The race to transform digitally continues to be a high priority for enterprises, large and small. Becoming a digital-first organization implies a data-centric approach in which data is shared on a near-constant basis throughout a complex and connected ecosystem of partners and suppliers. This data fluidity between third, fourth and fifth parties creates numerous opportunities for cyberattackers to compromise systems and data. How can CISOs help secure their own organizations, while encouraging their broader ecosystem to be cyber secure?

Ecosystem security: The current state of solutions and obstacles

Most organizations are no longer the single, monolithic entities many customers have long believed them to be. They’re deeply operationally dependent on a robust supply chain, as well as a myriad of traditional and non-traditional partners that often have direct access to business systems and data. Although regulatory standards and mutually agreed-upon security frameworks can help minimize the impact of third-party cyber threats, there are situations where the participants in these complex ecosystem structures — cloud providers, SaaS companies, Internet of Things (IoT) device manufacturers, etc. — may not have clear obligations for establishing adequate controls to protect their partners’ data, leaving the entire network vulnerable to cyberattacks.

From a contract negotiation perspective, there should be proper vetting of all potential vendors’ organizational security policies, as well as the security built into the products and services to be accessed. Currently, this requires tremendous and perhaps infeasible due diligence by each ecosystem partner. In most cases, point-in-time, periodic assessments are conducted manually by third-party security programs managed internally or outsourced.

Some organizations, particularly in regulated industries, are also making better use of security-ratings companies, whose services supplement point-in-time assessments by providing security risk scores against a set of pre-defined parameters. This helps to determine whether an ecosystem partner’s security is ‘good enough’ by offering detailed qualitative and quantitative analysis.

Unfortunately, this approach is no longer fit for purpose in today’s ever-evolving digital environment. Although this form of trust — or lack-of-trust — framework can provide near-real-time risk visibility, it’s simply too time-consuming and costly for the majority of organizations. As a result, many businesses, third-party vendors, and even regulators are under increased pressure to provide continuous assurance over the security of their ecosystems. This is only going to become more challenging as the complexity of the supplier ecosystem increases, and fourth parties, shadow IT, and a lack of SaaS provider oversight demand more and more attention. CISOs are therefore faced with the difficult task of transitioning away from a compliance-based strategy to a much more proactive approach that puts continuous monitoring, AI/ML-based solutions, threat intelligence, and zero trust at the heart of their ecosystem security model.

With cloud and digital technologies creating hyperconnected, multi-partner ecosystems, there’s new willingness to proactively address the associated risk. Automation will continue to play an important role in activating appropriate corrective measures in these environments across third, fourth and fifth parties.

Atul Gupta, Global Cyber Security Lead for TMT
KPMG International
Partner, KPMG in India

What’s your move?

Regulations relating to cyber security will likely continue to tighten and expand, as exemplified by executive orders from the US White House on supply chain, as well as the European Union’s continuously evolving Network and Information Security (NIS) Directive, which has drawn clear lines around how member states, industries and organizations should enhance their inward and outward cyber security policies, especially in a post-pandemic world.

A strong risk management framework that looks both inward and outward is key, especially for high-risk industries such as financial services, energy and healthcare. A future-proof approach should also be applied across key industries around the world, in an effort to help ensure that all ecosystem partners follow a clear path in protecting their own organizations, as well as the broader ecosystems within which they operate.

Another key area of focus should be on automation, including the use of AI/ML across the ecosystem. AI/ML can be applied to security policies to address shadow IT issues and provide better oversight of third-party SaaS products, as well as to implement self-service chatbots and automate many aspects of the organization’s third-party risk management processes.

Continuous controls monitoring (CCM) takes this a step further, moving security assessments away from point-in-time activities that become obsolete quickly. CCM can expedite vendor cycles through the use of machine-readable assessments, which ultimately enhance risk and control oversight. To be effective within the context of a partner ecosystem, CCM requires vendor participation and acceptance of this type of assessment. This model can inspire ecosystem partners to move from a compliance-based approach to a more operational focus that allows for corrective measures in real time with or without human intervention.

Alongside a move toward continuous assurance, regulators and even large organizations may look to adopt a more active approach to building ecosystem security. In an interconnected business world, companies are realizing they have a responsibility to protect their supplier ecosystem, particularly partners that don’t have the same level of resources. This could mean providing a monitoring/threat intelligence service across their supply ecosystem and collaborating with partners to defend against identified threats. While this approach is still in its infancy, regulators and national bodies are increasingly adopting it, and larger, more mature organizations could follow suit.

Many companies are looking at machine-readable assessment formats, which help cyber teams think about third-party risk assessment as part of continuous controls monitoring. The mindset here is no longer compliance-based; it’s now operations-based. Existing third-party risk programs in virtually every industry aren’t prepared for this transition.

Jonathan Dambrot, Global Third Party Security Leader
KPMG International
Principal, KPMG in the US

Some key actions to consider for 2022

  1. Keep a close eye on regulatory requirements as they continue to evolve and focus on supply-chain security.
  2. Consider continuous controls monitoring as a way of moving ecosystems from compliance to a more operationally based view of security.
  3. Explore opportunities to automate and leverage AI/ML in supply-chain security approaches to enhance security and enable skilled security workers to focus on more strategic activities.
  4. Don’t overlook the operational technology (OT) supply chain; as IT and OT systems continue to converge, attackers will likely seek to exploit OT systems in an effort to compromise business data.
  5. Larger, more resourceful organizations should seek to take a capacity-building approach by applying security measures to protect their broader ecosystem, in addition to their own environment.