Cybersecurity In The Digital Supply Chain: Managing Third-Party Risk Through Verified Trust

Craig Moss

A digital supply chain (DSC) establishes new links inside your company and with the third parties in your end-to-end supply chain. With access to real-time data and other insights from the DSC, you can foster new collaborations between your procurement and product development departments and link them with your customers, your customers’ customers, and your suppliers.

The proliferation of data moving across platforms and among parties requires a new and different kind of umbrella of trust, one that enables increased agility and performance. But how is this trust built and maintained? And how does one not only trust but verify? These are a few of the management challenges that lie ahead, and they exist in an environment marked by escalating cybersecurity risk.

Additionally, the rise in critical intellectual property being stored and shared digitally puts confidential information, trade secrets, and personally identifiable information at risk. These vulnerabilities present an even greater need for rigorous and transparent risk management that incorporates cybersecurity.

Cybersecurity risks in the DSC

The Digital Supply Chain Institute (DSCI) – a new leading-edge research institute, established by the Center for Global Enterprise (CGE) – defines DSC as a customer-centric platform model that captures and maximizes the use of real-time data derived from a variety of sources. It enables demand stimulation, matching, sensing, and management to improve performance and minimize risk. Just as it will create tremendous opportunities, it will exponentially increase cybersecurity risks.

The number of cybersecurity breaches is growing by 64% every year. While cyber threats come from a wide variety of sources (including nation states, competitors, and organized crime syndicates), 60% of cyber breaches are linked to insiders – current and former employees, contractors, service providers, suppliers, and business partners. These could be insiders in your company or in the companies in your end-to-end supply chain.

In the DSC, companies will be collecting and storing more data and sharing high-value confidential business information with other companies. A 2016 CGE study found that 95% of people surveyed agree that the digitalization and sharing of company information with third parties (i.e., suppliers, customers, and business partners) increases the importance of cybersecurity measures.

Companies are rapidly realizing that cybersecurity is not purely a technology issue. Effective cybersecurity is a people, process, and technology issue. It is critical to get cybersecurity out of the IT silo and embed it in how the company operates.

In short, everyone in the value chain – from internal employees to external third parties – needs to know what is expected to mitigate and manage cyber risks. It will require a broad approach built on policies, procedures, controls, and contractual agreements, supported by monitoring, training, and continual improvement.

Internally, senior management needs to set the right balance between ensuring tight cyber controls and enabling people to efficiently do their jobs and collaborate. Overly stringent and cumbersome security procedures have the unintended consequence of driving people to create workarounds. The right blend of people, processes, and technology is needed inside your company and across the companies in your supply chain.

From a technology perspective, companies have improved their perimeter defense. However, according to The State of Cybersecurity and Digital Trust 2016, 69% of respondents had experienced an attempted or realized data theft from insiders. Building stronger perimeters alone is not a sufficient or practical solution in the interconnected DSC, where companies need to share valuable information.

The role of cybersecurity standards and frameworks

Industry and government are coming to the collective realization that they need to prioritize cybersecurity in the DSC. The momentum has built dramatically since the National Institute of Standards and Technology (NIST) released its Cybersecurity Framework (CSF) in 2014.

In response to feedback from companies, NIST recognized the need to directly address cybersecurity in the supply chain. In January 2017, NIST released the updated draft of the CSF (V1.1), which includes specific additions on how companies must begin assessing supply chain cybersecurity risk. The CREATe Cybersecurity Advisory Council – a multi-industry group of more than 20 multinational companies, formed to broaden the use of the NIST CSF and make it easier for companies to operationalize the framework to reduce risk – views the addition of supply chain risk management as a positive.

However, the advisory council highlighted that there is a long way to go for companies to be able to efficiently assess third-party cyber risk. Organizations need to develop effective, scalable methods that provide a calibrated way to assess third-party cybersecurity risk across a large number of companies. Ultimately, it is in everyone’s best interest to use assessment results as the basis for prioritizing improvements and integrating cybersecurity into business operations.

In December 2016, the Commission on Enhancing National Cybersecurity, with CGE chairman Sam Palmisano as the vice-chair, released its Report on Securing and Growing the Digital Economy. This document, which was recently provided to the White House, highlights the importance of focusing on cybersecurity in the DSC and outlines some ways the NIST CSF can be helpful.

