Eddy Boonen

Director Consulting Services

What is the best way to secure your business with the ever increasing use of digital goods and services? In today’s blog I would like to highlight the perspective of integrating cyber resilience into the procurement process, especially for digital goods and services.

This topic brings me back to a CGI event on Operational Technology (OT) cybersecurity last year and the paper published on this particular topic. One of the keynote speakers was Dr. Konstantinos Moulinos from ENISA, who discussed the latest developments and impacts of the NIS2 directive.

During the round table we tackled the one million dollar question of where to start. In an ideal world it’s easy, as you start from scratch and develop a new greenfield environment. The reality is different, as most operations take place in existing (brownfield) facilities and sites. Here you cannot replace everything overnight. So, where do you start? My experience and best advice is always to first of all make sure that you don’t introduce new vulnerabilities. Make sure that the new systems, products and software that you want to procure are compliant and future proof by design. A good second step would then be to review the existing contracts.

Understanding the Procurement vs. Cybersecurity Link

The procurement process involves the acquisition of hardware, software, and technology solutions to meet organizational needs. Traditionally, procurement has focused on factors such as cost, features, and performance. However, in today's ever increasing threat landscape, the relevant cybersecurity requirements must also be a top priority in the procurement equation. There are considerations to take into account, such as:

  1. Starting Secure: The First Line of Defense
    The procurement process is where your cybersecurity journey begins. Selecting suppliers, systems, technology, and software with inherent cybersecurity features significantly helps reduce vulnerabilities and risk. This proactive approach minimizes the need for extensive retrofitting or costly security enhancements post-purchase. In a previous blog I talked about the important role of certifications given the latest regulatory developments, e.g. the EU NIS2 Directive.
  2. Risk Mitigation and Due Diligence
    Incorporating cybersecurity into procurement practices involves rigorous due diligence. This means assessing potential vendors for their security practices, track record and commitment to addressing vulnerabilities. A vendor's security posture becomes an integral part of their overall credibility.
  3. Alignment with Organizational Needs
    Procurement decisions should align with your organization's specific cybersecurity needs. Customizing your purchases to address unique risks and challenges ensures that your security measures are tailored to your operational environment, corporate policy, etc., and thus adds value to your organization's cyber resilience.
  4. Staying Ahead of Regulations
    In many industries, compliance with cybersecurity regulations is mandatory and part of your license to operate. A cybersecurity-enhanced procurement process ensures that the systems and software you acquire are compliant, saving you from potential legal ramifications and hefty fines in case of a cybersecurity incident.
  5. Holistic Cyber Ecosystem
    An effective cybersecurity environment is an integrated one. The procurement process enables you to select solutions that (by design?) seamlessly integrate with your existing security infrastructure, creating a holistic defense strategy.
  6. Future-Proofing
    Digital technology evolves very rapidly, and so do cyber threats. A forward-thinking procurement approach involves selecting solutions that can adapt to emerging threats and incorporate updates to address new vulnerabilities.

Best Practices for cyber-savvy procurement – some tips!

  • Involve your cybersecurity experts: close collaboration with your cybersecurity team during the procurement process helps include their insights to identify potential risks and ensures that the chosen solutions align with your security strategy.
  • Specify relevant security requirements: clearly define your security requirements in your procurement documentation. This includes outlining encryption protocols, authentication mechanisms, and data protection measures.
  • Assess vendors: evaluate their security practices regularly, including any history of security incidents and adherence to industry standards. E.g. don’t forget that not being able to patch the operating system is a huge vulnerability, which is a strong point of attention for operational technology procurement. A thorough vendor assessment can prevent future headaches.
  • Audit regularly: incorporating security audits into your vendor relationships helps ensure that vendors consistently maintain their promised security standards. During my audits I often notice that the onboarding and offboarding process is well described for new staff, but that there are no best practices in place for the on-/offboarding of vendor employees.
  • Enhance cybersecurity training: also equip your procurement team, as well as all staff regularly, with a foundational understanding of cybersecurity. This knowledge will enable them to make more informed decisions and ask pertinent security-related questions during vendor interactions.

Conclusion

In an era where data breaches and cyber threats are an unfortunate reality, a comprehensive cybersecurity strategy safeguarding privacy and business continuity must encompass every aspect of your organization's operations—including the procurement process. By prioritizing cybersecurity requirements and considerations when acquiring systems, technology, and software, you're not only safeguarding your organization's assets but also contributing to a safer digital landscape for everyone. Remember, a secure cybersecurity environment starts with the right procurement choices.

I can imagine that you don't want to start from a blank sheet of paper and that you would like to leverage available best practices. This is possible by making use of CGI’s experts and their many years of experience. Feel free to reach out to us.

About this author

Eddy brings 25+ years of experience in information technology and has a strong background in the healthcare industry, including great experience in laboratory systems across Europe and a background in Electronic Medical Records.