Mitigating digital risk

From the April 2023 print edition

The World Economic Forum’s Global Cybersecurity Outlook report indicates that cyberattacks increased 125 per cent globally in 2021, with the uptick expected to continue.

And while cybersecurity-related issues are not new, what has changed in recent years is a massive move to the Cloud, IoT, e-commerce, remote access and overall digital transformation, which has ultimately led procurement teams to rethink their skills and their approach to their vendors.

Sanja Cancar-Todorovic is head of Enterprise Procurement, Outsourcing & Third-Party Risk Management at Home Capital Group Inc.

Every day we are witnessing more and more cyberattacks, data breaches and privacy concerns. Rising access to AI-powered technology that enables the development of malware, scripting and other tools gives hackers the ability to manufacture near-perfect ways to execute on their plans, and with very little effort. The ultimate goal of these hackers is highly lucrative ransom. With our reliance on technology, the ransomware industry has grown into a multi-billion-dollar global criminal industry. There are no indications that the industry is slowing down.

Total value of ownership
So, what role does procurement play in mitigating this risk? The answer is in a robust due diligence process and third-party risk management (TPRM). This is potentially the biggest change that will transform this profession, as we completely shift the procurement conversation from cost savings and cost avoidance to the total value of ownership, with a heavy weight placed on business continuity, information security, financial stability and vendor concentration. The elevated due diligence and TPRM process begins at the vendor evaluation phase and onboarding stage and is managed through a structured, well-defined vendor governance process and continuous risk monitoring.

Arguably, among all of the TPRM components, information security requires the most attention, as it is the biggest threat to any organization. Your organization’s information security is only as good as your weakest vendor.

Fortunately, there are many InfoSec tools available to monitor vendor risk profiles continuously, based on data breaches and/or cyberattacks. However, by the time an organization is made aware of them, it might already be too late. The best defense remains a comprehensive vendor due diligence process, including reviews of the independent InfoSec audits and vendor SOC reports, at different stages of the engagement, starting with the evaluation and onboarding phase, and then annually throughout the lifecycle of the relationship.

Procurement should be partnering with IT in performing due diligence and in the ongoing monitoring of all critical vendors with low or fluctuating risk profiles, to gain a better understanding of the trends and of what to look for when evaluating vendors. Some vendors' risk profiles may be impacted by things such as the IaaS shared responsibility models they have with other customers, or even the nature of their business (e.g. ISP). And while the InfoSec tools will show this as risk, a detailed internal review can segment it out, focusing the conversation on the actual threats that should be managed.

As the first line of defence, procurement has a huge role in protecting the organization. By further broadening their scope, the procurement function is moving from an enablement to a strategic function, further forging the way for collaboration between the organizations and their most important vendors. By understanding and sharing vendor risk profiles with vendors, procurement teams can ensure that both organizations are working together to address any gaps and investing in stronger security. This further creates an opportunity to exchange best practices, new ideas and lessons learned between both parties.

It is time well spent, and ensures strong strategic partnerships between the two companies. Nevertheless, even if all the due diligence checks out, all organizations, in partnership with their procurement teams, should have a well-established and documented exit strategy for each of their critical vendors. This practice will force the organization to think about its relationship with its vendors, avoid concentrating massive scope on one vendor, and remove sole-sourcing practices altogether.

A matter of time
The question is not if an attack happens, but rather when. Depending on the nature of the attack and the information that is compromised, organizations might not only have their customer base impacted, resulting in financial loss and a tarnished reputation, but can also be subject to regulatory fines and penalties.

As cyberattacks become more sophisticated, our defence also needs to become more sophisticated, forcing procurement to act as the first line of defence and to evolve from the traditional roles that it once played. This will require investing in people with elevated skills, processes and technologies, all focused on a first-line-of-defence mandate, and less on pricing. Failing to plan is planning to fail, and with an ever-increasing reliance on IT, procurement teams must be prepared.