A Founder’s Journey: A Blind Ad, A dream, and One Person Who Believed

It all started with a blind ad and one person that believed…

The summer after I graduated college, I had a BS degree in Finance (cue laughter) no job, and no idea of what I wanted to do. I responded to a blind advertisement looking for a customer service person – with no inkling that my life would be forever changed by the experience, and that this was just the beginning of my career at the nexus of global supply chains and technology.

My first boss (we’ll call him ‘Ron’) did a herculean job of funneling my energy into, first, process re-engineering every department in the supply chain headquarters for a major retail brand, and then serving as the #2 person for a brand-new technological capability – building an inventory management system for that global brand’s entire supply chain. Today, my role would be called product manager: I interviewed the users about their manual activities and then worked with the programmers on how to build and automate a solution.

From there my career progressed to leading similar initiatives on behalf of technology companies, traveling the world, and working with a wide variety of businesses ranging from automotive, to CPG, to food and agriculture. My final, and most critical, stop on this path was bringing that technology to the US Federal Government and the Dept of Defense.

During my journey I continually noticed the companies were focused on what was inside the building or their supply chains, but not what was outside – and paid no attention to whether or not those exterior factors and relationships were causing potential risks to their operations and success. This was the genesis for the concept of Interos.

In 2019 I met the one person who would believe in both me and my technology concept – Ted Schlein of KPCB – who led my Series A. In 2020, he was joined by Nick Beim at Venrock, who led my Series B. Just like my first boss, all it took was the support of a handful of believers to make the difference between a dream manifested and a dream deferred.

Today, we are exposed to many stories articulating the need for greater diversity in business – and specifically on my personal passion, building greater support for more women in leadership- to bring their energies and companies to scale. I couldn’t agree with these stories more.

To close out International Women’s History Month, I‘d like to celebrate some of the women who are already in the pipeline and making it happen, paving the way for the next generation of female entrepreneurship, and a more just and inclusive world of business.

A Few Female Entrepreneurs of Note

Muriel Siebert – It’s fitting to start with the woman who, arguably, started it all. Muriel Siebert, informally known as the “first woman of finance,” was the first woman to found a brokerage, the first woman to take a company she founded all the way to an IPO, and the first woman to hold a seat on the New York Stock Exchange. Siebert’s application for the seat was rejected nine times before she succeeded, and she accomplished it all without holding a high school diploma. Siebert credited her idea to buy a seat on the exchange to investor and friend Gerald Tsai. Despite the many obstacles she faced, her indomitable entrepreneurial spirit just needed the push of a single believer to help her change history.

Cathy Hughes – An American entrepreneur, DC public figure, and broadcast entertainer, Cathy Hughes became the first Black woman to head a publicly traded company when she took her media company Radio One (now Urban One) public in 1999. Hughes achieved all of this despite her family’s struggles with poverty and her station WOL is still the capital region’s most listened to radio station. In the 1970s, when Hughes aimed to purchase her first station, she was denied by 31 banks. All it took was one lender to see the promise in her ambition for her to take the first steps towards revolutionizing American radio. Today Hughes owns over 55 radio stations across the country.

Whitney Wolfe Herd – A recent addition to the growing ranks of highly successful female founders, Whitney Wolfe Herd became the world’s youngest female self-made billionaire in 2021, when her company, Bumble (maker of the eponymous, female-focused dating app), went public. Herd’s experiences grappling with the challenges of being a female technology executive led her to give this advice to aspiring businesswomen: “Cherish being underestimated,” she said in an interview with The Wall Street Journal. “That’s your superpower.” Herd credits the friendly belligerence of Russian entrepreneur Andrey Andreev, the founder of Badoo, a dating app with 330 million users, for energizing her to build Bumble after she weathered a storm of online harassment following her departure from Tinder, her previous company. Three years later, 17.5 million people had registered with Bumble, and the app has been responsible for more than 1.2 billion matches.

Sheila Lirio Marcelo – the founder and CEO of Care.com, the world’s largest online service for finding family care, including child care, senior care, and similar in-home services. Sheila’s vision began with a simple, maternal need: as a young college student, immigrant, and mother, she struggled to balance caring for her two sons, her ailing father, and school. Five years later, in 2006, she founded Care.com. Sheila ultimately raised over $111 million in funding before taking the company public. Sheila shares an early investor with Interos, Nick Beim!

Ruth Zukerman – a co-founder of SoulCycle and Flywheel, Ruth Zukerman’s rise to entrepreneurial stardom began with the acceptance that her career as a dancer would never take off. A Long Island native, Ruth had no exposure to business growing up. After attempting to make it as a dancer in New York with little success, Ruth began building a following as a fitness instructor for Reebok. Zukerman’s entrepreneurial career was kicked off when a dedicated student approached her about fronting her the money to open her own boutique spin business. With a single, devoted believer behind her, Ruth built a fitness empire.

Katrina Lake – The founder and CEO of Stitch Fix, the online personal shopping service, Katrina Lake started the company out of her Cambridge apartment while she worked on her MBA at Harvard. Buoyed by her experience consulting for the retail industry, and having watched her sister’s work as a buyer, Lake set out to create a data-driven styling solution that would make a tailored, personalized shopping experience available across America. At 34 she became the youngest female founder ever to lead an IPO. Stitch Fix’s success began with just 29 clients and the venture backing of Steve Anderson (Baseline Ventures) in 2011.

Beating the Odds

All of these women had to fight incredibly difficult battles against the odds, and against the system itself, to bring their vision to the world. But they couldn’t do it alone. At critical junctures in each of their careers, they found support from someone else. It’s my hope that these stories of success resonate with each one of you, inspiring you to pursue your dream or to be that one person who helps someone else achieve theirs.

And remember, it just takes one person to believe….

RSA 2021 Recap – Supply Chain Resilience & Techtonic Geopolitical Shifts

2020 was a global inflection point for supply chains – and so much more. Economic nationalism, a splintering internet, and geopolitical tensions were simmering long before 2020, but were accelerated by the pandemic. The global shock also deepened the growing divide between authoritarian and democratic ideologies around technology, expediting the emergence of distinct technospheres of influence. Driven by geopolitical shifts and the rapid evolution of emerging technologies, these techtonic shifts are already reshaping and redefining global supply chains. At last week’s RSA, I had the opportunity to discuss these global shifts and what forward-leaning companies should consider when seeking “Supply Chain Resilience in a Time of Techtonic Geopolitical Shifts”.

In addition to the horrific human toll, the COVID-19 pandemic marked the divide in the global order between the Before Times and the post-pandemic era.

A Tale of Two Techno-Ideologies

The Chinese model of digital authoritarianism has spread aggressively. The model leverages technology to surveil, repress, and manipulate domestic and foreign populations. The tools and tactics inherent in this techno-ideology increasingly wreak havoc on both citizens and supply chains. With the steady beat of digital supply chain attacks, internet shutdowns, digital sovereignty stifling cross-border data flows, and government surveillance and mandates to access data, the digital authoritarian model is taking root across the globe.

A counter-weight is starting to emerge based on the aspirational visions of a secure, open, trusted, and free Internet. This nascent digital democracy model is beginning to address security and privacy through a multi-stakeholder lens and prioritizes collaboration and cooperation as well as individual data rights and protections.

Just as these distinct approaches continue to accelerate the splintering of the Internet, they are now leading to a splintering of supply chains and the technologies that undergird them. Government and private sector entities alike are increasingly reimagining supply chains based on trustworthy networks – with a specific focus on trusted suppliers and products.

Techno-spheres of Influence

How are these divergent ideologies impacting global supply chains? There are (at least) three core areas: trade wars, regulatory shifts, and global hot spots. In each of these, geopolitics and diverging approaches to technology are changing the risk calculus and cost of doing business at home and abroad.

  • Global Trade Wars: Just as the weaponization of cyber has shifted power structures across the globe, so too is the weaponization of trade. Governments are increasingly seeking to leverage industrial policy for national interests. Weaponized cyber programs are being paired with specific industrial policies to threaten supply chains. As the IMF recently summarized, “Technology wars are becoming the new trade wars.” And these technology wars are further exacerbated by opposing perspectives on the rules and norms surrounding the use of technology.

These disputes continue to influence corporate decisions regarding reshoring, onshoring, as well as alternative suppliers especially when geographic concentration risks are considered. In recent surveys, almost a quarter of companies plan to relocate supply chains and three-quarters have enhanced their scope of existing reshoring. Tariffs and market pressures have driven many of these changes, but a shifting regulatory landscape provides additional fodder for reassessing supply chain resilience.

  • Regulatory Shifts: To offset the risks posed by digital authoritarians, democracies across the globe have begun to prohibit or restrict foreign technologies. The U.S. Departments of Commerce, Treasury, State, Homeland Security, and Defense have all produced an uptick in export, re-export and capital flows restrictions. As the chart below highlights, the Bureau of Industry and Security at the Department of Commerce alone has added over 350 different Chinese entities to restricted lists since 2019.

Many countries are also leveraging industrial policy, such as the patchwork of 5G restrictions within Europe as well as in India and Australia. China has also implemented its own unreliable entity list, which could pose further challenges for global brands. Finally, the data protection and privacy landscape provides one more layer of complexity. Many countries are crafting laws similar to the GDPR. On the other hand, some nations are creating regulations in the mold of Cambodia’s internet autarky, Kazakhstan’s government-issued root certificate (which, once installed, lets the state intercept users’ encrypted web traffic), and Ecuador’s all-seeing eye. All of these policy approaches introduce localized data risks.

  • Global Hot Spots: While great power competition dominates national security discourse, global supply chains are also impacted by a rise in instability. Cyber and emerging technologies have introduced asymmetric power, wherein small countries can have an outsized impact because of the minimal resources and low cost required to harness offensive cyber or emerging technologies. North Korea, Russia, and Iran are the usual suspects when considering the asymmetric nature of power, especially given the reach of campaigns such as SolarWinds or the Iranian and North Korean campaigns against the financial industry.

Similar capabilities are now available across the globe and further exacerbate instability and unrest. For instance, Vietnam and Lebanon both have advanced persistent threat groups (APTs) linked to global campaigns. Meanwhile, localized conflicts between Armenia and Azerbaijan, Western Sahara and Morocco as well as the Tigray region have integrated foreign-made drones and disrupted energy markets, trade routes, and manufacturing supply chains, respectively.

Building Resilience Amidst Techtonic Shifts

What can be done to build resilience under these dynamic conditions? First, a collective security approach is essential. As a Wall Street Journal logistics report noted, “A substantial investment in securing customer data at one company can easily be undermined by a supplier with weak financial incentives for safeguards.” Second, in preparing for the ‘new normal,’ avoid the inherent inclination to prepare for yesterday’s risks and disruptions. This is not simply a new Cold War or the end of globalization, but rather a new order that includes risks new and old. Finally, gaining visibility across your entire supply chain ecosystem – as well as the data that flows through it – is paramount. Data and privacy risks are increasingly localized, and borders do exist on the internet.

Of course, these ongoing global shifts introduce a range of challenges. Decoupling and reshoring are expensive, but it is important to keep in mind that this is not an all-or-nothing approach: we must prioritize based on criticality and dependencies. Keeping up with regulatory shifts is also increasingly difficult, especially since some of these changes may occur below the radar if you don’t have a way to track them. And of course, mental models are hard to shift. It’s easier to assume the new normal will look like the Before Times, but that could leave organizations ill-prepared for tomorrow’s disruptions.

Despite these challenges, there are also significant opportunities. Resilience can be a competitive advantage. Preparations now for the range of disruptions will pay off down the road. Collective security and collaboration can further strengthen resilience and help lead to more trustworthy and reliable networks. Finally, technology can help overcome blind spots and provide greater visibility and insights into the range of current and potential future disruptions.

Now is the time to either shape the future or be shaped by it. Based on the fascinating interactive Q&A session at RSA, there seems to be growing interest in these shifts and desire to do the hard work of building more resilient supply chains. Now it is on us to avoid a collective failure of imagination and reimagine supply chain resilience on par with these techtonic shifts.

New eBook Presents a Better Framework for Risk Management

“The Resilience Operations Center” updates supply chain security for a new world of risks

Note: The following is the foreword to our just-released book, The Resilience Operations Center: A New Framework for Supply Chain Risk Management. Get the full digital version here.

Risks Have Evolved—Why Hasn’t Your Risk Management?

When I began working in supply chain risk management (SCRM) over 20 years ago, third-party risk management (TPRM) was not a boardroom concern. The task was a begrudging necessity, a checkbox in the compliance process. This mentality persisted even as businesses became more interconnected and mutually reliant on a vast network of partners across the globe.

Those interdependencies, coupled with their growing complexity, introduced a litany of risks across the supply chain ecosystem. Except among a small cadre of risk management professionals and technology leaders, these risks were largely invisible, deprioritized, or ignored.

Then came COVID-19, SolarWinds, and the Suez Canal backup. The fragility of global supply chains became painfully apparent, the repercussions of which continue to reverberate across virtually every industry and corner of the globe. So many shocks so close together has made “Black Swan event” an outdated term. Such disruptions are no longer rare, unpredictable, or even shocking. It is not a matter of if similar events will occur, but when.

Operational Resilience: A Business Imperative

Recent events have exposed the symptoms of unchecked vulnerability:

  • Scrambling to cope with events as they happen
  • Wasting resources because of siloed teams, duplicated efforts, or poor communication
  • Brand damage from product or service disruptions or slowdowns

Being unprepared for such events is costly. That high cost, and the velocity and depth of disruptions, have triggered a reset in enterprise SCRM strategies, prompting dramatic re-evaluations of global interdependence and production. Organizations are trying to balance just-in-time production strategies with resilience recommendations, while also overcoming all manner of risks through better planning and more agile processes. The good news is that with continuous monitoring and the correct technologies, all are achievable.

As part of this reset, forward-leaning organizations are adopting new approaches to SCRM and setting their sights on Operational Resilience—the ability to continue providing products or services in the face of adverse market or supply chain events. While the path to achieving supply chain continuity and security varies by industry, the benefits are clear and universal. Organizations that achieve Operational Resilience can:

  • Continuously monitor for potential risks and proactively make adjustments to minimize and potentially prevent disruption
  • Quickly identify disruptive events to evaluate exposure, find alternatives, and respond fast
  • Anticipate, model, and plan for possible scenarios and build the organizational skills to address and respond to these challenges

Businesses and organizations targeting Operational Resilience recognize the need to monitor a wide range of risk factors, including financial, cyber, regulatory, operational, geopolitical, and environment/social/governance (ESG). But the complexity goes even deeper, as they must also operate in an environment of ongoing digital revolution, climate change, the global resurgence of authoritarianism, and the push for sustainable procurement. These and other sweeping changes are upending business ecosystems and the systems of risk management upon which they are built.

The Rise of the Resilience Operations Center

Existing SCRM systems are outdated—the spreadsheets and questionnaires are inadequate for risk detection, and they certainly can’t help modern, competitive organizations mitigate damage and loss. A new framework must be brought to bear on this seemingly intractable problem—the need to gain solid footing and foster resiliency amid ongoing and increasingly complex disruptions.

The Resilience Operations Center (ROC) meets these needs and more. It represents a new approach to modern supply chain security and continuity, delivered through an enterprise-wide framework that ensures risk management objectives are tied to organizational goals. It brings previously siloed groups together to form agile and informed teams that are empowered to use data intelligently and react quickly to changing circumstances. We’ve seen the ROC framework deployed in a variety of industries, and our customers are using ROCs to dramatically change outcomes for the better.

A ROC is so effective at fostering Operational Resilience because it helps organizations overcome difficult internal challenges, including:

  • Shifting behavior from response to prevention. Deep, comprehensive planning helps teams anticipate events, evaluate alternatives, prevent disruptions, and model all scenarios and options. Reacting to events as they happen is not sufficient in today’s competitive market.
  • Making risk management an organization-wide job, not the domain of one person or team. Most approaches to managing risk are siloed within business units, such as procurement, supply chain operations, and IT, or in single focus organizations, such as information security and compliance. When everyone is a stakeholder, organizations improve how they coordinate, collaborate, prepare, and respond.
  • Managing risk beyond the walls of your company. Organizations rely on an extensive network of suppliers and partners for developing and producing their products and services. Identifying relationships in the extended supply chain to the Nth tier helps organizations decide if those connections are good or bad business choices, thereby identifying and preventing potential risk. And, most importantly, remember that you are a third party to myriad other organizations, which are now looking at you through their own risk management lens.

Operational Resilience—It’s Simply Good Business

Through years of experience seeing client challenges up close, I’ve become even more convinced that cutting-edge technology can help organizations modernize and reset their approach to third-party risk management. This led me to create Interos, the world’s first multi-tier, real-time SCRM solution.

But technology, no matter how efficient, can only go as far as individuals and organizations are willing and able to take it. While our platform is a powerful engine for improving risk management and gaining transparency across the supply chain ecosystem, without a complementary organizational framework, the problem remains unsolved.

There is no one-size-fits-all approach to risk management. The concerns of a multinational manufacturer are vastly different than those of a mid-size financial services entity, but the ideas and principles contained in this volume can be modified to suit the needs of almost every organization. It contains ROC tactics, techniques, and procedures organizations can use to determine the proper scope of their risk management activities, construct plans for those activities, and execute on them. It provides a foundation that multiple stakeholders—including procurement officers, finance professionals, cybersecurity personnel, and compliance leaders—can use to plant their feet firmly and begin the important work of securing the continuity of their enterprises.

There is an urgency to adopt a more robust form of third-party risk management to mitigate the continuing fallout from COVID, SolarWinds, and the other inevitable shocks yet to come. That, of course, is the aim of this book. With a focus on providing clear, concrete, and actionable steps, we believe this guide will help you begin to build Operational Resilience into your organization and throughout your supply chain. Because Operational Resilience is simply good business. So, let’s begin.

Biden EO on Climate-related Financial Risks Sends Clear Mandate to Clean Up Global Supply Chain

Hot on the heels of the recent Cybersecurity Executive Order (EO) and February’s order on securing the supply chain, on Thursday, May 20th, the Biden administration published another EO, this time on climate-related financial risk. The order instructs federal agencies to take steps to identify and mitigate the financial impacts of climate change to citizens, federal programs, and businesses.

The order outlines the clear danger posed to global supply chains by climate change. It also articulates the need for quantifiable metrics to assess climate-driven supply chain risk and financial risk, as well as the need to integrate those metrics into broader risk models.

The need to address these long-standing risks is clear. 2020 saw an unprecedented rise in climate-related natural disasters. In the first nine months of the year alone, 16 separate weather disasters each caused more than $1 billion in direct damages, plus untold losses from supply chain disruption. In some places, sea levels are rising as fast as an inch per year. While no single government action can address the staggering impact these disruptions have on supply chains and economic activity, the EO is certainly an impressive and thorough start.

Breaking Down the EO

Beginning with an overview of policy objectives, the EO directs senior policy advisors, the Secretary of the Treasury, and the Director of the Office of Management and Budget to develop, within 120 days, a comprehensive strategy for the “measurement, assessment, mitigation, and disclosure of climate-related financial risk.” There are certainly immediate steps agencies can take to identify their own risk, but any realistic measurement of the true impact of climate-related financial risk must include a deep and continuous analysis of an agency’s supply chain.

The order also makes a clear call for better information sharing of climate-related financial risk information, instructing the Financial Stability Oversight Council (FSOC) to facilitate “the sharing of climate-related financial risk data and information among FSOC member agencies and other executive departments and agencies as appropriate.” This kind of information sharing has historically proven to be a challenge in and outside the federal government, with many organizations struggling under the burden of siloed, legacy systems that use inconsistent metrics and monitoring methods.

This EO makes a clearer case than ever for agencies to adopt common-use tools that can monitor climate-related financial risk, and seamlessly share that information for maximum, government-wide benefit.

The order further instructs several federal agencies to begin a comprehensive review of existing climate-related financial risks to “ensure that major Federal agency procurements minimize the risk of climate change, including requiring the social cost of greenhouse gas emissions to be considered in procurement decisions and, where appropriate and feasible, give preference to bids and proposals from suppliers with a lower social cost of greenhouse gas emissions.”

Measuring the Social Impact of Climate-related Financial Risk in Supply Chains

The EO also immediately directs the Federal Acquisition Regulatory Council (FARC) to consider amending the Federal Acquisition Regulation (FAR) to require major federal suppliers to disclose not just “greenhouse gas emissions and climate-related financial risk” but also to require “the social cost of greenhouse gas emissions to be considered in procurement decisions and, where appropriate and feasible, give preference to bids and proposals from suppliers with a lower social cost of greenhouse gas emissions.”

Should the FARC agree with this recommendation, there would be an immediate and immense impact to Federal contractors. Objectively assessing and reporting on the often indirect, but very real, social impacts of climate-related financial risk could prove a difficult task without widespread adoption of intelligent tools that can comprehensively measure and report on an organization’s entire supply chain ecosystem.

The order also directly countermands rules set in place by the Trump administration, directing the Labor Secretary to undo actions taken by the previous president that sought to stop investment firms from accounting for ESG factors in managing pensions and retirement accounts.

While the specific outcomes of this EO are still up to choices made at the agency directorate level, when taken in context with other global regulatory actions, such as Germany’s Initiative Lieferkettengesetz or the EU’s Sustainable Finance Disclosure Regulation, a clear mandate emerges: governments are beginning to put teeth behind their words and are prioritizing climate and ESG risk as a key area of concern. A time is coming when organizations can no longer skate by on just their word. They will have to provide detailed and objective proof of their commitment to a sustainable environment and to mitigating risks from climate change across the entire global supply chain.

Interos

The Interos cloud solution gives you an instant and continuous view of climate-related financial risk across every connection in your digital and physical supply chains. With the power of artificial intelligence and machine learning, any organization can create a living map of their business ecosystem so they can monitor ESG and financial risk in real time, model scenarios, and predict outcomes. Learn more here, or contact us for a demonstration.

New Cybersecurity Executive Order Pivots Supply Chain Risk Management

What it Means for Your Digital Relationships and Your Software Bill of Materials

Following the February executive order concerning supply chain risk management, on May 12, 2021, the White House issued one of the most robust, far-reaching directives on improving cybersecurity monitoring and response at the U.S. federal government level. The Biden administration’s Executive Order responds to meddling in our elections, cyber espionage by foreign governments, ransomware attacks, intellectual property theft, and other cybercrimes by criminal gangs.

With operational resilience on everyone’s radar, the news comes at a sensitive time. The order provides instructions to various government agencies focusing on the software supply chain. It also includes a directive to develop and use a Software Bill of Materials (SBOM). The order mandates the adoption of SBOM by large government supply chains and will change how software is supplied to U.S. federal agencies in the years ahead. The new regulations, one can assume, will also influence commercial and international markets to adopt SBOM standards set by the U.S.

The move by the Biden administration – and its focus on the SBOM – should be heartily embraced by industry. A huge, unavoidable challenge to today’s “fragile” supply chains that extend around the world is the simple fact that both physical (hardware) products and software are made from many components from many suppliers – permitting unwanted access by unauthorized actors (nation-states, criminal gangs) and leading to massive disruption, intellectual property theft, extortion and beyond. The response must be to ensure that components (physical and/or digital) are trustworthy (uncompromised) and come from vetted suppliers.

A Government Call to Action

For decades, in the physical supply chain realm, companies conducted inspections and verification probes into real and potential risks stemming from the product, component, and factory level; now, with the White House cyber EO, we have a US government call-to-action for the private sector to do the same kind of inspections and probes into the subcomponents of the software we all have been using for decades. SBOMs – at appropriate levels of transparency, depth and accuracy – allow us to identify all the different developers of the software that we are using — and any attendant risks.

Before we dive into why the SBOM directive in the Biden cyber EO is a highly laudable move – providing guardrails for preventing compromised components from entering digital supply chains – let’s provide some background.

What Is a Software Bill of Materials?

A software bill of materials (SBOM) is a hierarchical, machine-readable inventory of all open source and third-party components present in a codebase. It also records the relationships (dependencies) between those components, their suppliers, and their version information, from which patch status can be derived. Two widely used machine-readable formats are SPDX and CycloneDX.

To create transparency and standardization across software supply chains, the National Telecommunications and Information Administration (NTIA) is leading an effort to develop national SBOM guidelines and formats. The effort began ahead of the expected executive order. Expect much of the government’s SBOM practices to be based on the NTIA’s work.

The Benefits of Adopting SBOM

The expected benefits and use cases for SBOMs are numerous since they affect all software development phases, both for the creator and consumers.

Software creators can use an SBOM to replace outdated development tracking tools and manual spreadsheets. Most software today uses multiple open-source libraries bundled into the final product. Tracking open-source software is especially challenging for the software developer. It involves a vastly diverse array of suppliers, ranging from huge, well-funded organizations providing updated software to volunteer-supported projects for decades-old software. By creating a well-documented set of software components, producers can simplify development and patching and reduce costs.

New Cyber Threats in Software Supply Chain Security

Supply chain security was traditionally concerned with counterfeiting and other supplier compromises. Recently there has been a greater focus on third-party and supply chain risk management. This includes products compromised at the factory or software-development level that are then purchased and deployed into the network. After installation, the compromised nodes survey the network. They then contact the command-and-control system owned by the cybercriminals. This lets them know their product is online.

Cybercriminals, often nation-state bad actors, exploit this compromise to gain access to the entire network. The SolarWinds compromise—engineered by Russian state agencies—is a well-known example of this type of highly proliferated attack. More of these attacks have occurred with other vendors. Since they have been successful, cybercriminals will continue to exploit them.

These “supply chain” cyber-attacks work by exploiting a software component of a built product (e.g., an innocuous-seeming software upgrade). They are distinct from traditional perimeter-penetration hacks. It is much easier to compromise a library or third-party software bundled into the main software build. The compromise can be made on-site or even at the source. The practice of development teams using open-source or third-party software is very common. It is routinely used for tasks like encryption or data input to streamline development.

Unfortunately, open-source software may have vulnerabilities and weaknesses that go unmitigated, given the projects’ lack of resources. The Heartbleed bug in the open-source OpenSSL cryptographic library is but one example. OpenSSL was included in thousands of software solutions but maintained by minimal part-time staff. When researchers found the flaw in the OpenSSL cryptographic library, it was difficult to correct and replace. Cybercriminals clued into the flaw, scanned for this version of OpenSSL in deployed software, and exploited it where possible.

To resolve these issues, developers need to identify the exact version of the software library, open-source code, and tools. SBOMs will replace manual processes to collect and manage this information. This will happen because of the new responsibilities the US federal government has placed on software solution providers.
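As an added illustration of the SBOM definition and the OpenSSL point above (example code, not Interos code and not a real SBOM), the following Python walks a constructed CycloneDX-style SBOM, compares each component’s exact version against a constructed advisory record, and reports the dependency path from the product down to the affected component. The SBOM contents, the advisory record and the OpenSSL version range it carries are all assumptions made for the example.

```python
"""Flag SBOM components that fall inside an advisory's affected version range and
show how the product reaches them. Constructed sample data throughout."""
import json
import re
from collections import deque

# Constructed SBOM in CycloneDX JSON shape (sample data, not a real product).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "inventory-service", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "curl", "type": "library", "name": "libcurl", "version": "7.35.0"},
        {"bom-ref": "ssl", "type": "library", "name": "openssl", "version": "1.0.1e"},
        {"bom-ref": "zlib", "type": "library", "name": "zlib", "version": "1.2.11"},
        {"bom-ref": "ssl2", "type": "library", "name": "openssl", "version": "1.0.2k"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["curl", "zlib", "ssl2"]},
        {"ref": "curl", "dependsOn": ["ssl"]},
    ],
})

# Constructed advisory record; the affected range is an assumption for the example.
ADVISORY = {"name": "openssl", "title": "Heartbleed",
            "affected_min": "1.0.1", "affected_max": "1.0.1f"}


def parse_version(v):
    """'1.0.1f' -> (1, 0, 1, 0, 'f'); numeric parts padded so tuples compare safely."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + (m.group(2),)


def in_range(version, lo, hi):
    """True when lo <= version <= hi under the ordering above."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def load_sbom(text):
    """Return (root ref, components by ref, dependency graph by ref)."""
    doc = json.loads(text)
    root = doc["metadata"]["component"]
    comps = {root["bom-ref"]: root}
    for c in doc["components"]:
        comps[c["bom-ref"]] = c
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return root["bom-ref"], comps, graph


def dependency_path(graph, root, target):
    """Breadth-first search from the product to the component; None if unreachable."""
    prev = {root: None}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in graph.get(cur, []):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def find_affected(sbom_text, advisory):
    """List every matching component whose exact version is inside the advisory range."""
    root, comps, graph = load_sbom(sbom_text)
    findings = []
    for ref, c in comps.items():
        if c["name"] != advisory["name"]:
            continue
        if in_range(c["version"], advisory["affected_min"], advisory["affected_max"]):
            path = dependency_path(graph, root, ref)
            findings.append({"ref": ref, "version": c["version"],
                             "path": [comps[r]["name"] for r in path] if path else None})
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORY):
        print(f"{ADVISORY['title']}: {f['ref']} {f['version']} via {' -> '.join(f['path'])}")
```

Only the 1.0.1e copy pulled in through libcurl is reported; the 1.0.2k copy linked directly by the product is outside the range and stays quiet, which is the version precision the paragraph above is asking for.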

The Future of SBOM: Fully Assess and Monitor Software Supply Chains

SBOM integration will enable developers to identify and manage the vendors providing software in their software supply chains. Without SBOM, much of this information would not be available. The data provided by the mandated SBOMs will allow organizations to create detailed maps of the extended software supply chain for the first time, immensely improving supply chain risk management.

That is just the beginning. With a map of the software supply chain, organizations can assess each software provider’s risk and monitor impacting events. This can be done across a host of factors, from cyber hygiene to financial risk. Development teams must decide whether to replace an open-source solution if the provider goes out of business or stops providing updates. Financially weak vendors may be a leading indicator of potential risk. Another indicator could be where the software vendor is located. This would be a form of geopolitical, governance, or compliance risk. And the biggest issue could come down to seeing the announcement of another breached vendor and not knowing whether that vendor or its customers are in your supply chain.

SBOM – as a new standard developed in the months ahead – will launch a dramatic change to traditional software supply chain risk assessment. This new methodology will provide real-time, highly accurate data to cybersecurity and procurement teams to proactively reduce risk. At the enterprise level, SBOM and the awareness it brings will reduce costs and speed development.

Operational Resilience and Software Supply Chain Risk Management

Governments and businesses are waking up and responding to a new world of risk. Planning and visibility—those are the keys to resilience, agility, compliance, and good business. The Interos cloud solution gives you an instant and continuous view of every connection in your digital and physical supply chains. With the power of artificial intelligence and machine learning, any organization can create a living map of their business ecosystem, including SBOM elements, so they can monitor actions in real time, model scenarios, and predict outcomes. Learn more here, or contact us for a demonstration.

Securing America’s Software Supply Chains From Attack: Biden’s Executive Order on Cybersecurity

A major oil pipeline shuts down. Ransomware halts city operations and online systems. A new banking trojan spreads across Europe. This may seem like an extraordinary week in cybersecurity. But, unfortunately, these kinds of ‘Black Swan’ events are no longer Black Swans. Recent incidents—including SolarWinds, Exchange, Pulse Secure, and Codecov—further demonstrate that cybersecurity and the resilience of supply chains are inextricably linked.

As the global cyber threat landscape has exploded in actors (state-sponsored, criminal organizations, and privatized non-state organizations), tools, and techniques, there has been little federal movement in cyber policy focused on strengthening defenses to counter such a diverse array of threats and interdependencies within and across organizations. However, with the publication of the Executive Order on Improving the Nation’s Cybersecurity, there is a new focus on cyber defenses and potentially the start of a significant paradigm shift in cybersecurity. As the order notes, “Incremental improvements will not give us the security we need.”

Bolstering Both Digital and Physical Security

Coming on the heels of February’s Executive Order on America’s Supply Chains, which aims to build more resilient, secure, and diverse physical supply chains, this Executive Order similarly prioritizes supply chain security. In contrast, it focuses, rightly so, on the urgent need for enhanced digital supply chain security while also addressing information sharing, data breach notification, modernized security standards, and safety. Together, these core themes further highlight a shift toward defense and private/public sector collaboration before, during, and after a cyber incident.

  • Software supply chain security: New guidelines and criteria for evaluating software security will be established, focusing on the security practices of both developers and suppliers. A Software Bill of Materials (SBOM)—a formal record of the various components and supply chain relationships used to build software—will be required for each product. The process to create these SBOM guidelines will begin immediately, with initial findings published within 60 days. A labeling scheme will also be explored to inform consumers of the security of their products.

  • Information sharing: The dissemination of timely information across federal agencies and the private sector regarding risks and threats will be facilitated through the reduction of contractual barriers that limit information sharing as well as standardization of the data.

  • Data breach notification: Contractors will be required to report breaches on a graduated severity scale. Similar to the European Union’s General Data Protection Regulation breach notification, companies partnering with the federal government will be required to disclose the most severe breaches to the federal government within 72 hours. While the U.S. lacks a federal data breach notification policy, there are bills underway to replace the patchwork of 54 data breach notification laws across all 50 states, the Virgin Islands, Puerto Rico, Guam, and Washington, DC.

  • Security standards: With an emphasis on modernizing cloud-based services, a Zero Trust security model formalizes many of the recommendations the security industry has been advocating for years, such as multi-factor authentication and encrypted data at rest and in transit. Organizations will have to demonstrate adherence to these requirements and also follow an incident response procedures playbook.

  • Safety: A new Cyber Safety Review Board comprised of both private-sector and federal representatives will be established, including cybersecurity and software suppliers, to review incidents and make recommendations. This may be modeled on the National Transportation Safety Board. The actual scope—including membership and the kinds of incidents to be evaluated—will be determined in the upcoming months.

The executive order stresses the need for strengthened defensive postures and processes at all phases of an incident, emphasizing a more proactive approach to a defense that has largely been reactive. This includes gaining greater visibility of suppliers and working toward building trustworthy and transparent systems through a modernized approach to cybersecurity. Importantly, this applies not only to your organization’s security but to security across your entire supply chain network. The introduction of security standards and information sharing demonstrates the emphasis on collective security to help target and reduce vulnerabilities across the entire supply chain. The days of a “perimeter defense” are gone and, as the executive order articulates, the public and private sectors must work together for the collective security of all.

Operational Resilience: Public- and Private-Sector Collaboration

While the executive order is already framed as a response to the Colonial Pipeline attack, in reality it has been months in the making. Following the breadth and depth of the state-sponsored SolarWinds intelligence-gathering attack that targeted at least nine federal agencies and hundreds of private sector organizations, administration officials began circulating various components of the executive order. It is just one component of a nascent strategy shift focused on strengthening security, creating more resilient supply chains, and building trusted networks within the U.S. and with like-minded partners. With this steady drumbeat of high-profile breaches and localized, financially motivated ransomware attacks as in the Colonial Pipeline hack, the executive order may be a harbinger of many regulatory changes to come as the federal government seeks to modernize cybersecurity and technology policy—strengthening defenses, securing supply chains, and ultimately bolstering operational resilience—for an era of technological competition and geopolitical friction.

As Bob Brese, former CIO at the U.S. Department of Energy and a current board advisor to Interos, observes: “Broadly enhanced cybersecurity improvements are critically needed. However, as articulated in the Executive Order on America’s Supply Chains, cybersecurity is one of many lines of effort necessary to ensure operational resilience for companies and government organizations as well as to enhance our nation’s economic and national security resilience. We can’t let this need to improve cybersecurity lead us to drop the ball on the other supply chain risk factors impacting operational resilience.”

Nested Networks: Hidden impacts to Supply Chain Risk Management & Operational Resilience

The ongoing crises of the past 15 months have practically upended supply chain risk management. COVID, SolarWinds, Texas power outages, microchip shortages, backed-up waterways, a massive cargo ship stuck sideways in the Suez, and other incidents have threatened the stability of the global economy. These disasters have prompted organizations to rapidly uncover their reliance on “nested networks,” groups of suppliers that are hidden from conventional visibility but are crucial to continued operations.

To achieve operational resilience, organizations must continue to rethink how they look at supplier relationships and these nested networks. Only by visualizing and understanding these connections can organizations finally better anticipate and quantify supply chain risk.

Visualizing the Nested Network in Your Supply Chain

Your primary supply chain network is mostly one of business relationships. You buy parts, raw materials, services, and software from a wide variety of vendors—some large, some small, some foreign, and some domestic. Most large companies have global footprints, whether they want to or not.

Nested Network Layer 1: Business Network

Imagine your primary supplier of microprocessors has a fire at one of its factories and you don’t maintain a mountain of inventory. Assuming you can’t easily substitute another vendor, that’s a major production problem for your business. This is a first-tier network disruption that is probably obvious to your organization and easily discoverable through traditional supply chain risk management methods.

Nested Network Layer 2: Transportation

Most goods and services need to be physically transported somewhere else to be consumed. If you are a fashion retailer in New York buying denim pants from a factory in Pakistan, do you have a business relationship with the Suez Canal Authority? No? Well, of course you do, because those articles of clothing go into a container, which goes on a ship that travels through a waterway like the Suez Canal before being unloaded in New York. The maritime, air, rail, and trucking networks of the world are embedded in your business, often out of sight and out of mind. You might think that the transportation and logistics network is also obvious and easily quantified and visualized. Maybe. But that’s not the end of the nested—and often hidden—network.

Nested Network Layer 3: Money

In order to have those denim pants shipped to you, you probably needed to pay someone. Money needed to change hands, and since it’s unlikely you pay all your vendors in cash out of the back of your loading dock, you are depending on yet another nested network.

Money movement is sometimes opaque and difficult to understand. How exactly does the money from your account at your local bank make its way across the world and into another business’s account in a verifiable and trusted way? If you said, “via a nested network,” you get a gold star. These networks include routing systems like Fedwire, CHIPS, ATM, ACH, SWIFT, and even cryptocurrencies such as Bitcoin, Ethereum, and many others. ACH networks get defrauded; ATM networks can go down. These financial networks don’t get disrupted often, but, as we’ve learned, disruptive events are out there, they are happening more often than ever, and organizations need supply chain risk management approaches that can anticipate such unlikely, but disastrous, eventualities.

Nested Network Layer 4: Telecom

Different from cyber or the internet, telecom is a mix of technologies, some dating back 100 years, that includes plain old telephone service (POTS) lines, microwave towers, submarine fiber optic cable, telco hotels, and LTE/5G. I will also lump GPS in there as well, realizing it could also fit in several places. Thick copper and fiber optic cables snake around the world going into peering exchanges, central switching facilities, across bridges, through tunnels, under shipping channels, and onto rocky beaches. Satellites and ground stations plug into those cables literally and metaphorically. You can have multiple offices, maybe even multiple data centers, all being fed off the same cable. And sometimes weird stuff happens to those cables—unexpected things involving ship anchors and backhoes. Your digital data supply chain is just as vital as your physical one. But it’s not as visible, and unless you truly understand how it works, you can easily have a false sense of security and resilience.

Nested Network Layer 5: Cyber

Cyber networks are related to telecom, but they are substantially different. Cyber is really all about today’s internet and our dependence on that specific slice of communications technology. You would be hard pressed to come up with a list of big companies that don’t depend on cyber networks to conduct business. That means they are also dependent on yet another hidden network.

There are foundational technologies networked together that lurk right beneath the surface, controlling how your data moves across the internet. The Domain Name System (DNS) and the Border Gateway Protocol (BGP), which route enterprise-critical information over the internet, are based on trust, are distributed on servers all over the world, and are not nearly as robust as you might think. If you’re sending data from the U.S. to Italy, should it take a detour and route through China? Probably not, but that’s what happened in 2016 when China Telecom exploited BGP to route internet traffic through its domestic cyber infrastructure rather than letting data take the most efficient path. In 2010, China (accidentally?) slurped up 15% of all internet traffic for 18 minutes by misconfiguring some BGP settings.

The threats and vulnerabilities to your company’s cyber operations are well documented and hard to miss. Phishing emails, ransomware, bot-based distributed denial-of-service attacks, and malware propagation have become household words at this point, and they rightly get most of the attention. However, the hidden network of technologies behind the internet is a tempting target and ripe for disruption. The question is: Where does your organization’s cyber infrastructure intersect with the larger internet, and how can your supply chain risk management function better anticipate and prepare for situations where everything is not working as it should?

Gaining Insights and Visibility into the Complexity of Your Nested Network

Your supply chain is an interwoven group of visible and hidden nested networks that tend to behave normally most of the time but are subject to chaotic interactions that are nearly impossible to predict or anticipate. You may be aware of some of the critical weak points, but it is increasingly difficult to know them all at any given moment in time.

If you expand your collective definition of what constitutes the supply chain to include the concept of nested networks, you can better frame the problem. You can take advantage of new and existing technologies — such as all-source data fusion, anomaly-event detection, time-series forecasting, and dependency graphs — in ways that will change how you see and manage your supply chain.

You can’t be immune from supply chain failures, but you can be prepared. You can see and monitor your full supply chain down to the Nth tier, understand your nested networks, and achieve operational resilience. The right partner can help you identify the data, tools, and technologies you need to deal with these events when they occur. Reach out to us to see how.

Interos Launches Campaign to Address Need for De-Risking the Global Supply Chain to Ensure Business Operational Resilience and Global Economic Health

AI-based Platform Continuously Monitors 50 Million Global Suppliers Across 85,000 Data Sources and 250 Million Risk Events Per Month

ARLINGTON, Va., May 03, 2021 (GLOBE NEWSWIRE) — Interos, the operational resilience company, today launched a global call to arms for operational resilience in response to worldwide demand for immediate, end-to-end, and continuous supply-chain risk monitoring. The company will launch a multimedia campaign in partnership with strategic and creative agency, Amsterdam Berlin.

The pandemic has crystallized the need for an immediate focus on supply chain risk management. Unprecedented events — from massive cyberattacks to physical blockages at the Suez Canal — have put additional pressure on government entities and companies of all sizes to gain full visibility of their global supply chains, and to identify and eliminate potential risk factors across their supplier networks.

Interos has been tapped by government agencies and Fortune 500 companies to continuously monitor their global suppliers and business partners for risk across a wide range of factors. In February 2021, the company reported continued unprecedented demand since 2019 as platform bookings grew by 354%, recurring revenues grew by 133%, and their workforce grew by 132%.

“Supply chains have reached a critical inflection point, and blind spots can have massive implications,” said Jennifer Bisceglie, CEO, Interos. “End-to-end supply chain risk visibility is a critical component of operational resilience. Our customers across sectors have made it their top priority — from U.S. federal agencies, to aerospace and defense, airlines, banking, and insurance companies. This is a Big Data problem that can only be solved through the application of AI and machine learning.”

Interos enables customers across the financial services, aerospace & defense, technology, healthcare, and CPG industries to identify and avoid dangerous hidden risks and disruptions in their supplier networks. The platform monitors suppliers across key risk factors – financial, operational, environmental, social, governance, geographic, and cybersecurity. The Interos ad campaign for operational resilience, launching this week, will appear across major outlets such as The Wall Street Journal, The New York Times, and Washington Post. Outdoor advertising in New York City and Washington DC is also part of the multimedia mix.

“Interos is a very special company doing something essential to a better future,” said Brian Elliott, Chairman, Amsterdam Berlin. “Based on many years of experience working with global brands and with emerging challenger brands, we went first on a strategic process of discovery, interviewing business and government leaders and stakeholders, to arrive at the truth of the Interos brand, and the truth of this moment. And this, in turn, inspired our creativity.”

To learn more about Interos, visit www.interos.ai.

About Interos
Interos is the operational resilience company — reinventing how companies manage their supply chains and business relationships — through our breakthrough SaaS platform that uses artificial intelligence to model and transform the ecosystems of complex businesses into a living global map, down to any single supplier, anywhere. Reducing months of backward-looking manual spreadsheet inputs to instant visualizations and continuous monitoring, the Interos Operational Resilience Cloud helps the world’s companies reduce risk, avoid disruptions, and achieve superior enterprise adaptability. Businesses can also uncover game-changing opportunities to radically change the way they see, learn and profit from their relationships.

Based in Washington, DC, Interos serves global clients with business-critical, independent relationships across their primary operational areas: supply chain, financial, cybersecurity, regulatory and ESG compliance, and geographical. The fast-growing private company is led by CEO Jennifer Bisceglie and supported by investors Venrock and Kleiner Perkins. For more information, visit www.interos.ai.
