Cybersecurity In The Digital Supply Chain: Managing Third-Party Risk Through Verified Trust

Craig Moss

A digital supply chain (DSC) establishes new links inside your company and with the third parties in your end-to-end supply chain. With access to real-time data and other insights from the DSC, you can foster new collaborations between your procurement and product development departments and link them with your customers, your customers’ customers, and your suppliers.

The proliferation of data moving across platforms and among parties requires a new and different kind of umbrella of trust, one that enables increased agility and performance. But how is this trust built and maintained? And how does one not only trust but verify? These are a few of the management challenges that lie ahead, and they exist in an environment marked by escalating cybersecurity risk.

Additionally, the rise in critical intellectual property being stored and shared digitally puts confidential information, trade secrets, and personally identifiable information at risk. These vulnerabilities present an even greater need for rigorous and transparent risk management that incorporates cybersecurity.

Cybersecurity risks in the DSC

The Digital Supply Chain Institute (DSCI) – a new leading-edge research institute, established by the Center for Global Enterprise (CGE) – defines DSC as a customer-centric platform model that captures and maximizes the use of real-time data derived from a variety of sources. It enables demand stimulation, matching, sensing, and management to improve performance and minimize risk. Just as it will create tremendous opportunities, it will exponentially increase cybersecurity risks.

The number of cybersecurity breaches is growing by 64% every year. While cyber threats come from a wide variety of sources (including nation states, competitors, and organized crime syndicates), 60% of cyber breaches are linked to insiders – current and former employees, contractors, service providers, suppliers, and business partners. These could be insiders in your company or in the companies in your end-to-end supply chain.

In the DSC, companies will be collecting and storing more data and sharing high-value confidential business information with other companies. A 2016 CGE study found that 95% of people surveyed agree that the digitalization and sharing of company information with third parties (i.e., suppliers, customers, and business partners) increases the importance of cybersecurity measures.

Companies are rapidly realizing that cybersecurity is not purely a technology issue. Effective cybersecurity is a people, process, and technology issue. It is critical to get cybersecurity out of the IT silo and embed it in how the company operates.

In short, everyone in the value chain – from internal employees to external third parties – needs to know what is expected to mitigate and manage cyber risks. It will require a broad approach built on policies, procedures, controls, and contractual agreements, supported by monitoring, training, and continual improvement.

Internally, senior management needs to set the right balance between ensuring tight cyber controls and enabling people to efficiently do their jobs and collaborate. Overly stringent and cumbersome security procedures have the unintended consequence of driving people to create workarounds. The right blend of people, processes, and technology is needed inside your company and across the companies in your supply chain.

From a technology perspective, companies have improved their perimeter defense. However, according to The State of Cybersecurity and Digital Trust 2016, 69% of respondents had experienced an attempted or realized data theft from insiders. Building stronger perimeters alone is not a sufficient or practical solution in the interconnected DSC, where companies need to share valuable information.

The role of cybersecurity standards and frameworks

Industry and government are coming to the collective realization that they need to prioritize cybersecurity in the DSC. The momentum has built dramatically since the National Institute for Science and Technology (NIST) released its Cybersecurity Framework (CSF) in 2014.

In response to feedback from companies, NIST recognized the need to directly address cybersecurity in the supply chain. In January 2017, NIST released the updated draft of the CSF (V1.1), which includes specific additions on how companies must begin assessing supply chain cybersecurity risk. The CREATe Cybersecurity Advisory Council – a multi-industry group of more than 20 multinational companies, formed to broaden the use of the NIST CSF and make it easier for companies to operationalize the framework to reduce risk – views the addition of supply chain risk management as a positive.

However, the advisory council highlighted that there is a long way to go for companies to be able to efficiently assess third-party cyber risk. Organizations need to develop effective, scalable methods that provide a calibrated way to assess third-party cybersecurity risk across a large number of companies. Ultimately, it is in everyone’s best interest to use assessment results as the basis for prioritizing improvements and integrating cybersecurity into business operations.

In December 2016, the Commission on Enhancing National Cybersecurity, with CGE chairman Sam Palmisano as the vice-chair, released its Report on Securing and Growing the Digital Economy. This document, which was recently provided to the White House, highlights the importance of focusing on cybersecurity in the DSC and outlines some ways the NIST CSF can be helpful.

