Supply chain security refers to efforts to enhance the security of the supply chain. It combines practices of supply chain management(SCM) with the security requirements of the system, which are driven by threats such as terrorism, piracy, and theft. The main purpose of security in the supply chain is to make the process more transparent so that you understand the associated possible vulnerabilities in products. Supply chains are complicated as many vendors are involved.
More involvement means more communication and transfer of data. Organizations have information and technologies that need to be protected from theft by foreign adversaries. A common vulnerability increasingly being exploited is the acquisition supply chain.
Earlier, protecting our nation’s secrets was simple. Confidentiality was practised and no one without the proper authorization had access. Those secrets were kept out of the hands of Cold War adversaries but those days are over.
Today confidential information is targeted by foreign intelligence services, foreign militaries, corporations, criminal organizations and terrorist groups. They are targeting more than just classified information. They are looking to steal our technologies, our trade secrets, our research and development and anything that will weaken our national and economic security.
In response, government agencies and private industry have strengthened their defences. The physical and personnel security programs have been bolstered. The information assurance and cyber defences are now leading organizational priorities yet there’s still one missing piece to this integrated defence i.e the integrity of the supply chain.
The supply chain is the interconnected web of people, processes, technology, information and resources that deliver a product or service.
For example, suppose you purchase a new pickup truck. You purchase the truck from your local dealership. The dealership got the truck from a manufacturer. An assembly plant put the parts together. The real question is – Where do they acquire parts used to assemble the truck?
There are hundreds if not thousands of components. It’s no different when your organization acquires computer telecommunications equipment or countless other goods and services that are vital to its mission. Reliance on traditional physical personnel and information security countermeasures makes it not adequately safeguard sensitive data and assets.
This leads to a discussion of supply chain risk and how your organization can mitigate the risks in the supply chain. The supply chain risk is the possibility that an adversary may exploit a weakness to compromise a component of the supply chain.
To manage these risks we weigh several factors including:
- Threats to the Supply Chain
- The vulnerability of the Supply Chain
- Likelihood of an Attack
- Potential Impact on SCM
The key to managing risk is to mitigate vulnerabilities introduced through the supply chain as well as vulnerabilities that emerge over the lifecycle of a product or service.
So what can you do to mitigate risks and minimize the possibility of exploitation?
Ensure your acquisition and procurement offices are fully integrated with other organizational components, most notably – information assurance and security.
Let’s take another example of a high-level meeting at a major government contractor. Here, critical data and the organization’s IT systems have been targeted by foreign governments.
The CEO has gathered key officials to discuss vulnerabilities and how to strengthen their defences. Security assurance is that all physical access points of the building and IT systems are being monitored. Information assurance reports that they have detected no network intrusions. The insider threat is monitoring employees with access to the critical data ensuring there isn’t unauthorized activity.
However, one person is missing from this meeting i.e a representative from the organization’s acquisition department. This individual isn’t considered a part of this organization’s integrated defence and that is a recipe for failure.
To mitigate risks and minimize the possibility of exploitation knowing your suppliers due diligence is imperative. So make sure your acquisition team is asking the right questions before procuring a particular product or service from an outside company. The companies must ask questions like who are their strategic partners and subcontractors. Are they associated with organizations that are competitive or adversarial? How do they manage their supply chain risks and who are they purchasing parts or services from?
In short, Integration of acquisition and procurement teams into your organization’s defensive efforts is important. Practising due diligence with the companies and suppliers your organization is doing business with are the foundation for successfully managing supply chain risks.
By mitigating those risks of the supply chain you will strengthen your organization and help safeguard the national and economic security.
