely be exploited; there are no meaningful exceptions to this rule.\u00a0 Hence, there is no room for a false sense of security, and no excuse to not address this immediately (and ongoing).\u00a0 After all, you do not want to be the next cautionary tale about an organization in industry news!<\/p>\n<p>To get started with your organization\u2019s C-SCRM strategy, first consider these Success Factors in developing your overall approach.\u00a0 Remember these factors as the \u201cB-O-O-M\u201d strategy to pursue when ensuring C-SCRM success:<\/p>\n<ol>\n<li><u>B<\/u>oth internal and external supply chain processes and security checks require focus.\n<ol>\n<li>There are clearly a number of processes and capabilities that an organization has direct influence on immediately; start there, but do not end there.<\/li>\n<li>Be sure to also include external forces, such as suppliers, where the organization has only indirect influence; but where failure to implement such influence creates greater risk.<\/li>\n<li>Manage all threat vectors associated with your cyber supply chain risks; hence manage your supply chain vendors as well as your own organization.<\/li>\n<\/ol>\n<\/li>\n<li><u>O<\/u>ptimize Your Organization and related processes to stay aware of current cyber events, industry trends, issues, and best practices.\n<ol>\n<li>Ensure sufficient focus by your organization on these items, including assigned roles and responsibilities for coverage.<\/li>\n<li>Partner with 
industry organizations and vendor partner organizations to stay informed and influential for managing supply chain risks.<\/li>\n<\/ol>\n<\/li>\n<li><u>O<\/u>ptimize Your Data for cyber supply chain and vendor risks, and extensively analyze these to be data-driven in your C-SCRM capabilities prioritization as well as your vendor selections and ongoing risk management.<\/li>\n<li><u>M<\/u>ature your organization, data, and tailored best practices to keep pace with (or preferably ahead of!) the continually growing and evolving cyber supply chain threats you must manage. This is far from a static set of threat vectors in this cybersecurity space and may just be in its infancy in terms of the future number of threats and types of complexity to be managed! \u00a0<\/li>\n<\/ol>\n<p>\u00a0<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-17927 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage4.png\" alt=\"\" width=\"780\" height=\"437\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage4.png 780w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage4-341x191.png 341w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage4-71x39.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/keithImage4-768x430.png 768w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><\/p>\n<p><strong><em>Graphic 4: Success Factors for Managing Cyber Supply Chain Risk<\/em><\/strong><\/p>\n<p>\u00a0<\/p>\n<blockquote>\n<p><strong><em>C-SCRM Survival Tip #6<\/em><\/strong><em><strong>:<\/strong> Drop the \u201cBOOM\u201d to be successful in your C-SCRM strategy and approach:\u00a0 Both internal and external forces need to be managed; Optimize your organization for C-SCRM coverage; Optimize your C-SCRM data for analysis, selection, and monitoring risks; and Mature the above as 
organization-specific best practices to stay ahead of the curve!<\/em><\/p>\n<\/blockquote>\n<p><strong>Defining &amp; Implementing C-SCRM Best Practices for Your Organization<\/strong><\/p>\n<p>The previously listed success factors for C-SCRM lead directly to the following best practices and capabilities for an organization to implement (shown here in a step-wise approach):\u00a0<\/p>\n<ol>\n<li><strong>Identify \/ Inventory all your types of vendor suppliers and service providers.<\/strong><\/li>\n<li><strong>Define risk tolerance criteria for each type of relevant vendor and service for critical business processes.<\/strong>\n<ul>\n<li>Including important vendor dependencies, their critical software dependencies and single points of failure, etc.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Assess each supply chain risk (e.g., a vendor or product) according to their specific business continuity impact assessment and requirements.<\/strong><\/li>\n<li><strong>Define initiatives and best practice procedures based on industry best practices tailored for your organization and assessed risks.<\/strong><\/li>\n<li><strong>Establish your organizational teams and roles for ownership and maturing these critical C-SCRM responsibilities, including \u2013<\/strong>\n<ul>\n<li><em>C-SCRM Leadership and Communications<\/em> \u2013 Report to Executive Team &amp; Board regularly about risks and threats to the organization and identified in the industry (that may become threats which can be proactively avoided).<\/li>\n<li><em>Risk Identification and Monitoring<\/em> \u2013 Continually assess prospective and current vendors via software and service types with their risk profiles and requirements.<\/li>\n<li><em>Cyber Supply Chain Requirements<\/em> \u2013 Actively manage each vendor\u2019s adherence to the organization\u2019s C-SCRM established requirements; and hence, their incorporation into vendor contracts.<\/li>\n<li><em>Cybersecurity 
Knowledgebase \/ Data Repository<\/em> \u2013 This resource should be maintained to be more broadly used than just for C-SCRM scenarios; but this is where business line managers as well as technical integrators can access requirements lists, contractual provisions, and ratings data associated with vendors and their products.<\/li>\n<li><em>Supply Chain Risk Liaison to the rest of the organization<\/em> \u2013 In the case of insufficient data available for a vendor-related cybersecurity decision, or the needed investigation into a new vendor, product, or incident.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Continually monitor supply chain risks and threats, based on internal and external sources of data.<\/strong>\n<ul>\n<li>Including findings from suppliers\u2019 performance monitoring and reviews.<\/li>\n<li>Maintain historical and trend data as long as relevant.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Make vendors aware of perceived or discovered risks or weaknesses associated with their products and processes.<\/strong>\n<ul>\n<li>E.g., managing such vendors throughout their entire product lifecycle, including procedures to manage releases, patches, and end-of-life considerations.<\/li>\n<li>In some cases, you can help them improve their cybersecurity capabilities to advance your own security posture.<\/li>\n<li>But if they fail to adhere to your supply chain security requirements or attempt to remediate based on findings you share, all bets are off. 
