The Big Takeaway from the Kaseya Supply Chain/Ransomware Cyberattack

This month, the world of enterprise security was badly shaken, as the Russia-based cybercriminal syndicate REvil launched yet another high-profile ransomware attack. The group, responsible for the recent attack on JBS Foods, compromised Kaseya VSA, a remote monitoring and management (RMM) platform that Managed Service Providers (MSPs) use to administer their customers’ systems. Because an RMM tool is, by design, trusted to push software to every machine it manages, REvil was able to ride the software supply chain from Kaseya to at least 50 of its direct customers and on to somewhere between 800 and 1,500 small-to-medium sized businesses further down the chain.

This is not the first such attack, though it is REvil’s most ambitious (and successful) to date. Over the past year, we’ve endured SolarWinds, Colonial Pipeline, JBS Foods, and now Kaseya. This seemingly endless litany of supply chain-centric cyberattacks grows every week. As it does, companies and governments are simultaneously dealing with a host of other disruptions like COVID, the Suez Canal blockage, Brexit, international trade disputes, and more.

While these cyberattacks and global disruptors may appear dissimilar, having wildly varying causes and impacts, there is strategic value in considering them – and the supply chains they spread across – as a collective. Together, they represent a rapid learning opportunity for both adversaries and defenders – an open-source global weapons development program. The adversaries – hostile nation states and cyber criminals – are already studying these elements for future tweaks toward enhanced weaponization. So should we.

What have they Learned?

Every supply chain disruption – be it a successful hack, a natural disaster, or an international political dispute – increases the information adversaries and defenders have on the effectiveness of techniques, viability of targets, and the favorability of global circumstances. All of which can be mixed and matched, refined over time to discover not just the ideal avenue for an attack, but the optimal conditions of the greater supply chain and business ecosystem under which to conduct one.

Figure: Major REvil and DarkSide ransomware attacks

What everyone is learning is that the battlefield we’re on is considerably larger than previously imagined. We’re used to thinking about the enterprise as a collection of endpoints that need securing. The effectiveness of these supply chain shocks shows that our enterprises are also individual nodes of a much bigger macro-network. It’s a battlefield so large that drawing up a strategic defense using conventional tools and tactics won’t work. To do so effectively, we need to learn about this broader playing field in all of its dimensions – from enterprise networks to transportation/logistics tools to environmental and labor concerns.

Understanding the interplay between these elements is crucial. In addition to the direct damage done to Kaseya, this latest attack forced a Swedish grocery chain to close roughly 800 supermarket locations that could no longer operate their checkout software, interrupted Swedish rail service, and disrupted the operations of a Swedish pharmacy chain. A more holistic understanding of the possible knock-on effects of a cyberattack could have enabled defenders to better prepare for the situation or, at the very least, understand the level of digital concentration risk posed by having so many critical systems in one country connected to a single application.

Attacks like the recent strike on Kaseya have upended how we think about crime. Conventionally, an attacker strikes a single target and receives payment from that target. Today, attackers are able to use the supply chain to probe endlessly for small fissures in our digital armor, strike many victims simultaneously, and collect ransoms in cryptocurrencies that are difficult (though, as the partial recovery of the Colonial Pipeline ransom showed, not impossible) to trace.

Nested Networks

This is a problem of networks within networks. Consider the ongoing supply chain disruption facing the semiconductor industry. On the surface it’s a simple matter of demand exceeding supply. But when you examine it from a more holistic, networks-within-networks perspective, it becomes far more complex.

An expected, COVID-driven dip in automotive sales led to a reallocation in silicon production resources. When that dip failed to materialize at the same time as a spike in consumer electronics purchasing, combined with a litany of natural disasters affecting production: the great silicon squeeze was on. This representation is, of course, still greatly simplified from the reality of the situation, which involves thousands of companies, millions of workers, and impacts practically every person on this planet.

With a holistic understanding of multi-factor supply chain risk — how the non-obvious connections and dependencies were poised to amplify this shortage — we could have limited the impact, or strategically allocated resources. This problem of understanding exposure and how the supply chain can magnify small disruptions into massive ones, lies at the heart of the ransomware challenge as well. If we are to have a hope of preventing supply chain-based cyberattacks, understanding their potential impact, and mitigating the proliferated “fan-out” damage when they occur, we need to understand the entire picture.
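The “fan-out” described above can be measured rather than just described. The following is an added example (not code from the original post or from Interos): given a multi-tier dependency map, it computes each supplier’s blast radius (every organisation transitively downstream of it), groups the downstream nodes into tiers, and flags the suppliers whose compromise would reach the most organisations. The graph is constructed sample data with hypothetical names; only its shape (one software vendor, a few MSPs, many downstream businesses, plus a shared hosting provider) mirrors the structure the article discusses.

```python
"""Blast radius and concentration risk over a multi-tier supplier graph.

Added example; the dependency data below is constructed and hypothetical.
"""
from collections import defaultdict, deque

# Constructed sample data: supplier -> organisations that depend on it directly.
# Names are hypothetical; only the tiered shape matches the article.
DEPENDENCIES = {
    "rmm-vendor": ["msp-a", "msp-b", "msp-c"],
    "msp-a": ["grocer-1", "grocer-2", "pharmacy-1"],
    "msp-b": ["rail-ops", "clinic-1"],
    "msp-c": ["grocer-3"],
    "pos-vendor": ["grocer-1", "grocer-2", "grocer-3"],
    "cloud-host": ["rmm-vendor", "pos-vendor"],
}


def build_graph(dependencies):
    """Return (adjacency: supplier -> set of direct dependants, set of all nodes)."""
    graph = defaultdict(set)
    nodes = set()
    for supplier, dependants in dependencies.items():
        nodes.add(supplier)
        for dependant in dependants:
            graph[supplier].add(dependant)
            nodes.add(dependant)
    return graph, nodes


def downstream(graph, start):
    """Transitive set of organisations reached if `start` is compromised.

    Breadth-first search with a visited set, so cycles (mutual suppliers)
    terminate instead of looping.
    """
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(dependencies):
    """Map every node to the number of organisations transitively downstream of it."""
    graph, nodes = build_graph(dependencies)
    return {node: len(downstream(graph, node)) for node in nodes}


def tiers(dependencies, start):
    """Downstream nodes grouped by distance: tier 1 = direct customers,
    tier 2 = their customers, and so on."""
    graph, _ = build_graph(dependencies)
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    by_tier = defaultdict(set)
    for node, d in dist.items():
        if d > 0:
            by_tier[d].add(node)
    return dict(by_tier)


def concentration_risks(dependencies, threshold):
    """Suppliers whose compromise would reach at least `threshold` organisations,
    largest blast radius first (ties broken by name)."""
    radius = blast_radius(dependencies)
    return sorted(((node, r) for node, r in radius.items() if r >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, reach in concentration_risks(DEPENDENCIES, threshold=3):
        print(f"{name:<12} reaches {reach} downstream organisations")
    print("tiers below rmm-vendor:", tiers(DEPENDENCIES, "rmm-vendor"))
```

The point the numbers make is the one the article makes in prose: the RMM vendor sits one hop from three MSPs but nine organisations away from a clean shutdown, and the hosting provider that nobody downstream contracts with directly has the largest blast radius of all. Run over a real inventory (suppliers plus their suppliers), the same traversal is the first step in deciding where defensive resources and contingency plans should be concentrated.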

The Supply Chain Challenge

Kaseya is, in many ways, a microcosm of the entire problem. MSPs rely on the convenience of tools like Kaseya VSA to easily connect to and deploy software across complex ecosystems. This interconnectivity creates convenience but also magnifies the potential impact of a single attack: the same trusted channel that pushes patches to every managed endpoint can push ransomware to every managed endpoint. This is also true of the broader global supply chain, where the closeness created by globalization similarly magnifies the potential impact of any one supply chain disruption.

Both of these problems, the security concern and the greater, global supply chain problem, reflect the same fundamental security challenge (as described in Matt Tait’s excellent blog on the attack): defending a network or system with countless endpoints on the edge requires centralization of defensive resources; but that centralization inherently creates ideal attack points that, when compromised, immediately create massive risk to the entire system.

What’s more, both the Kaseya and SolarWinds attacks, though hugely impactful to a handful of customers and industries, are almost insignificant when compared to the potential impact of a similar compromise at one of the truly universal software providers. Imagine the situation if Amazon, Microsoft, Apple, or Google were similarly compromised. These organizations regularly push updates that reach virtually all consumer and enterprise computing resources on the planet. Their respective cybersecurity measures are obviously among the most stringent anywhere, certainly in the private sector, but the point stands.

To have a hope of blunting the inevitable impact of such a potentially devastating attack, security leaders, company C-suite leadership, and governments need to stop looking at the problem in isolation and begin considering the broader context. We must implement comprehensive, multi-tier, multi-factor, continuous risk monitoring across the entire supply chain if we are to understand how and where we are most vulnerable, and where to concentrate defensive resources. The goal is not only to survive these constant attacks, but to thrive in spite of them.

The Resilience Operations Center: Building Supplier Inventory and Leveraging Automation

The following is an excerpt from the Interos book, “The Resilience Operations Center: A New Framework for Supply Chain Risk Management.” Download the ebook or request a print copy here.

Operational Resilience and Determining Supplier Inventory

Having identified risks and assets, and with a clear understanding of the challenges and success factors to creating a Resilience Operations Center (ROC), the next important phase is determining your supplier inventory. Here are some important questions to answer:

  • What is the scope of your supply chain risk management (SCRM) program? Organization wide, including all affiliate companies? Limited to a specific business unit? Something else?
  • Do you have an inventory, and if so, how do you know that it is complete and includes your extended supply chain?
  • Do you know who your critical suppliers are and who their critical suppliers are?
  • Is there a database where supply chain inventory information is stored and managed? Or are there multiple databases where this information resides? Is the database automated or manual (Excel spreadsheet)?
  • What organization and supplier information do you collect as part of the new supplier onboarding process?
  • Do you categorize your suppliers into risk domains based on the products or services they are providing to your organization or, alternatively, on the functionality provided or information that you shared with them? What role does your information classification scheme play in this process?
  • Which lines of business in your organization have been granted exclusions from your standard procurement process (and may not have been included in the overall supplier inventory)? Does documentation exist for any exceptions that have been made?
  • How is the supply chain inventory kept up to date to maintain the confidentiality, integrity, and availability of your organization’s key products or services, business processes, and information?
  • How can you use the available information to achieve quick wins to build program momentum with management and your board of directors?

If you do not know the services or products that are provided by your existing suppliers, then a review of how your suppliers are onboarded and what information is captured upfront is an important place to start.

Supplier Inventory Building: Automated Discovery Versus Manual Survey

The manual survey methods for building your organization’s inventory likely have gaps or inaccuracies, given that they are based on reporting of supplier relationships by individuals. What if there was a more objective way to discover, evaluate, build, and continuously verify your supply chain inventory?

Emerging automated tools and platforms, ones that leverage multi-tier, multi-factor, and continuous inventory discovery processes, demonstrate this possibility. These tools can draw on a variety of artificial intelligence technologies, including machine learning and natural language processing. This makes it possible to fill in important gaps, remove overlaps, and resolve conflicts in supplier and subcontractor inventory tiers, while continuously validating and adding to your existing supplier inventory.

These tools provide actionable insights into and alerts of the risks introduced to your supply chain. They continuously monitor changes in supplier relationships and associated risk factors. Machine learning can be used to discern relationships from public, commercial, and private sources of data that are not obvious in investor/ownership, board membership, and subcontractor relationships, to name a few. Machine learning can also be used to build out more robust risk information; for example, identifying ripple effects of geographic events. Natural language processing can immediately identify and alert you to negative information about suppliers in public news feeds, allowing for a proactive response before the news negatively impacts your organization.

Automated tools now exist with the ability to create and maintain a single source of truth for supplier risk, covering financial, operations, geographic, cyber, regulatory, geopolitical, and environmental/social/governance (ESG) risks. Such tools allow centralization of your organization’s aggregated supplier risk posture and can drive key operational risk mitigation and trends in your organization’s risk reporting.

What Supplier Inventory Information Do I Need to Get Started?

In order to leverage this opportunity effectively and efficiently, your organization needs a minimum amount of information about each supplier. Otherwise, the high volume of data returned by these automated tools could overwhelm you. This baseline information includes:

  • Supplier name
  • Location of product or service being provided
  • Relevant URLs and internet hosting details
  • Critical software development organizations involved
  • Names of commercial products being used or deployed
  • Additional specific data, depending on defined individual use cases

Spending time upfront to carefully define use cases (for example, starting with new supplier onboarding) can help you discover supply chain relationships that you were unaware of and that may pose unacceptable risks that need to be addressed prior to contract signing. Being aware of the constant, rapidly evolving nature of SCRM through increased use of these automated tools, along with a clear understanding of and plan for integrating these tools into your organization’s existing operating processes, are important success criteria for an SCRM program. Their contribution to maintaining operational resilience is a game changer in the rapidly evolving SCRM landscape.

Lay the Groundwork for a Resilience Operations Center

The Resilience Operations Center book goes into more detail on these and other topics, including aligning a business operating model with strategic risk management objectives, identifying your risk management program’s maturity level, and defining key ROC governance processes. Get a copy of the book here and put your supply chain and your organization on the road to operational resilience.


The Resilience Operations Center: Challenges and Success Factors

The following is an excerpt from “The Resilience Operations Center: A New Framework for Supply Chain Risk Management.” Download the ebook or request a print copy here.

With the goal of reaching and maintaining operational resilience, organizations are looking for a modern approach to supply chain risk management (SCRM) and third-party risk management (TPRM). One way organizations are working to improve their preparedness—and overcoming the deficiencies of SCRM and TPRM approaches—is adopting Resilience Operations Centers (ROC).

The ROC framework can drive better outcomes because it is based on three simple but vital principles: 1) aligning risk management and organizational goals, 2) breaking down silos, and 3) modernizing threat detection and mitigation with technologies like automation, artificial intelligence, and natural language processing. Plus, it provides the insight and agility needed to capitalize on never-before-seen opportunities.

Challenges to Operational Resilience

Of course, aligning around a new risk management approach is not always a smooth journey. There are several areas where operational resilience breakdowns can occur. The following issues and pitfalls can occur across the extended supply chain and within your own organization:

  • Weak, ineffective operational risk management governance processes at the board, senior management, business unit line management, and independent enterprise risk management levels.
  • Incomplete business continuity management for critical operations functions, including monitoring, scenario analysis, periodic testing and tabletop exercises, staff training, and availability.
  • Lack of scenario planning and analysis to anticipate potential disruptions in supply chains. Scenario planning should be combined with forecasting to assign probabilities of occurrence of scenarios to further refine plans.
  • Insecure information systems, including inadequate protections for sensitive information in transit and in storage at all locations.
  • Ineffective operations monitoring, log review, and follow-up actions and reporting.

Any one of these inefficiencies could result in the loss of significant financial resources and pose additional operational risk to your organization.

ROC Success Factors

Making a ROC successful involves many factors. But following these five fundamental principles will help any organization lay the groundwork for reaping the framework’s benefits.

  1. Be aware of your industry’s key operational risks. Different industries are exposed to different types of risks, along with varying levels of regulation. For example, financial services organizations focus on service interruptions to their supply chains caused by misconfigurations, misuse, and phishing/hacking. IT hygiene, focusing on active monitoring of your threat environment and proactive patching of security vulnerabilities, is a critical activity, as is having a mature software development life cycle. Manufacturing supply chain risk managers focus on disruption of logistics, transportation, and raw material procurement. Monitoring for and taking actions to address political instability, natural disasters, and the potential for black swan events such as pandemics can ensure greater operational resilience. Understanding your critical risks will allow you to focus on key mitigation steps to ensure operational resilience.
  2. Don’t think you can outsource business risk and accountability. Business units often assume that once a function has been outsourced to a supplier, they are no longer accountable for that functionality or the performance of their suppliers and extended supply chains. That is not the case. Establishing appropriate oversight of these relationships is management’s responsibility, and quarterly supplier performance reviews against pre-determined success criteria are a straightforward way to exercise it. Outsourcing oversight also includes the ability to preserve, and, as necessary, recover services in the event of a supplier failure. All outsourced critical business services need a contingency plan for either bringing the function back in house or migrating it to a new supplier in a timely manner.
  3. Maintain operating execution knowledge. Alongside accountability, the knowledge to effectively operate a business, if not carefully preserved by your organization, can disappear. You should always have a fallback plan for your suppliers to ensure your operational resilience should catastrophe strike. Preserving this knowledge within the business, with the capacity to insource or migrate the functionality should the need arise, is often neglected and can create a situation in which the ability to continue operating may be lost over time.
  4. Don’t equate compliance with risk management. Your SCRM program can become overly focused on compliance and “check the box” exercises to demonstrate that suppliers have been reviewed to identify operational risks. Focus on ensuring that proper steps have been taken to mitigate risks to a level that meets your risk appetite. Compliance isn’t resilience. Use KPIs to report trending changes in the delivery of critical outsourced products and services before product or service delivery resilience is negatively impacted. This leads to the next point.
  5. Focus on total cost of ownership (TCO) of your SCRM program. Your SCRM program can easily become a “Field of Dreams” endeavor in which you spend years building out an asset inventory, identifying supplier relationship managers, and performing increasingly large risk assessments without achieving risk mitigation. Risk assessments alone do not reduce operational risk. When combined with unfettered growth in the number of suppliers used by your organization, this can lead to inefficiencies in your overall risk management program and operational performance degradation. From the beginning of your program, identify quick wins that mitigate actual risks and report to all levels of management on progress being made towards greater operational resilience.

Need Operational Resilience? Get the ROC Book

The Resilience Operations Center book goes into more detail on these and other topics, including aligning a business operating model with strategic risk management objectives, identifying your risk management program’s maturity level, and defining key ROC governance processes. Get a copy of the book here and put your supply chain and your organization on the road to operational resilience.

A Founder’s Journey: A Blind Ad, A dream, and One Person Who Believed

It all started with a blind ad and one person that believed…

The summer after I graduated college, I had a BS degree in Finance (cue laughter) no job, and no idea of what I wanted to do. I responded to a blind advertisement looking for a customer service person – with no inkling that my life would be forever changed by the experience, and that this was just the beginning of my career at the nexus of global supply chains and technology.

My first boss (we’ll call him ‘Ron’) did a herculean job of funneling my energy into, first, process re-engineering every department in the supply chain headquarters for a major retail brand, and then as the #2 person for a brand-new technological capability – building an inventory management system for that global brand’s entire supply chain. Today, my role would be considered as a product manager, i.e. I would interview the users on their manual activities and then discuss with the programmers how to build and automate a solution.

From there my career progressed to leading similar initiatives on behalf of technology companies, traveling the world, and working with a wide variety of businesses ranging from automotive, to CPG, to food and agriculture. My final, and most critical, stop on this path was bringing that technology to the US Federal Government and the Dept of Defense.

During my journey I continually noticed the companies were focused on what was inside the building or their supply chains, but not what was outside – and paid no attention to whether or not those exterior factors and relationships were causing potential risks to their operations and success. This was the genesis for the concept of Interos.

In 2019 I met the one person who would believe in both me and my technology concept – Ted Schlein of KPCB – who led my Series A. In 2020, he was joined by Nick Beim at Venrock, who led my Series B. Just like my first boss, all it took was the support of a handful of believers to make the difference between a dream manifested and a dream deferred.

Today, we are exposed to many stories articulating the need for greater diversity in business, and specifically on my personal passion, building greater support for more women in leadership, to bring their energies and companies to scale. I couldn’t agree with these stories more.

To close out International Women’s History Month, I‘d like to celebrate some of the women who are already in the pipeline and making it happen, paving the way for the next generation of female entrepreneurship, and a more just and inclusive world of business.

A Few Female Entrepreneurs of Note

Muriel Siebert – It’s fitting to start with the woman who, arguably, started it all. Muriel Siebert, informally known as the “first woman of finance,” was the first woman to found a brokerage, the first woman to take a company she founded all the way to an IPO, and the first woman to hold a seat on the New York Stock Exchange. Nine of the first ten men she asked to sponsor her application for the seat turned her down before she succeeded, and she accomplished it all without even holding a college degree. Siebert credited her idea to buy a seat on the exchange to investor and friend Gerald Tsai. Despite the many obstacles she faced, her indomitable entrepreneurial spirit just needed the push of a single believer to help her change history.

Cathy Hughes – An American entrepreneur, DC public figure, and broadcaster, Cathy Hughes became the first Black woman to head a publicly traded company when she took her media company Radio One (now Urban One) public in 1999. Hughes achieved all of this despite her family’s struggles with poverty, and her station WOL is still one of the capital region’s most listened-to radio stations. In the 1970s, when Hughes set out to purchase her first station, she was turned down by 31 banks. All it took was one lender to see the promise in her ambition for her to take the first steps towards revolutionizing American radio. Today Hughes owns over 55 radio stations across the country.

Whitney Wolfe Herd – A recent addition to the growing ranks of highly successful female founders, Whitney Wolfe Herd became the world’s youngest female self-made billionaire in 2021, when her company, Bumble (maker of the eponymous, female-focused dating app), went public. Herd’s experiences grappling with the challenges of being a female technology executive led her to give this advice to aspiring businesswomen: “Cherish being underestimated,” she said in an interview with The Wall Street Journal. “That’s your superpower.” Herd credits the friendly belligerence of Russian entrepreneur Andrey Andreev, the founder of Badoo, a dating app with 330 million users, for energizing her to build Bumble, after Herd weathered a storm of online harassment following her departure from Tinder, her previous company. Three years later, 17.5 million people had registered with Bumble, and the app has been responsible for more than 1.2 billion matches.

Sheila Lirio Marcelo – the founder and CEO of Care.com, the world’s largest online service for finding family care (child care, senior care, pet care, and home care). Sheila’s vision began with a simple, maternal need: as a young college student, immigrant, and mother, Sheila struggled to balance caring for her two sons and her ailing father with school. Five years later, in 2006, she founded Care.com. Sheila ultimately raised over $111 million in funding before taking the company public. Sheila shares an early investor with Interos, Nick Beim!

Ruth Zukerman – a co-founder of SoulCycle and Flywheel, Ruth Zukerman’s rise to entrepreneurial stardom began with the acceptance that her career as a dancer would never take off. A Long Island native, Ruth had no exposure to business growing up. After attempting to make it as a dancer in New York with little success, Ruth began building a following as a fitness instructor for Reebok. Zukerman’s entrepreneurial career was kicked off when a dedicated student approached her about fronting Zukerman the money to open her own boutique spin business. With a single, devoted believer behind her, Ruth built a fitness empire.

Katrina Lake – The founder and CEO of Stitch Fix, the online personal shopping service, Katrina Lake started the company out of her Cambridge apartment while she worked on her MBA at Harvard. Buoyed by her experience consulting for the retail industry, and having watched her sister’s work as a buyer, Lake set out to create a data-driven styling solution that would make a tailored, personalized shopping experience available across America. At 34 she became the youngest female founder ever to lead an IPO. Stitch Fix’s success began with just 29 clients and the venture backing of Steve Anderson (Baseline Ventures) in 2011.

Beating the Odds

All of these women had to fight incredibly difficult battles against the odds, and the system itself, to bring their vision to the world. But they couldn’t do it alone. At critical junctures in each of their careers, they found support from someone else. It’s my hope that these stories of success resonate with each one of you, and inspire you to pursue your dream or to be that one person who helps someone else achieve theirs.

And remember, it just takes one person to believe….

RSA 2021 Recap – Supply Chain Resilience & Techtonic Geopolitical Shifts

2020 was a global inflection point for supply chains – and so much more. Economic nationalism, a splintering internet, and geopolitical tensions were simmering long before 2020, but were accelerated by the pandemic. The global shock also deepened the growing divide between authoritarian and democratic ideologies around technology, expediting the emergence of distinct technospheres of influence. Driven by geopolitical shifts and the rapid evolution of emerging technologies, these techtonic shifts are already reshaping and redefining global supply chains. At last week’s RSA, I had the opportunity to discuss these global shifts and what forward-leaning companies should consider when seeking “Supply Chain Resilience in a Time of Techtonic Geopolitical Shifts”.

In addition to the horrific human toll, the COVID-19 pandemic punctuated the global order between Before Times and the post-pandemic era.

A Tale of Two Techno-Ideologies

The Chinese model of digital authoritarianism has spread aggressively. The model leverages technology to surveil, repress, and manipulate domestic and foreign populations. The tools and tactics inherent in this techno-ideology increasingly wreak havoc on both citizens and supply chains. With the steady beat of digital supply chain attacks, internet shutdowns, digital sovereignty stifling cross-border data flows, and government surveillance and mandates to access data, the digital authoritarian model is taking root across the globe.

A counter-weight is starting to emerge based on the aspirational visions of a secure, open, trusted, and free Internet. This nascent digital democracy model is beginning to address security and privacy through a multi-stakeholder lens and prioritizes collaboration and cooperation as well as individual data rights and protections.

Just as these distinct approaches continue to accelerate the splintering of the Internet, they are now leading to a splintering of supply chains and the technologies that undergird them. Government and private sector entities alike are increasingly reimagining supply chains based on trustworthy networks – with a specific focus on trusted suppliers and products.

Techno-spheres of Influence

How are these divergent ideologies impacting global supply chains? There are (at least) three core areas: trade wars, regulatory shifts, and global hot spots. In each of these, geopolitics and diverging approaches to technology are changing the risk calculus and cost of doing business at home and abroad.

  • Global Trade Wars: Just as the weaponization of cyber has shifted power structures across the globe, so too is the weaponization of trade. Governments are increasingly seeking to leverage industrial policy for national interests. Weaponized cyber programs are being paired with specific industrial policies to threaten supply chains. As the IMF recently summarized, “Technology wars are becoming the new trade wars.” And these technology wars are further exacerbated by opposing perspectives on the rules and norms surrounding the use of technology.

These disputes continue to influence corporate decisions regarding reshoring and onshoring, as well as alternative suppliers, especially when geographic concentration risks are considered. In recent surveys, almost a quarter of companies plan to relocate supply chains and three-quarters have expanded the scope of existing reshoring. Tariffs and market pressures have driven many of these changes, but a shifting regulatory landscape provides additional fodder for reassessing supply chain resilience.

  • Regulatory Shifts: To offset the risks posed by digital authoritarians, democracies across the globe have begun to prohibit or restrict foreign technologies. The U.S. Departments of Commerce, Treasury, State, Homeland Security, and Defense have all produced an uptick in export, re-export and capital flows restrictions. As the chart below highlights, the Bureau of Industry and Security at the Department of Commerce alone has added over 350 different Chinese entities to restricted lists since 2019.

Many countries are also leveraging industrial policy, such as the patchwork of 5G restrictions within Europe as well as India and Australia. China has also implemented its own unreliable entity list, which could further pose challenges for global brands. Finally, the data protection and privacy landscape provides one more layer of complexity. Many countries are crafting laws similar to the GDPR. On the other hand, some nations are creating regulations in the mold of Cambodia’s internet autarky, Kazakhstan’s government-mandated root certificate (which lets the state intercept its citizens’ HTTPS traffic), and Ecuador’s all-seeing eye. All of these policy approaches introduce localized data risks.

  • Global Hot Spots: While major power competition dominates national security discourse, global supply chains are also impacted by a rise in instability. Cyber and emerging technologies have introduced asymmetric power, wherein small countries can have an oversized impact due to the minimal resources and diminished price required to harness offensive cyber or emerging technologies. North Korea, Russia, and Iran are the usual suspects when considering the asymmetric nature of power, especially when considering the reach of campaigns such as SolarWinds or Iranian and North Korean campaigns against the financial industry.

Similar capabilities are now available across the globe and further exacerbate instability and unrest. For instance, Vietnam and Lebanon both have advanced persistent threat groups (APTs) linked to global campaigns. Meanwhile, localized conflicts between Armenia and Azerbaijan, Western Sahara and Morocco as well as the Tigray region have integrated foreign-made drones and disrupted energy markets, trade routes, and manufacturing supply chains, respectively.

Building Resilience Amidst Techtonic Shifts

What can be done to build resilience under these dynamic conditions? First, a collective security approach is essential. As a Wall Street Journal logistics report noted, “A substantial investment in securing customer data at one company can easily be undermined by a supplier with weak financial incentives for safeguards.” Second, in preparing for the ‘new normal,’ avoid the inherent inclination to prepare for yesterday’s risks and disruptions. This is not simply a new Cold War or the end of globalization, but rather a new order that includes risks new and old. Finally, gaining visibility across your entire supply chain ecosystem – as well as the data that flows through it – is paramount. Data and privacy risks are increasingly localized, and borders do exist on the internet.

Of course, these ongoing global shifts introduce a range of challenges. Decoupling and reshoring are expensive, but it is important to keep in mind that this is not an all-or-nothing approach: we must prioritize based on criticality and dependencies. Keeping up with the regulatory shifts is also increasingly difficult, especially since some of these changes may occur below the radar if you don’t have a way to track them. And of course, mental models are hard to shift. It’s easier to assume the new normal will look like it did in Before Times, but that could leave organizations ill-prepared for tomorrow’s disruptions.

Despite these challenges, there are also significant opportunities. Resilience can be a competitive advantage. Preparations now for the range of disruptions will pay off down the road. Collective security and collaboration can further strengthen resilience and help lead to more trustworthy and reliable networks. Finally, technology can help overcome blind spots and provide greater visibility and insights into the range of current and potential future disruptions.

Now is the time to either shape the future or be shaped by it. Based on the fascinating interactive Q&A session at RSA, there seems to be growing interest in these shifts and desire to do the hard work of building more resilient supply chains. Now it is on us to avoid a collective failure of imagination and reimagine supply chain resilience on par with these techtonic shifts.

New eBook Presents a Better Framework for Risk Management

“The Resilience Operations Center” updates supply chain security for a new world of risks

Note: The following is the foreword to our just-released book, The Resilience Operations Center: A New Framework for Supply Chain Risk Management. Get the full digital version here.

Risks Have Evolved—Why Hasn’t Your Risk Management?

When I began working in supply chain risk management (SCRM) over 20 years ago, third-party risk management (TPRM) was not a boardroom concern. The task was a begrudging necessity, a checkbox in the compliance process. This mentality persisted even as businesses became more interconnected and mutually reliant on a vast network of partners across the globe.

Those interdependencies, coupled with their growing complexity, introduced a litany of risks across the supply chain ecosystem. Except among a small cadre of risk management professionals and technology leaders, these risks were largely invisible, deprioritized, or ignored.

Then came COVID-19, SolarWinds, and the Suez Canal backup. The fragility of global supply chains became painfully apparent, the repercussions of which continue to reverberate across virtually every industry and corner of the globe. So many shocks so close together has made “Black Swan event” an outdated term. Such disruptions are no longer rare, unpredictable, or even shocking. It is not a matter of if similar events will occur, but when.

Operational Resilience: A Business Imperative

Recent events have exposed the symptoms of unchecked vulnerability:

  • Scrambling to cope with events as they happen
  • Wasting resources because of siloed teams, duplicated efforts, or poor communication
  • Brand damage from product or service disruptions or slowdowns

Being unprepared for such events is costly. That high cost, and the velocity and depth of disruptions, have triggered a reset in enterprise SCRM strategies, prompting dramatic re-evaluations of global interdependence and production. Organizations are trying to balance just-in-time production strategies with resilience recommendations, while also overcoming all manner of risks through better planning and more agile processes. The good news is that with continuous monitoring and the correct technologies, all are achievable.

As part of this reset, forward-leaning organizations are adopting new approaches to SCRM and setting their sights on Operational Resilience—the ability to continue providing products or services in the face of adverse market or supply chain events. While the path to achieving supply chain continuity and security varies by industry, the benefits are clear and universal. Organizations that achieve Operational Resilience can:

  • Continuously monitor for potential risks and proactively make adjustments to minimize and potentially prevent disruption
  • Quickly identify disruptive events to evaluate exposure, find alternatives, and respond fast
  • Anticipate, model, and plan for possible scenarios and build the organizational skills to address and respond to these challenges

Businesses and organizations targeting Operational Resilience recognize the need to monitor a wide range of risk factors, including financial, cyber, regulatory, operational, geopolitical, and environment/social/governance (ESG). But the complexity goes even deeper, as they must also operate in an environment of ongoing digital revolution, climate change, the global resurgence of authoritarianism, and the push for sustainable procurement. These and other sweeping changes are upending business ecosystems and the systems of risk management upon which they are built.

The Rise of the Resilience Operations Center

Existing SCRM systems are outdated—the spreadsheets and questionnaires are inadequate for risk detection, and they certainly can’t help modern, competitive organizations mitigate damage and loss. A new framework must be brought to bear on this seemingly intractable problem—the need to gain solid footing and foster resiliency amid ongoing and increasingly complex disruptions.

The Resilience Operations Center (ROC) meets these needs and more. It represents a new approach to modern supply chain security and continuity, delivered through an enterprise-wide framework that ensures risk management objectives are tied to organizational goals. It brings previously siloed groups together to form agile and informed teams that are empowered to use data intelligently and react quickly to changing circumstances. We’ve seen the ROC framework deployed in a variety of industries, and our customers are using ROCs to dramatically change outcomes for the better.

A ROC is so effective at fostering Operational Resilience because it helps organizations overcome difficult internal challenges, including:

  • Shifting behavior from response to prevention. Deep, comprehensive planning helps teams anticipate events, evaluate alternatives, prevent disruptions, and model all scenarios and options. Reacting to events as they happen is not sufficient in today’s competitive market.
  • Making risk management an organization-wide job, not the domain of one person or team. Most approaches to managing risk are siloed within business units, such as procurement, supply chain operations, and IT, or in single focus organizations, such as information security and compliance. When everyone is a stakeholder, organizations improve how they coordinate, collaborate, prepare, and respond.
  • Managing risk beyond the walls of your company. Organizations rely on an extensive network of suppliers and partners for developing and producing their products and services. Identifying relationships in the extended supply chain to the Nth tier helps organizations decide if those connections are good or bad business choices, thereby identifying and preventing potential risk. And, most importantly, remember that you are a third party to myriad other organizations, which are now looking at you through their own risk management lens.

Operational Resilience—It’s Simply Good Business

Through years of experience seeing client challenges up close, I’ve become even more convinced that cutting-edge technology can help organizations modernize and reset their approach to third-party risk management. This led me to create Interos, the world’s first multi-tier, real-time SCRM solution.

But technology, no matter how efficient, can only go as far as individuals and organizations are willing and able to take it. While our platform is a powerful engine for improving risk management and gaining transparency across the supply chain ecosystem, without a complementary organizational framework, the problem remains unsolved.

There is no one-size-fits-all approach to risk management. The concerns of a multinational manufacturer are vastly different from those of a mid-size financial services entity, but the ideas and principles contained in this volume can be modified to suit the needs of almost every organization. It contains ROC tactics, techniques, and procedures organizations can use to determine the proper scope of their risk management activities, construct plans for those activities, and execute on them. It provides a foundation that multiple stakeholders—including procurement officers, finance professionals, cybersecurity personnel, and compliance leaders—can use to plant their feet firmly and begin the important work of securing the continuity of their enterprises.

There is an urgency to adopt a more robust form of third-party risk management to mitigate the continuing fallout from COVID, SolarWinds, and the other inevitable shocks yet to come. That, of course, is the aim of this book. With a focus on providing clear, concrete, and actionable steps, we believe this guide will help you begin to build Operational Resilience into your organization and throughout your supply chain. Because Operational Resilience is simply good business. So, let’s begin.

New Cybersecurity Executive Order Pivots Supply Chain Risk Management

What it Means for Your Digital Relationships and Your Software Bill of Materials

Following the February executive order concerning supply chain risk management, on May 12, 2021, the White House issued one of the most robust, far-reaching directives on improving cybersecurity monitoring and response at the U.S. federal government level. The Biden administration’s Executive Order responds to meddling in our elections, cyber espionage by foreign governments, ransomware attacks, intellectual property theft, and other cybercrimes by criminal gangs.

With operational resilience on everyone’s radar, the news comes at a sensitive time. The order provides instructions to various government agencies focusing on the software supply chain. It also includes a directive to develop and use a Software Bill of Materials (SBOM). The order mandates the adoption of SBOM by large government supply chains and will change how software is supplied to U.S. federal agencies in the years ahead. The new regulations, one can assume, will also influence commercial and international markets to adopt SBOM standards set by the U.S.

The move by the Biden administration – and its focus on the SBOM – should be heartily embraced by industry. A huge, unavoidable challenge to today’s “fragile” supply chains that extend around the world is the simple fact that both physical (hardware) products and software are made from many components from many suppliers, permitting unwanted access by unauthorized actors (nation-states, criminal gangs) and leading to massive disruption, intellectual property theft, extortion and beyond. The response must be to ensure that components (physical and/or digital) are trustworthy (uncompromised) and come from vetted suppliers.

A Government Call to Action

For decades, in the physical supply chain realm, companies conducted inspections and verification probes into real and potential risks stemming from the product, component, and factory level; now, with the White House cyber EO, we have a US government call-to-action for the private sector to do the same kind of inspections and probes into the subcomponents of the software we all have been using for decades. SBOMs – at appropriate levels of transparency, depth and accuracy – allow us to identify all the different developers of the software that we are using — and any attendant risks.

Before we dive into why the SBOM directive in the Biden cyber EO is a highly laudable move – providing guardrails for preventing compromised components from entering digital supply chains – let’s provide some background.

What Is a Software Bill of Materials?

A software bill of materials (SBOM) is a hierarchical and machine-readable inventory of all open source and third-party components present in a codebase. It also contains details about the relationships between the software elements, version information, and patch status.

To create transparency and standardization across software supply chains, the National Telecommunications and Information Administration (NTIA) is leading an effort to develop national SBOM guidelines and formats. The effort began ahead of the expected executive order. Expect much of the government’s SBOM practices to be based on the NTIA’s work.

The Benefits of Adopting SBOM

The expected benefits and use cases for SBOMs are numerous since they affect all software development phases, both for the creator and consumers.

Software creators can use an SBOM to replace outdated development tracking tools and manual spreadsheets. Most software today uses multiple open-source libraries bundled into the final product. Tracking open-source software is especially challenging for the software developer. It involves a vastly diverse array of suppliers, ranging from huge, well-funded organizations providing updated software to volunteer-supported projects for decades-old software. By creating a well-documented set of software components, producers can simplify development and patching and reduce costs.

New Cyber Threats in Software Supply Chain Security

Supply chain security was traditionally concerned with counterfeiting and other supplier compromises. Recently there has been a greater focus on third-party and supply chain risk management. This includes products compromised at the factory or software-development level that are then purchased and deployed into the network. After installation, the compromised nodes survey the network and contact the command-and-control system owned by the cybercriminals, letting the attackers know their product is online.

Cybercriminals, often nation-state bad actors, exploit this compromise to gain access to the entire network. The SolarWinds compromise—engineered by Russian state agencies—is a well-known example of this type of highly proliferated attack. More of these attacks have occurred with other vendors. Since they have been successful, cybercriminals will continue to exploit them.

These “supply chain” cyber-attacks work by exploiting a software component of a built product (e.g., an innocuous-seeming software upgrade). They are distinct from traditional perimeter-penetration hacks. It is much easier to compromise a library or third-party software bundled into the main software build, and the compromise can be made on-site or even at the source. The practice of development teams using open-source or third-party software is very common; it is routinely used for tasks like encryption or data input to streamline development.

Unfortunately, open-source software may have vulnerabilities and weaknesses that go unmitigated, given the projects’ lack of resources. The Heartbleed bug in the open-source OpenSSL cryptographic library is but one example. OpenSSL was included in thousands of software solutions but maintained by a minimal part-time staff. When researchers found the flaw in the library, it was difficult to correct and replace. Cybercriminals clued into the flaw, scanned deployed software for this version of OpenSSL, and exploited it where possible.

To resolve these issues, developers need to identify the exact version of the software library, open-source code, and tools. SBOMs will replace manual processes to collect and manage this information. This will happen because of the new responsibilities the US federal government has placed on software solution providers.

The Future of SBOM: Fully Assess and Monitor Software Supply Chains

SBOM integration will enable developers to identify and manage the vendors providing software in their software supply chains. Without SBOM, much of this information would not be available. The data provided by the mandated SBOMs will allow organizations to create detailed maps of the extended software supply chain for the first time, immensely improving supply chain risk management.

That is just the beginning. With a map of the software supply chain, organizations can assess each software provider’s risk and monitor impact events. This can be done across a host of factors, from cyber hygiene to financial risk. Development teams must make decisions to replace an open-source solution if the provider goes out of business or stops providing updates. Financially weak vendors may be a leading indicator of potential risk. Another indicator could be where the software vendor is located. This would be a form of geopolitical, governance, or compliance risk. And the biggest issue could come down to seeing the announcement of another breached vendor and not knowing if that vendor or its customers are in your supply chain.

SBOM—as a new standard developed in the months ahead—will launch a dramatic change to traditional software supply chain risk assessment. This new methodology will provide real-time, highly accurate data to cybersecurity and procurement teams to proactively reduce risk. At the enterprise level, SBOM and the awareness it brings will reduce costs and speed development.
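As an added example (not code from the original post, from the NTIA effort, or from Interos’s product), the following Python walks a constructed, simplified SBOM and does three things the preceding sections describe: it assigns each component a tier by distance from the shipped product (the “Nth tier” map), it checks whether a component’s version falls inside an advisory’s affected range (the situation the OpenSSL paragraph describes), and it answers whether a named supplier appears anywhere in the tree (the “is that breached vendor in my supply chain” question). The SBOM layout, component names, suppliers, versions and the advisory identifier are all constructed assumptions; the layout is deliberately minimal and is not the NTIA or any standard SBOM format.

```python
"""Walk a constructed SBOM: build the dependency graph, assign each
component its tier (distance from the product we ship), and answer two
questions a risk team asks: which components fall inside an advisory's
affected version range, and whether a named supplier appears anywhere
in the tree.  The SBOM structure here is a simplified constructed one
(an assumption), not the NTIA or any standard format."""
from collections import deque

# Constructed sample SBOM (not real software, suppliers or versions).
SBOM = {
    "product": "acme-billing",
    "components": [
        {"name": "acme-billing", "version": "3.2.0", "supplier": "Acme Corp"},
        {"name": "web-framework", "version": "2.8.1", "supplier": "FrameworkOrg"},
        {"name": "http-client", "version": "1.4.0", "supplier": "NetTools LLC"},
        {"name": "tls-lib", "version": "1.0.1", "supplier": "Volunteer TLS Project"},
        {"name": "json-parser", "version": "5.0.2", "supplier": "NetTools LLC"},
        {"name": "logger", "version": "0.9.7", "supplier": "LogWorks"},
    ],
    # dependsOn edges: parent -> list of its direct dependencies
    "dependencies": {
        "acme-billing": ["web-framework", "logger"],
        "web-framework": ["http-client", "json-parser"],
        "http-client": ["tls-lib", "json-parser"],
        "tls-lib": [],
        "json-parser": [],
        "logger": [],
    },
}

# Constructed advisory with a placeholder id: tls-lib 1.0.0 up to (not
# including) 1.0.4 is affected.
ADVISORY = {"id": "ADVISORY-EXAMPLE-001", "component": "tls-lib",
            "affected_from": "1.0.0", "fixed_in": "1.0.4"}


def parse_version(v):
    """Turn a dotted integer version such as '1.0.1' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def component_tiers(sbom):
    """Breadth-first walk from the shipped product: tier 0 is the product,
    tier 1 its direct dependencies, tier 2 their dependencies, and so on.
    A component reachable by several paths keeps its shortest distance."""
    tiers = {sbom["product"]: 0}
    queue = deque([sbom["product"]])
    while queue:
        parent = queue.popleft()
        for child in sbom["dependencies"].get(parent, []):
            if child not in tiers:
                tiers[child] = tiers[parent] + 1
                queue.append(child)
    return tiers


def find_affected(sbom, advisory):
    """Return (name, version, tier) for every component named in the
    advisory whose version lies in [affected_from, fixed_in)."""
    tiers = component_tiers(sbom)
    lo = parse_version(advisory["affected_from"])
    hi = parse_version(advisory["fixed_in"])
    hits = []
    for c in sbom["components"]:
        if c["name"] != advisory["component"]:
            continue
        if lo <= parse_version(c["version"]) < hi:
            hits.append((c["name"], c["version"], tiers.get(c["name"])))
    return hits


def supplier_exposure(sbom, supplier):
    """List (component, tier) pairs provided by one supplier, so a breach
    announcement about that supplier can be checked against the tree."""
    tiers = component_tiers(sbom)
    return sorted((c["name"], tiers.get(c["name"]))
                  for c in sbom["components"] if c["supplier"] == supplier)


def paths_to(sbom, target):
    """Every dependency path from the product down to target: the map of
    how a deep component actually reaches the product you ship."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path + [node])
            return
        for child in sbom["dependencies"].get(node, []):
            walk(child, path + [node])

    walk(sbom["product"], [])
    return paths


if __name__ == "__main__":
    for name, ver, tier in find_affected(SBOM, ADVISORY):
        print(f"{ADVISORY['id']}: {name} {ver} is in the build at tier {tier}")
        for p in paths_to(SBOM, name):
            print("  via " + " -> ".join(p))
    print("NetTools LLC supplies:", supplier_exposure(SBOM, "NetTools LLC"))
```

The point of `paths_to` is that the affected library sits three tiers down, behind a framework the developers chose and an HTTP client they never chose; a spreadsheet of direct suppliers would not list it at all, which is the gap the SBOM mandate is meant to close.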

Operational Resilience and Software Supply Chain Risk Management

Governments and businesses are waking up and responding to a new world of risk. Planning and visibility—those are the keys to resilience, agility, compliance, and good business. The Interos cloud solution gives you an instant and continuous view of every connection in your digital and physical supply chains. With the power of artificial intelligence and machine learning, any organization can create a living map of their business ecosystem, including SBOM elements, so they can monitor actions in real time, model scenarios, and predict outcomes. Learn more here, or contact us for a demonstration.

Securing America’s Software Supply Chains From Attack: Biden’s Executive Order on Cybersecurity

A major oil pipeline shuts down. Ransomware halts city operations and online systems. A new banking trojan spreads across Europe. This may seem like an extraordinary week in cybersecurity. But, unfortunately, these kinds of ‘Black Swan’ events are no longer Black Swans. Recent incidents—including SolarWinds, Exchange, Pulse Secure, and Codecov—further demonstrate that cybersecurity and the resilience of supply chains are inextricably linked.

As the global cyber threat landscape has exploded in actors (state-sponsored, criminal organizations, and privatized non-state organizations), tools, and techniques, there has been little federal movement in cyber policy focused on strengthening defenses to counter such a diverse array of threats and interdependencies within and across organizations. However, with the publication of the Executive Order on Improving the Nation’s Cybersecurity, there is a new focus on cyber defenses and potentially the start of a significant paradigm shift in cybersecurity. As the order notes, “Incremental improvements will not give us the security we need.”

Bolstering Both Digital and Physical Security

Coming on the heels of February’s Executive Order on America’s Supply Chains, which aims to build more resilient, secure, and diverse physical supply chains, this Executive Order similarly prioritizes supply chain security. In contrast, it focuses, rightly so, on the urgent need for enhanced digital supply chain security while also addressing information sharing, data breach notification, modernized security standards, and safety. Together, these core themes further highlight a shift toward defense and private/public sector collaboration before, during, and after a cyber incident.

  • Software supply chain security: New guidelines and criteria for evaluating software security will be established, focusing on the security practices of both developers and the suppliers. A Software Bill of Materials (SBOM)—a formal record of the various components and supply chain relationships used to build software—will be required for each product. This process to create these SBOM guidelines will begin immediately, with initial findings published within 60 days. A labeling scheme will also be explored to inform consumers of the security of their products.

  • Information sharing: The dissemination of timely information across federal agencies and the private sector regarding risks and threats will be facilitated through the reduction of contractual barriers that limit information sharing as well as standardization of the data.

  • Data breach notification: Contractors will be required to report breaches on a graduated severity scale. Similar to the European Union’s General Data Protection Regulation breach notification, companies partnering with the federal government will be required to disclose the most severe breaches to the federal government within 72 hours. While the U.S. lacks a federal data breach notification policy, there are bills underway to replace the patchwork of 54 data breach notification laws across all 50 states, the Virgin Islands, Puerto Rico, Guam, and Washington, DC.

  • Security standards: With an emphasis on modernizing cloud-based services, a Zero Trust security model formalizes many of the recommendations the security industry has been advocating for years, such as multi-factor authentication and encrypted data at rest and in transit. Organizations will have to demonstrate adherence to these requirements and also follow an incident response procedures playbook.

  • Safety: A new Cyber Safety Review Board comprised of both private-sector and federal representatives will be established, including cybersecurity and software suppliers, to review incidents and make recommendations. This may be modeled on the National Transportation Safety Board. The actual scope—including membership and the kinds of incidents to be evaluated—will be determined in the upcoming months.

The executive order stresses the need for strengthened defensive postures and processes at all phases of an incident, emphasizing a more proactive approach to a defense that has largely been reactionary. This includes gaining greater visibility of suppliers and working toward building trustworthy and transparent systems through a modernized approach to cybersecurity. Importantly, this applies not only to your organization’s security but to security across your entire supply chain network. The introduction of security standards and information sharing demonstrates the emphasis on collective security to help target and reduce vulnerabilities across the entire supply chain. The days of a “perimeter defense” are gone and, as the executive order articulates, the public and private sectors must work together for the collective security of all.

Operational Resilience: Public- and Private-Sector Collaboration

While the executive order is already framed as a response to the Colonial Pipeline attack, in reality it has been months in the making. Following the breadth and depth of the state-sponsored SolarWinds intelligence-gathering attack that targeted at least nine federal agencies and hundreds of private sector organizations, administration officials began circulating various components of the executive order. It is just one component of a nascent strategy shift focused on strengthening security, creating more resilient supply chains, and building trusted networks within the U.S. and with like-minded partners. With this steady drumbeat of high-profile breaches and localized, financially motivated ransomware attacks as in the Colonial Pipeline hack, the executive order may be a harbinger of many regulatory changes to come as the federal government seeks to modernize cybersecurity and technology policy—strengthening defenses, securing supply chains, and ultimately bolstering operational resilience—for an era of technological competition and geopolitical friction.

As Bob Brese, former CIO at the U.S. Department of Energy and a current board advisor to Interos, observes: “Broadly enhanced cybersecurity improvements are critically needed. However, as articulated in the Executive Order on America’s Supply Chains, cybersecurity is one of many lines of effort necessary to ensure operational resilience for companies and government organizations as well as to enhance our nation’s economic and national security resilience. We can’t let this need to improve cybersecurity lead us to drop the ball on the other supply chain risk factors impacting operational resilience.”

Nested Networks: Hidden impacts to Supply Chain Risk Management & Operational Resilience

The ongoing crises of the past 15 months have practically upended supply chain risk management. COVID, SolarWinds, Texas power outages, microchip shortages, backed-up waterways, a massive cargo ship stuck sideways in the Suez, and other incidents have threatened the stability of the global economy. These disasters have prompted organizations to rapidly uncover their reliance on “nested networks,” groups of suppliers that are hidden from conventional visibility but are crucial to continued operations.

To achieve operational resilience, organizations must continue to rethink how they look at supplier relationships and these nested networks. Only by visualizing and understanding these connections can organizations finally better anticipate and quantify supply chain risk.

Visualizing the Nested Network in Your Supply Chain

Your primary supply chain network is mostly one of business relationships. You buy parts, raw materials, services, and software from a wide variety of vendors—some large, some small, some foreign, and some domestic. Most large companies have global footprints, whether they want to or not.

Nested Network Layer 1: Business Network

Imagine your primary supplier of microprocessors has a fire at one of its factories and you don’t maintain a mountain of inventory. Assuming you can’t easily substitute another vendor, that’s a major production problem for your business. This is a first-tier network disruption that is probably obvious to your organization and easily discoverable through traditional supply chain risk management methods.

Nested Network Layer 2: Transportation

Most goods and services need to be physically transported somewhere else to be consumed. If you are a fashion retailer in New York buying denim pants from a factory in Pakistan, do you have a business relationship with the Suez Canal Authority? No? Well, of course you do, because those articles of clothing go into a container, which goes on a ship that travels through a waterway like the Suez Canal before being unloaded in New York. The maritime, air, rail, and trucking networks of the world are embedded in your business, often out of sight and out of mind. You might think that the transportation and logistics network is also obvious and easily quantified and visualized. Maybe. But that’s not the end of the nested—and often hidden—network.

Nested Network Layer 3: Money

In order to have those denim pants shipped to you, you probably needed to pay someone. Money needed to change hands, and since it’s unlikely you pay all your vendors in cash out of the back of your loading dock, you are depending on yet another nested network.

Money movement is sometimes opaque and difficult to understand. How exactly does the money from your account at your local bank make its way across the world and into another business’s account in a verifiable and trusted way? If you said, “via a nested network,” you get a gold star. These networks include routing systems like Fedwire, CHIPS, ATM, ACH, SWIFT, and even cryptocurrencies such as Bitcoin, Ethereum, and many others. ACH networks get defrauded; ATM networks can go down. These financial networks don’t get disrupted often, but, as we’ve learned, disruptive events are out there, they are happening more often than ever, and organizations need supply chain risk management approaches that can anticipate such unlikely, but disastrous, eventualities.

Nested Network Layer 4: Telecom

Different from cyber or the internet, telecom is a mix of technologies, some dating back 100 years, that includes plain old telephone system (POTS) lines, microwave towers, submarine fiber optic cable, telco hotels, and LTE/5G. I will also lump GPS in there, realizing it could also fit in several places. Thick copper and fiber optic cables snake around the world going into peering exchanges, central switching facilities, across bridges, through tunnels, under shipping channels, and onto rocky beaches. Satellites and ground stations plug into those cables literally and metaphorically. You can have multiple offices, maybe even multiple data centers, all being fed off the same cable. And sometimes weird stuff happens to those cables—unexpected things involving ship anchors and backhoes. Your digital data supply chain is just as vital as your physical one. But it’s not as visible, and unless you truly understand how it works, you can easily have a false sense of security and resilience.

Nested Network Layer 5: Cyber

Cyber networks are related to telecom, but they are substantially different. Cyber is really all about today’s internet and our dependence on that specific slice of communications technology. You would be hard pressed to come up with a list of big companies that don’t depend on cyber networks to conduct business. That means they are also dependent on yet another hidden network.

There are foundational technologies networked together that lurk right beneath the surface, controlling how your data moves across the internet. Domain Name System (DNS) and the Border Gateway Protocol (BGP), which route enterprise critical information over the internet, are based on trust, distributed on servers all over the world, and are not nearly as robust as you might think. If you’re sending data from the U.S. to Italy, should it take a detour and route through China? Probably not, but that’s what happened in 2016 when China Telecom exploited BGP to route internet traffic through their domestic cyber infrastructure rather than letting data take the most efficient path. In 2010, China (accidentally?) slurped up 15% of all internet traffic for 18 minutes by misconfiguring some BGP settings.

The threats and vulnerabilities to your company’s cyber operations are well documented and hard to miss. Phishing emails, ransomware, botnet-driven distributed denial of service (DDoS) attacks, and malware propagation have become household words at this point, and they rightly get most of the attention. However, the hidden network of technologies behind the internet is a tempting target and ripe for disruption. The question is: Where does your organization’s cyber infrastructure intersect with the larger internet, and how can your supply chain risk management function better anticipate and prepare for situations where everything is not working as it should?

Gaining Insights and Visibility into the Complexity of Your Nested Network

Your supply chain is an interwoven group of visible and hidden nested networks that tend to behave normally most of the time but are subject to chaotic interactions that are nearly impossible to predict or anticipate. You may be aware of some of the critical weak points, but it is increasingly difficult to know them all at any given moment in time.

If you expand your collective definition of what constitutes the supply chain to include the concept of nested networks, you can better frame the problem. You can take advantage of new and existing technologies — such as all-source data fusion, anomaly-event detection, time-series forecasting, and dependency graphs — in ways that will change how you see and manage your supply chain.

You can’t be immune from supply chain failures, but you can be prepared. You can see and monitor your full supply chain down to the Nth tier, understand your nested networks, and achieve operational resilience. The right partner can help you identify the data, tools, and technologies you need to deal with these events when they occur. Reach out to us to see how.

End of an Era: Legacy TPRM Solutions Do Not Create Operational Resilience (Part 4)

As discussed in “The Black Swan is Dead” blog, corporate boards and government agency heads are demanding visibility into their supply chain risk exposure and are starting to hold the organizations — and their leaders — personally responsible. They cannot wait days, weeks, or potentially months for answers. They want to know now, and they want to know what steps the company or agency is taking to prevent the next big COVID- or SolarWinds-like supply chain shock. In other words, they want Operational Resilience.

Even in this new world where “not knowing” is no longer an acceptable excuse, companies and agencies are still operating in silos. They are still using manual processes and point-in-time tools, such as Third Party Risk Management (TPRM), Supply Chain Risk Management (SCRM), spreadsheets, and surveys. These all fail to map, monitor, and model extended supply chains, capabilities without which you cannot reduce risk, avoid disruptions, and achieve dramatically superior resilience.

TPRM Is Too Limited in Scope

Building on existing vendor risk management and supplier risk management tools, TPRM attempts to broaden the focus beyond just vendors and suppliers to include all kinds of third parties. For TPRM vendors, this allows them to expand their market from manufacturing companies to all commercial entities. Most are point solutions, but the big Supplier Relationship Management (SRM) and Supply Chain Management (SCM) vendors have rolled out TPRM modules.

What TPRM solutions do:

  • Surveys
  • Single-risk focused

What they don’t do:

  • Visualize the extended supply chain
  • Provide ongoing monitoring
  • Look at the ripple effect of global events
  • Capture complex, multi-factor risks

Supply Chain Risk Management Tries to Regulate Operational Resilience

Through a series of regulations and legislation enacted over the past decade, the US government has prompted organizations to leverage increasingly formalized approaches to SCRM, which is officially defined as:

“A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the suppliers’ product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).”

Unlike TPRM, SCRM enables a couple of critical elements needed for Operational Resilience:

  • SCRM clearly calls out that sub-tier suppliers need to be evaluated and tracked.
  • Cyber and financial stability risk are top priorities, but so are foreign ownership, location of facilities, counterfeit products, and other factors.

What is still missing with SCRM?

  • The process uses a regulatory and compliance approach. This means setting mandates for an unwieldy 300,000 defense companies and their extended supply chains. Companies see this as a compliance issue and the cost of doing business instead of a way to ensure Operational Resilience.
  • It still relies heavily on self-reported, annual surveys to collect information, which is inadequate for supply chain security and continuity.

Operational Resilience is the New Standard

To achieve Operational Resilience, organizations require tools that can:

  • Instantly discover the Nth tiers in your supply chain.
  • Provide situational awareness based on automatic, broad, multi-factor risk assessment.
  • Evaluate “what if” scenarios and alternative suppliers.
  • Be updated on a continuous basis in near real time.

In addition to these tools, “risk and resilience leaders” must find a structured approach to implementing organizational change. The Resilience Operations Center (ROC), described in Part 2 of this series, more than fits the bill. The ROC represents a new approach to modern supply chain security and continuity, delivered through an enterprise-wide framework that ensures supply chain risk management (SCRM) objectives are tied to organizational goals. It brings previously siloed groups together to form agile and informed teams that are empowered to use data intelligently and to react quickly to changing circumstances.

We’ve seen it work in a variety of industries, and our customers are using ROCs to dramatically change business outcomes for the better.

To learn more about Operational Resilience, the ROC, and the technology that can enable it, visit www.interos.ai.