Guest blog by Chris Giles, Principal Security Architect at Logiq. Written for and first published as part of techUK’s National Security Week 2024
Why is ‘Supply Chain Security’ important and is it really that difficult to deal with? When you break it down, it’s just about who supplies you with what, and the impact on your business if these suppliers were to be compromised, right? Well, a chain is only as strong as its weakest link and when your chain is globally connected, subject to multidimensional threats and differing politics/laws/regulations… it can rapidly become complex and soon have you veering off into a world of ‘analysis to paralysis’, doing lots of activity but not really managing your risk effectively.
As with any situation relating to security, context is key. Anyone thinking about their supply chain security should consider who their critical suppliers are, what equipment is crucial to their business, and ensure this is suitably understood. This is essential and will allow anyone to consider how much effort should be invested because, as we are all aware, effort costs money! If you are an SME delivering a few products and have a limited supply chain, chances are you will not have to expend too much effort; however, if you are a multinational delivering critical services, there is a high probability that significant effort is necessary. Any supply chain compromise may not only affect you, but also your customers, resulting in recovery costs and potential reputational damage.
Once you have a clear picture of your critical suppliers/equipment, you can apply proactive risk management to guide your decisions and, invariably, help you to make the ‘smart’ investment(s). When considering risks, contextualising the supply chain security question to your business is essential. You should align any associated risks to your business/mission objectives; ensuring you understand what the realisation of any risk truly means to you. Now, people will probably yawn when I mention risk and will likely say ‘this is all obvious and we already do it’; however, risk is critical and, what I have noticed — risks are rarely managed well.
What I often see is ‘risks’ that appear to only consider how to fix vulnerabilities or are only explained as a loss of ‘confidentiality/availability/integrity’. This does not offer any clear understanding of the impact to your business, should this risk be realised. What is the value of any data lost? Do you care if it is lost or stolen? How does this loss affect your business? There is also a tendency to focus on ‘doing’ security activities, without any understanding of why these activities are important and what they aim to achieve. At best, this can be wasted effort but at its worst, this can be disastrous, giving a façade of security risk management. It is essential to make certain the focus is on ensuring that ‘true’ risk to your business does not get lost in the noise.
I suggest embracing effective security risk management, across your supply chain, to provide you with a sensible foundation to make the necessary investment decisions and ensure your organisation is ‘secure enough’. When referring to ‘effective’ risk management, I recommend that any associated risks are aligned to what it is that you are trying to achieve as a business, and that there is rational consideration for what is truly a risk to your business and areas that could be impacted. Sufficient consideration should then be given to the ‘cost’ for all potential courses of actions surrounding that risk.
It may appear that I am advocating ‘just do some risk work’ and the rest will follow. However, effective risk management does require time and effort, but such investment will deliver benefits. The NCSC supply chain principles offer a great structure for understanding and managing supply chain risk across organisations of any size, as too can partnering with an appropriate consultancy.
Another often repeated phrase that is easy to say but difficult to establish is trust. Building trust with your suppliers is a fundamental element of success; however, trust must be earned and, to achieve longevity, it must work in both directions. This part is not easy. Supply chain security should be viewed as a collective responsibility, requiring collaboration among the supply chain. It is essential to provide support, assist, and build partnerships with suppliers, logistics providers, regulatory bodies, etc, to establish trust through the sharing of best practices and enhanced information sharing. It may be worth considering how this can be achieved e.g., rather than large, laborious contracts, set outcomes as advised by NCSC supply chain principles. Such collaborative efforts can help ensure a more secure and resilient supply chain ecosystem for all!
Whether your effective risk management highlights the need for better training, supplier support, technology, or anything else, your business will be able to develop a clear understanding of ‘why’ investment decisions should be made. You can clearly demonstrate the risk to your enterprise that is introduced by your supply chain and, where this is outside of your risk appetite, ensure the correct risk mitigation strategy is adopted. Understanding the security risks within your supply chain means you can embrace multiple technologies (e.g, AI, IoT, ICS) throughout your supply chain, negotiate more ‘secure’ contracts, develop effective supply chain business continuity strategies, or invest in a service that analyses your supply chain. Whatever the investment, you will be doing so from an informed position.
Going through the process of mapping your supply chain offers you time and opportunity to ask those valid questions. You can consider your procurement strategy (buy or build) and how any risks associated with this will impact your business and the effect this can have on security. You can also consider procuring services; what impact will this have? As you go through the process, you may find that your critical services are dependent on a small manufacturing business, operating obsolete software, or reliant on services provided by a company that have a poor reputation for security.
Ultimately, if we all undertake this approach, we can ensure that National Security surrounding the supply chain risk is better understood and effectively managed!
Get in touch if we can help your organisation kickstart your own unique cyber security and risk management journey.
More about techUK: https://www.techuk.org/
Follow techUK: https://www.linkedin.com/company/techuk/