A Proactive Approach to Cybersecurity
Locking down your cyber-assurance program
Dane Warren
Published: Monday, October 23, 2017 - 12:02
Sponsored Content

Dane Warren is Global Head of IT Security (CISO) at Intertek. He was previously Director of IT Security at Zurich Insurance Company, responsible for business information security across several APAC, European and Middle Eastern countries; earlier roles include Head of Information Risk and Security at Virgin Mobile (Australia) and CSO, Financial Services (APAC), at EDS. He has more than 15 years of experience in IT security, holds a Master in Business IT Management from the University of Technology Sydney along with several security certifications and accreditations, and was recognised in 2017 as one of the top 100 global CISOs, a list compiled from nominations opened at the beginning of 2017 and curated by an expert judging panel.

As businesses become increasingly dependent on an effective supplier network, more data must be shared with those suppliers to support business goals and deliver business value. This gives rise to the need for a more robust, next-generation approach to supplier assurance and oversight, especially in cybersecurity. A robust cyber-assurance program can give you confidence that your business is adequately supported and that your cybersecurity risks have been identified.

The cost of security failure

In late 2013 the retail giant Target fell victim to a cyber attack that has cost it more than $150 million. The attackers entered through network credentials stolen from Target's heating and air-conditioning contractor, and from that foothold compromised the Target network. In 2017 we are seeing hacking groups evolve and adapt to improving security within large organizations by favouring their suppliers, which may not have the same level of cybersecurity sophistication. Although leading studies have seen average breach costs decrease over the last year, businesses are still facing an average breach cost of more than $7 million, and if a third party is involved in the breach the cost can increase by up to 11 percent.

Inside a cyber-assurance program

Whether you are starting from scratch or already have a cybersecurity program in place, knowing its scope and testing its effectiveness is key to understanding your current risks. A program for assessing your current cyber risks will also help to mitigate future ones.

Five cybersecurity assessment exercises

The following five risk assessment exercises provide the clarity needed to understand cyber risks to business value and outcomes:

1. Internet hunting assessment: see what a hacker sees from outside.
2. Internal compromise assessment: determine whether an attacker is already inside because of control gaps in previous years.
3. Internal application risk assessment: understand the business-driving applications and their associated risks.
4. Supplier-assurance program: investigate business risks within your supplier base.
5. Internal controls assessment: see where your strategic gaps are, and use that information to invest in controls that cover more risk per dollar spent.

Combining the five exercises lets you invest in risk reduction intelligently. The outcome is clarity about your company's cyber risks, which leads to investments in the cybersecurity program that are effective and drive accountability: taking care of the right risks at the right time. Applying the same assurance activities to your supplier network gives you a single view of where your risks lie across your entire technology estate, and once that supplier view is clear you can approach suppliers strategically, in proportion to your business risk appetite.

Assurance in isolation is only part of the journey; the findings need to land somewhere so that remediation activities can be planned. The most logical landing place is a risk-governance committee, forum or group, whose members can use the data gathered by these assessments to direct strategic funding at the most serious risks.

Each exercise in more detail:
1. Internet hunting assessment

Your first task is to understand your organization's exposure from the internet. Without spending any money on additional tools, download and use what is freely available online, and imitate an attacker's behaviour as closely as you can. If you can find a way into your company's applications from the outside, be assured that an attacker can too. Third-party assistance can be invaluable here, because an external tester does not share your assumptions about what is and is not exposed, and small blind spots can be big liabilities.
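To make the internet hunting assessment concrete, here is an added example that is not code from the article or its author. It parses the grepable output of nmap, a free scanner (`nmap -sV -oG`), and reconciles what was found against a register of what the business has signed off as internet-facing: ports that should never be reachable from the internet, hosts the scan found that the register does not know about (the blind spots), and approved hosts with unapproved open ports. The scan output, the `APPROVED` register and the `NEVER_EXPOSE` baseline are all constructed for illustration and should be replaced with your own scan and your own CMDB data.

```python
"""Added example: triage an external ('internet hunting') scan against an approved-exposure register.

A free scanner shows what is reachable from the internet; the assessment value comes from
reconciling that with what the business actually signed off as public. Ranks findings by severity.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of `nmap -sV -oG -` output using TEST-NET-3 addresses; not a real scan.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 203.0.113.0/28
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (998)
Host: 203.0.113.11 (mail.example.com)\tStatus: Up
Host: 203.0.113.11 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 5432/open/tcp//postgresql//PostgreSQL DB 9.6/\tIgnored State: filtered (998)
# Nmap done: 16 IP addresses (3 hosts up) scanned
"""

# Hypothetical approved-exposure register: IP -> ports the business signed off as internet-facing.
APPROVED = {
    "203.0.113.10": {80, 443},
    "203.0.113.11": {25},
}

# Baseline chosen for this example of ports that should essentially never face the internet.
NEVER_EXPOSE = {
    21: "FTP", 23: "Telnet", 135: "MS-RPC", 139: "NetBIOS", 445: "SMB", 1433: "MSSQL",
    1521: "Oracle DB", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 5900: "VNC",
    6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB",
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    name: str
    version: str


@dataclass(frozen=True)
class Host:
    ip: str
    hostname: str
    services: tuple  # of Service


@dataclass(frozen=True)
class Finding:
    severity: str
    ip: str
    detail: str


HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: Host} from nmap -oG text.

    A port entry has seven slash-separated fields: port/state/proto/owner/service/rpc-info/version/.
    Only open ports are kept; comment lines and 'Status:' lines carry no services.
    """
    hostnames, services = {}, {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        hostnames.setdefault(ip, hostname)
        services.setdefault(ip, [])
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                services[ip].append(Service(int(parts[0]), parts[2], parts[4], parts[6]))
    return {ip: Host(ip, hostnames[ip], tuple(svcs)) for ip, svcs in services.items()}


def triage(hosts, approved):
    """Compare scan results with the register and return findings, most severe first."""
    findings = []
    for ip, host in sorted(hosts.items()):
        label = f"{ip} ({host.hostname or 'no reverse DNS'})"
        approved_ports = approved.get(ip)
        if approved_ports is None:  # the scan sees something the register does not: a blind spot
            findings.append(Finding("high", ip, f"{label}: host not in asset register, "
                                                f"{len(host.services)} open service(s)"))
            approved_ports = set()
        for svc in host.services:
            if svc.port in NEVER_EXPOSE:
                findings.append(Finding("critical", ip, f"{label}: {NEVER_EXPOSE[svc.port]} "
                                                        f"({svc.port}/{svc.proto}) reachable from the internet: {svc.version or svc.name}"))
            elif svc.port not in approved_ports:
                findings.append(Finding("medium", ip, f"{label}: {svc.name} on {svc.port}/{svc.proto} exposed but not approved"))
            elif svc.version:  # approved, but the banner hands an attacker a version to look up
                findings.append(Finding("low", ip, f"{label}: approved {svc.name} on {svc.port}/{svc.proto} discloses '{svc.version}'"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.ip))
    return findings


def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    report = triage(parse_grepable(SAMPLE_SCAN), APPROVED)
    for f in report:
        print(f"[{f.severity.upper():8}] {f.detail}")
    print(severity_counts(report))
```

On a real engagement the input comes from `nmap -sV -oG scan.gnmap <your public ranges>` and the register from your CMDB or cloud inventory; the "high" findings for hosts the register does not know about are usually the most instructive output, because they are exactly the blind spots the paragraph above warns about.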
2. Internal compromise assessment

One effective way to assess whether you are already compromised is to partner with an established cybersecurity vendor: agree the scope of the assessment and, where needed, deploy a small agent on a sample of your organization's endpoints. This is an effective way to determine the level of compromise, if any, that has already occurred. Agree in advance what data the agent collects and where it is sent; the vendor is itself a supplier handling your data and belongs in the supplier-assurance program below.
3. Internal application risk assessment

The aim here is to better understand the business, its income generation, and the applications that support it. Interview your technical and business teams to establish the business impact and the technical likelihood of a security issue or incident occurring within each application. The output of the assessment is then a business-risk view, underpinned by the technical integrity of the supporting hardware and software, which links cyber risk directly to business outcomes.
4. Supplier-assurance program

Nearly 20 percent of businesses are concerned about cybersecurity within their suppliers. With a large number of high-profile breaches attributed to third-party suppliers, every organization should assess at least its most critical suppliers to understand the additional business risk introduced by third parties that store and process its data. If you store your data with 20 different suppliers, your cyber risk can be amplified more than twentyfold: each supplier brings its own environment, controls and weaknesses, and the connections between them add exposure of their own.
5. Internal controls assessment

With the assessments done, controls must be developed, primarily adapted from industry best practice, and the highest-risk applications examined so that your organization understands why those applications are in the state they are.

Next steps

Sign up for the free webinar "Intelligent Assurance Cyber Risk Assessments" to help you identify where your risks and vulnerabilities are and implement a total cybersecurity assurance plan.
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute, Inc.