You may have heard the term “digital supply chain management” being used to describe an emerging business function. But what exactly is a digital supply chain, and how is one supposed to manage it?
Digital Supply Chain: Two Definitions
Depending on the context in which it’s used, the term “digital supply chain” could have one of two different meanings. The term can either refer to:
- The digital aspects of a physical supply chain
- The chain of technology companies involved in the delivery of digital products
Definition 1: Supply Chain + Digital
In the first definition, “digital supply chain” is typically used when discussing how the development and implementation of advanced digital technologies (IoT, blockchain, machine learning, artificial intelligence, predictive analytics, etc.) can drive improvements to traditional supply chains.
For example, in McKinsey’s concept of the “next-generation digital supply chain,” supply chain leaders ought to “place sensors in everything, create networks everywhere, automate anything, and analyze everything to significantly improve performance and customer satisfaction.”
Who’s responsible for managing the digital supply chain? Within this definition, the team responsible for digital supply chain management is the same as the team responsible for any supply chain functions (which could be sales, manufacturing, logistics, etc.).
These teams are tasked with finding new ways to accomplish the same goals they’ve always had: improving efficiency and increasing margins. In other words, “digital supply chain management” is really just supply chain management with an added layer of digital technologies. These technologies include:
- Predictive analytics to optimize inventory allocation and forecast demand
- Automated replenishment solutions
- Robotics to speed up assembly or picking
- IoT sensors to gather real-time feedback from manufacturing equipment and vehicles
Definition 2: Digital Product Ecosystem
The second definition — that the digital supply chain is the chain of technology companies involved in the delivery of digital products — originally referred to the supply chains of digital products that initially existed in physical form, such as ebooks and mp3s. This term was coined in a 2001 paper.
Now, the definition has expanded to include the supply chains that help deliver any digital product, such as a website or software platform.
Take an e-commerce website, for example. Its digital supply chain includes the website’s developers, its administrators, the cloud services company that hosts the website’s data, the CMS provider, and the devices that consumers use to access the website. In addition, every third-party technology provider whose code provides functionality to the website — e-commerce plugins, personalized recommendation engines, advanced analytics services, inventory tracking solutions, custom product builders, chatbots, etc. — should also be considered part of the digital supply chain.
Risks to the Digital Supply Chain
Looking closely at any digital product, whether it’s an e-commerce website, a B2B software product, or something else, one can discover the long list of providers upon which the product relies. Viewing this list as a supply chain can help technology companies improve their own security, and can help customers decide whether or not a technology vendor is secure.
Consider the 2016 DDoS attack on DNS provider Dyn that took down a large portion of the North American internet (including Spotify, Reddit, and the New York Times) for nearly a day. This is a typical example of a digital supply chain risk. The relationship between Spotify and Dyn is comparable to the relationship between a clothing retailer and a wool supplier — one relies on the other in order to deliver its product.
Another example is the 2018 Ticketmaster breach. Card skimming malware was added to the Ticketmaster website via a vulnerability in the code of a customer support software company. In other words, a threat was introduced through Ticketmaster’s digital supply chain.
A Growing Attack Surface
Digital supply chains are distributed and complex. Providers that appear to have little to do with the delivery of a digital product can still act as points of entry for cyber attacks, and must be considered part of the digital supply chain.
Take the 2020 SolarWinds breach, for example. Microsoft, which had used SolarWinds Orion software, revealed that the hackers behind the cyber attack were able to escalate access inside Microsoft’s internal network to view its source code repositories.
The SolarWinds incident shows us that monitoring the security of one’s own third-party network is insufficient. True digital supply chain security demands knowing not just that your technology vendors are secure, but that their vendors are secure (and so on).
That problem isn’t as insurmountable as it seems. Tools are available that can help IT security teams create a map of the digital supply chain to identify vulnerabilities and single points of failure among third-, fourth-, and fifth-party providers.
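The mapping described above amounts to a walk over a dependency graph. The following is an added example, not code from the original article or from any vendor tool: it uses a constructed dependency table in which the Dyn outage cited earlier shows up as a third-party dependency for Spotify, Reddit and the New York Times and as a fifth-party dependency for a hypothetical online shop; every name other than those four (the shop, the CMS and chat vendors, the CDN and cloud hosts) is made up.

```python
from collections import deque

# Constructed sample (hypothetical apart from the 2016 Dyn outage the article
# cites): org -> providers it depends on directly. "shop-example", "cms-vendor",
# "cdn-x" and the cloud hosts are made-up names.
DIRECT_PROVIDERS = {
    "spotify": {"dyn", "cloud-host-a"},
    "reddit": {"dyn", "cloud-host-b"},
    "nytimes": {"dyn", "cdn-x"},
    "shop-example": {"cms-vendor", "support-chat-vendor", "cloud-host-a"},
    "cms-vendor": {"cloud-host-b"},
    "support-chat-vendor": {"cdn-x"},
    "cdn-x": {"dyn"},
    "cloud-host-a": set(),
    "cloud-host-b": set(),
    "dyn": set(),
}

def nth_party_map(org, graph=DIRECT_PROVIDERS):
    """Breadth-first walk over `org`'s providers -> {provider: depth}.
    Depth 1 is a third party, 2 a fourth party, 3 a fifth party. BFS
    reports a provider at the closest tier through which it is reached."""
    depth = {}
    queue = deque((p, 1) for p in graph.get(org, ()))
    while queue:
        provider, d = queue.popleft()
        if provider in depth:      # already seen at an equal or closer tier
            continue
        depth[provider] = d
        queue.extend((nxt, d + 1) for nxt in graph.get(provider, ()))
    return depth

def dependents(provider, graph=DIRECT_PROVIDERS):
    """Every org whose chain contains `provider`: the outage blast radius."""
    return {org for org in graph if provider in nth_party_map(org, graph)}

def shared_single_points(orgs, graph=DIRECT_PROVIDERS):
    """Providers every org in `orgs` relies on at some tier; one outage
    there hits all of them at once, as the Dyn DDoS did in 2016."""
    chains = [set(nth_party_map(o, graph)) for o in orgs]
    return set.intersection(*chains) if chains else set()

if __name__ == "__main__":
    tier = {1: "third", 2: "fourth", 3: "fifth"}
    for p, d in sorted(nth_party_map("shop-example").items(), key=lambda kv: kv[1]):
        print(f"shop-example -> {p}: {tier.get(d, d)}-party")
    print("shared single point of failure:", shared_single_points(["spotify", "reddit", "nytimes"]))
    print("orgs affected by a dyn outage:", sorted(dependents("dyn")))
```

Swapping the constructed table for a real inventory of direct vendors (from contracts, SBOMs, or outbound DNS data) turns the same three functions into the third/fourth/fifth-party map the paragraph describes.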
Digital Supply Chain Risk Management - In Summary:
What is digital supply chain management? It depends on whom you ask. It can either refer to managing the digital aspects of a physical supply chain, or managing the supply chain of digital products.
In many ways, however, these definitions overlap. Almost every supply chain is now digital, and almost every digital product is now part of a supply chain.
For IT security teams, understanding how the organization fits within various digital supply chains can help improve security. Once you’re able to map third-, fourth-, and fifth-party connections, you can gain a better understanding of your attack surface.