Identifying and Navigating Supply Chain Risk

Posted by Sunil Bakshi

Governments' efforts to contain the spread of COVID-19 at times succeeded in slowing the pandemic. However, the initial period of chaos and unprecedented measures such as lockdowns exposed the shortcomings of our supply chain governance and management. Virtually every organization, whether in business or in service delivery, depends on third-party suppliers or service providers, and those providers in turn depend on their own suppliers and service providers. Together these dependencies form a chain, commonly referred to as the supply chain, through which services are delivered. ISACA's recent survey on supply chain security gaps, based on responses from about 1,300 IT professionals worldwide, brought several interesting insights on the topic to light.

Organizations typically try to manage the relationship with the immediate supplier/service provider and expect that service provider to manage the relationships with its suppliers. Thus, supply chain management becomes a collaborative activity of multiple organizations that depend upon each other. As the pandemic has underscored, though, those relationships and dependencies are fragile and can unravel quickly without a holistic approach to supply chain governance and security.

While many industry professionals understand the concept of the supply chain in general terms, the implications of gaps in supply chain security cut deeper than many realize. Suppose a bank or other financial organization uses information technology (IT) to improve the efficiency and effectiveness of its products and services. Because its management has expertise in banking rather than IT, it depends on IT experts or IT service providers. There are multiple providers, such as application providers, hardware suppliers and network service providers, who in turn depend on other suppliers or service providers. If any provider in this chain has a problem, the bank's operations may be affected even though its immediate service provider has no problem of its own. Hence, to ensure uninterrupted services, the bank needs visibility not only into its own service providers and suppliers but also into their service providers. Similarly, an organization typically deals with multiple suppliers and service providers for its different requirements, so it has multiple supply chains, each with a different level of dependency.
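To make the transitive-dependency point concrete, here is an added example (not from the original post and not from ISACA) that models a hypothetical bank's supplier graph and answers three questions a practitioner would ask: which first-tier providers a failure deep in the chain reaches, which suppliers a first-tier-only inventory never sees, and which lower-tier suppliers several first-tier providers quietly share. All supplier names and edges are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed (hypothetical) supplier graph for a bank. Each key is a consumer,
# each value the list of suppliers it depends on directly. Names are
# illustrative only and correspond to no real vendor.
SUPPLIERS = {
    "bank": ["core-banking-app", "hardware-vendor", "network-provider"],
    "core-banking-app": ["cloud-host", "auth-saas"],
    "hardware-vendor": ["chip-fab"],
    "network-provider": ["cloud-host"],
    "cloud-host": ["dns-provider"],
    "auth-saas": ["dns-provider"],
    "chip-fab": [],
    "dns-provider": [],
}


def transitive_suppliers(graph, org):
    """Return {supplier: tier} for every supplier reachable from `org`.

    Breadth-first traversal, so each supplier is recorded at the shortest tier
    at which it appears. Visited-set check keeps cycles from looping forever.
    """
    tiers = {}
    queue = deque((s, 1) for s in graph.get(org, []))
    while queue:
        node, tier = queue.popleft()
        if node in tiers:
            continue
        tiers[node] = tier
        for nxt in graph.get(node, []):
            queue.append((nxt, tier + 1))
    return tiers


def impacted_by(graph, org, failed):
    """First-tier providers of `org` whose service is affected if `failed` fails.

    A first-tier provider is affected if it *is* the failed party or if the
    failed party sits anywhere below it in the chain.
    """
    return [
        s for s in graph.get(org, [])
        if s == failed or failed in transitive_suppliers(graph, s)
    ]


def visibility_gap(graph, org, known_depth=1):
    """Suppliers in the chain beyond the depth `org` actually tracks.

    With known_depth=1 this is exactly what a 'we know all our suppliers'
    answer leaves out: every second- and third-tier dependency.
    """
    return sorted(
        s for s, tier in transitive_suppliers(graph, org).items()
        if tier > known_depth
    )


def shared_dependencies(graph, org):
    """Lower-tier suppliers relied on by two or more first-tier providers.

    These are concentration risks: one outage there takes down several
    apparently independent first-tier providers at once.
    """
    consumers = defaultdict(list)
    for first_tier in graph.get(org, []):
        for dep in transitive_suppliers(graph, first_tier):
            consumers[dep].append(first_tier)
    return {dep: who for dep, who in consumers.items() if len(who) >= 2}


if __name__ == "__main__":
    print("Full chain by tier:", transitive_suppliers(SUPPLIERS, "bank"))
    print("Hit by dns-provider outage:", impacted_by(SUPPLIERS, "bank", "dns-provider"))
    print("Invisible at first-tier-only inventory:", visibility_gap(SUPPLIERS, "bank"))
    print("Shared lower-tier suppliers:", shared_dependencies(SUPPLIERS, "bank"))
```

In this constructed graph a third-tier DNS provider that the bank has never contracted with, and that a first-tier-only inventory does not list, takes out two of the bank's three first-tier providers at once. Replacing the dictionary with data pulled from a contract register or a vendor-risk tool gives the same analysis over a real chain.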

This brings us back to the ISACA survey. One of the questions was, “Do you have visibility into the supply chain operations within your organization?” to which 100% of respondents said, “yes.” The supporting question about the relationship with suppliers raised a question in my mind: Do they really have visibility into all supply chains, or do they know all their suppliers and have processes in place to manage them, but not for further down the chain? That ambiguity might be the reason only 44% of respondents have high confidence in their organization’s supply chain.

Delving deeper, the majority of respondents are concerned about risks associated with the supply chain. According to the ISACA survey, the top risks stem from well-known threats: ransomware (73%), poor security practices (66%), software vulnerabilities (65%), third-party storage (61%) and third-party access (55%).

Meanwhile, 25% of respondents confirmed that their digital supply chain experienced an attack during the past year. Yet about half of the respondents said they do not perform vulnerability assessments of suppliers or evaluate suppliers’ security posture, and 38% do not validate suppliers’ security audit reports. The majority of respondents, however, say they include security and privacy compliance clauses in their contracts.

To me, the most interesting response was to the question, “Do you think your organization’s supply chain needs stronger governance than is currently in place?” A vast majority (84%) agreed there is a need to improve supply chain governance. Perhaps this should be no surprise, considering ISACA has long been an IT governance-minded professional community.

ISACA has done a great deal of research in this area, and many publications, articles and blog posts addressing supply chain issues are available through ISACA. Two of them are listed here for reference:

1. A book, How to Manage Supply Chain Risk

2. A white paper on supply chain resiliency

During the past 20 years, I have interacted with a number of members of senior management, and each of them, at some point during discussions, asked me for guidance on how to better manage their suppliers. Apparently, it is an omnipresent issue and will continue to be. We need more IT professionals in the future to be able to confidently state, “Yes, we know how to manage the supply chain.”

Sunil Bakshi

Consultant & Trainer, IT Governance & InfoSec

Protecting Data & the Supply Chain Ecosystem

supply chain governance risk & compliance

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
