

Over the next few weeks, we plan to publish a series of blog posts exploring cyber security supply chain risk management (C-SCRM) and looking at what you should consider when deciding whether to outsource your C-SCRM programme. We will cover everything from an initial explanation of the reasons why you should do it, planning a structured approach, developing and implementing an approach that best suits your company, and how to continually assess and monitor it.

These blog posts will give you the experience and knowledge needed to secure your eco-system and help win more business. Check back for them as they are published each week.

In this initial post, we look at C-SCRM, why it matters, and why you might consider outsourcing it. If you are considering outsourcing some, or all, of your C-SCRM programme to an independent or external consultant, there are some things to consider, both beforehand and during the engagement, to avoid problems later on.

There is, of course, always the option of managing it yourself, and this series is intended to give you the tools for managing C-SCRM in-house if you prefer.


Generally speaking, supply chain risk is easy to understand. For example, your supplier might suffer a disaster and be unable to provide what your business needs, so you have to find a new supplier. Or there might be a worldwide shortage of a particular product that you need, and no one can supply it – or only at a high price.

C-SCRM is more specific: it aims to understand and mitigate the cyber security risks associated with a business’ supply chain, whether they arise from suppliers, their products, their services, or even their own suppliers. C-SCRM involves identifying and assessing the cyber security risk associated with each supplier, determining appropriate mitigations for any risks, and then implementing those actions.


  • If your business buys software from a company, and that software contains a security vulnerability that could be exploited by an attacker, your business is at risk of a cyber attack.
  • If your business stores data with a third party, and they are attacked, your data may be at risk of being leaked.
  • If someone working for a supplier (perhaps a systems integrator) with access to your sensitive intellectual property steals it, you could lose your competitive advantage.
  • If a supplier has access to your IT, they (or an attacker who has gained access to their systems) could damage your systems, data, and reputation.
  • If your business depends on a particular widget, but that widget cannot be supplied by your widget supplier because their supplier of widget-parts suffered a ransomware attack, you might have a production issue due to a cyber problem further down the supply chain.



Cyber security supply chain risk management is increasingly seen as an important element of risk management, and so has been added to the draft NIST Cybersecurity Framework v2, within the newly added Govern function. Also, the National Cyber Security Centre has recently created a new collection of resources to support your supply chain security.



Cyber criminals are often savvy businesspeople and are likely to target the weakest link in the chain to achieve their goal – which might be to infiltrate your business, or a smaller business that supplies you.

You might spend significant effort and money on your cyber security technical controls, but cyber criminals target smaller, less secure organisations. Why spend millions targeting you when attacks can be generated far more cheaply at your suppliers? Effectively, it is a better return on investment for the business-minded cyber criminal.

By understanding the cyber security precautions your suppliers (and their suppliers in turn) put in place, you can understand where cyber attackers might focus their attention and put in place security controls to minimise the risk to your business and therefore potentially to your customers in turn.



  • understand which of your critical assets are most susceptible to supply chain weaknesses and vulnerabilities
  • reduce the likelihood of a supply chain compromise
  • have greater assurance that the products you acquire for use in your business are secure
  • have greater assurance that suppliers, whether of services or technology, can be trusted to deliver what you need, securely, as required.

This series is intended to help you establish—or strengthen—your C-SCRM programme.


There are several benefits to hiring an external consultant to carry out some or all of the C-SCRM activities for you. In this context, the most relevant benefits include:

  • you’ll be able to focus on your core business activities while someone else handles C-SCRM
  • you’ll have access to C-SCRM skills and resources that you may not have available for these tasks in your organisation
  • the speed and quality of delivery of these tasks is likely to increase as a result.

You need to remember, of course, that your consultant will not be an expert in your business and how it operates – you are the expert in that – so they will need some time from you and/or your team to cover business-specific areas. You will also need to be honest with them about your business (the issues as well as the successes), so that they can offer the best possible advice for your specific circumstances.



CSP are a specialist security consultancy helping our clients navigate this increasingly interconnected world.

  • advise on security requirements appropriate to your circumstances
  • assess your suppliers against your security requirements at every stage:
    1. reviewing their answers to your security questions
    2. reviewing the assurance clauses in contracts
    3. auditing your selected suppliers for compliance with your security requirements.
  • work with you to enhance your policies and processes to improve security throughout your procurement process.

