But, and this is partly evident in the way the question is framed, the focus is still on IT and cyber security in the supply chain, not security. Security has many pillars and it includes places and people, not just technology.
By forgetting the impact of these other areas, we are ignoring their potential to harm us. We also know that the vast majority of security incidents are human behaviour-facilitated, including the way in which the tech is managed.
For instance, consider IT managers who have not been given enough time to take systems or platforms offline in order to patch them. We have been schooled for years in the importance of patching, but does our understanding go far enough to ensure that it is made possible? This is the way that known vulnerabilities get exploited and while we may be hypnotised by zero-day exploits, the depressing truth is that many exploits have been around for years but still get traction.
The IT solution for the patching issue, in my example, exists. It is the human perspective – allowing the IT manager to effect this solution – that is missing. This will only change when organisations understand that people have to be part of the security budget. You can’t expect 100% uptime and security, even in critical systems. This is on a par with refusing to fix fire exits because the corridor is very busy.
Are we expecting supply chain partners and their people to be better at security than we are? But if we are not prepared to invest in these human issues, why are we expecting our supply chain partners to be willing to do that?
A unilateral approach doesn’t work. Multilateral is the way because it isn’t really a supply chain, it’s an ecosystem, with connections in many directions and forward links that we cannot pretend to know. That ecosystem is only as strong as its weakest link, but maybe we’re not being honest that the weakest link potentially might be ourselves.
High expectations are fine, but we need to ensure that this is communicated to them effectively. Complex…