One field-tested security strategy for information systems and digital content is to address the problem through processes, people and technology. On the process front, all companies involved in the production of digital IP should, by now, be adhering to a proven information security framework that fully addresses supply chain risks. That includes making sure your digital IP is protected at all times, even during post-production (or maybe we should say especially during post-production, given recent incidents).
Fortunately, there is a ready-made cybersecurity framework that companies can use, at no charge, thanks to the US federal government, which has done some sterling work in this area, namely the NIST Cybersecurity Framework.
The current version is a great way to get a handle on your organization’s cybersecurity, and the next version, currently in draft, goes even deeper into the need to maintain cybersecurity throughout the supply chain. For that reason, the draft is worth quoting at length:
“The practice of communicating and verifying cybersecurity requirements among stakeholders is one aspect of cyber supply chain risk management (SCRM). A primary objective of cyber SCRM is to identify, assess and mitigate ‘products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.’”
In exploring AGCO’s success with implementing a global supply chain risk management (SCRM) program, we can summarize our key recommendations to other manufacturers and services-oriented companies in 10 tips:
Start to engage with solution providers – Try them out, start to inflict the pain of visibility on your internal stakeholders, teach your organization to act with many blinders removed and adopt a more strategic level of thinking.
Solutions are in a state of flux – Early adopters will likely have to go through radical changes in their programs as this industry matures, but this is preferable to remaining on the sidelines, getting stuck deeper in the old ways.
Heuristics will make a big difference over time – Both in helping to eliminate false positives and also in identifying real issues with greater precision. Aggregated metadata from your third parties, combined with other big data sets, all processed in real time, will drive a change toward solutions that not only show what your supply base looks like but also help manage risk scenarios and develop mitigation plans of action.
A picture is worth 1,000 conference calls – Think of a map, showing all your major internal and external business relationships (manufacturing facilities, warehouses and distribution facilities, logistical paths, suppliers and their suppliers, etc.). This simple illustration can quickly rally stakeholders around a common cause.
Good SCRM analysis requires good data – Don’t skimp on the prep work. You know that sooner or later you do need to get to a clean master data management understanding, as well as item-level PO analysis. You also need to fully assess your key suppliers and their immediate supply base and product lifecycles. This is a good time to start on that journey.