________________________________________________________________________________________________________________________
them , and turning them into something of higher value .
In the 21 st century , amidst global networks of third-party suppliers and point in time ordering , and the corresponding high demands of customers wanting fast delivery , the risk ( and cost ) of disruption is high .
Digital risk
The infusion of technology into processes that span these networks has made supply chain cybersecurity threats the biggest risk faced by manufacturers .
There is the immediate increase in risk , as a supply chain presents more targets for would be attackers , compared to a single manufacturer .
But there is also the increased risk of diverse types of threat . It is a sad truth that the bad guys have gotten smarter : they have evolved from simple cyber-vandalism to ransomware , data theft , financial fraud , extortion and in some cases , advanced persistent threats that are built over months to compromise the entire research and development of a company .
You cannot defend against what you cannot see
To combat this increased risk – be it cyber risk or otherwise , the first step is visibility of all the relevant assets and entities . This is typically in the form of data , which is then used to assess performance against frameworks of best practice and establish a control or metric .
The objective of this visibility is continuous monitoring , rather than a periodic assessment – in order to deliver a completely up-tothe-minute picture of the risk profile of a manufacturer . Ideally this monitoring should be automated , with reports available without the risk of human intervention .
In order to span complex supply networks , the platform for visibility needs to be data agnostic , capable of monitoring any data source , ‘ out of the box ,’ as well as framework agnostic , capable of delivering compliance with frameworks such as NIST , PCI , MITRE , COBIT , ISO 27001 , SOX , CIS , and HIPAA - either individually or in combination .
Lastly , this should be available as a managed platform or service . Few organizations have the necessary skills and resources to manage their risk across cyber security and beyond .
Addressing the problem with CCM
When this exercise is first undertaken , the initial picture that is often revealed is a dense threat map . This may highlight users who have not been offboarded , high numbers of vulnerabilities throughout the organization and partners , excessive systems administrator rights , and unpatched applications and outdated firmware . This is often a moment of sober realisation for manufacturers as they see the poor state of their security posture ,
20