The threat of supply chain cyber attacks means Chief Supply Chain Officers (CSCOs) must assume more ownership of their company’s cybersecurity strategy, urges Gartner.
- Fostering internal and external partnerships with key functions built on clear business outcomes
- Developing risk-aligned governance processes by implementing supply chain cyber frameworks, standards and guidelines.
- Creating aligned controls across the partner ecosystem by developing and deploying a supply chain third-party risk management capability for cybersecurity.
In a report earlier this year, Gartner predicted that 60% of supply chain organisations will use cybersecurity risk as a key buying criteria by 2025. Although such a growing level of awareness is encouraging, Schultz says CSCOs need to do more to actively manage risks presented by their ecosystem partners.
He stresses that while it is not reasonable to expect CSCOs to assume the mantle of Chief Information Security Officers it is vital they “have a grasp of how supply chain cyber attacks are evolving, including sophisticated attacks that can impact products undetected until they reach the customer”.
Schultz adds that they also need to play a leading role in third-party risk management, “as attacks on key suppliers can cause significant business continuity disruptions”.
CSCOs 'can coordinate cyber action among stakeholders'
He continues: “CSCOs can leverage their experience in coordinating action among many different stakeholders both within and beyond their function.
“Supply chain cyber resilience hinges on engaging a wide range of stakeholders both inside and outside the organisation. The role of the CSCO among these diverse stakeholders is to coordinate a shared view of the threats and translate those threats into clear business impacts that leadership can understand.”
Gartner recommends that CSCOs build this visibility by:
- Identifying the operational assets that support an organisation’s value drivers
- Assessing the impact of a loss of these assets in terms of business costs in lost days of operation
- Clearly communicating these impacts to the board and C-Suite.
- Implementing a playbook to monitor these critical assets, including regular testing of mitigation plans through coordinated exercises.
To address the exposure third parties, and build a more resilient supply chain, Schultz says CSCOs must develop a business continuity plan in the event of a cyberattack, and also work with procurement and other CSCOs to “develop the appropriate contract language to flow down the organisation’s supply chain cyber standards to the partners”.
He adds: “Unfortunately, there is no one-size-fits-all solution for cyber security today. CSCOs must select an appropriate mix of in-house or outsourced cyber functions based on their business risk needs.
“This selection must be determined based on a balance of the organisation’s risk appetite, detail and accuracy of risk information requirements, serviceable urgency, and the cost utility of functionality.
“CSCOs need not reinvent the wheel in determining their cyber resilience strategy, but they do need to lead the effort to align their stakeholders to a common set of best practices and help them understand the nature of the trade-offs being made.”
A recent report from software supply chain management company, Sonatype shows there have been twice as many software supply chain cyber attacks in 2023 than in the previous three years, with so-called back-door attacks targeting supply chains, as a means to work upstream or downstream to larger organisations.