In the report, the NIST CSF was positioned as a key way for organizations to manage cyber risk in their enterprises and supply chains. The commission paid special attention to the interdependencies among companies in a DSC and the growing Internet of Things. The report also emphasizes that trust is fundamental to a digital economy:

The success of the digital economy ultimately relies on individuals and organizations trusting computing technology and the organizations that provide products and services and collect and retain data. That trust is less sturdy than it was several years ago because of incidents and successful breaches that have given rise to fears that corporate and personal data are being compromised and misused.

The commission references the NIST CSF when discussing risk management and mechanisms for increasing trust. As the document gains wider adoption, there is growing speculation that U.S. government procurement departments will use the CSF as a means of assessing the cybersecurity performance of potential suppliers. If this occurs, it will accelerate the use of the CSF as large U.S. government suppliers cascade cybersecurity requirements into their domestic and global supply chains.

The need for verified trust

The DSC puts more emphasis on the interdependency of companies and the associated need for verified trust. In Digital Supply Chains: A Frontside Flip, a white paper published in October 2016, CGE identified four pillars for managing the DSC: demand, people, technology, and risk. Looking at the four pillars from a cyber perspective, the mission is clear: To reduce cyber risk, companies will need trusted, cross-functional collaborations internally – and with verified third parties – that are enabled by secure technology that integrates cybersecurity into operations.

This leads to one important task that is often overlooked: knowing and prioritizing what to protect. It is impossible to protect everything equally. Companies must allocate resources strategically to protect the most valuable information. Linking cybersecurity into the broader areas of enterprise risk management and supply chain management will be essential focal points for cross-functional collaboration.

Mapping interdependencies with third parties

Just as the DSC will require greater collaboration with third parties to improve business performance, it also requires greater collaboration to reduce cyber risk and improve the ability to respond and recover from breaches. Companies should have a map of their critical cyber interdependencies and conduct a risk assessment. The collaboration on cybersecurity with third parties needs to be built into contractual agreements, addressing areas such as access control, identity management, training, threat intelligence sharing, and incident response plans.

If we look at other supply chain performance and compliance issues, such as quality, corruption, or labor practices, companies typically evolve toward a verified trust. As the trust grows with a third party and the business relationship becomes more long-term and strategic, the companies tend to shift their resources from verification to collaboration on mutually beneficial improvement areas. One of the foundational elements of the verified trust approach is the existence of a mature management system to ensure the right business processes are in place.

Currently, the assessment of third-party cybersecurity programs lags far behind the assessment of certain business performance and compliance issues (e.g., labor and environment, health, and safety). Very few companies have started to integrate cybersecurity into their supplier qualification and evaluation programs. The challenge is how to achieve the right level of verified trust.

Some senior executives who oversee supply chain risk management strongly feel that it will be neither practical nor reliable to depend on self-assessment. One member of the CREATe Cybersecurity Advisory Council suggested using a mix of internal staff and third parties to verify supplier performance. The challenge is how to add cybersecurity at the right level. The NIST CSF can be an effective tool for assessing the maturity of a third party’s cybersecurity program, the associated risk, and priority improvements.

Begin your race toward a secure DSC

Leading companies are racing forward in their transformation into a demand-focused DSC – and for good reason.

According to the CGE report, the transformation into a DSC can:

  • Reduce procurement costs for all purchases of goods and services by 20%
  • Cut supply chain process costs by 50%
  • Increase revenue by 10%

However, companies also need to move quickly to manage the risks associated with greater interdependency. They need to shift from being reactive to proactive. They need to begin using practical, scalable ways to assess the cybersecurity risks of third parties that incorporate evaluating the maturity of the third parties’ cybersecurity programs.

Ultimately, companies will need trusted cross-functional collaborations internally – and with verified third parties – that are enabled by secure technology that integrates cybersecurity into operations.

Read CGE’s entire report, Digital Supply Chains: A Frontside Flip: Building Competitive Advantage to Optimize Performance and Customer Demand, to gain even more insight on what business leaders have to say about digitizing the supply chain.

About Craig Moss

Craig Moss is the Director of CGE’s Digital Supply Chain Institute (DSCI) and Chief Operating Officer of the Center for Responsible Enterprise and Trade (CREATe.org), a non-governmental organization (NGO) helping companies around the globe prevent piracy, counterfeiting, trade secret theft, and corruption and benchmark their practices against other companies.

BlockShow Europe 2017: A Look At Top Use Cases For Blockchain Technology

Jacqueline Prause

With people now looking beyond the banking industry for promising use cases built on blockchain technology, BlockShow Europe 2017 could not have come at a better time.

