The Official Baldrige Blog
by Motivational Speaker Harvey Mackay
Two lumberjacks are cutting wood. One of the men worked hard all day, seldom took a break, and took only 20 minutes for lunch. The other man took several breaks a day, spent 45 minutes for lunch, and even took a 15-minute nap before going back to work. The first man became increasingly frustrated because, no matter how hard he worked, the other man's pile of chopped wood was always much bigger than his at the end of the day. "I don't understand how you do it," said the first man one day. "Every time I look around, you are sitting down, and yet you cut more wood than I do. Why is that?" With a smile, the second man replied, "Did you also notice that while I was sitting down, I was sharpening my ax?"
Here’s another way to look at “sharpening one’s ax.” Is your organization just reacting to problems once they occur, or are you anticipating, mitigating, and improving risky scenarios for your organization? Certainly, in the world of cybersecurity, one can only imagine the state of your data, secrets, and sustainability if you do not prepare for future scenarios and assess the risk. This blog looks at one area within cybersecurity that many organizations forget to include in their risk assessments—their supply chains.
Paul Myerson, in his recent Industry Week article “Can’t Turn Back Time: Cybersecurity Must Be Dealt With,” includes the statistics that “80% of all cyber breaches occur in the supply chain, and that 72% of companies don’t have full visibility into their supply chains. . . . Organizations—supply chain and otherwise—need to identify the potential risks (information security included), estimate both their potential impact . . . and the likelihood of them occurring, and put together a mitigation strategy to avoid the most likely high-impact risks.”
Myerson cites Jon Boyens of the National Institute of Standards and Technology (NIST) who points out that three trends exacerbate cyber risks to supply chains:
He offers examples to illustrate the risk:
In “Supply Chain Cybersecurity: Supply Chain Contractors Need to Improve Cybersecurity Risk,” Megan Ray Nichols wrote about the need to assess your suppliers’ cyber risk.
She writes, “The impact of just one weak link in the supply chain cybersecurity ‘chain of custody’ can be significant. . . . What’s really at risk isn’t necessarily something with a fixed, one-time value. Merchandise can be replaced. What’s at stake is quite often the key to your remaining profitable at all. You stand to lose vital organizational and client data, intellectual property and trade secrets. In some cases, you’ll be held responsible for damages if formal laws and guidelines apply.”
To hold “your supply chain partners, and yourself, to higher security standards,” Nichols suggests determining which vendors have access to your network, being explicit about security requirements in your contracts, monitoring your technology providers and other partners, and seeking constant improvement.
Says Nichols, “Each company is unique and has its own needs, which might make your particular approach unique.”
A recent Industry Week article "(Cyber)Securing Manufacturing's Future" underscores the need for preparation when thinking about cybersecurity.
Author Gary Williams writes, "Cybersecurity is a journey, not a destination: Security can never be viewed as a one-off project. New threats, attack techniques, and technologies are continually being developed, so security protocols must be regularly reviewed and updated. End users must apply and strengthen cybersecurity measures across the lifecycle of a device or system, and not just as an 'add-on' when it is first operational. That means continually monitoring and assessing the security of every system and device, as well as their networks and interconnections."
To help organizations assess and mitigate their cyber risk, including across supply chains and based on their own unique needs, the Baldrige Cybersecurity Excellence Builder blends two recognized NIST frameworks: the Baldrige Performance Excellence Framework and the Cybersecurity Framework. Following the model of the Baldrige framework, the Baldrige Cybersecurity Excellence Builder offers thoughtful questions to help an organization assess the effectiveness and efficiency of its cybersecurity risk management program, assess the cybersecurity results it achieves, and identify priorities for improving cybersecurity risk-management efforts. This free resource can also be shared with—even required for—suppliers.
Speaking at a 2017 cybersecurity panel, Steve Caimi, industry solutions specialist, US Public Sector Cybersecurity for Cisco, said that the Baldrige Cybersecurity Excellence Builder helps organizations ask key questions: “How do we assess where we are in the organization [in terms of cybersecurity]? How do we measure our progress and dial the risk down to an acceptable level?”
Russ Branzell, president and CEO of the College of Healthcare Information Management Executives, speaking at the same cybersecurity panel, said, “Risk analysis has to occur . . . because [for example] there is zero possibility for us to absolutely secure the health care system in this country. [The Baldrige Cybersecurity Excellence Builder] is going to force the entire organization—the board, every single staff member in the organization who wants to understand why we have to focus on cybersecurity—to have the really hard conversations on how much and appropriately where they will be spending the money to secure the organization.”
Will your organization be like the lumberjack working hard but not taking time to prepare, or like the lumberjack preparing, anticipating, mitigating, and improving?
Start using the Baldrige Cybersecurity Excellence Builder today to assess your own organization’s cyber risk, as well as the risk of your supply chain!
The Baldrige Cybersecurity Excellence Builder, Version 1.1 is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identify improvement opportunities in the context of their overall organizational performance.