What did the major data breaches at Target (2013), Home Depot (2014) and the U.S. Office of Personnel Management, “OPM” (2015), have in common? Beyond being existential threats when they occurred, and bringing massive fines, litigation, and loss of market share and reputation (OPM excepted, as a government agency), ALL of these breaches were carried out through access obtained via their respective suppliers: in each case the attackers got in using a third party's credentials or connection, not by breaking the victim's own perimeter first. Let that sink in while I lay some groundwork.
- More and more corporations are becoming virtual in nature, and so depend more and more on relationships with suppliers to create and deliver value
- There is ever deeper integration with suppliers across processes, data and information, systems, applications and more
- More and more of everything now runs in the “cloud”, often on infrastructure a supplier operates
Yet most supplier selection processes are still focused far too heavily on price and cost risk, and nowhere near enough attention is paid to one of the biggest risks, nay threats, posed by our supply base: cyber risk. And by the way, the risk we accept from our suppliers is passed straight along to our customers.
My supply base has access to my systems, and it holds a great deal of information about my operations. My order history alone can tell my competitors a lot about me; if the specification for a new composite I developed is stolen from a supplier and lands in the hands of my competition, three years of market advantage are wiped away. That means each of my suppliers is a potential point of failure in my overall cyber risk environment, and every new supplier I onboard adds to that attack surface. Cumulatively, as a CPO (Chief Procurement Officer) I am adding to my organization's overall cyber and information risk profile with every sourcing decision. Therefore, cyber security MUST be part of the evaluation, selection and decision criteria of any procurement or sourcing activity, just as the financial stability of the supplier already is. This can no longer be thought of as an activity for IT alone.
Cyber security of our supply chains is the weakest link in most organizations' overall portfolio of cyber risk, and it is probably the one that gets the least relative attention from sourcing and procurement departments. While chasing the lowest price pre-occupies most organizations, they let catastrophic risk be absorbed by their companies without a second thought. That may sound harsh, but the situation demands attention, and harsh language may be one way to get it. Regulators and industry bodies have already sprung into action (for example, the FDIC's guidance on managing third-party relationships and the PCI DSS requirements for managing service providers), and Procurement/Sourcing leaders can create competitive advantage for their corporations by getting ahead of the competition. Remember: your customers look at you as part of their supply chain risk!
While we have started to see cyber risk included more often as a selection factor, we are nowhere close to understanding this risk deeply enough, and the challenge grows bigger every day. Most procurement organizations are playing catch-up to a target that is moving faster than they are, which makes catching up impossible. Nor do we see a concerted, coordinated effort being made to tackle this issue. It almost feels as though people think that if we ignore it, it won't happen to us and it will go away. Until it does happen to us.
Imagine that the elections in the US (which have a major impact across the globe) could actually be strongly influenced by the cyber risk posed by the supplier who was managing the private email server of one of the candidates . . .