Managing Supply Chain Havoc

Published on 18th June 2020 Author: Rob Black

I have been an Amazon customer since 1999 and a Prime member for over a decade. Until recently, I have been pleased — thrilled, on occasion — by Amazon’s ability to deliver (literally) on its promise of fast and reliable service.

Lately, however, and even though I continue to pay for two-day shipping through Prime, most things I have ordered over the past few months have been weeks in arriving.

Of course, I understand the situation. The company has been inundated with orders and it needs to prioritize. My six-pack of multicolored underwear (TMI?) should rightly take a back seat to more essential items.

That said, the delays have served to shine a bright light on how dependent I have become, both personally and professionally, on this one vendor.

For example, since our staff of five began working from home, we have had to order a bunch of office-related cables and devices in our effort to keep everyone as productive and comfortable as possible. Until now, Amazon was the obvious choice.

Suddenly, that’s all changed. I’ve had to scramble to identify and evaluate alternative suppliers. It’s been a hassle, and these aren’t even business critical needs for us.

Third-Party Vendors Must Be Part of Your Cybersecurity Program

The security planning for your business needs to encompass more than just protection against bad actors and unforeseen disasters. It must also include guarding against disruptions in your supply chain and, as a result, your business continuity.

For example, most of our clients are SaaS providers, companies that by their very nature have operations that can be handled remotely.

But even companies like these are dependent, to varying degrees, on key suppliers — vendors who themselves may not be able to perform adequately in the midst of a pandemic (or whatever). When they slow down, or stop temporarily, or even go out of business, then what?

At that point, unfortunately, and as my recent Amazon experiences have demonstrated, your options are limited. A better approach is to plan, now, for various disruption events and your associated responses.

Begin by assembling a complete list of vendors. Even for small companies, these may number in the hundreds. If you don’t have the list readily available, you can often export it from your ERP system or have someone on your technical team generate a list of libraries used in your software products.

Then categorize them into Tiers 1, 2 and 3, based on how business critical each one is to your operation. Put another way, how big a problem would you have and how quickly would it manifest if a given vendor shut down, right now?

Tier 1:

These are your key vendors, the ones whose smooth, ongoing operation is tied directly to yours. Amazon Web Services (AWS), MS Office 365, your code repository that holds all of your software source code, to name just a few.

In all cases, if they stop, you stop, which means you need a plan for managing this eventuality.

Write out your potential mitigations if any of these vendors were to show signs of trouble. During the course of this work, if you feel uncomfortable with what you uncover, evaluate other options and see if you can make the switch.

For Tier 1 vendors, make sure you really understand their cybersecurity and business continuity plans. Especially for smaller providers in this category (who are less likely to have robust plans), there is almost no amount of due diligence that is not worth your while.

Tier 2:

If Tier 1 vendors are like flour to a bakery operation (i.e., without this essential ingredient, everything grinds to a halt), Tier 2 vendors are like chocolate — you can probably weather the storm for a little while without them. Examples of these include Customer Relationship Management (CRM) or Data Analysis tools.

Here as well, and while they are less critical to your immediate needs than Tier 1, you’ll want to evaluate their cybersecurity and business continuity plans and identify alternatives, just in case.

Tier 3:

The majority of your vendors will fall into Tier 3. It includes things like social media management, mailing list solutions, video editing software, and other nonessentials. If they fail, you just switch vendors and go on as before, so it is not so important to dive deep regarding their contingency plans.

Do make sure, however, that you keep up-to-date backups of any important information that may be stored with these vendors and would be lost if they vanished, including mailing lists, customer histories, or original content you’ve developed, such as audio and video files.

Final Thoughts

Every business is dependent on the products and services of other companies to keep it running. That’s fine; I am not suggesting that you try and create a closed system, absent any vendor relationships (it’s not possible anyway).

I am saying, though, that you need to take a good look at where the weak links lie within your particular supply chain and make sure you have done all you can to limit potential interruptions.

Until then, I’m still waiting on my underwear.

To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

Rob Black, CISSP

Rob founded Fractional CISO in 2017 and has helped dozens of companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).