It’s been nearly a year since the Government launched a new online cyber security training course to help the procurement profession stay safe online. Developed in partnership by government and industry, the course was designed to help procurement professionals protect themselves, their businesses and their suppliers from cyber attack.
Speaking at the launch of the training, Andrew Coulcher, Director of Customer Solutions, CIPS said “This is one of the biggest issues of our time and as procurement professionals we need the right tools and support to meet these challenges head on.”
Lack of a joined-up approach
Whilst cyber security is headline news, it is only part of the wider challenge of managing information risk or Information Assurance (IA). And although IA has been on the CIPS syllabus for some time, we rarely see a joined up approach to IA in the procurement process. There’s something just not working in practice, and we at Ascentor would like to see this changed.
As we see it, while there is a focus on training procurement people to understand what cyber security is, we fear this may be seen as superseding IA rather than being an added perspective.
So, why has cyber security been so difficult to embed in the procurement process?
A multi-faceted affair
First, without a strong understanding of the different aspects of IA, it can be easy to focus in the wrong area.
Staying with the CIPS objective to ensure procurement professionals consider the risks to the information used by themselves, their businesses and their suppliers, let’s look at each of those areas in more detail.
To protect themselves, procurement professionals need to ensure they understand how to keep online and offline information safe when conducting their day to day business. This is as much about policy, people and education as it is technology, but basic IA awareness – including cyber security – is critical.
To protect their businesses, IA needs to be truly inherent throughout the procurement process – it must be built into both running a procurement exercise and managing the supply chain.
If IA is not given enough prominence in the requirements specification and then transposed into the ITT, suppliers can often treat it as something to ignore or trade off in favour of lower costs with a ‘worry about it later’ approach. But adding effective IA back into a contract once the engagement with a supplier has started is far more costly than building it in from the outset. Once the contract is let, both the project delivery and on-going supplier relationship management programmes need to maintain an eye on IA.
Easy pitfalls to avoid
Our top five tips are:
- Ensure your business users have considered information risk in the specification then build an appropriate focus on IA and cyber security into the ITT questions and evaluation (with its importance being reflected in the assessment framework).
- Focus on the entire supply chain, not just the prime contractors. There are many links in a chain, and that makes it difficult to identify where the weakest points in its security are. Procurement might think they have covered IA with their suppliers – but have those suppliers been as rigorous with their own suppliers?
- Remember the small companies. The cyber risks involved in dealing with smaller suppliers emerged from a multi-sector KPMG survey of 175 procurement managers across the UK in 2015. The survey found that many SMEs still take a blasé approach towards cyber security and mistakenly don’t see themselves as targets of cyber criminals.
- Check how your suppliers will protect information in your solution as well as how they have protected themselves against information/cyber risk within their own businesses. Schemes like CES and certification processes such as IASME or ISO27001 are a good start, but where the project risks are higher, probe a little deeper into the associated scope and ask some questions to assure yourself that it’s integral to working practices and systems.
- Don’t just look at the biggest contracts – having multiple suppliers might lead procurement to naturally look at identifying risk in the obvious places. This may lead to missing a smaller contract that could have an equally big impact on risk as a part of a larger project.
Take a lifecycle approach
A new full lifecycle approach to IA for suppliers and buyers is needed – and ‘IA Inside’ from Ascentor has been developed to make IA integrated into projects and effective throughout.
IA Inside is a robust and holistic process for securing information. It’s based on early analysis of requirements (by the buyer) to give IA focus and weight during the procurement process. This means that IA increases in importance and starts to feature explicitly in ITTs. Those suppliers that have treated IA seriously will be in a stronger position with their bids. There will be no hollow promises or ‘retro IA’ – suppliers will be accountable to the promises they made in the ITT.
Buyers benefit because building IA into the heart of their projects will save them money and reduce risk. Suppliers benefit because having strong and well defined IA from both a business and project perspective enables them to build competitive advantage.
How can Ascentor help?
We can ensure the procurement industry and the supply chain have the tactics to fight the cyber threat. We understand how to embed IA within the procurement process of your projects. Our consultants can work with you through any or all phases – from the analysis and capture of IA in specifications to guiding your IA delivery.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about IA and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how our consultants could advise on any aspect of IA and cyber security, please contact Dave James at Ascentor.
Email: [email protected]
Office: 01452 881712