How The Digitalisation Of Supply Chains Affects The Way In Which Project Managers Manage Cyber Security Risks When Working With Large Multi-National Organisations.
ABSTRACT
Today, cybersecurity threats have been identified as a major concern for any project undertaken by both government and private business organizations. News reports about criminal misconduct and security breaches appear more regularly on major news outlets. These high-profile events or security breaches highlight the risks posed by cybersecurity threats to the modern organization. With evidence indicating that these cybersecurity threats are increasing rapidly, modern organizations are becoming more aware of these cyber risks and their potential consequences. This literature review defines cyber supply chain risk management and identifies the cyber supply chain risks that affect modern organizations. It also describes how modern organizations approach supply chain risk and cybersecurity, as well as the current vendor risk management methodology. Finally, it looks at the impact of the SCRM risk management framework on PMBOK (2017) and at comparative approaches to presenting cyber supply chain risk management.
Introduction
Threats from cyber-attacks continue to grow, disrupting global supply chains and exposing organizations to disruptions that completely halt or severely affect normal operations. As a consequence, business performance is impacted negatively, the company’s reputation is damaged significantly, and in extreme cases there are long-term legal ramifications. Today, supply chains prepare for cyber-attacks using traditional resilience and risk frameworks, protecting their networks with firewalls, antivirus software and patches. Meanwhile, insurance is used to provide these companies with financial protection. However, these approaches have failed to give the desired result, as evidenced by the steadily increasing disruptions resulting from cyber-attacks. As such, this discussion explores various research studies published on the subject of cyber supply chain risk management, the cyber supply chain risks affecting modern organizations, and the organizational approach to supply chain risk and cybersecurity.
Cyber Supply Chain Risk Management (CSCRM)
Cyber supply chain risk management refers to a new discipline that’s designed to help information technology executives deal with the challenges arising from rapid globalization and the outsourced diffusion of software and hardware systems. This integrative discipline combines elements of supply chain management, cybersecurity and enterprise risk management into a powerful new concept with the ability to exert strategic control over the end-to-end processes of local organizations and their extended enterprise partners.
With digitization rapidly taking shape, supply chains have become integrated between organizations via various digital communication links. NIST (2020) indicates that a supply chain network is only as strong as its weakest member, since members have shared security arrangements and information that cut across the supply chain. Pandey et al. (2020) add that agility, visibility and information exchange tend to increase through various digital technologies. Still, these supply chain systems tend to come with several consequent risks and threats. Sepúlveda Estay (2017) argues that recent studies demonstrate that, in most cases, small organizations will often be the target of these cyber-attacks, given their overall size within the supply chain system. This implies that larger companies are often exposed to specific risks, given that they are often under contract with small organizations for the production of specific niche products. Moreover, supply chain organizations are often at a disadvantage because they have to protect a very wide swath of technology, while cybercriminals and similar attackers need only identify the weakest link within the supply chain system to exploit. As such, the goal of cyber supply chain risk management is to identify any new or emerging risks so that they can be managed or mitigated effectively.
Cyber Supply Chain Risks That Affect Organizations
Cybersecurity practitioners and researchers across the globe have been paying a lot of attention to the increasing threats affecting supply chain risk management. Colicchia, Creazza and Menachof (2019) indicate that since the 9/11 terrorist attacks, concerns regarding the potential for major disruption to supply chain systems have always existed. As a consequence, a fundamental requirement of modern organizations should be to enhance supply chain security. Colicchia and his colleagues add that security threats like sabotage, vandalism, riots and sea piracy have the potential to disrupt the normal flow of operations in any given supply chain. These threats can emerge from voluntary actions instigated by employees within an organization, or by insiders within the supply chain companies. Moreover, external criminals can work closely with insiders of specific companies operating within the supply chain, and these insiders deliberately breach the necessary regulatory frameworks, for example by manipulating documents or providing authentication passwords to aid the intruders.
