Cybersecurity in procurement: between cost pressure and a lack of standards

The biggest structural deficits lie in the lack of standardized security criteria and in how security is weighted against cost. Large companies struggle with internal coordination, smaller companies with a lack of know-how. This is the finding of a Sophos survey.


The importance of cyber security in procurement is growing, but many corporate purchasing departments face considerable challenges. This is shown by a recent survey conducted by IT security provider Sophos among 201 purchasing managers from various industries and company sizes in Germany.

Cost optimization as the biggest obstacle

According to the survey, the four biggest challenges among all respondents are:

  • Focus on cost reduction instead of long-term security (45 percent)
  • Few or no standardized security criteria in supplier evaluation (41.6 percent)
  • Too little awareness of cyber security in purchasing departments (40.1 percent)
  • Lack of coordination with the company's own IT/security department (39.6 percent)

At 45 percent, the focus on cost reduction is the most frequently cited challenge. This tension between efficiency and protective measures suggests that cyber security is still often treated as a secondary priority in procurement.

Company size determines challenges

41.6 percent of respondents criticize the fact that there are few or no standardized security criteria in supplier evaluation, and 39.6 percent complain about a lack of coordination with their own IT or security department.

The survey also reveals differences by company size. Smaller companies (100 to 249 employees) struggle above all with non-standardized security criteria (54.7 percent) and a lack of technical expertise (35.8 percent). Large companies with 1,000 or more employees mainly report coordination problems with the IT or security department (52.6 percent).

While smaller companies lack the necessary skills, complex structures make effective security integration difficult in larger companies.

Public administrations lack know-how, utilities warn of missing cyber security awareness

There are also clear differences between sectors. Public administration reports a lack of expertise and a lack of standards particularly frequently (60.0 percent each). In the financial sector, a lack of training is the most significant issue at 53.8 percent.

In retail, on the other hand, the figures are consistently low: only 13 percent see a lack of expertise as a problem, and only 17.4 percent complain about a lack of supplier transparency. Almost 100 percent of utility companies, however, complain about a lack of cyber security awareness in purchasing departments.

"The fact that utility companies are complaining about the lack of cyber security awareness in purchasing is very serious," comments Michael Veit, security expert at Sophos. "Especially in sensitive sectors, security aspects should not be sacrificed to cost optimization."

The appeal: give cyber security higher priority in purchasing departments too

The results of the survey show that cyber security is increasingly recognized as a critical factor in corporate procurement. In many companies, however, knowledge, internal coordination and structural guidelines are still lacking. Companies are therefore called upon to give the topic higher priority, both through training and through clear security criteria in supplier evaluation.

"Many purchasing departments are currently facing the challenge of integrating cyber security aspects into their processes in a structured way," says Michael Veit. "However, there is often a lack of expertise, clear criteria or close cooperation with IT. Yet the supply chain in particular is a decisive lever for a company's security situation. That's why procurement needs clear security guidelines, trained employees and close coordination with IT managers. The resilience of entire supply networks, for example, no longer depends solely on firewalls, but also on the decisions made in procurement."

Source: Sophos

This article originally appeared on m-q.ch - https://www.m-q.ch/de/cybersicherheit-im-einkauf-zwischen-kostendruck-und-fehlenden-standards/
