Actionable Supply Chain Security: Lessons from the Trenches

By Andras R. Szakal, Vice President and Chief Technology Officer at The Open Group

Since the pandemic, the global Supply Chain has been in a state of flux. Entire industries shrank in size, and extreme labor shortages created a plethora of delays and disruption. Recent geopolitical events such as the conflict in Ukraine have worsened the situation, and we’re expecting to experience long-term commodity disruption across numerous industries as a result.

To make matters worse, when a supply chain is disrupted, it opens up the opportunity for malicious actors and threats to make their move and create further chaos. Luckily, there are actionable steps that can be put in place to manage and secure an organization’s Supply Chain. In fact, it’s essential to set up a risk management strategy to mitigate the issues that may arise. In order to set out an effective risk management regime, organizations must understand exactly what threats they may be faced with.

Threat actors aren’t the only threats

It’s crucial to make the distinction that cybersecurity is not the same as supply chain security. While there is some overlap – i.e. you must have cybersecurity in place to protect the assets in your Supply Chain landscape – cybersecurity and Supply Chain Risk Management (SCRM) are ultimately interrelated but separate disciplines.

How are organizations responding?

It’s great to see organizations putting in the work to understand the SCRM standards landscape and embracing the idea of managing their own Supply Chains. But what actions are being put in place?

Organizations are dealing with their vendors and beginning to understand their approach to Supply Chain security. They are frequently developing supplier risk management frameworks and, in some cases, they’re coming up with their own bespoke implementations. Some companies are even going the extra mile and obtaining industry certifications to ensure they’re following the correct processes. 

While some progress is being made, organizations must go further. They need to do their due diligence and understand industry guidance on the subject, of which there is plenty. What they absolutely shouldn’t do is come up with their own standards and guidelines. The industry drastically needs to come together, rather than remaining disaggregated.

Similarly, a trend we’re frequently seeing is organizations creating their own bespoke vendor acquisition surveys. They are developing their own point of view (POV) on what questions to ask suppliers and partners as they go through the process, which is becoming a challenge for the industry. 

Understanding and managing the SCRM landscape

Though it’s still a developing area, there are practical ways that organizations can address international Supply Chain standards and requirements – SCRM surveys are a great place to start. Organizations should conduct these surveys to identify how SCRM is currently being used, what practices are in place, and whether a new SCRM framework is needed to standardize their approach to Supply Chain security. 

However, putting together the surveys may not be as simple as you’d expect. I’ve shared below my top tips for putting together a vendor SCRM survey:

  1. As much as possible, resist the urge to create surveys from scratch. It’s important to leverage some of what’s already out there. While you might capture what you’re personally interested in, it probably won’t help you mitigate risks and make good decisions with respect to suppliers. 
  2. Ask binary questions. Asking open-ended questions turns it into a creative writing exercise and you won’t get the information you need. 
  3. Don’t ask for confidential information or internal documents as proof. Legal teams will need to get involved and it will ultimately end up being a costly process. 
  4. Make the questions actionable and base your determinations on data. This will lead your organization to be able to make clear and defined decisions. 

There is also a growing number of SCRM compliance standards that organizations need to be aware of and adhere to. To comply with these regulations, they should:

  1. Conduct an internal assessment with a Third-Party Assessment Organization (3PAO). This is proving invaluable in helping companies to really understand what it means to protect the supply chain and what the risks are.
  2. Use a formal security compliance assessment framework. It’s important to leverage the existing assessments from both academia and industry.
  3. Mitigate risk by applying compensating controls. Controls cannot be chosen without first understanding the risk and the technology architecture, since these dictate which security controls are practicable.
  4. Apply a formal quantitative risk analysis standard, like O-FAIR, to assess the ROI of adding additional controls. Use the outcome of this work to defend your organization’s approach to mitigating risks.

The tips I’ve shared are by no means an exhaustive list but a snapshot of the key learnings I’ve discovered throughout my time in the industry. Each organization’s SCRM certification journey is a unique one and something that needs to be formally defined within the business. But it begins with a reflection of the organization’s current certification standings and then understanding what the standards and conformance criteria are. 

Moving forward, Supply Chain Risk Management will be a required competency for all organizations. As such, it’s essential that they use the assets and frameworks available to pull together an appropriate risk management strategy and build cross-organizational expertise. Ultimately, organizations need to get the ball rolling on their SCRM practices, as this problem isn’t going away any time soon, as evidenced by growing government interest. If you’re interested in making the most of existing resources, The Open Group is a leader in the development of open, vendor-neutral technology standards, including industry guidelines around SCRM and the upcoming threats to global supply chain integrity.

Andras is Vice President and Chief Technology Officer for The Open Group. Andras is a recognized expert on Supply Chain Security, Cloud Architecture, and Cybersecurity. He is widely recognized as the driving force behind ISO/IEC-20243 better known as the Open Trusted Technology Provider™ Standard (O-TTPS) and his tireless work to establish recognized professional credentials for technology professionals through the creation of the Open Professions Framework. Andras has achieved professional certifications in security (CSSLP), solutions architecture (Distinguished Certified Architect), and supply chain security (Master Certified Trusted Technology Practitioner). His experience spans over 30 years of research, telecommunications, global standards contributions, and public sector executive leadership.

Andras holds undergraduate degrees in Biology and Computer Science, and a master’s degree in Computer Science from James Madison University with a concentration in Operating Systems and Artificial Intelligence.

Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.