Responsible InfoSec is the Hot New Purpose
Digital transformation is the phrase on everyone’s lips – for good reason. It enables organizations to better manage operations, enhance profit margins, and ensure the efficient transfer of goods and information between supply chain nodes. As a procurement professional, you’re on the front line of this process. This is also why you need to be the first line of defense.
The more interdependent and complex your supply chain becomes, the more exposed your business is to risk. In the race to maintain a competitive edge, you risk outpacing the practices you should be following to protect your information assets — as well as those within the wider supply chain.
The trade-off for immediate efficiency at the potential expense of long-term business resilience has never been more apparent than in micro-business and SMEs trying to stay afloat in the turbulent landscape of the COVID-19 economy. But for all of its pressure, the pandemic has given us valuable lessons in the importance of business continuity — and this gives us additional ways we can operate with purpose.
Prior to the pandemic, purpose-driven procurement was primarily centered on one of these common themes:
- Having a positive effect on the working conditions of those within your supply chain
- Helping supply chain communities thrive economically
- Ensuring an environmentally responsible approach to operations
These are certainly worthwhile areas of focus for the procurement agenda. But organizations need expert help to protect their supply chains from the growing information security and cybersecurity threats.
Finding the Weakest Link in the Supply Chain
According to IBM, the average cost of a data breach in 2020 was a staggering $3.86 million. Hits like that would quickly put a smaller player out of business and, let’s face it, put a pretty major dent in the bigger ones. While there are no guarantees in the world of information security, data privacy and business continuity, there are strong and internationally recognized standards and frameworks that, when adhered to throughout the supply chain, can give maximum assurance to all concerned.
Bad actors have the skills and technology to seek out the weakest link in a supply chain. In-house information security staff or an external consultant can be costly, so the weakest link is likely to be a partner that has skimped on this investment.
As a naturally risk-averse procurer, it probably feels like an easy decision to simply dismiss potential contracts based on the comparative weakness of a supplier’s information security posture. However, in taking this decision, you also risk sacrificing the value that contract may bring in other ways. An alternative to dismissing these contracts is to implement a “responsible program” that financially and operationally supports the improved posture of new partners.
Any governance, risk management and business continuity specialist will tell you the best way to ensure you have an adequate information security posture is to build an information security management system (ISMS). An ISMS is the tool you use to protect all forms of information valuable to your business, including personal data, financial information, contracts and intellectual property rights. With the right application of technology, an ISMS can be expanded to support less powerful players in your supply chain until they’re able to go it alone.
To ensure your ISMS is as effective as it can be, build it on frameworks recognized and valued by the International Organization for Standardization (ISO). While ISO has standards for data privacy (ISO/IEC 27701) and business continuity (ISO 22301), the best foundation is built on ISO/IEC 27001, the information security management standard.
What to Look for in an ISMS Solution
Supporting the compliance of your supply chain should be part of your organization’s purpose-driven procurement agenda in 2021. Several things must be considered to ensure you’re not just limiting the burden of certification expense for your smaller partners, but also helping them find a sustainable solution. The solution should meet the requirements of global and local standards and frameworks, while continuing to meet their infosec needs into the future.
There are a number of key characteristics you should look for in an ISMS solution that will deliver consistently secure behavior across a supply chain. It should keep everything in one place, be accessible at all times, and be flexible enough to manage multiple complementary standards and frameworks as they evolve – not just ISO 27001. You want a system that can grow as your organization and supply chain do, so it continues to meet your infosec needs for the foreseeable future. And finally, because your smaller supply chain partners won’t initially have the internal skills or confidence to build an ISMS and manage their infosec program, you’ll want a system that can give easy and controlled access to infosec consultants or third-party specialists.
I’ve helped organizations all over the world gain and maintain ISO 27001 certification and, in my experience, the return on investment far outweighs any initial outlay. Fostering a responsible program of infosec, data privacy and business continuity should play a part in the purpose of your organization.
Start up a conversation with your internal stakeholders who are responsible for governance, risk management and compliance. Get everyone on board with the idea of maximizing your potential for good while maximizing your business resilience. It’s a win for all concerned.