According to Presley and Landry (2016), cybersecurity is a concept that involves protection against damage to or theft of information technology hardware or software, as well as the data stored in these systems. Boyes (2015) argues that good cybersecurity comprises a comprehensive or holistic approach involving people, technology and processes. Today, cybersecurity is a matter that has gained a lot of global interest and significance, with the internet and other electronic devices becoming a big concern for most companies. The existence of these threats has the potential to facilitate crime within a given supply chain network or system.
According to Sepúlveda Estay (2017), the automation of operations happening in most industries due to the increased use of technologies like cloud computing and the internet of things introduces new types of threats, referred to as safety and cybersecurity risks. These threats have a very high likelihood of occurring due to the malicious behavior associated with some supply chain products or members, with the products or services offered containing counterfeits or counterfeit components. Sepúlveda Estay (2017) adds that adverse events like freight breaches, data theft and vandalism threaten the integrity of information systems, human resources and operations. As such, organizations should be concerned about both the protection of their assets and the security or safety of their employees. Sepúlveda Estay (2017) argues that every secure system tends to be safety-critical, but the reverse is not always the case. This is because the built-in safety features within a given system are often susceptible to potential cyber-attacks, especially when the safety-critical systems are insecure.
Boyes (2015) points out that confidentiality is now an important security requirement to enhance the protection of the personal information of the organization’s customers from potential cyber-attacks. As such, organizations have to put in place proper promotion and forecast measures through effective information sharing and collaboration. However, Boyes (2015) argues that business collaboration within a supply chain can often be transformed into a potential crisis due to the obstacles arising from information sharing. Apart from confidentiality, Boyes (2015) notes that other major issues exist among supply chain partners, among them the use of various technologies, the accuracy of the information provided and timelines. Moreover, Boyes (2015) suggests that the lack of encryption during the transport of crucial information and the lack of sufficient authorization often expose IoT systems to potential attacks. This transparency during information sharing and collaboration between various supply chain members often leads to threats like cyber terrorism and data theft, among others. Based on this understanding, the critical ingredients within a supply chain partnership are cooperation and trust between members.
Finally, cybersecurity threats exist across the supply chain, especially if any cybersecurity device or equipment is transported through a given supply chain. According to Colicchia, Creazza and Menachof (2019), cyber supply chain risk management comprises the key players and their process-level and organizational interactions that build and defend information systems infrastructure. The likely consequences of cyber-attacks on cyber supply chain operations include interruption of operations, information loss and operations being discredited (Colicchia, Creazza and Menachof, 2019). Risk assessment or mitigation, as an end-to-end process over programmatic activities and organizational strategy, has to be undertaken through the established cyber supply chain risk management framework. This process is made up of the development and design work that comes alongside the deployment and integration of supply chains involving information technology networks, software and hardware systems. In other words, Colicchia and his colleagues describe CSCRM as the integration of the processes involving cybersecurity and enterprise risk management. However, unlike cybersecurity, which emphasizes only technical control measures for preventing risks from the disruption of information technology systems and operations within an organization, CSCRM aims to merge both human factors and managerial engineering. Moreover, CSCRM also aims to change network demand patterns by hiding the identities of the supply chain network providers. Colicchia, Creazza and Menachof (2019) conclude that risk management within any supply chain can only be undertaken effectively when the risk sources are well known.
Organizational Approach to Supply Chain Risk and Cybersecurity
According to NIST (2020), organizations often adopt different approaches to their cyber supply chain risk management in terms of oversight, organizational structure and policy development. One of the key themes in these approaches is integrated SCRM; it implies that mature SCRM programs demonstrate close collaboration that cuts across both business and functional lines. NIST (2020) indicates that these measures involve supply chain risk leadership councils, which include the executive level, as well as numerous working meetings at the staff levels of most organizations. The collaboration across various organizational lines ensures that SCRM is given priority, which facilitates decision making while helping organizations to be proactive with their priorities. As a consequence, Presley and Landry (2016) indicate that organizations can come up with timely responses to any potential issues affecting their enterprise while also developing more efficient engagement throughout the enterprise.
