Protecting the supply chain in an era of disruptions

Dec 07, 2020 | 5 mins
Business Continuity, Risk Management, Security

Supply chain problems encountered during the COVID-19 pandemic brought continuity planning out of the shadows and into the boardroom.


Business continuity planning is an important but often overlooked aspect of managing enterprise risk. This year, the COVID-19 pandemic has made it clear to risk and security professionals—and their enterprises—that business continuity must be an organizational focal point, with supply chain continuity being an especially critical area to solidify.

Many enterprises today outsource a variety of business- and technology-related processes, making successful and reliable supply chains essential for their survival. Eight in 10 (79%) of companies with high-performing supply chains achieve revenue growth above average within their industries. But maintaining that reliability in a fast-moving era of digital disruption requires a concerted commitment to assessing threats and managing gaps in continuity plans.

While supply chain problems encountered during the COVID-19 pandemic are top of mind for many organizations, other major events in the not-too-distant past (from natural disasters to terrorist attacks and cyberattacks) have underscored the need for resilient supply chains. In fact, cybersecurity incidents increasingly are among the common causes of supply chain disruption. A study from Resilience360 finds that there were around 300 cybersecurity incidents that impacted supply chain entities last year, with many of those attacks coming in the form of ransomware.

Assess your supply chain partners’ security

Unfortunately, attacks on supply chains are a trend that is likely to escalate in the months and years to come. Earlier this year, even before the COVID-19 pandemic took center stage, the US Federal Bureau of Investigation issued a security alert to companies in the private sector regarding a hacking campaign targeting supply chain software providers. The bottom line: inadequate security and incident management procedures within supply chain ecosystems can result in major interruptions to an enterprise’s business operations. Therefore, enterprises need to vet the security capabilities of their supply chain partners on an ongoing basis. This holds particularly true in the aftermath of the current pandemic and the resulting economic fallout, as some suppliers might no longer be in the economic position to maintain the security safeguards they previously had in place.

Whatever coordination is done with existing suppliers, it is imperative in this era to rethink business models and enable a more digital enterprise by transforming products and services. As enterprises re-imagine themselves and how technology can best be leveraged to drive growth and innovation, their transformations will often lead them to engage with new vendors and suppliers. Suppliers can be categorized into four major groups: strategic, tactical, commodity and niche. Each group carries its own set of potential risks that need to be mitigated. For example, instead of relying on only one supplier for commodities (materials and parts), continuity can be bolstered by using multiple suppliers; niche suppliers of exclusive components, on the other hand, require extra vetting if they are essential to the product’s distribution, because they can be especially challenging to replace. Before entering into relationships with new supply chain partners, it is critical to understand their security capabilities and the impact any gaps could have on organizational cybermaturity and business continuity.

Address the entire supply chain

Of course, in addition to the threat that cybersecurity incidents represent, there are several other threats that can wreak havoc on supply chains, such as hardware and equipment failures, environmental hazards and other continuity crises, including the disruptions to the workforce that have occurred during the COVID-19 pandemic. As indicated in ISACA’s recent white paper, Supply Chain Resilience and Continuity, “A supply chain risk mitigation process should not just focus on supplier-specific risk, but rather address overall supply chain interruptions and their impact on the enterprise as a whole. The mitigation plan should address the entire supply chain rather than a specific supply partner. The risk mitigation process should be both proactive (to ensure adequate controls while establishing the process) and reactive (to include an appropriate incident management process supported by continuity plans).” [Disclaimer: I am a board director of ISACA.]

The ISACA guidance highlights some key best practices in this area, including:

  • Monitoring supply chain partners for performance and quality
  • Aligning enterprise continuity plans with the plans of supply chain partners
  • Avoiding scenarios with single points of failure, ensuring redundancy where possible
  • Understanding supply chain partners and maintaining good working relationships with them

We are in a dynamic and sometimes tumultuous business landscape that presents enterprises with tremendous opportunities but also comes with increasing risks. This is a result of both the pace of technological change and a global business environment with increasing interdependencies. Add in the ever-present possibility of large-scale disasters such as a global pandemic, and the need to prioritize business continuity is evident.

While organizations should always be prepared for the unexpected, the scale of the COVID-19 pandemic has been an eye-opener for many business leaders about the necessity of continuity planning and resilient, dependable supply chains. Planning in advance for what to do when a problem abruptly surfaces—and applying the risk management, governance and security fundamentals to mitigate the potential damage—should remain a high priority long after the current crisis abates.


Experienced leader and board member, international authority in cybersecurity, with a proven track record in developing and managing strategy, programs and initiatives. Innovative thinker, with several international patents to his name, proven successful communicator and consensus builder across borders and cultures.

Chris is Director and Past Chair of the Board of ISACA, an international not-for-profit association with more than 200 chapters, serving more than 160,000 IT, cybersecurity, information security, audit, risk and compliance professionals in 180 countries. He has served ISACA as Chair of the Board for 2 consecutive terms (2015-2016 and 2016-2017) and as a director of the Board for 9 terms (2010-2014 and 2015-present).

Chris is also a Board Member at INTRALOT, a leading gaming solutions supplier and operator active in 42 regulated jurisdictions around the world. Prior to this role he served as Group CEO, Group Chief Services and Delivery Officer, Group Director of Technology Operations and Group Director of Information Security.

He has also served as a member of the Permanent Stakeholders Group (PSG) of the European Network and Information Security Agency (ENISA) from 2012 to 2015. Chris has been working in the area of information technology for 20 years; he holds 3 patents, has received 6 awards and has authored more than 150 publications.

He holds a degree in Electrical and Computer Engineering and a Ph.D. in Information Security.