Friday, April 16, 2021
By Marianne Bailey, Jason Dury and Kate Sylvis
The recent SolarWinds incident served as a wake-up call: Having separate cybersecurity, supply chain, and enterprise risk management (ERM) disciplines and units within an organization is increasingly untenable. Today's reality is that these are all intrinsically linked, interwoven and, as a result, interdependent.
A robust cybersecurity posture requires a foundation built on trusted, validated supply chain systems, with effective ERM capabilities and practices supported by relevant business activities, governance and culture. At a minimum, the components that should be evaluated are training, standard operating procedures and governance. These core capabilities must be melded and merged, not treated as add-ons or separate units that are merely directed to "collaborate" in the hope that this approach could save an agency or private company from the sorts of supply chain attacks that are felling others.
Several key lessons are emerging as investigations by government and cybersecurity experts continue into the SolarWinds intrusion. Some are, unfortunately, the same lessons learned from previous cyber exploitations and attacks. Many of these have their origins in weak cyber hygiene and the lack of effective IT process controls. Other lessons, for many, are newer and, significantly, reflect that the intrusion occurred through a supply chain access point, an increasingly targeted vector into public and private entities' operations.
Entity-wide Vulnerabilities
These types of intrusions, like other cyber and supply chain attacks, can not only prevent or obstruct successful mission execution and business operations, but can also damage the brand and reputation of government organizations and companies, along with the protection these entities seek to provide to their customers, employees, data and systems.
The sophistication of the SolarWinds attack demonstrates the need for an effective, integrated security program that addresses risk specific to your organizational strategies and objectives. Organizations should take an integrated view of these opportunities through the lens of ERM, cybersecurity and supply chain risk management.
Finally, it cannot be stressed enough that paying heed to the automated warning systems that have been set up, and to any suspicious oddities reported by humans, is a fundamental control that underpins effective cybersecurity, supply chain and enterprise risk management. SolarWinds was discovered when it was because someone double-checked whether a request to register a new phone, laptop or other device was legitimate. It was not, which triggered an investigation and everything else that followed. Had that system warning not been raised and heeded, SolarWinds could still be undiscovered. The little things, such as warning signs, anomalies and double-checks, can make a big difference.
As unfortunate as SolarWinds is, it continues to serve as an urgent wake-up call and opportunity to assess or reassess supply chain risk management and cybersecurity practices, including how they are integrated and fit within broader ERM capabilities.
On a specific level, this includes assessing current cyber practices against appropriate standards, such as those of the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS) and International Organization for Standardization (ISO), and ensuring that best practices are being followed in areas such as Vulnerability/Patch Management, Identity and Access Management, Least Privilege, and Configuration Management. When it comes to supply chains, it means having a risk management program to illuminate and identify risks in products, tools, and vendors, including vendors' controlling parties, operations in high-risk environments, foreign government touch points, adverse information, and financials, so that the risks are understood and can be managed appropriately.
Marianne Bailey (mbailey@guidehousefederal.com) is a partner and Cybersecurity Solutions leader, Jason Dury (jdury@guidehouse.com) is a director in Open Source Solutions, and Kate Sylvis (ksylvis@guidehouse.com) is a director and Enterprise Risk Management Solutions leader at Guidehouse. To learn more about the firm's expertise and experience on supply chain issues, cybersecurity and resilience, and enterprise risk management, visit www.Guidehouse.com.