Gartner urges CSCOs to take more ownership of cyberattacks

Brian Schultz, Senior Director Analyst with the Gartner Supply Chain Practice, says CSCOs need to "lead the effort to align their stakeholders to a common set of best practices on supply chain cyber security".
Gartner Supply Chain Practice Senior Director Analyst Brian Schultz urges CSCOs to assume more responsibility for supply chain cyber security

The threat of supply chain cyber attacks means Chief Supply Chain Officers (CSCOs) must assume more ownership of their company’s cybersecurity strategy, urges Gartner.

Brian Schultz, Senior Director Analyst with the Gartner Supply Chain Practice, says CSCOs should mitigate cyber threats by following a three-prong approach to cyber security.

This includes:

  • Fostering internal and external partnerships with key functions built on clear business outcomes.
  • Developing risk-aligned governance processes by implementing supply chain cyber frameworks, standards and guidelines.
  • Creating aligned controls across the partner ecosystem by developing and deploying a supply chain third-party risk management capability for cybersecurity.

In a report earlier this year, Gartner predicted that 60% of supply chain organisations will use cybersecurity risk as a key buying criterion by 2025. Although such a growing level of awareness is encouraging, Schultz says CSCOs need to do more to actively manage risks presented by their ecosystem partners.

He stresses that while it is not reasonable to expect CSCOs to assume the mantle of Chief Information Security Officers, it is vital they “have a grasp of how supply chain cyber attacks are evolving, including sophisticated attacks that can impact products undetected until they reach the customer”.

Schultz adds that they also need to play a leading role in third-party risk management, “as attacks on key suppliers can cause significant business continuity disruptions”.

CSCOs 'can coordinate cyber action among stakeholders'

He continues: “CSCOs can leverage their experience in coordinating action among many different stakeholders both within and beyond their function. 

“Supply chain cyber resilience hinges on engaging a wide range of stakeholders both inside and outside the organisation. The role of the CSCO among these diverse stakeholders is to coordinate a shared view of the threats and translate those threats into clear business impacts that leadership can understand.”

Gartner recommends that CSCOs build this visibility by:

  • Identifying the operational assets that support an organisation’s value drivers.
  • Assessing the impact of a loss of these assets in terms of business costs in lost days of operation.
  • Clearly communicating these impacts to the board and C-Suite.
  • Implementing a playbook to monitor these critical assets, including regular testing of mitigation plans through coordinated exercises.

To address the exposure to third parties and build a more resilient supply chain, Schultz says CSCOs must develop a business continuity plan in the event of a cyberattack, and also work with procurement and other CSCOs to “develop the appropriate contract language to flow down the organisation’s supply chain cyber standards to the partners”.

He adds: “Unfortunately, there is no one-size-fits-all solution for cyber security today. CSCOs must select an appropriate mix of in-house or outsourced cyber functions based on their business risk needs. 

“This selection must be determined based on a balance of the organisation’s risk appetite, detail and accuracy of risk information requirements, serviceable urgency, and the cost utility of functionality.

“CSCOs need not reinvent the wheel in determining their cyber resilience strategy, but they do need to lead the effort to align their stakeholders to a common set of best practices and help them understand the nature of the trade-offs being made.”

A recent report from software supply chain management company Sonatype shows there have been twice as many software supply chain cyber attacks in 2023 as in the previous three years, with so-called back-door attacks targeting supply chains as a means to work upstream or downstream to larger organisations.

Gartner urges CSCOs to forge partnerships with key internal and external stakeholders as part of the fight against supply chain cyber attacks.