Everyone is talking about supply chain assurance like it is new. This is basically because of recent high-profile cases such as SolarWinds and Log4j. It’s not new.
But, and this is partly evident in the way the question is framed, the focus is still on IT and cyber security in the supply chain rather than on security as a whole. Security has many pillars, and it includes places and people, not just technology.
By forgetting the impact of these other areas, we are ignoring their potential to harm us. We also know that the vast majority of security incidents are human behaviour-facilitated, including the way in which the tech is managed.
For instance, consider IT managers who have not been given enough time to take systems or platforms offline in order to patch them. We have been schooled for years in the importance of patching, but does our understanding go far enough to ensure that it is made possible? This is the way that known vulnerabilities get exploited, and while we may be hypnotised by zero-day exploits, the depressing truth is that many exploits have been around for years but still get traction.
The IT solution for the patching issue, in my example, exists. It is the human perspective – allowing the IT manager to effect this solution – that is missing. This will only change when organisations understand that people have to be part of the security budget. You can’t expect 100% uptime and security, even in critical systems. This is on a par with refusing to fix fire exits because the corridor is very busy.
Are we expecting supply chain partners and their people to be better at security than we are? If we are not prepared to invest in these human issues ourselves, why do we expect our supply chain partners to be willing to do so?
A unilateral approach doesn’t work. Multilateral is the way because it isn’t really a supply chain, it’s an ecosystem, with connections in many directions and forward links that we cannot pretend to know. That ecosystem is only as strong as its weakest link, but maybe we’re not being honest that the weakest link potentially might be ourselves.
High expectations are fine, but we need to ensure that they are communicated to our supply chain partners effectively. Complex legal documents are not suitable for this purpose: data handlers may never see or understand them, so supply partners and third parties may never understand what is expected of them.
This is how suppliers end up being given too much unfettered network access, or being unprepared for the access they are given.
Many organisations don’t even have a list of who they share information with, and even fewer know what onward sharing agreements are in place with other third parties. Again, these are human cultural failings. We can keep buying the snake oil, but until we address the people issues, we will still end up with supply chain security failures.