Almost 100 Chief Supply Chain Officers (CSCOs) participated in last week’s annual SCM World Leaders Forum. One of the sessions focused on cybersecurity, a topic that despite being so critical to supply chain is mostly misunderstood. Why? Protecting a company from a cyber-attack is not solely the responsibility of the IT department; it is much broader.
A recent IBM study outlines the financial impact that cybersecurity breaches can have on enterprises. The study states that the estimated cost of a data breach of 50 million records can total $350 million. That represents enough cash, and likely brand damage, to result in executives losing their jobs, potentially even within supply chain.
While headlines tend to focus on the theft of personal and financial information, that’s not the only target of hackers and cyber criminals. Products and physical assets such as industrial equipment and web-enabled devices are also at risk. That’s a huge concern in today’s digital world, where IoT-enabled digital business solutions like blockchain and autonomous trucks demand high levels of cybersecurity.
Paul Proctor, Gartner Vice President and Distinguished Analyst, who leads research on technology risk and cybersecurity for Gartner’s Chief Information Officer (CIO) community, says that what has become abundantly clear in the cybersecurity battle is that there is no such thing as “perfect protection.” Speaking at the Forum, Proctor emphasized that while many boards will lead you to believe they understand this, they really do not. They still believe this is a technical problem, best handled by technical people, buried in the depths of IT. Many board members believe cybersecurity can be solved simply by hiring the right people with the right technical knowledge, and that this will keep them out of the headlines with no attacks. Nice thought, but also naïve.
Bottom line, no matter how much money and resources you throw at the problem, you will never be 100% protected. The graphic below highlights the continuum against which we must make a conscious choice and balance risk with the needs of running the business.
Proctor stressed that risk management is an explicit recognition that there is no such thing as perfect protection. The organization must make conscious decisions regarding what it will do, but more importantly, what it will not do to protect itself. The decision must be considered with the risk stakeholders in the non-IT parts of the business, such as supply chain, and residual risk must be accepted.
Risk stakeholders have choices. They can choose to accept more risk at lower cost, or lower risk at higher cost. Although we are never perfectly protected, it is a legitimate business decision to choose to exist anywhere along this continuum. We don’t have to be the most protected organization on the planet, but neither can we choose to push endlessly to the right side, because there is a law of diminishing returns. Continuously pushing to the right will eventually have a negative impact on the business by harming efficiency, lowering customer satisfaction, and quite possibly causing long-term brand damage.
Although certain industries generally cluster around one end of this spectrum or the other, it is not sufficient to benchmark against a general industry. Critical to deciding on an approach is the ability to measure the business outcome of any downtime, and to be prepared to defend the approach taken. This is not done in a silo. This is where you — the CSCO — must play a key role with your C-level peers in helping the CIO decide what balance means for your organization.
Remember, as your business grows, it is crucial to continually re-assess how much risk is appropriate. The ultimate goal is to build a sustainable program that balances the need to protect with the complex needs required to run the business.
GVP, Supply Chain Research, Gartner