Another organizational approach to supply chain risk and cybersecurity is the use of standardized security frameworks. NIST (2020) identifies that modern organizations have now adopted standardized security frameworks, such as the NIST Cybersecurity Framework. These frameworks enable organizations to come up with a common and specific language for the SCRM across a given enterprise and streamline incident reporting and communication.
The engagement of executive leadership, as part of SCRM, has also become a common approach applied by most organizations. Through regular touchpoints and presentations, boards of directors and executives of various organizations are engaged in SCRM. These engagements demonstrate leadership commitment while also highlighting the significance of SCRM to an organization.
The main driver of SCRM tends to be business priorities to ensure that there is a smooth and efficient product or service delivery. According to NIST (2020), most organizations consider SCRM to be a critical function that significantly reduces any risks of disruptions that might hinder effective service or product delivery in the event a particular incident was to occur. Moreover, organizations continue to share different practices on how to identify, respond or prioritize any cyber supply chain risks.
Vendors Risk Management Methodology
According to Ghadge et al. (2019), the risk management methodology applied by any organization should depend on the type of cyber-attack, the organization’s resilience and the level of sophistication of a given attack. Ghadge et al. (2019) argue that automated IT operations are increasingly being implemented in most organizations, a factor that has allowed modern companies to reduce the size of their workforce. Moreover, it has been suggested that the few IT staff left behind in these organizations lack enough time to enhance their security awareness and develop a holistic understanding of their organization’s systems. This factor poses significant security risks to any organization. As such, Ghadge et al. (2019) propose that for organizations to nurture or enhance their employees’ capabilities and prepare them for new cyber supply chain risks and challenges, they must initiate training and risk awareness drives as countermeasures to these risks.
Ghadge et al. (2019) also consider information sharing to be a promising method for dealing with cyber risks since it allows for both inter- and intra-organizational communication while the relevant risk data can be easily processed. Unfortunately, Ghadge et al. (2019) suggest that many organizations don’t perceive information leakage to be a potential security risk. As such, Ghadge et al. (2019) suggest that employees in modern organizations should be encouraged to change their passwords more frequently and avoid sharing them with other people to avoid the risk of information leakage.
Finally, Ghadge et al. (2019) suggest that modern supply chains should adopt more proactive measures to mitigate the increase in cyber risks, and they should also enhance their reactive mitigation strategies. Among the most prominent cyber risk mitigation measures is the use of cyber insurance, an industry that is currently experiencing significant growth. Moreover, Ghadge et al. (2019) add that it is very difficult to develop or design a perfect cybersecurity system with the ability to deter all cyber risks. As such, organizations should employ diverse countermeasures that cover different risks and attack scenarios or contingencies.
The impact of the CSCRM risk management framework on PMBOK (2017)
Presley and Landry (2016) highlight two risk management models that appear useful for the management of risks in cybersecurity-related projects, namely the PMI Model and the DoD Program Managers Guidebook. The two models present unique strengths for project managers within the cybersecurity domain. According to Presley and Landry (2016), the PMI model relies on known good practices that enhance various project management processes and represents an ANSI project management standard that has been widely adopted and reviewed.
On the other hand, the DoD Program Managers Guidebook is the culmination of extensive multiagency reviews done to define and identify the best practices required to manage cybersecurity risks, based mainly on the vast experience of the DoD in dealing with cyberattacks, having been a constant target in the past. Presley and Landry (2016) indicate that among the measures considered are the adoption of the NIST standard 800-53r4 and the implementation of the DoD’s Risk Management Framework. This framework is applicable in highly sensitive programs whose purpose is to acquire the systems regarded as necessary to enhance national security.
Comparative Approaches in Presenting Cyber Supply Chain Risk Management
According to the Australian Cyber Security Centre (ACSC) (2020), SCRM requires a clear understanding of the exact context within which a given system is used, together with the most common threats or vulnerabilities to the system and the impact the identified risks would have on an organization. As such, the Australian Cyber Security Centre (ACSC) (2020) suggests that the following SCRM aspects should help organizations manage their supply chain risks.
