All businesses are becoming increasingly aware of the importance of formulating strategies and deploying solutions to protect themselves against the ever-increasing threat of malicious cyber activity and the theft of data. The associated reputational damage and the fiscal penalties now in force are focusing the minds of executives, resulting in increased budgets for Cyber operations teams to build defences against the various threat actors and their activities.
There are many board members across all sectors who are kept awake at night by the fear of what impact a targeted cyber strike might have on their business, and of the reputational and financial damage it would bring. Cyber threats are not diminishing; in fact they are growing day by day, with nation states targeting corporate IP and disrupting national infrastructure, and organised crime monetising cyber breaches and data loss, and these are only a fraction of the malicious activities at large.
A full corporate cyber portfolio consists of many facets, from incident management and proactive threat intelligence to data loss prevention and targeted user campaigns. Each of these individual aspects is segmented in different ways, with different toolsets offered to cover those sub-segments. Such a fragmented portfolio requires an intense degree of management to mitigate risk and to ensure that the appropriate fiscal and commercial structure is adhered to.
With annual global spend in the Cyber security space expected to exceed $100 billion by 2019, there is tremendous growth in niche companies providing a multitude of products and services to address the Cyber market. In-depth technology and market knowledge is therefore key to ensuring internal and external credibility when supporting sourcing activities. The market dynamics, and the ever-changing solution offerings that must address the various aspects of an end-to-end cyber defence strategy, mean that procurement must always be on the front foot.
As threat actors look for more creative ways to penetrate company defences, they see external organisations as opportunities to facilitate this. Procurement and its supplier base are no different, and are therefore not immune from attack. Masquerading as current suppliers, potential suppliers, debt recovery agents, legal representatives, even bank representatives, they engage with unsuspecting staff and seek out possibilities to defraud the business and compromise its systems. Conservative estimates state that over $250 million was lost to this type of fraudulent activity in 2017 alone.
The challenge procurement faces in supporting Cyber operations is overlaying the appropriate level of process and governance whilst understanding the dynamics and culture that underpin a successful Cyber operations team. The average Cyber portfolio will probably consist of every type of supplier, from large multi-nationals to small niche providers addressing bespoke activity within the threatened estate.
The appropriate level of budget for a Cyber portfolio is between 7% and 10% of a company’s turnover, with further investment during key transition activity. With a spend profile at this scale, procurement needs to be embedded from the early stages to ensure that fiscal propriety and corporate policy are adhered to.
Procurement organisations need to respond by analysing, challenging and embedding the correct cultural approach; providing targeted education on an ongoing basis; conducting end-to-end reviews; and realigning the appropriate processes alongside the implementation of solid governance covering both contractual and operational aspects, as well as the risk management and appropriate auditing of external suppliers.
Make no mistake, Cyber threats are here to stay and Procurement is a key part of the defence structure.
Written by Andrew Davis, Technical Procurement Consultant