
With Supply Chains, Transparency Only Goes So Far

Paul Roberts | November 12, 2013

This post was contributed by guest blogger Paul Roberts, Editor in Chief of The Security Ledger, an independent news blog covering security and the Internet of Things.

The last decade has been an education in the dangers of opaque operational dependencies for global corporations. Time and again we’ve seen ‘once-in-a-century’ occurrences like tsunamis, volcano eruptions and sweeping political upheaval expose undetected vulnerabilities in even the best-planned global supply chains.

The response of many companies has been to rethink assumptions made during less turbulent times, demanding more flexibility in their supply chains and more transparency in supply chain operations. With a more complete understanding of the complex web of dependencies that might affect production, the thinking goes, organizations are less likely to be caught unawares when unexpected events occur or single-source suppliers suddenly go offline.

As it has in other industries, technology has come to the rescue. Start-up firms like Sourcemap and LlamaSoft are offering “supply chain visualization” technology that leverages a familiar formula these days: mobility, social networking, crowd-sourced intelligence, and “Big Data” analytics.

The potential of these tools is huge. Sourcemap, for example, allows supply chain partners to use a social networking platform to share real-time data on a variety of factors, from shipping schedules to delays caused by manufacturing problems or bad weather. Its creator, Leonardo Bonanni, has described it as “LinkedIn for supply chains.” And, like any social network, the platform gets more powerful the more organizations and individuals contribute to it.

With all that data, Sourcemap harnesses cloud-based computing resources and data analytics to create some impressive visualizations of relationships that were previously buried in Enterprise Resource Planning (ERP) reports. The results are impressive: see Colgate’s toothpaste operation or ‘where Starbucks gets its coffee’.

When it comes to supply chains, transparency is a good thing. But the kind of transparency organizations gain with visualization tools only goes so far. That is: visualization tools can provide a granular understanding of the complex web of suppliers and subcontractors that constitutes most modern supply chains. But, to date, they have no way to assess one critical element that affects supply chain risk: IT security.

Consider this: visualization technology might make the job of routing around weather-related disruptions or political instability easier. But how will you know whether the network of an otherwise trustworthy supply chain partner has been compromised by data-stealing malware? That compromise might not halt delivery of a key component or freeze your production lines. But it could have long-term effects that are just as serious: the theft of critical product designs and intellectual property.

Even more prosaic business relationships have a way of ratcheting up the risks to your entire operation. In just the latest example, the website krebsonsecurity.com reported on a hack of CorporateCarOnline, a national limousine rental service, that divulged client information on VIPs from the worlds of sports, entertainment and politics. At least one of the targeted victims, Kevin Mandia of the security firm Mandiant, said that he received malware-infected PDF attachments claiming to be limousine receipts after using the CorporateCarOnline service.

BitSight’s CTO Stephen Boyer noted something close to this in a blog post last week. “Although we are witnessing greater levels of transparency in society, government, and business,” he noted, “much of IT security and risk management continues to operate with the curtain drapes firmly closed around its practices and posture.”

Why? There are lots of reasons: fear of shareholder litigation, security concerns, and embarrassment. There are also powerful market forces that conspire to keep companies in the dark about IT risk. Most firms guard information about their supply chain carefully, fearful that competitors will swoop in and woo critical suppliers away. Bad actors and corner cutters have an interest in keeping supply chain relationships obscure.

Whatever the reason, though, the risks for businesses are clear: a murky or incomplete grasp of IT risk and cyber threats endangers the integrity of your business, while also engendering low levels of trust and reliability between your organization and its supply chain and business partners.

Looking ahead, businesses that want to really understand their risk, and the risk posed by complex business and supply chain relationships, will need to add cyber to the long list of items they must assess before signing on the dotted line.