First, a good understanding of the existing supply chain system is necessary. The Australian Cyber Security Centre (ACSC) (2020) indicates that good SCRM within any organization requires a clear understanding of the organization’s most important systems from both a security and a business perspective.
Another key aspect is to have a good understanding of the existing supply chain risks. Understanding the overall breadth of influence that these risks would have on any organization is crucial because it informs a proportionate threat and vulnerability assessment process. Moreover, it ensures that the overall risk is determined by overlaying where the system vulnerabilities exist with the real sources of the threat. According to the Australian Cyber Security Centre (ACSC) (2020), this approach will appropriately prioritize and ultimately determine the existing supply chain risks.
Once the supply chain risks have been identified, organizations should then look to manage them. Managing these supply chain risks within the system is a large undertaking that spans the life of the product or service. As such, the Australian Cyber Security Centre (ACSC) (2020) suggests that to understand the real breadth or magnitude of the existing cyber supply chain risks, it’s important for organizations to be aware of the primary aspects of their products’ lives.
Finally, the Australian Cyber Security Centre (ACSC) (2020) recommends the monitoring of the supply chain and its controls. This measure is necessary because most pervasive supply chain threats arise from a combination of technical capability and foreign interference intent.
Conclusion
From the preceding, cyber supply chain risk management is a new discipline that’s designed to help information technology executives deal with the challenges arising from rapid globalization and the outsourced diffusion of software and hardware systems. Today, cybersecurity practitioners and researchers across the globe have been paying a lot of attention to the increasing threats affecting supply chain risk management. The automation of operations happening in most industries due to the increased use of technologies like cloud computing and the internet of things introduces new types of threats, referred to as safety and cybersecurity risks. Modern organizations adopt different approaches to their cyber supply chain risk management in terms of oversight, organizational structure and policy development. However, according to the Australian Cyber Security Centre (ACSC) (2020), SCRM can only be effective if there is a clear understanding of the exact context within which a given system is used, together with the most common threats or vulnerabilities to the system and the impact the identified risks would have on an organization.
References
Australian Cyber Security Centre (ACSC) (2020). Cyber Supply Chain Risk Management Practitioner Guide. Retrieved from: https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-supply-chain-risk-management-practitioner-guide
Boyson, S. (2015). Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems. Technovation, 34(7), 342-353. doi:10.1016/j.technovation.2014.02.001
Colicchia, C., Creazza, A., & Menachof, D. A. (2019). Managing cyber and information risks in supply chains: Insights from an exploratory analysis. Supply Chain Management: An International Journal, 24(2), 215-240. doi:10.1108/scm-09-2017-0289
Ghadge, A., Weiß, M., Caldwell, N., & Wilding, R. (2019). Managing cyber risk in supply chains: A review and research agenda. Supply Chain Management: An International Journal, 1-36. doi:10.1108/SCM-10-2018-0357. Retrieved from: https://www.researchgate.net/publication/334736415_Managing_cyber_risk_in_supply_chains_A_review_and_research_agenda
NIST (2020). Case Studies in Cyber Supply Chain Risk Management: Observations from industry. doi:10.6028/NIST.CSWP.02042020-1
Pandey, S., Singh, R. K., Gunasekaran, A., & Kaushik, A. (2020). Cyber security risks in globalized supply chains: Conceptual framework. Journal of Global Operations and Strategic Sourcing, 13(1), 103-128. doi:10.1108/jgoss-05-2019-0042
Presley, S. S., & Landry, J. P. (2016). A Process Framework for Managing Cybersecurity Risks in Projects. In Proceedings of the Southern Association for Information Systems Conference, St. Augustine, FL, USA, March 18th–19th. Retrieved from: https://pdfs.semanticscholar.org/0d48/72e2e35cbb4f641807385342be7105f35aea.pdf
Sepúlveda Estay, D. A. (2017). Managing cyber-risk and security in the global supply chain: a systems analysis approach to risk, structure and behaviour. DTU Management Engineering.