How FSI organisations should balance supply chain and concentration risk
I speak to a lot of people about the security challenges facing financial services organisations in my role as Cyber Security Sales Director at Microsoft. The topics of those conversations change as the threat landscape evolves and new approaches to managing those threats emerge.
But a topic that seems to be top of mind in every meeting I’m in at the moment is supply chain risk. In particular, how we can balance it against the risks that come from concentration.
So, what do we mean by concentration risk? And where should organisations stand on the axis between that and the risks that come with multiple-vendor supply chains?
In this article, I want to unpack the debate with particular regard to FSI organisations, and offer some ideas for how CISOs can move forward securely and with confidence.
The risks of a multiple-vendor approach to security
Many of the customers I speak to face a dilemma: stitch together multiple security vendors from the top right of the Gartner Magic Quadrant, or go with a best-of-suite approach with a smaller number of vendors?
Both approaches have their benefits and drawbacks. Historically, the Magic Quadrant approach has been the most prevalent, because customers have felt that buying all the best-in-class products and services will give them the best level of security.
Lots of CISOs have also followed this approach for years because it’s been easy to justify to the board. But it’s one that comes with a number of risks.
Integrating multiple security vendors has always been a challenge for organisations. It’s complex and costly, and it can be difficult to keep the skills within the organisation to maintain it. But while these challenges have been known to organisations for some time, what’s become apparent more recently is the security risk a supply chain poses to an organisation.
Put simply, the more vendors you have in your environment, the higher your risk. This really came to light following the SolarWinds incident. One of SolarWinds’ products was compromised and it had an impact on a large number of SolarWinds’ partners. The hackers used the vulnerability in the SolarWinds software as a way to gain access to their customers’ environments.
And these types of attacks are growing. In fact, 45 percent of organisations worldwide will have experienced attacks on their software supply chains by the end of 2025, according to Gartner, a three-fold increase from 2021.
It’s something organisations are acutely aware of and was the focus of the City of London Innovation Challenge, which I presented at a few weeks ago. The event brought together FSI organisations such as Nationwide and Hiscox alongside tech companies to try and tackle the challenge of supply chain risk.
Managing supply chain risk
Companies try to stay on top of their supply chain risk by thoroughly auditing their suppliers. The challenge with this is that the answers the organisation gets back are only as good as the questions it asks. What’s more, the data from those audits quickly becomes out-of-date, because an audit isn’t a continuous process.
Some of the questions that organisations need to ask are:
- Does my risk of a breach increase as I increase the number of suppliers in my environment?
- Do I trust that my suppliers are dedicating the right level of investment and resources to their own security standards?
- How do I validate this on an ongoing basis?
Digital supply chain risks demand new mitigation approaches, such as more deliberate risk-based vendor/partner segmentation and scoring, requests for evidence of security controls and secure best practices, a shift to resilience-based thinking, and efforts to get ahead of forthcoming regulations.
But another approach to reducing supply chain risk is to reduce the number of vendors you work with. However, this presents another type of perceived threat: concentration risk.
Balancing concentration risk for FSI organisations
The basic concept of concentration risk is simple: if you have too much of your environment that’s dependent on one vendor and something happens to that vendor, it can take down your whole environment.
Companies have typically addressed this by spreading their risk across multiple vendors, which means if something happens to one then they still have the majority of their environment running.
In the financial services industry, companies’ aversion to concentration risk is exacerbated by regulators who require you to have an exit plan in place to mitigate the impact if one of your systems is compromised; you need to be able to keep your services running. A lot of organisations see that as a reason to have multiple deployments, because if something goes wrong with one, they have an exit strategy: moving things from one place to another.
This is really where the dilemma comes from for financial services organisations. How do you balance the regulatory need to have an exit strategy if something goes wrong against the growing prevalence of supply chain attacks?
You might think that, as a Microsoft security professional, I would be advocating to move everything to our security infrastructure. But that’s not what I’m advocating for. In fact, I think it’s impossible to go all in on Microsoft from a security perspective, because we don’t play in every area of security.
What I believe is that you need to keep your supply chain at a level where it’s manageable from a supply chain risk perspective, manageable from a skills perspective, and also from a cost perspective.
You don’t need to put all your eggs into one basket, but try not to have so many baskets that it becomes a challenge in itself to carry them all.