Held April 6-7 at the Alte Kongresshalle in Munich, Germany, the event attracted more than 560 people and featured 26 speakers, making it the largest international blockchain event in Europe to date. Organized by Cointelegraph in partnership with Nexussquared and BlockPay, BlockShow Europe provided ample opportunity for networking, knowledge sharing, and education.

The event attracted a mostly young, entrepreneurial crowd, many of whom were already working in established Bitcoin and blockchain startups. Innovation experts from the corporate sector were also on hand, as well as “explorers” who were just getting familiar with the technology. According to Cointelegraph, more than 200 individual networking meetings took place during the event.

Notable and quotable

Moderator Elizabeth Lumely, a leading expert on fintech solutions and managing director of Rainmaking, guided the program in a constructive exchange that offered information useful to both Bitcoin and blockchain people alike. She shared the results of a recent survey by Cointelegraph that asked: What is necessary for blockchain in the enterprise? Fifty-seven percent of respondents answered “security first for Bitcoin,” while 43% answered “smart contract Ethereum.”

Bitcoin entrepreneur Charlie Shrem presented the opening keynote, “The Current State of the Blockchain.” During his address, Shrem, founder of the Bitcoin Foundation and currently responsible for business development for cryptocurrency exchange Changelly, compared blockchain technology with the power of the printing press for its potential to remove corruption, power, and control from the hands of the few and put it back into the hands of the people. Shrem said, “The printing press gave people the ability to publish their own information very cheaply across borders around the world and distribute it in a decentralized way. Bitcoin is the printing press of our time. And blockchain technology is what’s powering that.”

Trust: the decisive factor

Panel discussions took on provocative hot topics like the challenges of blockchain implementation and initial coin offerings (ICOs) of cryptocurrencies. Panel experts agreed that blockchain technology is good for solving issues of trust, which they said seems to be the best measure for evaluating the promise of use cases. The blockchain community, however, is faced with challenges common to new technologies: lack of standardization; fee structure; interoperability between different blockchains; and absence of relevant legislation. One hurdle for new users of the technology may be a willingness to accept full responsibility for their data and use of the technology. As one panelist noted, there is no blockchain help line, for example, in the event that you lose your private key.

The banking industry was represented with a keynote from Daniel Drummer, vice president at JP Morgan, describing the blockchain-related projects underway at his company. In another keynote that resonated well with the audience, Milan Sallaba, partner at Deloitte, shared his organization’s insights and advice on how entrepreneurs can move from blockchain use cases to scalable production.

Use cases showcase breadth of new technology

Throughout the day, startups took to the main stage to present their blockchain use cases and business models. Here is a sampling of just a few.

  • Energy: The aim of SolarChange is to incentivize people and even developing nations to produce solar energy and sell it back into the grid. The blockchain billing mechanism allows people to track how much energy they are feeding into the grid.
  • Content distribution: DECENT provides a peer-to-peer content distribution network, without the exorbitant fees associated with traditional publishing houses. Content on the network includes books, blogs, music, and video provided directly from the artist or author. DECENT’s Caesar testnet launched in March, and it plans to launch its mainnet in June.
  • Supply chain: Kouvala Innovation Oy, based in Finland, is using blockchain technology to enable an information backbone for the movement of goods Europe-wide – or the “Internet for Logistics” – so that every logistics company on the network can benefit from a new level of transparency into shipping activities. Test results with live data are expected at the end of June.
  • Intellectual property: Bernstein.io is using blockchain-based, secured digital certificates to create a trail of record for inventors’ creations. Digital certificates can also be attached to non-disclosure confidentiality agreements to establish the existence of a creation and record who knew of it. Legal acceptance of blockchain certificates is developing rapidly because they provide reliable documentation for clients.
  • Fine art: Verisart is a startup that is using blockchain technology to provide verification of authenticity for fine art.

Blockchain Oscars: more use cases!

The event also featured a Blockchain Oscar Competition to select the most promising startups working with blockchain technology. The winner for “Most Innovative Blockchain Startup” was Etherisc, a German startup specializing in providing a blockchain solution for the insurance industry that uses smart contracts. The prize in this category was €5,000 worth of Bitcoins. The winner for “Startup with the Biggest Potential for Betterment of Humanity” was SolarChange. The prize in this category was €5,000 worth of tokens from Humaniq, a next-generation bank offering solutions for the unbanked.

To learn more about blockchain, read the Forbes Insights Briefing Report: Transforming Transaction Processing for the Digital Economy.

