Collaborating with suppliers is one of the basic tenets of supply chain management; after all, if you're not actively communicating with your external partners, there's no real chance that you'll gain any competitive advantage by leveraging those relationships. And yet, as technology has not only flattened the world but made it that much easier for the bad guys to threaten us, companies are understandably skittish about exactly how much they want to share throughout the supply chain in all its incarnations.
In fact, securing the physical supply chain might in some ways be easier than securing the transactional supply chain. Witness, for instance, the political football that's been played between the Obama administration and Congress regarding cybersecurity legislation. H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), recently won House approval. Among other things, this act allows the government to share cyber-threat information with the private sector; the administration, however, has signaled it would veto the act on the grounds that it doesn't go far enough to protect privacy.
"Manufacturers know the economic security of the United States is directly related to our cybersecurity," says Aric Newhouse, senior vice president of policy and government relations with the National Association of Manufacturers (NAM). "Cybersecurity will play a significant role in defining the future of the Internet and business in the 21st century, so it is natural that the manufacturing and high-tech communities strongly support the CISPA legislation." Notwithstanding Newhouse's assertion, such high-tech companies as Microsoft, Facebook and Mozilla either oppose or have yet to strongly endorse CISPA. The issue, again, comes down to the protection of transactional data.
"Supply chains are inherently insecure, and organizations create unintended information risk when sharing information with their suppliers," says Michael de Crespigny, CEO of the Information Security Forum (ISF). The risk in question is that the confidentiality, integrity or availability of that shared information could be compromised. "There is a 'black hole' of undefined supply chain information risk in many organizations -- they understand and manage this risk internally but have difficulty identifying and managing this risk across their hundreds or thousands of suppliers." This risk, he adds, is yours to manage -- you can't outsource supply chain risk management.
"When suppliers share your information with their suppliers, the risk is extended further up the supply chain, and visibility and control diminish," de Crespigny points out. "The key to managing information risk in the supply chain is an information-led, risk-based approach to identify what information is being shared and assess the probability and impact of a compromise."
The ISF, a not-for-profit association specializing in information security and risk management, recommends that companies focus on identifying information shared in the supply chain, especially on the contracts that pose the highest risk. To that end, the group has developed a Supply Chain Information Risk Assurance Process for large manufacturers and other companies to manage risk across thousands or tens of thousands of suppliers.