We live in a fast-paced, global economy that relies heavily on data and information being carried through cyberspace. Our interconnected world offers many attractive opportunities, but also unprecedented risks.
In the past, organizations often invested in securing their own digital environments, without considering how their partners responded to the challenge. In today’s complex world, technological advances mean this type of approach is no longer viable and collaboration is essential. In fact, building cyber defenses beyond an organization is just as important as securing its own internal infrastructure.
That is why collaboration is one of Aramco’s strategic cybersecurity objectives, through which we aspire to create a culture of co-operation across our business ecosystem, including both national and international partners.
As one of the world’s largest companies, we also strive to build long-lasting and robust alliances with leading national and international cybersecurity institutions, government agencies and organizations operating critical national infrastructure (CNI).
It is an approach tailored to a 21st Century in which third-party business partnerships are often unavoidable, particularly for organizations operating across different business lines and managing a diverse portfolio of services.
Engaging contractors or outsourcing functions could put data at risk, raising questions about governance and security. A single third-party operator could be exposed to multiple data breach opportunities in its dealings with its respective subcontractors/partners (i.e. fourth parties).
In recent years, companies around the world have faced multiple cyber incidents in which third-party vulnerabilities were exploited, almost like stepping stones, to infiltrate intended targets. Impacts typically range from compromised sensitive information, operational disruption and financial losses to legal liability and reputational damage. Only through collaboration can trust be assured all the way along the supply chain.
Given its scale and vital contribution to the global economy, Aramco remains a target for cyber-criminals who are relentless in their attempts to disrupt our operations for their own gain. As a result, we deploy best-in-class cybersecurity solutions and adopt the highest standards of data and cybersecurity governance. We also educate our employees about such threats to ensure a culture of awareness.
The cybersecurity of any organization in a chain is only as strong as its weakest link. A determined aggressor will identify the organization in a supply chain with the weakest cybersecurity capabilities and exploit vulnerabilities in its systems to gain access to others. While not always the case, smaller organizations in a supply chain are often targeted since more limited resources may translate into the weakest cybersecurity posture.
This is why Aramco developed a Supply Chain Cybersecurity Program to effectively combat cyber risks originating from third parties. A 2020 recipient of the CSO50 Award, which recognizes security projects or initiatives that demonstrate outstanding business value and thought leadership, the program identifies functions and capabilities required by third-party firms to mitigate such risks.
Adherence is monitored through the development of third-party cybersecurity standards, processes, committees, assessments, contractual requirements, performance measurement and consequence management.
The aim is to ensure cybersecurity remains a priority for our partners throughout our engagement lifecycle. The program also aims to safeguard Aramco data and assets entrusted to third parties, and minimize potential disruption, by elevating their critical cybersecurity posture.
Our focus on collaboration also led to Aramco becoming a founding partner of the newly established World Economic Forum Center for Cybersecurity (WEF C4C), a platform that will shape the global response to cyber threats. It will do so through policy recommendations, intelligence sharing, new frameworks and recognizing industry best practices.
This year, Aramco has worked closely with the center and its partners to initiate a cyber resilience program specifically focused on our industry. The initiative includes crafting cyber resilience principles and guidance for company directors, which can influence organizational and behavioral change within the oil and gas (O&G) sector. It also focuses on cyber risk in the operational technology/industrial control systems environment and supply chain.
The program aims to develop a trusted network across the O&G ecosystem, through new recommendations for systems manufacturers, operators and third parties. The program also aims to increase the visibility of cybersecurity measures across the sector by establishing independent and trusted benchmarking processes and mechanisms.
WEF C4C is also helping operators across industries overcome cybersecurity challenges against a backdrop of rapid digitalization. One paper, a collaboration between Saudi Aramco and WEF C4C, addresses the cybersecurity response during the COVID-19 pandemic, highlighting the importance of security for business continuity.
Our vision is to achieve seamless cybersecurity resilience globally, while at the same time fostering capability and talent excellence. This requires continuous collaboration between IT, legal, procurement and business personnel across organizations and networks. For most of us, the days of cybersecurity being no more than an afterthought are long gone.
However, in this era of rapid technological development there can be no room for complacency. We must continue to advance capabilities around people, processes and technology – and in doing so, safeguard our business models in the decades to come.