The Other Side of Supply Chain Security: Tips for Organizations Being Assessed by Enterprise Clients

Suppliers are increasingly being asked to comply with information security requirements as a condition of doing business. Larger enterprises are starting to focus more attention on vendor security, an area you might also hear referred to as supply chain security or third-party security.

But what if your organization is the supplier? If that is the case, having good security in place is not only about protecting your own organization from cyber threats—but also about keeping and landing sales.

How to Respond to Supply Chain Security Assessments

While there is no shortage of resources for enterprises assessing their own suppliers, little exists to help those on the other side of the equation (i.e., the supplier whose security is being assessed by an enterprise client). That’s particularly true for small to medium size organizations whose security maturity falls below the supplier security requirements they are being asked to meet.

This post is intended to provide tips to suppliers who need to meet a client’s supply chain security requirements but are unsure where to even begin. It covers common mistakes made by suppliers, and it provides advice on how to understand the requirements in terms of their practical applications.

Common Mistakes Made by Suppliers

Organizations attempting to meet an enterprise client’s supply chain security requirements can sometimes make mistakes, which lead to delays or even failure to meet the requirements. Here are some key mistakes to avoid:

• Underestimating the amount of time required: Some vendors mistakenly assume they can comply with a client’s supply security requirements in a relatively short time. Depending on the circumstances, meeting the requirements can sometimes require a significant amount of internal staff time. If, for example, you need to obtain a third-party certification, the process could take several months.
• Underestimating the costs involved: Meeting certain supply chain security requirements might require technology upgrades. Other expenditures might include increasing cyber liability insurance coverage, investments in security training, and fees from outside parties such as consultants and legal counsel.
• Incorrectly assuming this is a job for IT (and only IT): Although IT can take the lead on a number of areas, do not assume your IT staff (whether internal or external) can tackle all requirements on their own. Tackling a comprehensive list of security requirements requires a team effort from individuals in a variety of roles, not just IT.
• Not achieving internal alignment: Given the time and resources needed, the organization must be fully aligned and committed to meeting the requirements. If key stakeholders disagree as to the importance of meeting the client’s requirements, there is a good chance your efforts will ultimately fail.
• Mistakenly assuming the client will overlook their non-compliance: In some cases, a client might be willing to give you an extension to meet their supply chain security requirements; however, you need to demonstrate that you are making a good-faith effort to meet the requirements and that you are making progress. If you fail to comply with the requirements, expect to lose the client’s business.

Understand the Practical Implications of the Requirements

Find out what satisfying the client’s supply chain security requirements would actually look like from a practical standpoint. For this step, be sure to ask for input from individuals such as your legal counsel or a trusted consultant who can help clarify the requirements and explain what meeting them would look like for your organization.

Here are some key questions to ask:

• What is the overall difficulty level involved? Based on the client’s supply chain security requirements and your organization’s unique circumstances, be sure to know the overall difficulty involved. Does the client simply want a self-attestation that you meet their requirements? Are they asked you to complete a security questionnaire such as the SIG? Do you need to provide some type of evidence that you are in compliance, such as copies of your written security program or other artifacts? Or do they want you to work towards an ISO 27001 certification or SOC 2 Type II certification? Each will have different hurdles and costs involved.
• Who will need to participate? Key participants typically include individuals in IT, HR, legal/compliance, operations, and even facilities services (for physical security). Upper management might also need to be involved on issues relating to governance and enterprise risk management.
• Will we need to retain outside help? You might need assistance from outside parties such as a security company (e.g., for technical testing and policy development) or IT vendors for technology upgrades. If you need a certification, you will need to retain a certifying body and perhaps a different outfit to help you get prepared for it.
• What are the timelines? Note any deadlines your client expects you to meet. If applicable, factor in the time it will take to obtain a certification.
• What are the costs involved? Do your best to calculate the costs you think might be involved. Get quotes and estimates from all outside parties whose assistance you might need along the way.

If the real-world implications of meeting the requirements are still unclear, be sure to get outside help as early as possible.

Conclusion

If your organization is attempting to address an enterprise client’s supplier security requirements, it can sometimes be difficult to know what the requirements mean and where to begin. Take the time to understand what it will take your organization to meet the client’s supply chain security requirements, including the amount of effort involved and who might need to participate internally and externally.

If you need help managing your clients’ supply chain security assessment requests or you would like to outsource vendor vetting of your suppliers, please contact us.