When I speak to clients and audiences on the topic of supply chain risk, I’m increasingly including the category of information security in the listing of top risks. The reasons are obvious and stem from increasing incidents of cyber-attacks on corporate networks where key information is pilfered. Earlier this month we penned a specific commentary that highlighted increased concerns for information security and IP protection related to operations in China, which falls under this same umbrella.
The London-based Information Security Forum (ISF) has released a research report, Securing the Supply Chain, which concludes that information compromised along the supply chain is just as damaging as that compromised within an internal organization. This report, which has been 9 months in the making, incorporates input from various ISF members. In its press release announcing the report, Michael de Crespigny, CEO of the ISF, is quoted: “Supply chains are inherently insecure and organizations can create unintended information risk when sharing information with suppliers. There is a ‘black hole’ of undefined supply chain information risk in many organizations; they understand and manage this across their hundreds or thousands of suppliers.”
This author had the recent opportunity to speak with Mr. de Crespigny regarding this new report. He shared recent research findings from the Ponemon Institute indicating that among U.S. companies, 41 percent of information breaches occurred from information compromise at a supplier. One of the areas we explored was the conflicting goals of nurturing an enhanced relationship with a key strategic supplier, which implies increased sharing of information. One of the first conclusions of the report is that the sharing of information with suppliers is essential, yet it introduces the added potential for information leaks. Supply Chain Matters has offered various commentaries noting how too much proprietary information related to products is leaked from lower tiers of the supply chain. Thus, enhanced information sharing has to be balanced against the importance of having robust information security practices.
In our conversation, CEO de Crespigny focused on the information-led, risk-based approach that various ISF members have developed jointly, based on their experiences. ISF has created what is termed a Supply Chain Information Risk Assurance Process, an audit mechanism to help companies identify and manage information risk among suppliers. Although we have not, thus far, had the opportunity to review the methodology behind this process, it has been designed to identify and monitor the suppliers that carry the highest potential information risk. It has further been formulated to fit into existing procurement and supply contract practices.
The report and methodology are available at no cost to ISF members, and for what was described as a reasonable fee for non-members.
Readers may want to assess this new methodology for addressing information security needs.