The Chief Supply Chain Officer and third-party security risk

The importance of good supply chain management has grown in recent years with numerous supply chain challenges ranging from various disruptions to the impact of evolving customer expectations. Not surprisingly, more companies give the supply chain manager a seat in the C-suite with a significantly increased role for the Chief Supply Chain Officer (CSCO).

While the many supply chain disruptions (think of the recent pandemic and various geopolitical events, for example) often received the most attention, there are several other reasons for the rise of the Chief Supply Chain Officer and for the changing expectations of the function and its role in the company.

Digital transformation is an essential factor here. In a network economy, the multi-channel customer needs to be served faster and more personally through connected networks, with efficiency and agility always top of mind, which makes the digital supply chain central. Chief Supply Chain Officers must increasingly operate in an extended supply chain where digital technologies and processes are ubiquitous. Ultimately, transforming and optimizing the supply chain for rapidly changing conditions is a goal in many digital transformation strategies.

The vision of Industry 4.0 and industrial transformation in general also revolves heavily around supply chains. In a customer-centric economy, people sometimes say that transformation takes place in the last mile. However, every link is crucial in a hyper-connected, highly data-driven, and automated digital supply chain, a pillar of the concept of Industry 4.0 (and of Industry 5.0).

In this complex digital business landscape with its need for speed, optimization, efficiency, continuity, and flexibility, the Chief Supply Chain Officer comes into contact with a variety of themes that are gaining in importance, such as sustainability, resilience, (near-)real-time data for planning and traceability (also think of IoT), digital ecosystems and, inevitably, cybersecurity and cyber risks. A solid knowledge of these technological and other evolutions, both in terms of opportunities and innovations as well as risks and security, is crucial for the CSCO.

Cyber TPRM: third-party security risk and supply chain management

Risk management and vendor management have always been part of the tasks of the Supply Chain and Operations Officer. In a world where supply chain cyberattacks are a more frequent and more impactful risk for companies, cybersecurity is part of the need for resilience, including cyber resilience, in a supply chain management context.

This is all the more true when we consider the evolution from traditional linear supply chains to digitally connected supply chain networks and the increasing complexity of supply chain security (note: not the same as software supply chain security but overlapping).

One of the critical elements of supply chain cybersecurity is TPRM (third-party risk management) or, in this context, third-party security risk management (TPSRM), as it’s sometimes called. Third-party security risk management is inherent to the increasing complexity and interconnectedness of supply chains AND software supply chains. In our cloud-intensive and increasingly connected digital economy, every enterprise deals with more third parties than before, often without knowing it. Third-party risk management, therefore, takes on a greater cyber risk dimension – on top of all other forms of risk concerning partners and other third parties.

Brian Schultz, Senior Director Analyst in Gartner’s Supply Chain Practice, also notes the importance of third-party risk management for supply chain cybersecurity. He recalls that Gartner predicted in early 2023 that sixty percent of all supply chain organizations will use cybersecurity risk as a key buying criterion by 2025.

Bringing cyber resilience in line with risk appetite

What does this mean for CSCOs? Obviously, they should not replace the Chief Information Security Officer (CISO) or others responsible for cybersecurity in the organization. However, they will increasingly be expected to understand how supply chain cyberattacks evolve, and they will play an important role in third-party risk management, since attacks on key suppliers and partners are increasing and can cause significant business continuity disruptions. Collaboration with various stakeholders is therefore essential for CSCOs in a TPRM and cyber resilience context. This concerns internal and external stakeholders, as Gartner’s chart below illustrates.

Figure: Role of the Chief Supply Chain Officer in managing cybersecurity (source and courtesy Gartner).

CSCOs must also take a more active role in managing the risks of working with partners. Schultz presents a four-step supply chain cyber TPRM program that enables CSCOs to address the exposure third parties present and to build a more resilient supply chain, as you can read in the full article, which looks at the key actions CSCOs should take to improve cyber resilience.

Finally, as Schultz reminds us, it’s important to note that there is no one-size-fits-all solution for cyber TPRM, nor is there complete cybersecurity protection. Consequently, Schultz says, “the best-case scenario is reaching a state where cyber resilience is in line with the organization’s risk appetite.” That is a challenge in itself, given that organizations often don’t have an updated and/or unified risk appetite statement.