About Jacqueline Prause

Jacqueline Prause is the Senior Managing Editor of Media Channels at SAP. She writes, edits, and coordinates journalistic content for SAP.info, SAP's global online news magazine for customers, partners, and business influencers.

Blockchain: A Rose By Any Other Name

John Bertrand

The question of what exactly blockchain is came to the fore in March with the publication of the eBook Blockchain Meets Supply Chain: Rewiring Business Operations for the Digital Age, which acknowledged “blockchain is difficult to pin down … it is a class of software composed of other technologies.” The eBook aims to clear that up a bit, as I’ll try to do here.

The blockchain is a secure, transparent, layered container. The container is distributed and made available across the Internet or cloud, with any changes reported back to all parties in the specified group. This process is referred to as distributed ledger technology (DLT).

The DLT is available to either a public or private group. Financial services activities will predominately be in private groups, for example “syndicated loans.”

The key features in the transparent container include:

  • Consensus – algorithms that confirm and accept the information as it arrives and make sure that information is distributed
  • Shared ledger – the record of information that is available to all parties
  • Immutability – cryptographic technology that ensures that records cannot be tampered with

Who says blockchain is hip and modern? The Byzantine Army in 330 AD needed to manage the diversity of loyalty in its generals through coded, distributed, hand-delivered messages. Today we use mathematicians and technology to ensure the shared ledger is robust and staying true to the course, as did the Byzantine generals.

It is the right choreographing of the different technologies that is most important, says the eBook. Given the correct combination, blockchain/DLT should appear sooner than currently anticipated.

Gone are the days when banks built their own technology. Most banks now only care that the technology works, with the caveat that the tech supplier is approved by the bank. To meet regulatory requirements, bank technology suppliers must be low risk, which is not the profile of most fintech companies!

The eBook suggests that more caution is needed in implementing blockchain; that is probably correct, but the banks’ situation is urgent. The long and ongoing low interest rate environment has made it very difficult for banks to generate revenue growth. The Swiss Central Bank now charges fees for money on deposit – so times really are getting hard. Banks also have very high internal cost infrastructures. Banks need to start charging for their services, cut costs, or both.

Blockchain/DLT offers efficiency, better security, and one source of the truth. As the eBook points out, the digital supply chain reduces procurement costs by 20% and halves supply chain costs, enabling controlled activity instead of caution.

The eBook’s focus on the digitalization of assets and the provenance of them, rather than crypto currency, is refreshing. I recently noticed on CoinDesk that one of the crypto currencies dropped 31% in 24 hours. That’s a Zimbabwean dollar-like fall. Maybe, like the Zim dollar, crypto currency will be officially abandoned and the U.S. dollar used instead.

One final question to ponder: What should we call the stack of technology that forms the blockchain and DLT? Every stack could be different. How about Rose? After all, U.S. hurricanes are given human names, and I believe blockchain/DLT/Rose will bring the force of the hurricane to banking. Blockchain Meets Supply Chain: Rewiring Business Operations for the Digital Age represents the calm before the storm.

To learn more about blockchain, read the Forbes Insights Briefing Report: Transforming Transaction Processing for the Digital Economy.

The Future of Cybersecurity: Trust as Competitive Advantage

Justin Somaini and Dan Wellers

 

The cost of data breaches will reach US$2.1 trillion globally by 2019—nearly four times the cost in 2015.

Cyberattacks could cost up to $90 trillion in net global economic benefits by 2030 if cybersecurity doesn’t keep pace with growing threat levels.

Cyber insurance premiums could increase tenfold to $20 billion annually by 2025.

Cyberattacks are one of the top 10 global risks of highest concern for the next decade.


Companies are collaborating with a wider network of partners, embracing distributed systems, and meeting new demands for 24/7 operations.

But the bad guys are sharing intelligence, harnessing emerging technologies, and working round the clock as well—and companies are giving them plenty of weaknesses to exploit.

  • 33% of companies today are prepared to prevent a worst-case attack.
  • 25% treat cyber risk as a significant corporate risk.
  • 80% fail to assess their customers and suppliers for cyber risk.

The ROI of Zero Trust

Perimeter security will not be enough. As interconnectivity increases, so will the adoption of zero-trust networks, which place controls around data assets and increase visibility into how they are used across the digital ecosystem.


