
Manuel Sanchez at iManage advises that security technology consolidation can help reduce supply chain risk – but only if it’s done thoughtfully
IT teams have an array of tools to protect their organisation – and with that array comes a whole host of vendors to deal with. Unfortunately, there can be weak links in the chain, as headlines around the supply chain attack on SolarWinds and the Log4j vulnerability amply demonstrate.
These supply chain complexities – and the inadvertent loopholes that they present to criminals – make a technology consolidation strategy more important than ever. A 2022 survey from Gartner found that 75% of organisations were pursuing security vendor consolidation, up from 29% in 2020. But it’s critical to approach it in a thoughtful manner – otherwise, CIOs and CISOs might simply be trading one set of problems for another.
It’s surprisingly easy for organisations to accrue a large number of technology vendors over time. For instance, they might initially identify a need around preventing phishing attacks and engage with an email filtering vendor. This may be followed by further engagements with other vendors around mitigating malware and so on.
This is on top of existing relationships with vendors providing more “foundational” offerings, from email to productivity applications to document management.
Before long, the organisation could be dealing with as many as 20 or more different technology vendors. And that’s where problems can arise.
A security vendor that was considered “best of breed” ten years ago might not have been investing in their people or technology over the years or otherwise keeping up with the requirements of an ever-evolving threat landscape.
Alternatively, the vendor that looked “rock solid” back then may recently have gone through significant lay-offs due to financial difficulties, bringing its long-term stability into question. Or, most concerningly, it may have been involved in a headline-generating breach of its own.
No matter the underlying cause, the end result is the same: an organisation that thought it had a strong security posture suddenly has a weak link in its chain that bad actors can target.
When weak links emerge, security leaders need to ask themselves: Is it possible for us to remove this potential risk through consolidation?
A natural first step is a Know Your Third-Party assessment: evaluate the current relationships with the different security vendors and identify where it makes sense to consolidate and move to an integrated service provider that can deliver similar functionality as part of a single platform. Given the amount of consolidation in the technology space in recent years, with larger companies acquiring smaller specialised technology companies, this is increasingly the reality (think Cisco buying Splunk).
A few considerations apply when it comes to consolidation. Organisations should ensure that vendor services that need to connect with internal systems comply with the security requirements already implemented within the organisation. For example, do these services apply zero trust principles that eliminate implicit trust?
Vendor services should require access only to the essential elements they need to perform their specific function, rather than full access to network resources.
When it comes to an integrated service provider approach, it is worth considering the benefits. If you have multiple vendors providing different components that form part of an integrated custom solution, chances are that one or two will fall behind on software maintenance cycles, which can affect the integration itself and provide a back door for cyber-attacks.
At the same time, it is also worth assessing if a single provider can offer multiple solutions that are fully integrated with one another. For instance, can security teams have a comprehensive view of access management controls that is closely aligned with threat monitoring analytics?
One more word of advice: there can be a temptation within organisations, particularly if there is pressure coming from the finance department, to view technology consolidation solely as a cost-cutting exercise.
While it’s true that there can be financial upside in consolidating multiple products or services with a single vendor, it’s worth underlining that consolidation should be viewed as a way of reducing risk and complexity throughout the supply chain.
As such, CIOs and CISOs should be playing an active role in how that consolidation takes place. After all, if cost cutting were the only objective, organisations could aim to shave costs by renegotiating their contracts with all their different vendors.
Instead, organisations should be focusing on working with the best service providers that are fully able to meet their changing requirements. “Culling the herd” through a careful technology consolidation is a way to accomplish this goal and eliminate the weak links in the supply chain that could inadvertently create disruptions and leave the organisation vulnerable to attacks.
Manuel Sanchez is Information Security and Compliance Specialist at iManage
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543