Supply chains are obviously a key target for cyber criminals.
While many companies have stayed quiet about attacks on their systems, there have been some high profile incidents, such as in 2017, when global systems at container shipping giant Maersk Line were paralyzed by a ransomware attack, forcing the company to rely on phone calls and texts to keep operations going.
Just last Friday, DP World shut down operations at terminals in four Australian cities (Sydney, Melbourne, Brisbane and Fremantle) after detecting a cyberattack. The terminals, which handle some 40% of Australia’s imports and exports, were reopened Monday even though the cyberattack had not yet been fully neutralized.
With that backdrop, Brian Schultz, Senior Director Analyst with the Gartner supply chain practice, recently shared some thoughts on cyber security and the supply chain in a blog post interview.
In that interview, Schultz said that there are three actions that CSCOs should take to develop cyber resilience. Those are:
1. Build visibility to supply chain cybersecurity threats facing the enterprise by fostering internal and external partnerships with key functions built on clear business outcomes.
2. Develop risk-aligned governance processes by implementing supply chain cyber frameworks, standards and guidelines.
3. Create aligned controls across the partner ecosystem by developing and deploying a supply chain third-party risk management (TPRM) capability for cybersecurity.
While they are obviously not IT security pros, supply chain executives can play a key role in cyber security, Schultz notes.
“What [chief supply chain officers] will increasingly be expected to do is have a grasp of how supply chain cyberattacks are evolving, including, for example, more sophisticated attacks that can impact products undetected until they reach the customer,” Schultz says, adding that “They also need to play a leading role in third-party risk management, as attacks on key suppliers can cause significant business continuity disruptions.”
(See More Below)
|
CATEGORY SPONSOR: SOFTEON |
|
|
| |
| |
|
|
Schultz also says the role of the CSCO among the many diverse stakeholders impacted by security risks is to coordinate a shared view of the threats and translate those threats into clear business impacts that leadership can understand.
Garter offers the graphic below that summarizes that that CSCMO role:
Schultz says CSCOs should execute a four-step supply chain cyber TPRM program:
1. Identify organizational value drivers and the supporting operational assets by conducting a business impact analysis (BIA).
2. Develop a business continuity plan (BCP) detailing how to protect, defend, recover and/or replace partner critical assets in the event of a cyberattack.
3. Work with procurement and other CSCOs to develop the appropriate contract language to flow down the organization’s supply chain cyber standards to the partners.
4. Develop a risk-based capability to select partners initially and then continuously monitor their compliance and the effectiveness of contractually required cyber standards.
So more acronyms to focus on.
There is no such thing as complete cybersecurity protection, Schultz observes.
He says that he best-case scenario is reaching a state where cyber resilience is in line with the organization’s risk appetite. Once the risk exposures are clarified both for CSCOs and their stakeholders, then expectations for the level of protection can be agreed upon and operationalized.
“CSCOs do not need to, nor should they, reinvent the wheel in determining their cyber resilience strategy, but they do need to lead the effort to align their stakeholders to a common set of best practices and help them understand the nature of the trade-offs being made,” Schultz concludes.
Any reaction to Gartners's advice on cyber secuity? Let us know your thoughts at the Feedback section below.
|
