Modernizing the NIST Cybersecurity Framework
Written by Kelly Wasileski
Supply Wisdom’s Three Recommendations for a Stronger NIST CSF
At Supply Wisdom, we keep a close eye on the risks businesses face daily. Based on that knowledge, we have three recommendations for how NIST can modernize the CSF for 2022.
Make the supply chain a key part of the updated framework.
Risk professionals have been paying attention to the vulnerabilities of the supply chain for years, but the impacts of the COVID-19 pandemic have forced supply chain concerns into the mainstream. Chances are that your teenage cousin and great aunt alike are talking about “supply chain issues” these days. But while they’re mostly concerned about the consumer end of the supply chain—which products make it to their local stores or front porch—organizations are aware of every step.
The existing version of the CSF addresses cyber risk management for third-party relationships. That’s one component of creating a strong supply chain—and an important one, for sure. But it’s only one part of the larger picture.
Don’t stop at addressing the cyber risks of the supply chain—go broader.
The CSF’s focus is on cybersecurity risks—it’s right there in the name. But modern risk management requires a broader approach. Cybersecurity risks should be treated as part of a full-spectrum approach to risk. To truly minimize and prepare for supply chain risks, organizations need to account for an array of considerations, including:
- Financial health – Do your third parties have a good credit profile and a secure enough financial situation to fulfill your contract and deal with adversity?
- ESG (Environmental, Social, and Corporate Governance) – Do your third parties have responsible policies and practices in terms of environmental impact? Are they addressing sustainability? What about their diversity and inclusion practices? As more ESG mandates unfold, there will be greater emphasis on due diligence and disclosure.
- Operational issues – Are your third parties experiencing significant employee attrition? Do they face staffing concerns, trouble hiring, and a negative reputation with former employees? What about their resilience posture?
- Geography – Where are your third parties based? Are local laws, weather trends, or political realities likely to impact business in that location? The Russia-Ukraine conflict has highlighted the importance of understanding location-based risk and the cascading effects.
- Compliance – Are your third parties in compliance with laws and regulations relevant to their industry and location? This is a rapidly changing dynamic.
- Nth Parties – Do you have visibility into the vendors and suppliers of your third parties? Identification of your Nth parties helps to better quantify risk and mitigate potential disruptions.
These issues can be as disruptive to a business as a cybersecurity event and can often be an early indicator of challenges at a third party. A comprehensive risk framework should address them all.
Recommend organizations incorporate real-time monitoring into their supply chain risk management processes.
Information that impacts the supply chain will change fast. When Russia invaded Ukraine earlier this year, people around the world watched with shock. But beyond their concern for the many people hurt by the war, organizations worldwide also had to consider how the war would affect various supply chains. As one example, Russia and Ukraine combined export over a quarter of the world’s wheat production, meaning the war has made a notable and sudden impact on the world’s food supply. For the many businesses that produce wheat products, the sooner they learn about a shift in its global production, the faster they can adapt their strategy to account for it.
The world doesn’t stand still, and organizations need the agility to recognize and address changes and potential disruptions as they happen. That’s the power of real-time monitoring.
How Organizations Can Reduce Supply Chain Risks
The CSF has been a useful guideline for organizations across industries for years. Regardless of whether NIST takes our recommendations in creating its updated version, organizations should consider supply chain risks beyond cyber. Staying on guard against cyber-attacks should absolutely remain a priority. But in addition, take steps to look at the bigger picture of how your supply chain works and the kinds of issues that could cause disruptions in each link in the chain.
Make a point of fully understanding who you work with. Determine which of your vendors are the most critical so that you can keep a close eye on them. And set up continuous monitoring for all crucial third parties, so you get an early warning when an issue arises and can proactively work to minimize problems. Organizations are learning, often the hard way, about the real financial stakes of not being prepared. Reacting to something you didn’t expect is far more costly and disruptive than handling a problem you predicted was a possibility. There are many risks your organization can’t prevent entirely, but you can make sure you’re better prepared for them.