When a CIO starts to think about what they need to do to secure their company, most often they tend to look around themselves. They look at the company's data centers, the desktop systems that people use, the laptops that people take home, etc. All of the company's own IT assets can be seen and, with a little luck, secured. However, it turns out that there is one area that too many CIOs have been overlooking: their supply chain. Every computer and system that a company's suppliers use to connect to the company has to be as secure as the company's own systems are. But can a CIO ever be sure that their supply chain is secure?
The Problem With Supply Chains
CIOs need to start spending time thinking about how they can go about securing their supply chains. The issue that CIOs need to investigate is whether any of the IT systems being used by the members of their supply chain have been compromised. A lapse of this kind could have occurred through either incompetence or malice on the part of a worker. The challenge is that most modern supply chains consist of many different companies that both supply parts and assemble complex systems, so there is no single vendor to inspect.
CIOs have to put policies in place that will allow them to scrutinize their suppliers. Any hardware that is used as part of the communication between companies in the supply chain needs to be part of ongoing vulnerability scans, patching, and security reviews. Because of the importance of keeping your supply chain secure, the security of that supply chain has to become central to the way the person with the CIO job runs their business. Likewise, the members of your supply chain have to be willing to work closely with you and to stay aware of industry-wide security issues.
Just to make things even more complex, CIOs need to be aware that there is always the possibility that components your company receives from foreign companies may be designed to spy on your company. The U.S. government has raised concerns about telecom equipment from the Chinese firm Huawei and antivirus software from the Russian company Kaspersky Lab. Both of these companies have denied that their products are being used to collect data for their governments.
How CIOs Can Ensure That Their Supply Chain Is Secure
The U.S. government understands that the people in the CIO position have a real challenge on their hands when it comes to securing their supply chains. The Department of Homeland Security has formed a special task force that will share information on supply chain security problems. Additionally, the task force will be responsible for developing strategies that reduce the risk. It will consist of representatives from Microsoft, Cisco, and AT&T along with other government departments.
CIOs need to understand that software that could steal information could be inserted into either a computer or a piece of networking gear at some point in a company's supply chain. This understanding is starting to cause a change in behavior. CIOs are starting to take a closer look at both the security of their product designs and how they go about testing their products. However, CIOs need to realize that the biggest threat to their supply chain may come from hackers who gain access to computer systems by exploiting devices that ship with bugs in their software.
Every company is trying to reduce its costs. What this means is that parts of their supply chain may be occupied by firms that won contracts by offering the lowest-cost components or services. Since these firms are working so hard to keep their costs low, they may not be spending as much time and money on securing their IT systems as they should be. The result is that they may be the weak link in a CIO's supply chain, and it is through them that hackers will try to gain access to a CIO's networks.
What All Of This Means For You
On top of all of the other things that a CIO has to spend time worrying about, it turns out that there is now one more. CIOs have to be aware that the security of the company's networks and IT resources may depend on just how secure the members of the company's supply chain keep their own systems. Now, instead of just having to keep the company's computers secure, CIOs have to create plans to keep the systems of their suppliers secure as well.
Most companies now use complex supply chains. It is the responsibility of the CIO to take a careful look at their supply chain in order to determine whether any of their vendors' IT systems have been compromised. CIOs have to create processes that they can use to evaluate the security of the IT systems being used by the members of their supply chain. Likewise, those vendors have to be committed to working with your company in order to secure their systems. CIOs have to be aware that there is always the possibility that one of their vendors could be working with its government to spy on your business. The U.S. government understands the risk to supply chains and has created a task force to look into how they can be secured. Product design issues and testing methodologies all have to be inspected to make sure that nothing gets past your supply chain security controls. CIOs need to understand that some of the members of their supply chain may have been selected because they were the low-cost providers. This means that you'll have to keep a close watch on them to make sure that they are spending enough on their own IT security.
Ultimately it is the job of the CIO to keep a company's IT systems safe and secure. This has traditionally meant that all of a company's internal systems had to be secured. As companies come to rely more and more on their supply chains, it is now becoming part of a CIO's job to make sure that the supply chain does not open any holes in the company's IT defenses. If a CIO can work with their supply chain vendors to keep all of their systems secure, then the bad guys will have to go someplace else.
– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™
Question For You: What should a CIO do if they discover that a supply chain vendor’s systems are unsecure?
What We’ll Be Talking About Next Time
As CIOs, we are always trying to move our companies forward because we understand the importance of information technology. What this sometimes means is that when our company has a piece of equipment that has become outdated, or that perhaps no one knows how to use or maintain any more, we'll often try to apply a wrapper technique to it. We'll try to marry modern technology to older equipment in order to extend its life and avoid replacement costs. However, as some CIOs are starting to discover, this is not always a good idea.