With supply chain cyberattacks posing a material risk to an organization’s operations, production lead times, logistics and product delivery, Chief Supply Chain Officers (CSCOs) must take three actions to mitigate supply chain cyber risk to an acceptable level.
We spoke with Brian Schultz, Senior Director Analyst with the Gartner Supply Chain Practice, to discuss why CSCOs must take an increasing share of ownership over cybersecurity strategy and the key actions to take today to maximize their responses.
Members of the media who would like to speak with Brian in more detail on this topic can contact Justin Lavelle to schedule an interview.
Q: To combat supply chain cybersecurity risks, what actions should CSCOs take to begin building cyber resilience aligned to their organization’s risk appetite?
A: There are three actions that CSCOs should take to develop cyber resilience. They include:
- Build visibility to supply chain cybersecurity threats facing the enterprise by fostering internal and external partnerships with key functions built on clear business outcomes.
- Develop risk-aligned governance processes by implementing supply chain cyber frameworks, standards and guidelines.
- Create aligned controls across the partner ecosystem by developing and deploying a supply chain third-party risk management (TPRM) capability for cybersecurity.
Q: How can CSCOs mitigate cyber threats when the attacks are so varied, and the supply chain surface area vulnerable to them continues to expand, both digitally and through third parties?
A: CSCOs are not expected to be substitutes for Chief Information Security Officers. What they will increasingly be expected to do is have a grasp of how supply chain cyberattacks are evolving, including, for example, more sophisticated attacks that can impact products undetected until they reach the customer. They also need to play a leading role in third-party risk management, as attacks on key suppliers can cause significant business continuity disruptions.
CSCOs can leverage their experience in coordinating action among many different stakeholders both within and beyond their function. Supply chain cyber resilience hinges on engaging a wide range of stakeholders both inside and outside the organization (see Figure 1). The role of the CSCO among these diverse stakeholders is to coordinate a shared view of the threats and translate those threats into clear business impacts that leadership can understand.
We recommend CSCOs build this visibility by identifying the key operational assets that support the organization’s value drivers, assessing the impact of a loss of these assets in terms of business costs in lost days of operation, and then clearly communicating these impacts to the board and C-suite. Finally, a playbook must be implemented to monitor these critical assets, including regular testing of mitigation plans through coordinated exercises.