Best Practices in Cyber Supply Chain Risk Management (SCRM)

Posted by: Mary Pat Simmons | October 28, 2015 | Cybersecurity, Supply Chain Management

I recently attended a National Institute of Standards and Technology (NIST) meeting on Best Practices in Cyber Supply Chain Risk Management (SCRM). Over 250 people were there, and the discussions were very interactive and spirited. NIST presented several case studies describing SCRM challenges and the solutions companies are deploying to address them.

For me, the key take-away was that most companies today are concerned about security vulnerabilities within their supply network, but there’s no consensus on how best to identify them. Regardless of the depth and breadth of the partner ecosystem, organizations often lack the visibility necessary to accurately assess the risks, particularly with regard to cybersecurity. As a result, they simply aren’t sure where to begin to measure, manage and mitigate their exposure, and therein lies the danger.

Meeting presenters and attendees identified several business process scenarios that are keeping them awake at night, such as:

  • Infrequent monitoring of suppliers and partners opening the door to process and product quality degradations.
  • Inadequate monitoring of lower-tier suppliers leading to overlooked software, hardware, or firmware product compromise, whether intentional or unintentional.
  • Focused monitoring by IT of only the most critical suppliers missing vulnerabilities present in lower-profile suppliers.
  • Suppliers with poor cybersecurity hygiene misusing high-value intellectual property.

These concerns are well-founded. According to a 2013 article, “The ROI of Supply Chain Resiliency,” in Sourcing Innovation, “As supply chains grow more complex and more globalized, the likelihood that a manufacturing organization will not experience a supply chain disruption in a twenty-four month period is a mere 2%.”

Two years later, there is an even more urgent need for solutions that can provide an organization with the depth and clarity of SCRM visibility and trust to confidently make decisions about partner/supplier relationships. Cybersecurity can no longer just be limited to protecting your organization from the inside. It will require holding partners to a higher standard and working with them to reduce the risk that can create devastating impacts.