Apr 1, 2021

Why Adaptive Supply Chains Are Vital for Future-Proofing

Procurement
Agility
Automation
DigitalTransformation
Henrik Smedberg, Head of Intel...
5 min
A year unlike any other taught tough lessons and exposed the necessity for end-to-end supply chain digitalisation to succeed in an ever-changing world
A year unlike any other taught tough lessons and exposed the necessity for end-to-end supply chain digitalisation to succeed in an ever-changing world...

From panic buying toilet paper and eggs to the boost in ecommerce, it’s safe to say that 2020 was a year like no other for nearly every business, in every industry, in every region. In fact, according to a recent report, 90% of companies expect the disruption of global supply chains caused by the pandemic to have a lasting impact on their business, with the majority (97%) of respondents agreeing that their network needs more transparency and better visibility.

Despite COVID-19 causing major upheaval for procurement professionals around the world, it has also accelerated trends that will not only lead to the diversification and localisation of supply chains, but also increase the need for digitalisation and end-to-end visibility. As a result, the tough lessons learned on managing supply chains in a crisis can help companies emerge stronger post pandemic, and can even drive lasting change. 

Establishing digital and partner connectivity 

In the midst of transformation, it’s critical that procurement leaders are prepared to withstand incoming shocks and respond quickly. This is where digitisation and strong partner relationships are so important. I like to call this a pivot in the traditional buyer-supplier relationship. The rapid supplier innovation we are seeing means that buyers in many areas really strive to be or become a buyer-of-choice to their suppliers. What does that mean? It means working closer, paying faster, raising the importance of fair and clean trade, and finding win-win situations for both parties to optimise trade. Making sense of data and digital communication sits at the core of this.

Leaders must have a pulse on the ‘digital heartbeat’ of their operations to know where they might be able to withstand risk and where they cannot. Based on recent findings from the Agile Procurement Insights Research conducted by SAP in collaboration with Oxford Economics, procurement functions that make greater use of technology – including AI and automation – achieve stronger business benefits, including better supplier performance, greater operational efficiencies and cost savings, stronger compliance and improved transaction accuracy. 

And it’s clear that procurement digital transformation pays off through improved efficiency and cost savings. In fact, 81% of leaders say that digital transformation of their procurement function has improved supplier performance management. One SAP customer, NTT DATA Services, was even able to save $125M by digitising its procurement operations, which also helped the company protect itself from potential supplier disruptions. When leaders treat suppliers as partners, they collaborate more effectively (digitally) and build strategic, trusting relationships that go far beyond transactions. For this reason, suppliers should be viewed as heroes and valuable co-innovation partners that can help organisations be more agile and resilient to incoming shocks. When people come together, they achieve more.  

"A business' future ability to pivot will have a lot to do with maintaining the flow of information in the supply network through digital channels and collaboration with a partner ecosystem"

undefined

Henrik Smedberg, Head of Intelligent Spend Management, UKI, SAP

Agility and Visibility 

A business’ future ability to pivot will have a lot to do with maintaining the flow of information in the supply network through digital channels and collaboration with a partner ecosystem. Leaders in the procurement industry use supplier collaboration solutions to automate and speed transactions with suppliers. According to the above research, the vast majority – 92% – use a network to collaborate with suppliers and 61% use cloud-based collaboration solutions as their primary means of collaborating with external partners on key supply chain processes. Once connected and data is flowing back and forth, companies will be more risk-aware and can use that to power increased productivity and efficiency. 

Another major factor in an organisations’ future ability to pivot – and management of risk – will be the diversification and localisation of their supply network. Diverse and local sourcing is one of the key ways to build stronger, smarter and more agile supply chains. It allows companies to be more proactive, rather than reactive, which will be essential in tackling new business challenges in a post-COVID-19 world. A good example is the Modern Slavery legislation that has been rolled out in the UK, Australia and other countries. It is interesting to see that doing the right thing is good for business. About 20% of the submissions to the Australian governments Modern Slavery Act has come from organisations that did not have to report on their practices to eradicate slavery. That shows that legislation is driving change even beyond those that have to comply. Consumer behaviours are making an impact to drive a better world.

