Supply-chain security is not a matter to be taken lightly. In the age of real-time communication technology such as cloud computing and mobile devices, today's supply chains are more complex, multinational and packed with sensitive business information than ever before. SearchManufacturingERP.com site editor Brenda Cole spoke with Steve Durbin, global vice president of the Information Security Forum (ISF), about what supply-chain security means now for organizations, suppliers and customers.
What are the most common kinds of business supply-chain security issues?
Steve Durbin: Supply chains have become an increasingly complex area. They've moved from traditional supply chains -- Apple products, for instance, designed in California, built in Asia and sold in Europe -- to a cyberperspective. Now they're incorporating people like your law firm, your accountant -- anybody you actually share any amount of information with. If you add on top of that all the regulatory changes that have been going on [globally], we have a really complex web that's been created.
There isn't an organization that I know of today that doesn't work in conjunction with a number of other parties. They're all sharing information, and that's the key: How do you [as a business] understand where your information is being transmitted, selected, stored and used? How do you put in place the appropriate guidelines to ensure that you can stand up to your partners and customers, hand on heart, and say that you are preserving the integrity of data across the whole supply chain and know exactly where all of the information is at any one point in time? That's the challenge that organizations are facing.
Have you observed any notable trends in supply-chain security in the past few years?
Durbin: People are really starting to understand the business impacts associated with a loss of information or an attack on the supply chain. Increasingly, when I talk to CIOs or chief risk officers, they talk more to me about the impact on reputation. It isn't so much about what happens if we lose some information; it's about what my partners think of that. Could we suffer some reputational damage that could impact our ability to do business and the trust in us that our customers and third parties have? The questions are coming from the top of the organization -- it's not just about technical [security] issues anymore.
Has the growth of cloud computing and mobile computing made supply chains less secure globally?
Durbin: What those two types of technologies have certainly done is make the supply chain more complex. It's raised a number of issues in IT security departments about needing to understand the way information is accessed and where it's being stored. With the increase in cloud computing and bring-your-own, well, pretty much everything, we do have some devices that are coming into the expanded network that were never designed from a security standpoint -- they're consumer-based products. [Mobile and cloud] are raising issues around the integrity of information storage, irrespective of whether it's in the supply chain.
Is supply-chain security about preventing security leaks, or is it more about knowing how to best react to them? Or is it a little of both?
Durbin: Prevention is a thing of the past. I don't think it's possible to prevent [security leaks], because prevention requires perfection, and perfection is something we all aspire to but never achieve. The reality is, it's all about how you respond when you do lose information -- whether it's through a breach, an attack or negligence. It's about how you get your systems back up and running, how you understand why something went wrong, and how you then put in place resilience programs around that to prevent that specific thing happening again. But in terms of absolute prevention of [these scenarios], there really is no point in chasing that.
Do supply-chain security risks -- and preventive measures -- differ depending on the size of the organization? What about the industry?
Durbin: Size does have something to do with it, because large multinationals have a significant number of third-party suppliers that they need to get their arms around. If you're in the aerospace industries, for example, you typically don't manufacture the parts for an aircraft -- you assemble them. You have many, many suppliers that provide the pieces that you'll then assemble.
I always tell people, focus on the importance of your data and find the critical points that you need to be protecting. For most organizations, that usually adds up to 10 to 15% of the total information across the enterprise. That's a much more manageable number. Then if you're tracking the flow of that data and making sure you're putting in good security measures around that data, that's a good place to start, rather than trying to go around six figures' worth of suppliers.
Are emerging markets showing concern for supply-chain security as supply chains become increasingly global?
Durbin: Certainly. I was in Malaysia last week, and Apple manufactures a number of components there for the iPhone. I met with CyberSecurity Malaysia, which is very concerned with supply-chain security and working to implement better cybersecurity practices across Malaysia. I see the same when I go to India.
I think security is a global business and a global challenge. There is, however, more that we can do from a primary supplier standpoint in making sure all of our suppliers understand the level of security that we expect. We can do a much better job of communication and awareness across the supply chain.
What steps can businesses -- specifically, manufacturers -- take to ensure that their supply chains are as secure as possible?
Durbin: Understand the importance of the information, and conduct a solid business-impact and risk assessment in terms of what might happen if information was lost. Look at all that from a threat-vulnerability standpoint. Once [an organization] has done that, they're in much better shape to convey the message of good security practices to third-party providers and encourage them to perform security checks on themselves.