How do we include the supply chain risk landscape in our daily risk assessments?



Director in Consumer Goods, 51 - 200 employees
I'm doing a project right now for a company and it's all around their third-party management program and building it out. They came to me with this huge list and I said, "All right, we can't boil the ocean. We've got to narrow this down." So you have to figure out, number one, who's accessing your data? If you've got sensitive data, PII data, data that's really governed by regulations, which of those vendors has access to it? Which of those vendors is actually storing any of that data for you? Those become the top priority. And then the next is, what would be critical to your business? What would shut you down if something happened to that company and they don't have that good business continuity plan in place for you?
Board Member, Advisor, Executive Coach in Software, Self-employed

When you do it that way and you apply it to data, you miss SolarWinds, because a lot of people I talked to, they were, "It was the lowest of lowest of lowest of risk." Why? Because it wasn't Cigna managed health data, it wasn't ADP managed in payroll, it wasn't some SaaS vendor that I'm using. And so the risk matrix that we've all been using frankly pointed us in, in some ways you could say, the wrong direction. I've looked at it that way and go, "Boy, are our own risk structures and framing sometimes pointing us to the wrong issues because of the way in which we've framed the risk?"

CIO in Software, 5,001 - 10,000 employees

In this particular case, absolutely. Because if we would have taken this through the risk matrix, again, we look for things like a 142-question-long questionnaire, which in hindsight, we know doesn't catch everything. So in one way, that's not what they're designed to do. We all know that edges can slip by, and that's the problem with security. We all really know that there are so many ways to enter. In the end, what we look at in those questionnaires, I thought we got more focused on the third-party area about data sensitivity, code sensitivity, things like that. But we kind of got away from the fundamentals of security, which was, if you leave a door open, somebody will come through. If the door's not locked, if the key is bad, you have a bad password, basic things. That's that weakness in your fort. It's a chink in your armor.

Board Member, Advisor, Executive Coach in Software, Self-employed

Yeah, I know. It's a good point.

Board Member, Advisor, Executive Coach in Software, Self-employed
You have to put it in the context of the business, and then from there you can start truncating it in.
CIO in Software, 5,001 - 10,000 employees
When I think of supply chain, I actually think about it in a few different pillars. Security is one. I also think about the reliability of the supply chain. For example, the Suez Canal issue. In our company, we think about port slowness in the LA port. That general supply-demand gap has been an issue. So reliability is another thing. And then I also think about supply chain intelligence. Especially if you're in the hardware area, it’s about having predictive analysis and intelligence to look around the corners to figure out where you might have the component shortages, where you might have dependencies on a particular country shutting down, whether due to COVID or something else. So I look at all of these three things.
CIO in Manufacturing, 1,001 - 5,000 employees
The term black swan, it's supposedly a once-in-a-lifetime event. How many in the last 20 years have actually happened? There have been at least a few. These types of major events that have major impacts don't seem to be that unusual anymore. And so it's a balance between trying to solve for everything, the almost impossible that could happen, and continuing to make progress reaching deeper into your supply chain and your third-party connections. We think of it as commodities and just the impact of the supply chain, the ripple effect. We actually had an incident when Texas lost all its power not too long ago. We're still dealing with the ripple effect of that. So from a third-party standpoint, we're trying to look a little bit deeper into the third and fourth parties that we're dealing with. Playing out the different scenarios more. And that's how we're approaching it, trying to figure out where we're not looking. To manage and properly secure the traceability of the supply chain, it's just this kind of broadening, increasing the size of the rings that we're working out with the different supplier, third-party networks. And there's education pieces, there's technology alignment pieces, and then ultimately the resource allocation piece. And that's how we're focused on solving it.
Board Member, Advisor, Executive Coach in Software, Self-employed
When I first started running IT security and business continuity in late 2001, Andy Grove was still running Intel. His book, Only the Paranoid Survive, and his leadership caused me to grow up thinking that way and looking for what I'd call extinction events. Things that could shut you down, things that could take you out. Sometimes when you did the risk calculation, the low-risk thing would have an impact so high you shouldn't ignore it. So we'd always try and say, "What's the low-risk thing that would kill me?" As much as we focused on high-risk vulnerabilities and patching that stuff, I worried about the low-risk things because I figured if everybody's rushing the patch, what would you go exploit? The thing that nobody's looking at because it's a low-risk item. And then you try and compromise that to pivot from there.
CTO in Software, 11 - 50 employees
This research from McKinsey sums it up better than I could:

https://www.mckinsey.com/business-functions/risk/our-insights/enterprise-cybersecurity-aligning-third-parties-and-supply-chains