In the report, the NIST CSF was positioned as a key way for organizations to manage cyber risk in their enterprises and supply chains. The commission paid special attention to the interdependencies among companies in a DSC and the growing Internet of Things. The report also emphasizes that trust is fundamental to a digital economy:

The success of the digital economy ultimately relies on individuals and organizations trusting computing technology and the organizations that provide products and services and collect and retain data. That trust is less sturdy than it was several years ago because of incidents and successful breaches that have given rise to fears that corporate and personal data are being compromised and misused.

The commission references the NIST CSF when discussing risk management and mechanisms for increasing trust. As the framework gains wider adoption, there is growing speculation that U.S. government procurement departments will use the CSF as a means of assessing the cybersecurity performance of potential suppliers. If this occurs, it will accelerate the use of the CSF as large U.S. government suppliers cascade cybersecurity requirements into their domestic and global supply chains.

The need for verified trust

The DSC puts more emphasis on the interdependency of companies and the associated need for verified trust. In Digital Supply Chains: A Frontside Flip, a white paper published in October 2016, CGE identified four pillars for managing the DSC: demand, people, technology, and risk. Looking at the four pillars from a cyber perspective, the mission is clear: to reduce cyber risk, companies will need trusted, cross-functional collaborations internally – and with verified third parties – that are enabled by secure technology that integrates cybersecurity into operations.

This leads to one important task that is often overlooked: knowing and prioritizing what to protect. It is impossible to protect everything equally. Companies must allocate resources strategically to protect the most valuable information. Linking cybersecurity into the broader areas of enterprise risk management and supply chain management will be essential focal points for cross-functional collaboration.

Mapping interdependencies with third parties

Just as the DSC will require greater collaboration with third parties to improve business performance, it also requires greater collaboration to reduce cyber risk and improve the ability to respond to and recover from breaches. Companies should have a map of their critical cyber interdependencies and conduct a risk assessment. The collaboration on cybersecurity with third parties needs to be built into contractual agreements, addressing areas such as access control, identity management, training, threat intelligence sharing, and incident response plans.

If we look at other supply chain performance and compliance issues, such as quality, corruption, or labor practices, companies typically evolve toward a verified trust. As the trust grows with a third party and the business relationship becomes more long-term and strategic, the companies tend to shift their resources from verification to collaboration on mutually beneficial improvement areas. One of the foundational elements of the verified trust approach is the existence of a mature management system to ensure the right business processes are in place.

Currently, the assessment of third-party cybersecurity programs lags far behind the assessment of certain business performance and compliance issues (e.g., labor and environment, health, and safety). Very few companies have started to integrate cybersecurity into their supplier qualification and evaluation programs. The challenge is how to achieve the right level of verified trust.

Some senior executives who oversee supply chain risk management strongly feel that it will be neither practical nor reliable to depend on self-assessment. One member of the CREATe Cybersecurity Advisory Council suggested using a mix of internal staff and third parties to verify supplier performance. The challenge is how to add cybersecurity at the right level. The NIST CSF can be an effective tool for assessing the maturity of a third party’s cybersecurity program, the associated risk, and priority improvements.

Begin your race toward a secure DSC

Leading companies are racing forward in their transformation into a demand-focused DSC – and for good reason.

According to the CGE report, the transformation into a DSC can:

  • Reduce procurement costs for all purchases of goods and services by 20%
  • Cut supply chain process costs by 50%
  • Increase revenue by 10%

However, companies also need to move quickly to manage the risks associated with greater interdependency. They need to shift from being reactive to proactive. They need to begin using practical, scalable ways to assess the cybersecurity risks of third parties that incorporate an evaluation of the maturity of the third parties’ cybersecurity programs.

Ultimately, companies will need trusted cross-functional collaborations internally – and with verified third parties – that are enabled by secure technology that integrates cybersecurity into operations.

Read CGE’s entire report, Digital Supply Chains: A Frontside Flip: Building Competitive Advantage to Optimize Performance and Customer Demand, to gain even more insight on what business leaders have to say about digitizing the supply chain.


About Craig Moss

Craig Moss is the Director of CGE’s Digital Supply Chain Institute (DSCI) and Chief Operating Officer of the Center for Responsible Enterprise and Trade (CREATe.org), a non-governmental organization (NGO) helping companies around the globe prevent piracy, counterfeiting, trade secret theft, and corruption and benchmark their practices against other companies.