Sometimes the problem for organizations is not the absence of a risk assessment, or not having a thorough enough one. It’s the fact that separate business units assess the materiality of risks differently.
As a CISO, you were probably taught, told by someone in authority, or read in a textbook written by someone claiming authority, that there are at least three distinct disciplines of risk management: IT risk management (ITRM), supply chain risk management (SCRM), and operational risk management (ORM). Indeed, each discipline has its own class of professional certification. Respectively: ISACA's Certified in Risk and Information Systems Control (CRISC), the Supply Chain Risk Management (SCRM, not to be confused with Scrum) professional, and the Operational Risk Management (ORM) professional.
In organizations everywhere, perhaps including yours, the reporting chain for a CRISC-certified risk manager leads to the CISO. An SCRM-certified risk manager's reporting chain leads to the COO or, in a growing number of large enterprises, to a newer role called the Chief Supply Chain Officer (CSCO). The chain for an ORM-certified risk manager sometimes leads to the COO, but more often to the CFO.
What you have just read is, in and of itself, the source of a glaring security vulnerability afflicting countless organizations today. The attacks that make news headlines, that have led to billions in losses and whose impact has been felt throughout the entire global economy, have been centered on this weakness: a continuity gap between the disciplines of risk management and risk awareness, exacerbated by a disconnect between the professionals in an organization whose jobs are to evaluate risk.
The high cost of risk aversion
Risk is the combination of the likelihood of an adverse outcome and the impact if that outcome occurs. It is the labeling of such outcomes as "adverse" that often keeps us from comprehending their full depth and breadth, and how statistically likely they actually are. One way difficult topics are typically made easier to digest is subdivision. If we can take a subject, break it into three roughly equivalent chunks, and delegate each chunk to a different department, as organizations are often advised to do, risk assessment and everything that flows from it may be expedited.
This is where the defect in the system is seeded. Here are three equally vital perspectives on the risk an organization assumes simply by doing business in the modern world. All three begin with exactly the same first step: risk assessment. Any proper risk assessment includes an inventory of every organizational asset exposed to any risk whatsoever, a classification of the risk or risks to each asset, and a statement of the scale of impact to the organization should a risk event occur. All three roles are trained and certified to perform this task, and if they all perform it well, they all assess the same organizational assets.
Yet because their roles are divided and their reporting chains lead to executives with different goals and objectives, their perceptions of the same risks may differ, often vastly. Specifically, they apply the principle of materiality in different ways. Once a risk is assessed, perhaps even very accurately, there is a judgment of whether that risk is material, whether it really matters, to the department evaluating the assessment. The inventories may match; the materiality verdicts do not, and nobody reconciles them. This is where the conclusion that a risk to the supply chain does not constitute a risk to IT infrastructure, or at least not much of one, is typically drawn.
This is the exploitable vulnerability: the presumption that because one department rates a risk as immaterial, the adverse outcome will be proportionally smaller. The attacker does not read your org chart. Here is where this precise vulnerability has been exploited in recent years, with disastrous consequences:
- The Target data breach (November 2013) — A large share of the retailer's point-of-sale terminals in North America became infected with memory-scraping malware that harvested payment card data, through an attack vector risk assessors had never considered: a third-party HVAC contractor's credentials for Target's vendor-facing network, stolen from the contractor's own systems. IT assessments made it appear that Target's POS terminals were inaccessible, but that was only true from the perimeter of Target's own systems, not from a system belonging to a supply chain partner that was already inside it. Impacts to the broader economy included settlement fees paid by payment processors, costly investigations launched by payment networks and insurers, and liabilities borne by card issuers and banks.
- The Colonial Pipeline ransomware attack (May 2021) — Attackers gained entry through a legacy VPN account that was no longer in use but had never been disabled, protected by a single password and no multi-factor authentication; the same password was later found in a batch of leaked credentials. One reused password, belonging to an account nobody was tracking, gave the intruders access to the network of the largest refined petroleum products pipeline in the U.S., running from Texas to New Jersey. An account inventory that catches dormant accounts, and a VPN that enforces multi-factor authentication, would have closed that door. After the U.S. Department of Transportation issued a regional emergency declaration to keep fuel moving, risk management professionals were advised, if they were not doing so already, to begin assessing operational technology and information technology as one connected system.
