How do we include the supply chain risk landscape in our daily risk assessments?
Board Member, Advisor, Executive Coach in Software, Self-employed
You have to put it in the context of the business, and then from there you can start truncating it in.
CIO in Software, 5,001 - 10,000 employees
When I think of supply chain, I actually think about it in a few different pillars. Security is one. I also think about the reliability of the supply chain. For example, the Suez Canal issue. In our company, we think about port slowness in the LA port. That general supply-demand gap has been an issue. So reliability is another thing. And then I also think about supply chain intelligence. Especially if you're in the hardware area, it's about having predictive analysis and intelligence to look around the corners to figure out where you might have the component shortages, where you might have dependencies on a particular country shutting down, whether due to COVID or something else. So I look at all of these three things.
CIO in Manufacturing, 1,001 - 5,000 employees
The term black swan, it's supposedly a once-in-a-lifetime event. How many in the last 20 years have actually happened? There have been at least a few. These types of major events that have major impacts don't seem to be that unusual anymore. And so it's a balance between trying to solve for everything, the almost impossible that could happen, and continuing to make progress reaching deeper into your supply chain and your third-party connections. We think of it as commodities and just the impact of the supply chain, the ripple effect. We actually had an incident when Texas lost all its power not too long ago. We're still dealing with the ripple effect of that. So from a third-party standpoint, we're trying to look a little bit deeper into the third and fourth parties that we're dealing with. Playing out the different scenarios more. And that's how we're approaching it, trying to figure out where we're not looking. To manage and properly secure the traceability of the supply chain, it's just this kind of broadening, increasing the size of the rings that we're working out with the different supplier, third-party networks. And there's education pieces, there's technology alignment pieces, and then ultimately the resource allocation piece. And that's how we're focused on solving it.
Board Member, Advisor, Executive Coach in Software, Self-employed
When I first started running IT security and business continuity in late 2001, Andy Grove was still running Intel. His book, Only the Paranoid Survive, and his leadership caused me to grow up thinking that way and looking for what I'd call extinction events. Things that could shut you down, things that could take you out. Sometimes when you did the risk calculation, the low-risk thing would have an impact so high you shouldn't ignore it. So we'd always try and say, "What's the low-risk thing that would kill me?" As much as we focused on high-risk vulnerabilities and patching that stuff, I worried about the low-risk things because I figured if everybody's rushing the patch, what would you go exploit? The thing that nobody's looking at because it's a low-risk item. And then you try and compromise that to pivot from there.
CTO in Software, 11 - 50 employees
This research from McKinsey sums it up better than I could: https://www.mckinsey.com/business-functions/risk/our-insights/enterprise-cybersecurity-aligning-third-parties-and-supply-chains
When you do it that way and you apply it to data, you miss SolarWinds, because a lot of people I talked to, they were, "It was the lowest of the lowest of the lowest of risk." Why? Because it wasn't Cigna-managed health data, it wasn't ADP-managed payroll, it wasn't some SaaS vendor that I'm using. And so the risk matrix that we've all been using frankly pointed us in, in some ways you could say, the wrong direction. I've looked at it that way and go, "Boy, are our own risk structures and framing sometimes pointing us to the wrong issues because of the way in which we've framed the risk?"
In this particular case, absolutely. Because if we would have taken this through the risk matrix, again, we look for things like a 142-question-long questionnaire, which in hindsight, we know doesn't catch everything. So in one way, that's not what they're designed to do. We all know that edges can slip by, and that's the problem with security. We all really know that there are so many ways to enter. In the end, what we look at in those questionnaires, I thought we got more focused in the third-party area on data sensitivity, code sensitivity, things like that. But we kind of got away from the fundamentals of security, which was, if you leave a door open, somebody will come through. If the door's not locked, if the key is bad, you have a bad password, basic things. That's the weakness in your fort. It's a chink in your armor.
Yeah, I know. It's a good point.