ISACA risk expert Paul Phillips and CEO of Risk Factor Richard Hollis discussed key challenges influencing supply chain security in an episode of ISACA Live last week. Their conversation was supported by insights from ISACA’s recent survey, Supply Chain Security Gaps: A 2022 Global Research Report.
Phillips opened with survey results that found only 44 percent of respondents had high confidence in their supply chain security, and Hollis admitted he was surprised that it was that high. He observed that there is a general failure to recognize that supplier and product connectivity presents a risk to systems.
“Anybody connected to anybody connected to anybody can provide an attack vector to our systems,” Hollis said.
When Phillips asked about the biggest risk regarding supply chain security, Hollis said that unauthorized access is the only risk enterprises should be considering in their supply chains. He then outlined three steps that organizations can take to minimize risks and manage threats associated with the supply chain: identify, minimize and manage.
“By defining the supplier, we start to define the problem,” Hollis said.
Once a definition of a supplier is established across an organization, then suppliers can be identified. Suppliers can be very different from each other, so a classification system based on the potential risk they pose to an organization is essential in order to prioritize the kind of risk management framework each supplier requires. Hollis recommended classifying each supplier as low, medium or high risk based on how much data they process and the sensitivity of that data. Once suppliers have been classified, a risk officer can help create a strategy that must be integrated into business processes to manage these risks.
Not only is contract management key in creating understanding of the control framework for all parties involved, but contract termination is an often-overlooked element that contributes to the survey report stat that 84 percent of companies say there is not enough governance in place around their supply chains. At the very least, said Hollis, the return or destruction of data involved needs to be settled on.
Unfortunately, the outlook isn’t so bright for the future of supply chain security as it currently stands—Phillips shared that more than half of respondents to ISACA’s survey said they expect supply chain issues to stay the same or worsen. Hollis said security by design is not the norm, and the nature of supply chain security attracts many bad actors. He said that to increase confidence in supply chains going forward, the catalyst is simple: “One word: accountability. Accountability would change everything.”
Editor’s note: View the full ISACA Live episode here, and attend Richard Hollis’ supply chain pre-conference workshop this October at ISACA Conference Europe 2022 on-site in Rome, Italy, or virtually.