The Cyber Readiness Institute is focused on developing cyber risk management content and tools that help small and medium-sized businesses (SMBs) secure global value chains. This Q&A explores and explains the concept of the ‘value chain’ with insights from Craig Moss, director of content and tools for the Cyber Readiness Institute and chief operating officer at the Center for Responsible Enterprise And Trade (CREATe.org). Moss has extensive experience working with global value chain companies to assess and mature the business processes necessary to better manage risks and improve governance and compliance.
Q/ What is a value chain? How does it differ from a ‘supply chain’?
A/ A value chain is more comprehensive than a supply chain. A supply chain is traditionally product-focused and usually just encompasses the production and transportation of goods from the supplier to the customer. A value chain is a holistic system that covers the full range of activities a company does or orchestrates to deliver a product or service to a customer. It includes design, production, marketing, distribution and after-sales support. For example, a company’s value chain includes third parties like advertising agencies, cloud service providers or customer support services. In today’s increasingly digital business environment, it is important for companies to think about their broader value chain, especially in the context of cybersecurity. Every company, regardless of its business, has a value chain.
Q/ The Cyber Readiness Institute is focused on ‘securing the value chain’ – what does this mean?
A/ Securing the value chain means making sure that there is a collective cybersecurity program in place that goes beyond any one company. Today, every organization is connected via computers and networks, which creates easily accessible vulnerabilities to expose a company’s data. The weakest link within an enterprise can be exploited via phishing, malware, or hacking, and then go on to impact the entire value chain. It is important to establish strong cybersecurity risk management practices throughout the value chain. Every entity in the interconnected value chain shares the responsibility for cybersecurity and putting effective controls in place to reduce risks.
Q/ Why is it important to understand how your partners in the value chain are protecting against cyber threats?
A/ Cybersecurity in the value chain is only as strong as its weakest link. One company may have robust cyber-hygiene programs, but if another company in the same value chain has poor cyber-hygiene then everybody is at risk. No company is an island when it comes to cybersecurity.
Q/ Given all of the other business pressures, how important is it for small and medium-sized businesses (SMBs) to work on cyber readiness?
A/ Increasingly, large companies are evaluating the cyber readiness of all of the companies in their value chain – from suppliers, to service providers, to distributors. Here is an eye-opening stat from the Gartner Group’s research: by 2018, 50% of the organizations in supply chains said they will assess the cyber readiness of a third party before doing business with them – up from only 5% in 2015. Clearly, if you have a strong cyber readiness program, it can be a competitive advantage and if you have a weak program, it could hurt your ability to get customers.
Q/ What should SMBs be thinking about when they get started on their cybersecurity programs?
A/ Like all companies, SMBs should focus on key elements involving “people, processes, and technology.” Initially, SMBs need to take stock of what they have – data, intellectual property, trade secrets, and other confidential information – and where that sensitive information is located (e.g., hardware, software, networks) to determine what to prioritize for protection. Once that has been completed, there are four key focal points for improving cyber readiness: senior management commitment; workforce awareness; a cross-functional cybersecurity team; and basic preventative actions. The basic preventative actions are around password management, phishing, software patches, and having an incident response plan, to name a few.
Q/ Based on your experience, where do SMBs fall short when it comes to the business processes necessary for effective cybersecurity?
A/ In general, most SMBs haven’t thought about incorporating cyber readiness into their overall business operations. In some cases, it is a silo in the IT department. In other cases, no one is really responsible due to a lack of senior management commitment to cyber readiness or because of a lack of resources. We often see that the lack of senior management commitment results from a lack of understanding on how important cybersecurity is to doing business today. Finally, it is often difficult to get employees to follow cumbersome and complicated policies that are seen as getting in the way of doing their job. These policies usually end up being ignored or circumvented. It is important that senior management understands what a crucial role strong cybersecurity plays in doing business and the negative impact that can result from poor cybersecurity. Cybersecurity is not optional; it is critical to executing the mission of any organization, regardless of size.
Q/ What else should we know about securing value chains?
A/ Every company has its own value chain. It is important for each company to understand the cybersecurity maturity of the companies in its value chain. This is true whether you are a multi-national company or an SMB. Understanding the cyber readiness of value-chain companies makes it easier to make risk-informed decisions about what access and information to share. Ultimately, cybersecurity risk management is a collaborative effort. At the Cyber Readiness Institute, our mission is to demystify and simplify cyber readiness. We help companies shift their approach from reactive to preventative through establishing practical programs that promote cyber readiness and resiliency.