How Secure is Your Supply Chain?

I recently had the privilege of moderating a virtual Leaders in Action (LIA) event on the theme of secure supply chain, co-hosted by Mark Bakker, Hewlett Packard Enterprise’s (HPE) executive vice president, global operations.

A wide-ranging group of COOs and CSCOs from large global companies joined this interactive event to hear about HPE’s Trusted Supply Chain program. They also shared perspectives with peers on how to meet customer security requirements and mitigate operational disruptions, in a time of ever present and escalating cyber threats.

HPE’s Story

Beyond the fascinating roundtable discussion that followed, HPE’s story was a master class in how to systematically identify, assess and mitigate security threats spanning the entire product life cycle and extended supply base. The HPE team uses audits, inspections, attestations, certifications, as well as traceability and machine vision technologies, to ensure product provenance and compliance. Its IT group set National Institute of Standards and Technology (NIST)-based guidelines for managing risk in its enterprise systems of record. This framework is extended to suppliers as part of onboarding and ongoing supplier relationship management.

For HPE, cybersecurity is baked into its products and processes by design, not bolted on. Engineers aren’t the only people driving this work — it’s an enterprise-wide commitment to protect the network and add value for customers.

What Did We Learn?

Here are some key takeaways from the group sharing and discussion at this LIA event:

On The Scope of the Problem …

• Everyone acknowledged the enormous scale and rising importance of cybersecurity risks. HPE’s Bakker noted that by 2025 the cybercrime “market” is projected to reach $10.5 trillion — i.e., larger than the global illicit drug trade. It’s no wonder that bad actors are “flooding the zone.”
  
• Gartner’s latest quarterly Emerging Risk Report (subscription required) saw cyber risk, in the form of new ransomware models, jump to a top-ranked impact for businesses.

On Cybersecurity Governance …

• Several members highlighted the importance of clarifying who is leading and who is part of the cybersecurity team. IT often owns the standards for enterprise solutions, but supply chain owns overall cyber-physical security.
• While finance and legal play roles hedging cyber-related financial and reputational risks, the business ultimately expects CSCOs to steer the company through the impact of operational disruptions and to define solutions.
• “Zero trust” is an underlying operating principle for many advanced cybersecurity practitioners.
• Leading companies have both cyclical (e.g., twice a year) reviews of key cyber risks and event-based monitoring to intercept ongoing disruptions.

On Cybersecurity Talent …

• Companies exhibit a range of strategies for staffing cybersecurity roles. A typical journey starts with the use of external consultants and transitions to building and growing an in-house team, commensurate with the underlying level of risk.
• Cybersecurity talent often comes from outside the business (e.g., ex-government or security specialists). Like other highly technical roles (e.g., data scientists), these employees need grounding in the business and supply chain contexts to build proper defenses.

On the Strong Link Between Designing Resilient Physical and Cyber Networks …

• When quickly ramping new suppliers in response to an unexpected disruption, cybersecurity is likely not supply chain’s top priority. This introduces a new risk, as cybercriminals know that barriers to cyber intrusions are typically lowest at this juncture.
• Upstream supply bases often include small and medium-sized businesses, which supports greater supplier diversity, but can also increase the number of partners with less resources devoted to cybersecurity.
• Large brand owners often have the resources to extend cyber frameworks and help suppliers make investments in assessing and mitigating these risks.

One of the most fascinating parts of our discussion was the human aspect of cyber risk. It is important to recognize that cyber-criminal methodologies continually evolve to evade defenses (just like biological viruses!). Supply chain leaders need to maintain vigilance in terms of technology, but just as importantly through employees’ and partners’ behaviors.

It was inspiring to hear the level of conversation and passion for this topic across the supply chain community. We’re very much looking forward to the next gathering of this esteemed group, in July, when we return to London for our annual Supply Chain Leaders Forum event.

Stan Aronow
VP Distinguished Advisor
Gartner Supply Chain
Stan.Aronow@gartner.com

Listen and subscribe to the Gartner Supply Chain Podcast on Gartner.com, Apple Podcasts, Spotify and Google Podcasts