- The Kaseya VSA ransomware attack (July 2021) — Here, Kaseya's VSA remote monitoring and management product, used by managed service providers to administer their customers' endpoints, became the delivery channel for REvil ransomware after attackers exploited an authentication bypass in on-premises VSA servers and used the product's own update mechanism to push the payload to the endpoints it managed. Kaseya told customers to shut down on-premises VSA servers while it produced a patch, but an estimated 1,500 downstream businesses had already been encrypted. The attack exposed enterprises, once again, to the fact that when supply chain partners hold administrative access to critical systems, their security is only as good as that of their partners.
A fault line as big as the planet
Global supply chains (as opposed to "software supply chains," which are not nearly as macroeconomic) are experiencing levels of disruption unseen since the last world war. Automated attack tooling, increasingly driven by AI agents, is being used to deploy novel exploits at scale. The current geopolitical landscape is warping the profile and dynamics of the public cloud. Conflicts between nations are bleeding into the realm of technology, and the techniques used against fault lines in the world's infrastructure are being turned against the same kind of fault lines inside corporations and organizations.
What you don't know about the resilience of your enterprise may already be your greatest vulnerability, and could be under active exploitation at this very moment. The knowledge gap is the biggest gap you can have at this point in history.
Having been awakened by the 2020 pandemic to new dangers to the global supply chain, the U.S. National Counterintelligence and Security Center released a resource guide in September 2024 stating that a supply chain weakened by the convergence of global events is easier for adversaries to exploit, especially through cyber methods. Since supply chain partners often have access to their partners' sensitive data, especially through shared databases and SaaS applications, the guide asserted, an organization may be exposed to cyber espionage through exploitable weaknesses not in its own systems, but in those of its partners.
States the report:
Full supply chain risk assessments will assist organizations in determining their supply chain risk tolerance. Organizations need to know what’s the higher risk: exposure to the supply chain threat or not receiving the goods and services. Such determinations cannot be made in a vacuum. Organizational stakeholders must understand their role in addressing supply chain risks at the enterprise level.
The key phrase here is "at the enterprise level." Historically, cybersecurity risk assessments have been conducted by ITRM teams reporting to the CISO, staffed by people skilled in computer science, threat intelligence, and incident response. If you are one of these people, you can probably assert with confidence that you understand risk at the enterprise level.
An SCRM, again historically, has been trained in operations research, logistics, international trade policy, procurement, and industrial engineering. It is a different mindset and discipline from what the CISO may be accustomed to. A certified SCRM is trained to comprehend risk at an economic level, and on occasion at a macroeconomic level.
Meanwhile, although the title "operational risk manager" would seem to cover the kind of operations assessment Colonial Pipeline was lacking, a certified ORM is trained to understand fraud, internal financial auditing, and financial reporting standards.
One risk assessment
Certified practitioners in all three disciplines maintain that the first step in any risk assessment process is the identification and inventory of company assets. Not just those assets that are most obviously susceptible to risk — all assets, including buildings, financial accounts, human beings, intellectual property, and by no means least important of all, company reputation.
What the most recent spate of cyberattacks is teaching us is that malicious actors will exploit weaknesses in ecosystems and economies, particularly in supply chains, as a means of targeting organizations. They will assault governments, banking systems, oil pipelines, payment networks, and air conditioner repair contractors if, in so doing, they can swipe a credential with which they can identify themselves as you.
All of these weaknesses could have been illuminated through comprehensive risk assessment, if the people whose disciplines cover the global supply chain and the networked enterprise had worked together. A single lunch date could have awakened them to the reality that the assets they have each identified and inventoried are the same assets, even though the relationships of those assets to the outside world, from which attacks are launched, may seem foreign to one discipline or the other.
Your organization needs one up-to-date, comprehensive risk assessment. It still needs all the risk management professionals it can afford. It still requires the enterprise view, the ecosystem view, and the financial view. But the big picture of risk only emerges when those views are superimposed upon each other to reveal the full truth.
SimpleRisk provides risk management professionals with a single, comprehensive tool for quantitatively and qualitatively assessing risk throughout the enterprise and into the supply chain. With templates, reusable questionnaires, and a variety of respected framework standards, SimpleRisk takes care of the heavy lifting in risk assessment, giving you the space and time you need to focus on mitigating risks and responding to risk events. Register now for a 30-day free trial of SimpleRisk.