\u00a0<\/li>\n<\/ul>\n<\/li>\n<li><strong>Continually use and enhance data to optimize your C-SCRM strategy and approach.<\/strong>\n<ul>\n<li>Strive for C-SCRM process and data maturity in both selecting vendors as well as strengthening these relationships (and your trust in them) over time.<\/li>\n<li>Also use data to build an appropriate operational resilience strategy that will take over in the case of a vendor\u2019s failure \u2013 via an attack needing remediation and\/or the subsequent removal of such an unacceptable vendor or product.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Grow your C-SCRM Optimization maturity. <\/strong><\/li>\n<\/ol>\n<ul>\n<li>This will never be a static set of vulnerabilities or threat vectors; stay diligent at continual improvement and maturity in your organization\u2019s capabilities to actively avoid supply chain risk and to remediate it quickly if encountered.<\/li>\n<\/ul>\n<p>The listing above of C-SCRM best practices was laid out in a suggested chronological order (do this first, second, and so on).\u00a0 However, for further elaboration on implementing your best practices, the list below in Graphic #5 shows these same best practices in relation to achieving organizational C-SCRM strategic objectives.<\/p>\n<p>\u00a0<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-17929 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/image-5-keith.png\" alt=\"\" width=\"780\" height=\"420\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/image-5-keith.png 780w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/image-5-keith-355x191.png 355w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/image-5-keith-71x39.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/image-5-keith-768x414.png 768w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><\/p>\n<p><strong><em>Graphic 
5: C-SCRM Best Practices to Implement Now and Ongoing<\/em><\/strong><\/p>\n<p>\u00a0<\/p>\n<blockquote>\n<p><em><strong>C-SCRM Survival Tip #7<\/strong>: Implement your C-SCRM Best Practices in the order that makes most sense for your organization\u2019s transformation into C-SCRM maturity; but ensure these accomplish the strategic objectives above as you mature.<\/em><\/p>\n<\/blockquote>\n<h1><strong>Conclusion &amp; Next Steps<\/strong><\/h1>\n<p><em>So, to what extent do you need a C-SCRM strategy?<\/em> \u00a0By now you should understand the value for any organization to have such a strategy and accompanying best practices.\u00a0 But the extent to which SCRM should be aligned with and support your business and IT strategies will depend on your business model, vendor profile, cybersecurity capabilities, and risk tolerance.<\/p>\n<p><em>How important are your vendors\u2019 products (e.g., software, tools, hardware, or firmware) to your critical business operations?\u00a0 Or to your potential growth?\u00a0 How fragile are your business operations if a vendor in your supply chain were no longer a secure option? \u00a0\u00a0What is your feasible risk tolerance for such external disruptions to operations? 
