Q&A with Brian Schultz, Senior Director Analyst with the Gartner Supply Chain Practice
With supply chain cyberattacks posing a material risk to an organization’s operations, production lead times, logistics and product delivery, Chief Supply Chain Officers (CSCOs) must take three actions to mitigate supply chain cyber risk to an acceptable level.
We spoke with Brian Schultz, Senior Director Analyst with the Gartner Supply Chain Practice, to discuss why CSCOs must take an increasing share of ownership over cybersecurity strategy and the key actions to take today to maximize their responses.
Q: To combat supply chain cybersecurity risks, what actions should CSCOs take to begin building cyber resilience aligned to their organization’s risk appetite?
A: There are three actions that CSCOs should take to develop cyber resilience. They include:
1. Build visibility to supply chain cybersecurity threats facing the enterprise by fostering internal and external partnerships with key functions built on clear business outcomes.
2. Develop risk-aligned governance processes by implementing supply chain cyber frameworks, standards and guidelines.
3. Create aligned controls across the partner ecosystem by developing and deploying a supply chain third-party risk management (TPRM) capability for cybersecurity.
Q: How can CSCOs mitigate cyber threats when the attacks are so varied, and the supply chain surface area vulnerable to them continues to expand, both digitally and through third parties?
A: CSCOs are not expected to be substitutes for Chief Information Security Officers. What they will increasingly be expected to do is have a grasp of how supply chain cyberattacks are evolving, including, for example, more sophisticated attacks that can impact products undetected until they reach the customer. They also need to play a leading role in third-party risk management, as attacks on key suppliers can cause significant business continuity disruptions.
CSCOs can leverage their experience in coordinating action among many different stakeholders both within and beyond their function. Supply chain cyber resilience hinges on engaging a wide range of stakeholders both inside and outside the organization (see Figure 1). The role of the CSCO among these diverse stakeholders is to coordinate a shared view of the threats and translate those threats into clear business impacts that leadership can understand.
We recommend CSCOs build this visibility by identifying the key operational assets that support the organization’s value drivers, assessing the impact of a loss of these assets in terms of business costs in lost days of operation, and then clearly communicating these impacts to the board and C-Suite. Finally, a playbook must be implemented to monitor these critical assets, including regular testing of mitigation plans through coordinated exercises.
Figure 1: CSCO's Role in Managing Cybersecurity
Q: How realistic is it for CSCOs to mitigate cyber risks of third parties such as suppliers and software providers, given the complexity of most supply chain ecosystems?
A: Third-party risk management is crucial to supply chain cybersecurity. Earlier this year, Gartner predicted that 60% of supply chain organizations will use cybersecurity risk as a key buying criterion by 2025. That growing level of awareness is encouraging, but CSCOs need to do more to actively manage risks presented by their ecosystem partners.
To address the exposure third parties present and build a more resilient supply chain, CSCOs should execute a four-step supply chain cyber TPRM program:
1. Identify organizational value drivers and the supporting operational assets by conducting a business impact analysis (BIA).
2. Develop a business continuity plan (BCP) detailing how to protect, defend, recover and/or replace partner critical assets in the event of a cyberattack.
3. Work with procurement and other CSCOs to develop the appropriate contract language to flow down the organization’s supply chain cyber standards to the partners.
4. Develop a risk-based capability to select partners initially and then continuously monitor their compliance and the effectiveness of contractually required cyber standards.
Unfortunately, there is no one-size-fits-all solution for cyber TPRM today. CSCOs must select an appropriate mix of in-house or outsourced cyber TPRM functions based on their business risk needs. This selection must be determined based on a balance of the organization’s risk appetite, detail and accuracy of risk information requirements, serviceable urgency, and the cost utility of functionality.
Q: Considering the varied and growing cyber threats facing the supply chain, what is the best-case scenario for supply chain cyber resilience today?
A: There is no such thing as complete cybersecurity protection. The best-case scenario is reaching a state where cyber resilience is in line with the organization’s risk appetite. Once the risk exposures are clarified both for CSCOs and their stakeholders, then expectations for the level of protection can be agreed upon and operationalized.
Unfortunately, many organizations fail to update or even develop a unified risk appetite statement. This leaves risk decisions to individual actors and leaves those responsible for supply chain cybersecurity exposed to scrutiny in the case of a risk event.
By utilizing already established cybersecurity standards (such as NIST CSF in the US or ISO 27001 in the EU), CSCOs can align their cybersecurity governance models to best practices that incorporate a view of end-to-end supply chain cyber risks and their remediation processes. These frameworks provide standards and guidelines consistent with the organization’s stated risk appetite, maturity level and the organization’s functional business vertical (e.g., manufacturing).
CSCOs do not need to, nor should they, reinvent the wheel in determining their cyber resilience strategy, but they do need to lead the effort to align their stakeholders to a common set of best practices and help them understand the nature of the trade-offs being made.