This post is the third part of a series looking at cyber security supply chain risk management (C-SCRM).
If you are thinking of outsourcing some or all of your C-SCRM programme to an independent or external consultant, 有一些事情需要考虑, both beforehand and during the process, 以避免日后出现问题.
准备和计划
Before going to market to find someone to take on the C-SCRM programme for you (or, 事实上, 任何代表你的工作), 你应该:
- 了解你想要达到的目标
- Understand what you can or can’t do yourself
- Clearly specify what you need your partner to do.
By providing clarity at the beginning about exactly what you want from your consultant – and being transparent about what your in-house team will be able to do (and when) – you’ll get the best result. They’ll have a better understanding of your needs, and you’ll be able to track progress towards your goals.
Consider what your desired outcome will be, and then what you will need to put in place to achieve this result. This series of posts is focused on the processes needed, so you can complete the programme in-house, or outsource it if that is what you prefer.
If your decision is to outsource, it is important to find the right partner. 很明显, they should have the skills to do what you need, but you’ll also need to be able to work with them, and to trust them with the details of your business.
然而, 虽然信任很重要, you should also agree with them the timescales for the work, 任何的里程碑, 预算, 以及报告模式, 这样你就可以跟踪进度. Putting governance in place and ensuring two-way communication throughout will be essential for success.
沟通是关键
The most common problems arising from outsourcing part of your business activities come from lack of clear communication.
To be able to support your business with C-SCRM, your consultant will need information from you – about the business and your plans, 全球最大的博彩平台你的政策和流程, about the cyber security controls you already have in place, 全球最大的博彩平台你的供应商, 以及你对风险的看法. They also need to understand exactly what you want from them, and which elements you will do in-house.
Depending on what you’ve tasked your consultants to produce, they may need to work with a wide range of people in your organisation, 例如资讯保安, 采购, IT, 软件开发, 法律和人力资源. The importance of this programme to the business should be communicated to these departments or individuals.
类似的, to ensure that you get the best result from your consultant, 你需要从他们那里得到信息. They should report progress regularly, raising any issues that affect progress on the work you have tasked them with. If they raise anything else that might be an issue for your business, you should take note: while it might not be part of this project, and t在这里fore out of their agreed scope, it may be something you should consider acting on. And of course, if t在这里 is anything in their advice that is unclear, you should ask them to explain.
Elements of C-SCRM to consider for outsourcing
在接下来的几篇博文中, we will look at some of the elements of C-SCRM that you could consider outsourcing to an external consultant:
- Developing your C-SCRM policy and setting up a C-SCRM programme
- Assessing cyber security in your current supply chain
- Reviewing your current C-SCRM processes
- 实施C-SCRM计划
If you do decide to outsource some of these tasks, we’d be happy 谈谈我们能帮上什么忙. Contact us on 0113 5323763 to find out more.
对CSP
CSP are a specialist security consultancy helping our clients navigate this increasingly interconnected world. 我们的团队可以:
- advise on security requirements, based on your situation
- assess your suppliers against your security requirements at every stage:
- reviewing their responses to security questions
- reviewing security clauses in contracts
- auditing your selected suppliers for compliance with your security requirements.
- work with you to enhance your policies and processes to improve security throughout your 采购 process.
