United States: The Supply Chain Risk Enigma: Rethinking the Network and Its Risks
Current approaches to risk mitigation and information security are ineffective, and this failure is nowhere more apparent than in critical supply chains: defense, energy, health services and other key industries. The root cause of the continued failure to secure supply chains, and of the success of attackers in compromising these vital business arteries, is that most organizations do not recognize all of the components and connections that make up their networks. This blind spot leads to poor outcomes even when recognized information security frameworks are in place. We regularly encounter the following gaps in our supply chain security work:
- Inadequate supply chain mapping – Most organizations perceive only part of their supply chains, or do not map them at all. As a result, they overlook whole classes of risk and fall prey to attackers regardless of what else the organization does to mitigate risk.
- Untested cyber defenses – Many organizations emphasize defense in depth but neglect what is, for supply chain purposes, the more important element: validation in depth, that is, actually testing whether those defenses work. This near-fatal gap is precisely what attackers rely on in order to persist.
- Ignored OpSec – Organizations place far more importance on information security than on operational security. This overlooks a host of supply chain risks, among them exploits whose goal is to disrupt operations rather than steal data.
- Focus on intractable problems – An organization will never have perfect visibility, or in many cases any visibility, into its third- and fourth-degree vendor relationships. Yet organizations keep searching for a solution to this problem, and there is no viable one. It should therefore be treated not as a problem awaiting a solution but as an immutable fact, at least for the time being, and planned around accordingly.
- Expertise deficit – The scale of current cyber risk far outstrips the number of professionals with the expertise needed to address it. Yet organizations unfairly place responsibility for supply chain security on their IT groups alone.
We don't think properly about supply chain security. Empirical evidence shows that regardless of spending on information security, in technical, human and financial resources, the frequency and magnitude of security incidents continue to rise. This has led to a widespread view that the most important variable in the life cycle of an incident is the organization's response to it. While incident response is crucial, much more is needed to protect against risks that originate in the more distant tiers of the supply chain.
What an organization can do to secure its primary suppliers becomes less and less effective when the same or similar measures are applied to more distant suppliers, if they can be applied at all. In addition, a billion-dollar enterprise has a different set of concerns than a much smaller company, and the limited resources of small companies tend to narrow their leaders' thinking, regularly pushing security strategy down the priority list.
Effective supply chain security strategies therefore require a realistic and much broader view of what makes up the organization's network. This means mapping the entire network, supply chains included, and rigorously identifying and continuously assessing supplier risks, even those that cannot be easily identified or measured. In the absence of such initiatives, the problem of supply chain security will continue to spiral out of control.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.