“Supply Chain Security” – I do not think that phrase means what you think it means.

Allie Williams, IOM
Executive Director, CRA
Executive Director’s Report – January 2017

One of the buzzwords I heard at a conference I recently attended is the concept of “supply chain” security. That is, the need to secure data, applications, and connections not only within your enterprise, but also throughout the “supply chain” that is responsible for your goods and services. It comes from the concept that your security is only as good as your weakest link, and your vendors, suppliers, and other third parties are likely to be among your weakest links. So it’s important that you secure your supply chain. No arguments here.

But which supply chain?

Everybody has their own definition of “supply chain” and they are all mostly accurate, but completely different. Take a medium-sized company that assembles widgets in New Jersey from parts made globally, and then exports those widgets worldwide. What is their “supply chain?” Certainly you can look at the vendors and suppliers who make the component parts that physically go into the assembled widget (the sub-widgets). Defects or problems with those can cause defects in the completed widget. Defects in the computer system of these suppliers may result in shortages or late delivery, and upset the ability to manufacture and assemble widgets, or may increase the cost of assembly. But there are dozens of other “supply chains.” For example, the widget company’s IT infrastructure is made up of routers, hubs, computers, servers, cables, WiFi, and other connections, all of which are part of the corporate information “supply chain.” A defective or compromised router can impact a company as much as—or more than—a defective sub-widget. Even things like CAT-6 cables, WiFi routers, etc. can be compromised and used to launch attacks against companies and their IT infrastructure. Thus, suppliers of IT products (and services) become part of your IT supply chain. Standards, security, and the ability to test and audit are necessary on these devices.

There’s also a supply chain of information or knowledge—sort of “follow the data.” Information flows into and out of an organization, and is relied upon by decision makers. Some data is critical, some meaningless. But there is a supply chain of information, and degrees of trust for that information. The result is yet another supply chain.

Companies also have supply chains of vendors and third parties. Your lawyers, accountants, consultants, vendors, suppliers, customers, middlemen, Xerox repair people, cleaning crew, and thousands of others may send and receive information, may have temporary or permanent access to your networks or data, and are part of your “supply chain” of information. Weaknesses in their practices can impact your overall security. Complicated, much?

Rather than just focusing on the supply chain, companies should focus on comprehensive risk. “What would happen to me if …?” What are my core business functions, what infrastructure (human, technological, and information-based) is necessary to support these functions, and what would be the impact to the business if that infrastructure were not available, reliable, or secure? To paraphrase Sam Cooke, “That’s the sound of the men working on the supply-chain gang.”

Posted January 25, 2017 in CR Blog in Supply Chain