Whether or not you are part of the Australian Critical Infrastructure, if you’re in business, you need to be sure that you have strong chains of mutual trust throughout your organisation, your suppliers and beyond. In my opinion, this is key to your cyber and physical security. As a senior influencer, it’s part of your job to ensure that all the right choices are being made at all the critical points of your business infrastructure. Your business continuity will need to incorporate availability, integrity, reliability, safety and confidentiality values. Depending on your business, some values will require greater focus than others. Failure of any of these could cause significant harm to your business.
Let’s take a closer look at how you choose the right teams to support you, not just internally, but all the way from the board to the outer reaches of your supply chain…
Your teams are broader than you think!
Physical and cyber threats come from inside and outside the company; some will be deliberate, others accidental. As a supplier to others, or as part of Australia’s critical infrastructure, you have to make sure your own operations can be completely trusted.
This means a collective capability team, dealing with both internal and external risk, is required. You may already have many of these capabilities in place, for example legal, financial and cyber security.
All risk owners will need to become involved in this cross-functional collective team, which not only deals with threats but anticipates and pre-empts them: imagining them in advance and putting in place understandable, readily available action documents – your response management plan.
Everyone in the organisation who bears any responsibility for cyber or physical security needs to be trustworthy; otherwise the trust chains may break before they even reach the edges of the company. Beyond this, you have a massive issue concerning your many suppliers, especially those with a direct physical or digital connection to your organisation.
Are you certain that your immediate suppliers cannot compromise your operations, either directly or via their deeper connections?
Leveraging your broader teams to boost your resilience
We’ve already hinted at one of the key measures – a silo-busting cross-functional collective team. This enables every risk relating to business continuity to be examined from the point of view of all involved departments. These teams and their desktop ‘dry run’ exercises quickly reveal the skills and resources that might be missing. This is an opportunity to recruit, skill-up or bring in external help.
CGI is often called in to orchestrate and participate in these teams, helping with supply chain vetting, desktop exercises, or advising on how to satisfy the requirements of external auditors with minimum pain. I’ve previously given major organisations effective approaches for handling audits, based on establishing provable best practice within organisations.
You probably have systems for protecting your organisation against internal ‘bad apples’ and for isolating customer-interaction systems from the core IT system. But what about the machine-to-machine communications that are becoming more prevalent, for example CAD to robot control, and remote access (or, indeed, physical access) by equipment service personnel?
And then there’s the big one mentioned earlier – your supply chain. Your continuity and security of supply depend on it. It’s not just the (usually digital) paperwork or the integration of your operational technology; it’s the supply of raw materials, components, finished goods and services. Apart from conventional contract terms, do you make clear their responsibility to protect your organisation from harm, to pass the same requirements through to their own suppliers, and to agree what happens to information or materials exchanged before a contract is terminated?
You have influence only over your direct suppliers, yet every supplier at every level in the chain must agree to terms that ultimately do their best to protect your organisation and its board. For a large company, this may require the synchronisation of thousands or tens of thousands of external organisations. At a minimum, certified adherence to standards such as ISO/IEC 27001 would make a major contribution towards a supplier’s credibility.
As you may have realised I have, to a certain extent, skimmed across the scope of your responsibilities when it comes to establishing the chains of trust for Critical Infrastructure.
If you and your board members require external intelligence to help complete the necessary processes, then my own organisation can draw on deep experience and good practice to help you. You might also find that our sponsored THINGUIDE to Securing Critical Infrastructure provides a terrific business-level synopsis of the subject matter. It is available both online and in print at various CGI events.
I hope I’ve given you some food for thought and look forward to seeing you again in the next post which will be all about embracing future innovation.