Businesses reevaluate their approaches to third-party risk control measures
In the ever-evolving digital landscape, a question lingers: Are we a target? As the manufacturing industry becomes increasingly reliant on technology, the importance of securing assets has never been greater.
Ron Bradley, a governance, risk & compliance leader at Bradley Consulting, underscores the need to protect assets in the manufacturing environment similarly to those inside corporate networks. He emphasizes the significance of having a clear understanding of what's happening on systems, enabling better protection, response, and recovery from incidents.
Third-party risk in the manufacturing industry has historically received less priority than in IT and other departments within U.S. companies. However, this is starting to change. Corporate stakeholders are focusing on understanding the risk calculus of their technology stacks, a trend accelerated by the SolarWinds attack, which has forced companies to reevaluate their third-party vendor relationships.
Victoria Yan Pillitteri, a cybersecurity engineer at NIST, echoes these sentiments. She stresses the importance of knowing what's happening on systems, a key component in protecting, responding, and recovering from incidents.
The National Institute of Standards and Technology offers publications to help companies develop a strong continuous monitoring program. However, the question remains: What demands do third-party vendors place on their fourth-party vendors in terms of reporting incidents and transparency?
Some incidents have come not directly from third parties but from third parties of third parties, that is, fourth parties of BlackRock. This highlights the growing importance of monitoring Nth party risk, not just direct third-party relationships.
BlackRock, a global investment firm, is continuously monitoring critical and high-risk vendor populations in real time, using multi-layered monitoring with dedicated oversight teams. Similarly, companies like financial institutions and IT firms managing complex cloud infrastructures (AWS, Azure) are focusing on optimizing security, backup, and monitoring processes to better control potential dangers.
Collaboration between IT and Operational Technology (OT) is crucial in managing third-party risk, according to Ron Bradley. As the gap between managing third-party risk in the manufacturing space and the corporate space closes, officials are taking a closer look at potential threats to the production environment.
The evolving role of Chief Information Security Officers (CISOs) is to better understand the risk calculus of their technology stacks. This includes not only direct third-party relationships but also Nth party risk, since, as highlighted by the speaker, complex cyber incidents often start with Nth party risk.
In conclusion, the trend is shifting toward protecting assets in the manufacturing environment on an equal footing with those inside corporate networks. Companies are reassessing how closely they evaluate and monitor the third-party vendors they regularly do business with, recognising the critical role of Nth party risk in protecting their assets from potential threats, particularly in the cybersecurity space.