Leveraging Supply Chain Tools to Develop a Cyber Risk Culture and Strategy: Part III

Managing Cyber Risks in Global Supply Chains: The Four Fundamentals


Editor’s Note: This is the third installment of a six-part series on “Building a Cyber Secure Supply Chain.” Dan Pellathy is Assistant Professor of Operations & Supply Chain Management at the Seidman College of Business, Grand Valley State University.

University of Tennessee, Knoxville’s Global Supply Chain Institute (GSCI) research reveals most supply chain professionals don’t have a strong grasp of the cybersecurity fundamentals necessary for protecting their supply chains from risks. First and foremost of these fundamentals is understanding the nature of supply chain cyber risk.


Once supply chain management professionals begin to understand the cyber risks impacting the supply chain, the next step is to act. Research by the University of Tennessee, Knoxville’s Global Supply Chain Institute and sponsored by Leidos shows that benchmark companies lean heavily on traditional supply chain management tools and techniques to build their organization’s cyber security capabilities. What distinguishes these companies is their understanding that cyber security originates with robust cyber strategies, and that applying any organization-wide strategy starts with investing in organizational culture.

A Culture of Supply Chain Cyber Security

Organizations resistant to cultural change take a familiar form: functional groups and supply chain partners have their own way of doing things and people are distrustful – even disdainful – of alternative approaches. To promote a cyber risk culture, companies must first have fertile ground that values common supply chain goals through collaborative, end-to-end approaches.

The benchmark companies we studied emphasized that cyber security is everyone’s concern by incorporating it into supply chain goals. As part of the supply chain strategy, cyber security gets folded into the behaviors leadership emphasizes formally through compensation and rewards systems as well as through everyday norms of open communication and joint problem solving. In benchmark companies, the sense of ownership extends to interactions with supply chain partners, with operational discussions grounded in common standards, principles and values that support a well-articulated cyber strategy.

Organizational culture characteristics we observed in benchmark companies include:

  • Deep understanding of risk management best practices
  • Focus on excellence and attention to detail across all systems
  • Cross-disciplinary, cross-functional collaboration on problem solving
  • Continuous improvement aimed at building cyber security capabilities
  • Learning that draws on knowledge and experience from across the company and supply chain
  • Overlapping functional and company rewards systems that include executive compensation
  • Common standards, principles, and values for end-to-end supply chain systems
  • Recognition and celebration of successes with supply chain partners

In benchmark companies, cyber security influences the way people approach and prioritize organizational issues as well as how teams engage with supply chain partners. Without this foundation, companies struggle to implement even the best conceived strategies.

Developing a Robust Supply Chain Cyber Security Strategy

No one strategy fits all companies, but there are several well-developed cyber security strategy frameworks that companies can adapt to their needs, including ISO 27001 and ISO 27002, ITIL, COBIT, and NIST. Many of the benchmark companies we spoke to couple these frameworks with supply chain management fundamentals to develop their cyber security strategies. They integrate Lean techniques, total quality management and Six Sigma problem solving into cyber security processes and leverage proven supply chain tools such as rigorous scorecards, action plans, and leadership reviews to drive results. Many benchmark companies treat cyber security like another supply chain capability – building on existing frameworks while focusing on continuous improvement with monthly cyber supply chain map reviews and joint problem solving on key issues.

Most importantly, however, benchmark companies clearly identify the systems critical to business success and create rigorous cyber security around them. At a minimum, this involves multiple-step password verification to access critical systems and mandated software upgrades to ensure users have the latest protections. More broadly, benchmark companies employ zero trust approaches to cyber security that establish and verify all requests for access. They also tend to deploy small, highly qualified teams to manage critical systems, reducing dependence on automated management technologies. Regular cyber event debriefs and trainings help teams maintain awareness and identify emerging threats. Some companies opt to unplug critical systems from broader cyber environments altogether, cutting access from intranets, the cloud and the internet. Each of these tactics maintains the integrity of critical systems while supporting cyber security in the broader operating environment.

Continuously Improving Cyber Strategy

The supply chain cyber risk environment is extraordinarily dynamic, and benchmark companies are always on the lookout for new ways to protect their supply chains. One of the latest approaches, active defense, involves using decoys and misdirection, which have ethical and legal implications. Still, active defense is one of many emerging techniques that supply chain managers should be aware of as they develop their own robust supply chain cyber security program.

Find a full explanation of each of the four fundamentals, along with 11 best practices, in the GSCI white paper, “Managing Cyber Risks in Global Supply Chains: The Four Fundamentals,” sponsored by Leidos and available for free download at https://haslam.utk.edu/gsci/publications.
