Utilize risk management to develop and implement a successful security posture within your vendor ecosystem.
By Matthew DeChant, CEO of Security Counsel
In 2023, a supplier of Applied Materials, a global leader in the semiconductor industry, had one of their suppliers fall victim to a cyber-attack. This incident caused significant delays to critical component shipments that are estimated to cost Applied Materials as much as $250 million.
Countless studies have confirmed that of all cyber-attacks on manufacturers, supply chain attacks are the costliest and take the longest to identify. And while manufacturers must address cybersecurity threats across all aspects of the enterprise, supply chain risks loom ever larger, and according to a Gartner study, are predicted to triple in cost to manufacturers in just six years.
It’s easy to understand technology tools’ role in security operations, but without the right process and people in place, the manufacturing supply chain remains vulnerable to cyberattack. As Jennifer Chew highlights in her article covering supply chain fundamentals: “…it’s important to remember that success doesn’t come just from flashy technology alone, but in the strategic alignment of processes, people, and technology to drive positive outcomes and create long-term value.” This three-pillar notion cannot be more apparent than when we evaluate the success of a cybersecurity program within supply chain management.
In addition to managing all internal tools, processes and people, a sound security program must consider every external entity within the manufacturing supply chain including all communications and interactions between each of these vendor companies. A supply chain should be viewed as a community, an ecosystem; it should have common goals, language, expectations and security standards across the entire group of organizations.
Successful supply chain cyber security begins with effective risk management. Understanding, evaluating, and documenting the highest risk elements of the manufacturing supply chain and mitigating them are the backbone to creating a robust supply chain cybersecurity program. The risk management activities will rely on an effective risk analysis at the beginning of every relationship and periodically throughout its lifecycle. It will rely on effective training of the internal team, and on successful communications with all external resources.
Risk management relies heavily on asking the right questions. As you perform your risk analysis, the key questions and topics should include internal analysis of your personnel training and roles, your own policies and processes, and external management of vendors:
For internal personnel:
For internal policies & processes:
For external supply base:
After thoroughly conducting your risk management activities and successfully documenting your findings, the output will guide your relationship with all of the companies in your supply chain. The guidelines and policies created will help to guide your interactions and communications with your suppliers. Policy will likely include:
Conducting effective risk assessment activities is critical to the successful management of the manufacturing supply chain from a cybersecurity perspective. Fortunately, the outputs from these efforts provide the roadmap for a robust supply chain cybersecurity program, and thereby help to minimize supply chain disruption and subsequent interruption to your core business. All of this will protect customer satisfaction and company profitability.
About the Author:
Matthew DeChant is the CEO of Security Counsel, a Cybersecurity management consultancy. Matt has 25 years of experience building information technology and security programs for numerous industry segments including manufacturing. As an in-house CISO and through Security Counsel, Matt has managed the creation of cybersecurity programs for numerous clients and their executive teams, corporate boards, and high-net-worth individuals. He leads response events and conducts tabletop exercises with his clients to help them prepare for their potential worst-case scenario cybersecurity events. He is part of numerous cybersecurity best practices committees & boards and is passionate about supporting quality cybersecurity education.
Tune in to hear from Chris Brown, Vice President of Sales at CADDi, a leading manufacturing solutions provider. We delve into Chris’ role of expanding the reach of CADDi Drawer which uses advanced AI to centralize and analyze essential production data to help manufacturers improve efficiency and quality.