Road to Recovery

It’s important to remind ourselves that the Covid-19 outbreak isn’t an isolated event. While undeniably the most impactful we have experienced in recent years, disruptions are increasing in frequency and magnitude, including geopolitical events, climate-related disasters and public health crises. It’s imperative then that we reflect on the supply chain vulnerabilities from 2020 to prepare for inevitable future shocks. As such, procurement is uniquely positioned to be transformative and highly impactful for businesses as we enter a new era of data-driven intelligence. Procurement can restore confidence as organisations seek to regain their competitive edge, revive their operational resiliency, and replenish their hopes for the future.

However, that level of confidence requires a seamless, integrated approach to digital business processes. Through dynamic partnerships, network strategies and data-driven insights, businesses will be more empowered and capable of avoiding repercussions from future shocks and shifts. Breaking away from reactivity and focusing on proactivity will be essential in tackling new business challenges and will also build stronger foundations and relationships for future stability and growth.

Share article

Jun 21, 2021

Google and NIST Address Supply Chain Cybersecurity

Google
NIST
SLSA4
Sonatype
Elise Leise
3 min
The SolarWinds and Codecov cyberattacks reminded companies that software security poses a critical risk. How do we mitigate it?

As high-level supply chain attacks hit the news, Google and the U.S. National Institute of Standards and Technology (NIST) have both developed proposals for how to address software supply chain security. This isn’t a new field, unfortunately. Since supply chains are a critical part of business resilience, criminals have no qualms about targeting its software. That’s why identifying, assessing, and mitigating cyber supply chain risks (C-SCRM) is at the top of Google and NIST’s respective agendas. 

 

High-Profile Supply Chain Attacks 

According to Google, no comprehensive end-to-end framework exists to mitigate threats across the software supply chain. [Yet] ‘there is an urgent need for a solution in the face of the eye-opening, multi-billion-dollar attacks in recent months...some of which could have been prevented or made more difficult’. 

 

Here are several of the largest cybersecurity failures in recent months: 

 

  • SolarWinds. Alleged Russian hackers slipped malicious code into a routine software update, which they then used as a Trojan horse for a massive cyberattack. 
  • Codecov. Attackers used automation to collect credentials and raid ‘additional resources’, such as data from other software development vendors. 
  • Malicious attacks on open-source repositories. Out of 1,000 GitHub accounts, more than one in five contained at least one dependency confusion-related misconfiguration. 

 

As a result of these attacks and Biden’s recent cybersecurity mandate, NIST and Google took action. NIST held a 1,400-person workshop and published 150 papers worth of recommendations from Microsoft, Synopsys, The Linux Foundation, and other software experts; Google will work with popular source, build, and packaging platforms to help companies implement and excel at their SLSA framework

 

What Are Their Recommendations? 

Here’s a quick recap: NIST has grouped together recommendations to create federal standards; Google has developed an end-to-end framework called Supply Chain Levels for Software Artifacts (SLSA)—pronounced “Salsa”. Both address software procurement and security. 

 

Now, here’s the slightly more in-depth version: 

 

  • NIST. The organisation wants more ‘rigorous and predictable’ ways to secure critical software. They suggest that firms use vulnerability disclosure programmes (VDP) and software bills of materials (SBOM), consider simplifying their software and give at least one developer per project security training.
  • Google. The company thinks that SLSA will encompass the source-build-publish software workflow. Essentially, the four-level framework helps businesses make informed choices about the security of the software they use, with SLSA 4 representing an ideal end state. 

 

If this all sounds very abstract, consider the recent SolarWinds attack. The attacker compromised the build platform, installed an implant, and injected malicious behaviour during each build. According to Google, higher SLSA levels would have required stronger security controls for the build platform, making it more difficult for the attacker to succeed. 

 

How Do The Proposals Differ? 

As Brian Fox, the co-founder and CTO at Sonatype, sees it, NIST and Google have created proposals that complement each other. ‘The NIST [version] is focused on defining minimum requirements for software sold to the government’, he explained, while Google ‘goes [further] and proposes a specific model for scoring the supply chain. NIST is currently focused on the “what”. Google, along with other industry leaders, is grappling with the “how”’. 

 

Share article