Welcome to ThatThirdPartyGuy.com – my website highlighting my journey in third party cyber-security.

The Case For Supply Chain Cyber Security – Part 2


27 May 2023

In the last blog, I mentioned that we as practitioners tend to focus on the “defended castle”, and tend to do so to the exclusion of the supply chain.  That is wrong thinking in my opinion.  What we should do instead is focus on both, and treat the defended castle as the entrance fee rather than the end of the journey.

The next question that interests me is ‘how can we quantify the impact of not paying enough attention to supply chain cybersecurity in a way business leaders can internalize and support?’

Let’s apply it to a model that considers primary (residual) and secondary risk.  I won’t add dollar figures in this case.  While we can certainly put a dollar figure against the risk of not paying enough attention, we also need to change the conversation to recognize that cybersecurity is a baseline requirement for doing business in today’s world.  Those companies that do cybersecurity well will continue to be competitive.  Those that do not will face serious and distracting difficulties executing their business plans. 

Primary Risk

What is the primary risk of not having an effective cybersecurity program? I can think of several items in today’s economy, including:

  1. Higher likelihood of data breaches
  2. Higher cost of selling or merging your business when the time comes
  3. Higher likelihood of going out of business if you become the victim of a cybersecurity event

The list goes on, but let’s be clear – a good cybersecurity program won’t keep you from being a victim. It can, however, help you minimize the blast radius and the subsequent damage.  That may be the edge your company needs to stay in the fight. 

Secondary Risk

Secondary risk is often not explored nearly as much, but it can be very expensive.  I can think of a few secondary risks:

  1. Reputation – your company’s reputation could be irreparably damaged, especially if your customers require high levels of trust
  2. Data quality issues
  3. Inability to provide services for extended periods of time

There are certainly more.  The cost of a data breach was estimated to have risen from $146 per record to $161 per record in the U.S. in 2022.  Some estimate the average cost of a breach event rose 2.6 percent from 2021 to $4.35 million in 2022. No wonder cyber insurance is harder to get!

All of those risks above apply in some way, shape, or form to your supply chain and directly affect your ability to succeed in business.  Your supply chain is, after all, an extension of your company as far as customers are concerned.  You can transfer the work, but you are not transferring the risk or the impact. 

The supply chain is part of your business and must be protected with the same effort and diligence as your defended castle. 

For more ideas and information, check out my friend and fellow podcaster Greg Rasner’s book CYBERSECURITY & THIRD PARTY RISK: THIRD PARTY THREAT HUNTING and his new one, ZERO TRUST AND THIRD-PARTY RISK.  You can also find some great and freely available resources at TPRA’s website (it’s a great organization – you should join).