Just like most of you, we hear from many experts, and we listen to their cyber ideas. However, when you sit down with a CISO who has had a breach, there is a common thread: non-compliant vendors in their supply chain. Third-party data breaches have affected 51% of all businesses, according to a report by the Ponemon Institute. This is an issue with our major OEMs and IT support providers in Ohio and across the US, who even display non-compliant vendors on their own partner webpages. So how do we fix this problem in the US supply chain? The US government has already started with the CMMC program. It is basically built on the NIST 800-171 CSF, and it requires the organization to have an external auditor verify its compliance. That is designed to affect the entire supply chain of hundreds of thousands of businesses.
Next, top-level executive education. When you have a serious discussion with an OEM executive, they do not know about the third-party vendor problem in their own organization, or that they are violating their own written cybersecurity policies. This happens in both private and government offices. Then lastly, legal and procurement. In 2021, you would expect legal to review service agreements for cyber compliance, but as we review RFPs, it is rare to see a CSF certification requirement with the bid submittal. To recap: start the process of implementing a NIST CSF, educate top executives on how to spot non-compliant partners in their own organization, and add third-party CSF certification to contracts. These three initiatives will close many data security holes in our leaky defensive posture.
Related article: June 2021 Vendor Management News (venminder.com)
TechR2 has been NIST CSF compliant for years, and we realize we need to help our clients in their efforts to become CSF compliant. It is about leadership.