Global Supply Chain Risk Management

08/01/2011 | Hart Rossman

As a follow-up to his July Enterprise Client Briefing on Cyber Supply Chain Security, IANS Faculty member and Senior Research Fellow at the University of Maryland's Supply Chain Management Center Hart Rossman has provided IANS clients with a road map that will set them on their way to defining policy and creating a uniform application of tactical risk mitigation measures. His exclusive IANS blog post follows:

Global supply chain risk management (GSCRM) (aka cyber supply chain assurance or information and communications technology supply chain security) is a domain that has slowly gained visibility over the last half-decade as its impact on consumer electronics and critical infrastructure has become more widely understood. I’ve said it many times over the years: it’s a national security imperative in a global economy that we have confidence in the supply chains of integrated systems and the integrity of the people, processes, and technology that comprise them. DHS has recently acknowledged the threat publicly as well.

As a supplier, resolving customer issues that arise from supply chain compromise or counterfeits costs you money and damages your brand and reputation. As an individual consumer or acquisition authority, it undermines your ability to purchase with confidence.

This is a complex domain that will require a truly multidisciplinary approach to managing the risk. Being a successful risk manager in a global supply chain necessitates a truly collaborative effort to manage a shared risk across the entire ecosystem.

At its core, the challenge is to gain enough visibility into your supply chain (both upstream to your suppliers AND downstream to your customers) to create supply chain-wide governance, shared risk management services, and a uniform application of tactical risk mitigation measures. This is because a cyber supply chain is fundamentally composed of the interrelationships between the system and product development life cycles of the critical nodes in your supply chain. To adequately protect such a system of systems, you need to employ solutions that provide defense in depth within a single enterprise or node in the supply chain, as well as defense in breadth that spans the entire supply chain. This is a true test of collaborative security solutions.

Fortunately, there are a number of efforts underway to define policy, best practice, and mutual recognition of assurance, with the ultimate aim of an environment where global supply chain risk management is a practical endeavor that includes better visibility, inclusive supply chain-wide governance, shared risk management services, and a uniform application of tactical risk mitigation measures. Some of the lessons learned from these efforts can benefit you today. Here are three to get you started:

First, the old saying that you can’t manage what you can’t measure is true in the supply chain. You’ll need to take that a step further, though: you can’t measure what you can’t see. If you don’t already have a mapping of your cyber supply chain, that’s the first step on the road to assurance. The map should include physical and logical representations of critical nodes and workflows. Developing an accurate map will likely require you to coordinate with the CIO, procurement, legal, and sales to ensure you cover both the upstream and downstream elements of your cyber supply chain. Consider mapping at least 5 levels deep in each direction and communicating with the organizations represented to validate your mapping.

Second, leverage your map and the process you used to create it to engage the stakeholders within your organization and across your critical nodes to develop a governance structure that will focus on managing shared risk across the cyber supply chain. You’ll likely find that the larger organizations in your supply chain already have corporate governance boards and enterprise risk management programs, which will allow them to quickly grok the value and scale applicable components of their framework horizontally. Smaller organizations may need some coaching, or will require you to work together to identify the best role for them to play in supply chain-wide governance and risk management.

Finally, come to some agreement on tactical risk mitigation measures that you can apply uniformly across the critical nodes. This may be a coordinated incident response playbook, sharing of intrusion detection or threat data, or a common approach to vulnerability assessment and reporting. Start small and scale quickly as value is created and risk is demonstrably reduced.

By taking the time to work with your suppliers and customers in thinking through the risks inherent in your cyber supply chain today, you place the entire ecosystem in a much stronger position to effectively handle the threats of tomorrow with minimal impact to operations, brand, and reputation.