Addressing Supply Chain Cyber Risk Beyond the Executive Order

Written by Robert Vescio, Chief Analytics Officer, SSIC.

Over the last couple of months, cybersecurity has taken center stage in the news – including the Colonial Pipeline Company ransomware attack, the SolarWinds back door into government and corporate networks, and the Microsoft Exchange attacks against small and mid-sized businesses. It seems that every day there are new insights and emerging details. Last week, the federal government dipped its toe in the proverbial cybersecurity waters with President Biden’s “Executive Order on Improving the Nation’s Cybersecurity,” which targets secure software development standards and enhanced transparency (among other items).

Software developers and other third-party organizations across a corporation’s vendor and supply chain ecosystem have been ubiquitous sources of cyber exposure for decades. While it is great that cybersecurity is getting increased attention from the White House and the nation, understanding and managing supply chain cyber risk takes much more work than simply creating an “Energy Star” type of label for software products. To be managed effectively, supply chain cyber risk needs to be characterized economically and to describe the type of exposure each supplier relationship presents to a company. It also needs to be aligned to business priorities and enterprise risk tolerances. When business leaders can see the monetary impact of the cyber risks their suppliers and vendors introduce, proven fiscal strategies can be applied to cyber risk management decisions.

Applying Cyber Economics to Supply Chain Cyber Risk

Cyber economics is an economic framework, with its own statistical methods and data, for identifying and quantifying cyber-based events that can cause financial harm. Foundationally, this covers the financial impacts (losses) of data breaches, business interruptions, ransomware, and the misappropriation of funds, intellectual property, ideas, and services.

In the context of a vendor and supplier ecosystem, the focus of these cyber economic exposure calculations shifts to the digital exchanges of information, processes, and activities with the third parties that organizations rely on to conduct their business. Email, payroll, manufacturing, facilities maintenance, fiscal management, treasury, customer relationship management, eCommerce, IT, etc. – it would be challenging to identify any business activity or process that is now free of some type of third-party digital interaction.

It is within these interactions – known and unknown – that cyber risk lives. Businesses need a structured and scalable approach to answer these questions:

  • Which vendors and suppliers are creating the most cyber risk to my business?

  • What new cyber risks exist because of my vendor relationships?

  • How much cyber risk is being added to my business by my supplier and vendor ecosystem?

There is a better way to understand and manage third-party and supplier cyber risk. Built on the patented, industry-leading X-Analytics cyber risk decisioning application, X-Analytics Supply Chain transforms third-party supplier and vendor risk management by providing true financial exposure context. It does this by:

  • Presenting the financial and business impacts businesses are accepting because of supplier and other third-party relationships,

  • Reducing the third-party review/assessment timeline by streamlining the cyber risk assessment process with an intuitive and effective approach,

  • Aligning projected cyber risk exposures to individual business units or departments for cross business understanding and distributed risk management activities,

  • Providing dynamic insights over time on supplier- and vendor-related cyber risk as the business profile, threat conditions, and cyber insurance coverage change,

  • Enabling vendor and supplier-related risk management decisions supported by data science and analytics.

About the author

Robert Vescio is recognized globally as the leading innovator and visionary of Categorical Outcome Analysis, an emerging leading approach for cyber risk decisioning. He is the Chief Analytics Officer for Secure Systems Innovation Corporation (SSIC) and is the inventor and patent holder for several patents for X-Analytics, SSIC’s state-of-the-art cyber risk decisioning application. In his role, Robert continues to drive innovation in cyber risk decisioning solutions to enable organizations to make better cyber risk decisions using the power of data science and analytics.

To learn more about X-Analytics, visit