A Layered Approach

Companies that embrace trust as a competitive advantage will build robust security on three core tenets:

  • Prevention: Evolving defensive strategies from security policies and educational approaches to access controls
  • Detection: Deploying effective systems for the timely detection and notification of intrusions
  • Reaction: Implementing incident response plans similar to those for other disaster recovery scenarios

They’ll build security into their digital ecosystems at three levels:

  1. Secure products. Security in all applications to protect data and transactions
  2. Secure operations. Hardened systems, patch management, security monitoring, end-to-end incident handling, and a comprehensive cloud-operations security framework
  3. Secure companies. A security-aware workforce, end-to-end physical security, and a thorough business continuity framework

Against Digital Armageddon

Experts warn that the worst-case scenario is a state of perpetual cybercrime and cyber warfare, vulnerable critical infrastructure, and trillions of dollars in losses. A collaborative approach will be critical to combatting this persistent global threat with implications not just for corporate and personal data but also strategy, supply chains, products, and physical operations.


Download the executive brief The Future of Cybersecurity: Trust as Competitive Advantage.


How Digital Transformation Is Rewriting Business Models

Ginger Shimp

Everybody knows someone who has a stack of 3½-inch floppies in a desk drawer “just in case we may need them someday.” While that might be amusing, the truth is that relatively few people are confident that they’re making satisfactory progress on their digital journey. The boundaries between the digital and physical worlds continue to blur — with profound implications for the way we do business. Virtually every industry and every enterprise feels the effects of this ongoing digital transformation, whether from its own initiative or due to pressure from competitors.

What is digital transformation? It’s the wholesale reimagining and reinvention of how businesses operate, enabled by today’s advanced technology. Businesses have always changed with the times, but the confluence of technologies such as mobile, cloud, social, and Big Data analytics has accelerated the pace at which today’s businesses are evolving — and the degree to which they transform the way they innovate, operate, and serve customers.

The process of digital transformation began decades ago. Think back to how word processing fundamentally changed the way we write, or how email transformed the way we communicate. However, the scale of transformation currently underway is drastically more significant, with dramatically higher stakes. For some businesses, digital transformation is a disruptive force that leaves them playing catch-up. For others, it opens the door to unparalleled opportunities.

Upending traditional business models

To understand how the businesses that embrace digital transformation can ultimately benefit, it helps to look at the changes in business models currently in process.

Some of the more prominent examples include:

  • A focus on outcome-based models — Open the door to business value to customers as determined by the outcome or impact on the customer’s business.
  • Expansion into new industries and markets — Extend the business’ reach virtually anywhere — beyond strictly defined customer demographics, physical locations, and traditional market segments.
  • Pervasive digitization of products and services — Accelerate the way products and services are conceived, designed, and delivered with no barriers between customers and the businesses that serve them.
  • Ecosystem competition — Create a more compelling value proposition in new markets through connections with other companies to enhance the value available to the customer.
  • Access a shared economy — Realize more value from underutilized sources by extending access to other business entities and customers — with the ability to access the resources of others.
  • Realize value from digital platforms — Monetize the inherent, previously untapped value of customer relationships to improve customer experiences, collaborate more effectively with partners, and drive ongoing innovation in products and services.

In other words, the time-tested assumptions about how to identify customers, develop and market products and services, and manage organizations may no longer apply. Every aspect of business operations — from forecasting demand to sourcing materials to recruiting and training staff to balancing the books — is subject to this wave of reinvention.

The question is not if, but when

These new models aren’t predictions of what could happen. They’re already realities for innovative, fast-moving companies across the globe. In this environment, playing the role of late adopter can put a business at a serious disadvantage. Ready or not, digital transformation is coming — and it’s coming fast.

Is your company ready for this sea change in business models? At SAP, we’ve helped thousands of organizations embrace digital transformation — and turn the threat of disruption into new opportunities for innovation and growth. We’d relish the opportunity to do the same for you. Our Digital Readiness Assessment can help you see where you are in the journey and map out the next steps you’ll need to take.

Up next I’ll discuss the impact of digital transformation on processes and work. Until then, you can read more on how digital transformation is impacting your industry.

About Ginger Shimp

With more than 20 years’ experience in marketing, Ginger Shimp has been with SAP since 2004. She has won numerous awards and honors at SAP, including being designated “Top Talent” for two consecutive years. Not only is she a Professional Certified Marketer with the American Marketing Association, but she's also earned her Connoisseur's Certificate in California Reds from the Chicago Wine School. She holds a bachelor's degree in journalism from the University of San Francisco, and an MBA in marketing and managerial economics from the Kellogg Graduate School of Management at Northwestern University. Personally, Ginger is the proud mother of a precocious son and happy wife of one of YouTube's 10 EDU Gurus, Ed Shimp.