It Isn't Easy


August 20, 2021

A couple of weeks ago I wrote about the expected fourfold increase in cyber-attacks through the supply chain. A consequence of this is that procurement teams are now at the forefront of cyber-risk management, previously the purview of IT, InfoSec & the CISO.

Managing supplier risk isn't new for procurement. However, there's a huge difference between understanding the risk to your supply chain caused by a strategic vendor going bankrupt and understanding the potential issues caused by that vendor's DNS being poorly configured. Yet the consequences can be equally disruptive: production interrupted, reputation damaged, costs incurred and so on.

By being on the front line of supplier risk management and now, by extension, supplier cyber-risk, procurement has to be aware of a whole new lexicon of terms such as DNS, HTTP, SSL/TLS, blacklists, domain permutations and so on. As the title of this post suggests, it isn't easy. I know this from personal experience, having recently moved from a procurement technology company to a cyber intelligence one. Fortunately, I was able to sheep-dip myself into this new world, but that's not a luxury most procurement managers have.

If you're reading this, you are probably already aware that the Darkbeam solution automates the process of auditing your suppliers' cyber-risk posture. As the supplier of the solution, we believe it is our responsibility to make the information gathered by our product as comprehensible and actionable as possible. This isn't necessarily easy, since we have to convert complex and specialist knowledge into something a layman can understand.

The first place to start is with the risk score and the category risk scores which, put simply, tell you: high score = bad, low score = good. This alone is actionable intelligence. If you have two potential suppliers for the same thing and, all other factors being similar, one has a significantly higher risk score than the other, it makes sense to work with the lower-risk vendor. The score also allows you to track change over time. Hence, if you have a vendor with a worrying score and you have relayed the issue to them, you can see whether they are taking action to remediate it.

Secondly, the Darkbeam report highlights the worst problems. This makes it easy to have a conversation with the supplier that specifies the problem. However, what becomes more difficult at this point for a buyer speaking to a seller is understanding and relating to the issue. Whereas an infosec expert will understand the implications of misconfigured HTTP security headers, the most common response we get from the non-expert is "so what?". We are addressing this by providing access to a comprehensive Knowledge Base. When the new release of Darkbeam (called Horizon) is available, users will have access to a much more comprehensive set of information about the tests we run: what a particular test is looking for, the security weaknesses it exposes, how those weaknesses may be exploited by an attacker, the cost and disruption commonly caused by such exploitation, and more comprehensive remediation advice.

Finally, we have taken much of this information and written a "Procurement Manager's Guide to Digital Risk in the Supply Chain". It is still in draft, but when published it will be made available from the website. Written by a layman, it is intended as a handy reference to all things digital-risk related, using non-technical and relatable language wherever possible.

Andrew McConnell
