Can Security Add Value by Becoming More Involved in Supply Chain Protection?

Note: This article reflects the views of the individual contributors and not necessarily the views of the companies they work for.

Stephen Baker, Senior Vice President and Chief Security Officer at State Street Corporation

Yes. And we can start by looking at what the board has decided are the goals of the company. How do we make those successful? In the supply chain focus, we're going to look at customer satisfaction, contractual obligations, profitability for the company, and then the downstream impact. My company doesn’t produce products. We sell services and we have assets. For us, supply chain security is coordinating how we're successful as an enterprise. So if we need supplies to build a building, supply chain breakage or shortage can cause us to not be able to get job plans or generators or furniture, which means we can’t do business in that building as planned. And because security is part of enterprise risk management and third-party risk management, we're very much involved and have a say in the assessment of all those things inbound and outbound.


Jerrod Johnson, Head of Corporate Security & Business Continuity at Ferguson Enterprises, LLC

A term that's being thrown around a lot in our industry today is polycrisis. Polycrisis is the manifestation of being an increasingly interconnected society. Historically, regional issues would often have no impact on a domestic company, even if they sourced out of that country. But that’s no longer true. The explosion of attacks on smaller regional U.S.-based suppliers in recent years–namely cyberattacks, ransomware, business email compromise—has made us actively consider what happens if X supplier, who is the only supplier in the world for a given component, is now insolvent because they've been victimized by ransomware? We bring value in our ability to act as trusted advisors for those risks. As security professionals, it is important that we position ourselves so that we can communicate to our stakeholders. For example, we need to be able to tell the board that a conflict that's happening in one region, or a political element that's causing some strife in another region of the world, has the potential to impact us in all of the following ways—and here are the solutions that we are bringing to the table.


Mark Kelly, SEC Subject Matter Expert of Global Supply Chain Security

There are companies that have always had to deal with supply chain security from a regulatory perspective. I came out of the pharmaceutical space, where you're required to chase a certain supply chain assurance from an anti-counterfeiting, brand protection, and patient safety standpoint. I also worked in the high-tech space, where we had large government contracts, so we had to attend to government and geopolitical threats. What I've started to see a little bit more now are companies that are pursuing supply chain security to use it as a differentiator from their competition, trying to get that extra margin. I’ve also heard from many companies that they’re seeing an exponential increase in customer inquiries about their supply chain security. They want to know - What is your resiliency? What is your assurance? Am I going to get the product that I want?

Johnson: Companies are becoming more aware of the need to have assurances that other businesses they work with need to be resilient organizations. Consequently, it has become more common for customers to ask about business continuity and resiliency plans, as part of their own supply chain security and resiliency. And in a lot of ways that's good. It’s great that customers are asking providers about business continuity plans. But it also can be a double-edged sword. How can they objectively review whether a provider is maintaining their continuity plans? What’s the metric? It’s great that that awareness is there, but we have to make sure it doesn't drive complacency—this is an area where we as security practitioners can definitely support and assist the business.

Baker: Our security function has a module for third-party risk management that is critical, and everyone has to go through it. So we're part of the assessment of every vendor that comes in - any supplier, any contract, and in every single contract, there is a security addendum in which they have to fulfill certain requirements. Also, we do site risk assessments—from inception through delivery. In banking, we have resolution and recovery requirements. So we have to assess everything to show that we're a viable institution because we're systemically important. Inception through delivery is critical.

Kelly: I think security can really drive the threat intelligence piece. We can help the company get a better lens on what the future may look like. Should we be wargaming that a bridge could go down if a tanker runs into it? Or if there’s an earthquake in Taiwan or a war in the Ukraine and Russia? Being able to look around the corner to start predicting threats against our supply chain and to share that intelligence across all business partners is key.

Baker: I can't remember in my career when we've had so many things show us where we're vulnerable – the Israeli conflict, the Ukraine conflict, COVID, terrorists or weather or bridges coming down or things just going wrong. If we haven't looked at all those and said, how did that impact us or how could it impact us if it happened somewhere else, then we’ve failed. Before COVID, a lot of companies offshored. They put all the manufacturing in China and saved money, they went to just-in-time and got rid of all their warehouses and they said, we're going to save a lot of money. And then COVID hit, and production stopped, and they had nothing to back themselves up. If that's not a lesson, I don't know what it is.

Johnson: If you're a corporate security professional who doesn't view yourself as being involved in supply chain, you may need to reframe your thinking. You are involved in it - it's just which portion of the supply chain you’re choosing to focus your time, energy, and effort on. By becoming more involved in supply chain protection, you're not necessarily wading into a new venture. Yes, there's some new pieces of knowledge you’ll need, but at the core, the tenets that we employ as professionals are the same, whether you're dealing with it way up at the top of the chain or at the point where it's going the last mile to your customer. Whatever that product may be, there's still a supply chain in there that you're touching.

Kelly: Exactly. There's nothing magical to supply chain security. All we do is apply basic security principles and management and leadership principles to certain areas like supply chain. And then we need to apply some stakeholder management as well. And how do I make sure that I've got a voice at the table with the enterprise risk committee? I don't need to own procurement, I don't need to own cybersecurity, I don't need to own education. I just want a seat at the table or a voice to say, hey, let me lend my subject matter expertise to this problem and put some guardrails around it.