\u00a0<\/em>Think about these questions regarding your supply chain, vendor and product choices, and ongoing operational resilience requirements to determine how to develop your specific C-SCRM strategy for current and future needs.<\/p>\n<p>Once you\u2019ve determined the next steps that are appropriate for your organization, here are a few ways that Wavestone can assist you when you\u2019re ready to build out your Cyber Supply Chain Risk Management optimization approach to enhance, baseline, or continually improve your C-SCRM capabilities:<\/p>\n<ol>\n<li>Develop a customized C-SCRM strategy for your organization.<\/li>\n<li>Establish a Cyber Supply Chain Center of Excellence (CSC-CoE) with robust C-SCRM capabilities for vendor-related decision-making as well as ongoing monitoring and reporting at all organizational levels.<\/li>\n<li>Execute a C-SCRM (Vendor &amp; Product) Capabilities Maturity &amp; Risk Management Assessment to identify any vulnerabilities, risks, or threats; as well as to enable targeted decision-making about selected vendors or products of interest.<\/li>\n<\/ol>\n<p><span style=\"color: #800080;\"><strong>Feel free to reach out to us if you\u2019d like to discuss your Cybersecurity journey and capabilities, and how to get started towards supply chain risk management success.<\/strong><\/span><\/p>\n<p><em><strong>About Wavestone US<\/strong><\/em><\/p>\n<p><em>Wavestone US is the North American arm of global management and IT consulting firm Wavestone. We have supported the transformations of more than 200 Fortune 1000 companies across a wide range of industries, leveraging a strong peer-to-peer culture, offering a practitioner\u2019s perspective on IT strategy, cost optimization, operational improvements, cybersecurity, and business management. It is our mission to help business and IT leaders successfully deliver their most critical transformations and achieve positive outcomes. 
We drive change for growth, lower cost, and risk, and create the trust that gives people the desire to act.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Cyber Supply Chain attacks are a growing trend amongst cybercriminals where one attack can leave countless organizations vulnerable and potentially damaged.\u00a0 You\u2019ve seen the headlines following a number of high-profile incidents in recent months.\u00a0 The European Union Agency for&#8230;<\/p>\n","protected":false},"author":1411,"featured_media":17933,"comment_status":"open","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3270,3974],"tags":[4070,4068,4069],"coauthors":[4065],"class_list":["post-17934","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyberrisk-management-strategy-en","category-how-to-en","tag-bestpractices","tag-cybersupplychain-2","tag-supplychain"],"acf":[],
"yoast_head_json":{"title":"Cyber Supply Chain Risk Management Best Practices : Operationalizing Your proactive C-SCRM Defenses - RiskInsight","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/","og_locale":"en_US","og_type":"article","og_title":"Cyber Supply Chain Risk Management Best Practices : Operationalizing Your proactive C-SCRM Defenses - RiskInsight","og_description":"Introduction Cyber Supply Chain attacks are a growing trend amongst cybercriminals where one attack can leave countless organizations vulnerable and potentially damaged.\u00a0 You\u2019ve seen the headlines following a number of high-profile incidents in recent months.\u00a0 The European Union Agency for...","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/","og_site_name":"RiskInsight","article_published_time":"2022-05-16T16:40:00+00:00","article_modified_time":"2022-06-20T15:55:23+00:00","og_image":[{"width":1040,"height":720,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/cybersupptychain.jpg","type":"image\/jpeg"}],"author":"Keith R. Worfolk","twitter_misc":{"Written by":"Keith R. Worfolk","Est. 
reading time":"20 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/"},"author":{"name":"Constance Francois","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8f34ed4a34586eb58d8e05e7688fde5e"},"headline":"Cyber Supply Chain Risk Management Best Practices : Operationalizing Your proactive C-SCRM Defenses","datePublished":"2022-05-16T16:40:00+00:00","dateModified":"2022-06-20T15:55:23+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/"},"wordCount":3639,"commentCount":0,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/cybersupptychain.jpg","keywords":["BestPractices","CyberSupplyChain","SupplyChain"],"articleSection":["Cyberrisk Management &amp; Strategy","How 
to"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/","name":"Cyber Supply Chain Risk Management Best Practices : Operationalizing Your proactive C-SCRM Defenses - RiskInsight","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/cybersupptychain.jpg","datePublished":"2022-05-16T16:40:00+00:00","dateModified":"2022-06-20T15:55:23+00:00","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive
-c-scrm-defenses\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/cybersupptychain.jpg","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/05\/cybersupptychain.jpg","width":1040,"height":720},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/05\/cyber-supply-chain-risk-management-best-practices-operationalizing-your-proactive-c-scrm-defenses\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Cyber Supply Chain Risk Management Best Practices : Operationalizing Your proactive C-SCRM Defenses"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavest
one.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8f34ed4a34586eb58d8e05e7688fde5e","name":"Constance Francois","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/constance-francois\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/17934","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1411"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=17934"}],"version-history":[{"count":5,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/17934\/revisions"}],"predecessor-version":[{"id":18063,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/17934\/revisions\/18063"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/17933"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=17934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=17934"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=17934"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=17934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}