
Forte Cyber Supply Chain Security – Downstream Suppliers (Part 1)


In this and the upcoming article, we will talk about Secure Forte, why we came to the market and what is different about us.


Let us start with what we are not: another GRC platform. Several good platforms already serve customers in managing their policy frameworks and offer excellent risk management capabilities.


What we found lacking in the market was a comprehensive solution that could do end-to-end management of risks associated with cyber and privacy across the supply chain. When it comes to supply chain, we mean upstream customers, the organisation, and third and fourth-party suppliers.


This is where Secure Forte will come into play. We provide a supply chain risk management platform focusing on identifying, communicating, and proactively monitoring cyber and privacy risks across the supply chain.


This article will focus on our approach and differentiation in managing risks across the downstream suppliers using the Forte Vendor Risk Management solution.


Let us start with a review of the typical audit findings regarding the management of third-party supplier risk, which we see even in companies that are confident in this area. These include supplier relationships that are insufficiently protected by contract, and weak processes for defining roles and responsibilities, impact criteria and due diligence requirements for assessing supplier risk.


On top of the above typical gaps, we should talk more about a few contemporary issues that primarily affect the accuracy and reliability of the supplier’s due diligence exercise:


Irrelevant scope

Your suppliers may share a report that was completed for one of the Big Four banks. Everything looks fancy there, but there is one issue: is it relevant to your environment? We are big fans of improving audit efficiency by trusting work performed by other competent auditors. However, the audit scope must be checked to ensure it covers the part of your organisation's environment that the supplier manages.

Lack of proactivity

With the significant increase in discovered zero-day vulnerabilities used by government-supported cybercriminals, how do you know that your suppliers are not vulnerable and that your data is secure?


The fact of the matter is that you cannot rely only on the due diligence exercise performed against your supplier as part of your compliance arrangements. You should be able to monitor the supplier's risk profile proactively. That means that when a new zero-day vulnerability such as Log4Shell is discovered, you will be informed which of your suppliers are vulnerable and whether your crown jewels are safe or (god forbid) for sale on the dark web.

Fourth-party suppliers (suppliers of suppliers)

Apart from what we said above, some companies correctly manage their third-party suppliers’ risks. They are able to show us an inventory of their suppliers, the data they have access to, and their impact on the organisation. However, we learned from the recent pandemic and the current Ukraine war that “the reliability of the supply chain is at stake”.


We observed that several gigantic technology companies were not able to meet their SLAs because of their outsourced arrangements with development companies in Ukraine. So, whether your third-party supplier is a reseller, a managed service provider or a software company, it is essential to identify their suppliers' dependencies and to determine whether they are performing due diligence against those suppliers that could impact your services and data.

 

At Secure Forte, our development is based on the customer feedback loop. Yes, we work collaboratively with our partners, advisors and security experts to better understand the requirements of the landscape and to design solutions. However, all these ideas would be pointless if customers did not use them.


Our platform is built to solve the typical issues of vendor risk management while, at the same time, providing contemporary measures based on recent changes in the landscape. The main features include:


Governance

The platform can adopt your supplier governance model, whether your organisation relies on one person to do everything or divides responsibilities between contract owners and relationship managers who add, assess and monitor the supplier's performance. You can also include your supplier tiering model and continuously manage supplier risk based on each supplier's tier and the effectiveness of their Cybersecurity, Privacy, Quality Management and Compliance capabilities.

Secure Forte Supply Chain Risk Management Platform

Data

As a data-driven solution, the platform asks you what type of data the supplier has access to. It will then check the protection applied to your data against various standards and best practices and track the data's journey across your supply chain. Data is the focus here: everything we check with the supplier is about you and your data.


Due diligence exercise

You can leverage the Forte assessment libraries, which contain our scenario-based questionnaires, and/or include your own customised questions. The platform sends the questionnaires to suppliers; each supplier completes them and should acknowledge that the information provided is accurate and grant a right to audit.


Let's bring this to the next level: you may have various suppliers with different impacts on your organisation. Completing a questionnaire and managing its acknowledgement is enough for most of your low- or moderate-impact suppliers. But when it comes to high-impact suppliers, you need to verify the evidence of existing controls.


The Secure Forte platform can be run in an audit-driven mode. Once the supplier completes the assessment, the platform generates an audit control panel that presents the supplier's evidence to your dedicated audit team. Your auditors verify the evidence list and finalise the assessment. The platform then generates the supplier assessment reports, management dashboards and issue management capabilities for the ongoing management of the supplier relationship. In the end, our aim is not to do a witch-hunt but to provide a centralised communication platform where you and your suppliers can set expectations and work together towards them.


Fourth-party suppliers

As discussed above, we need to find out more about the controls your third parties apply to their own suppliers that have access to your data or can impact the reliability of your supply chain. Using the Forte Vendor Risk Management platform, we identify those fourth-party suppliers that have a high impact on your supply chain and find the control gaps that could affect your organisation. It is important to note that we will not generate unnecessary noise here: we will only show you the parts that are relevant to you.


Threat Intelligence

And finally, it is time to be proactive about your cyber supply chain security. Secure Forte can further monitor your high-impact suppliers using our threat intelligence feeds. We automatically collect and generate intelligence about your supply chain to identify attacks that may be used to compromise your high-impact third-party suppliers. This ensures that your incident response team will not lose crucial moments when detecting and responding to zero-day vulnerabilities that could have a large impact on your data assets.
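The two ideas above, proactive matching of a new advisory against what your suppliers run (the Log4Shell point made earlier) and walking the third-party to fourth-party chain to see which of your data is exposed, can be shown as one small inventory walk. The Python below is an added example written for this article, not Secure Forte's code or platform logic. The suppliers, tiers, data types, component versions and the advisory's version range are all constructed for illustration, and the advisory identifier is a placeholder; only the general technique (version-range matching plus a transitive walk through sub-suppliers, with unknown sub-suppliers reported as a due-diligence gap) is what the example demonstrates.

```python
"""Match a vulnerability advisory against a supplier inventory, including
fourth parties, and rank the findings by the third party's impact tier.
All data below is constructed for the example; none of it is real."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Supplier:
    name: str
    tier: str                       # "high", "moderate" or "low" impact on us
    data_access: List[str]          # which of OUR data types this supplier holds
    components: Dict[str, str]      # software component -> version in use
    subsuppliers: List[str] = field(default_factory=list)  # its own suppliers


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare as tuples."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    ident: str              # placeholder id, not a real advisory number
    component: str
    first_vulnerable: str   # inclusive lower bound
    fixed_in: str           # exclusive upper bound

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.first_vulnerable) <= v < parse_version(self.fixed_in)


# Constructed inventory: three third parties, two known fourth parties, and one
# sub-supplier ("OffshoreDev") that nobody has assessed yet.
INVENTORY: Dict[str, Supplier] = {
    "PayrollCo": Supplier("PayrollCo", "high", ["employee PII", "bank details"],
                          {"log4j-core": "2.14.1"}, ["CloudHost"]),
    "CloudHost": Supplier("CloudHost", "moderate", ["employee PII"],
                          {"nginx": "1.20.1"}),
    "MarketingSaaS": Supplier("MarketingSaaS", "low", ["customer email"],
                              {"log4j-core": "2.17.1"}, ["AnalyticsLtd"]),
    "AnalyticsLtd": Supplier("AnalyticsLtd", "low", ["customer email"],
                             {"log4j-core": "2.12.0"}),
    "DevShop": Supplier("DevShop", "high", ["source code"],
                        {"jenkins": "2.300"}, ["OffshoreDev"]),
}

# Illustrative Log4Shell-style advisory: a range on log4j-core 2.x below 2.15.0.
LOG4SHELL = Advisory("ADVISORY-PLACEHOLDER", "log4j-core", "2.0", "2.15.0")

TIER_ORDER = {"high": 0, "moderate": 1, "low": 2}


def third_parties(inventory: Dict[str, Supplier]) -> List[str]:
    """Third parties are suppliers that are not listed as anyone's sub-supplier."""
    fourth = {s for sup in inventory.values() for s in sup.subsuppliers}
    return [n for n in inventory if n not in fourth]


def exposures(inventory: Dict[str, Supplier], advisory: Advisory):
    """Return (findings, gaps). A finding names the third party, its tier, the
    path from it down to the vulnerable node, and the data that node holds.
    A gap is a (third party, sub-supplier) pair with no inventory entry."""
    findings, gaps = [], []

    def walk(top: str, name: str, path: List[str]) -> None:
        sup = inventory[name]
        ver = sup.components.get(advisory.component)
        if ver is not None and advisory.affects(ver):
            findings.append({
                "third_party": top,
                "tier": inventory[top].tier,
                "via": list(path),
                "component": f"{advisory.component} {ver}",
                "data": sorted(sup.data_access),
            })
        for child in sup.subsuppliers:
            if child in path:            # guard against cyclic supplier links
                continue
            if child not in inventory:   # unassessed fourth party: a gap, not a finding
                gaps.append((top, child))
                continue
            walk(top, child, path + [child])

    for tp in third_parties(inventory):
        walk(tp, tp, [tp])
    findings.sort(key=lambda f: (TIER_ORDER[f["tier"]], f["third_party"]))
    return findings, gaps


if __name__ == "__main__":
    found, missing = exposures(INVENTORY, LOG4SHELL)
    for f in found:
        print(f"[{f['tier']}] {f['third_party']} via {' -> '.join(f['via'])}: "
              f"{f['component']} exposes {', '.join(f['data'])}")
    for top, child in missing:
        print(f"[gap] {top} depends on {child}, which is not in the inventory")
```

The ordering matters in practice: a high-tier third party that is itself vulnerable is listed before a low-tier one whose exposure comes only through a fourth party, and the gaps list is the "do your suppliers do due diligence on their suppliers?" question made concrete.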

 

For press comment or additional information please contact

Mani Amini at Secure Forte

info@secureforte.com.au




Secure Forte News
