New Cybersecurity Executive Order Pivots Supply Chain Risk Management

What it Means for Your Digital Relationships and Your Software Bill of Materials

Following the February executive order concerning supply chain risk management, on May 12, 2021, the White House issued one of the most robust, far-reaching directives on improving cybersecurity monitoring and response at the U.S. federal government level. The Biden administration’s Executive Order responds to meddling in our elections, cyber espionage by foreign governments, ransomware attacks, intellectual property theft, and other cybercrimes by criminal gangs.

With operational resilience on everyone’s radar, the news comes at a sensitive time. The order directs various government agencies to address the software supply chain, including a directive to develop guidance for a Software Bill of Materials (SBOM) and to require that software sold to the federal government be accompanied by one. That will change how software is supplied to U.S. federal agencies in the years ahead, and the new requirements can be expected to push commercial and international markets toward the SBOM standards the U.S. adopts.

The move by the Biden administration, and its focus on the SBOM, should be heartily embraced by industry. A huge, unavoidable challenge to today’s “fragile” supply chains that extend around the world is the simple fact that both physical (hardware) products and software are made from many components from many suppliers, permitting unwanted access by unauthorized actors (nation-states, criminal gangs) and leading to massive disruption, intellectual property theft, extortion and beyond. The response must be to ensure that components (physical and/or digital) are trustworthy (uncompromised) and come from vetted suppliers.

A Government Call to Action

For decades in the physical supply chain realm, companies have inspected and probed for real and potential risks at the product, component, and factory level. With the White House cyber EO, we now have a U.S. government call to action for the private sector to apply the same inspections and probes to the subcomponents of the software we have all been using for decades. SBOMs, at appropriate levels of transparency, depth and accuracy, let us identify the different developers behind the software we run and any attendant risks.

Before we dive into why the SBOM directive in the Biden cyber EO is a highly laudable move, providing guardrails that keep compromised components out of digital supply chains, let’s provide some background.

What Is a Software Bill of Materials?

A software bill of materials (SBOM) is a hierarchical and machine-readable inventory of all open source and third-party components present in a codebase. It also contains details about the relationships between the software elements, version information, and patch status.

To create transparency and standardization across software supply chains, the National Telecommunications and Information Administration (NTIA) is leading an effort to develop national SBOM guidelines and formats. The effort began ahead of the expected executive order. Expect much of the government’s SBOM practices to be based on the NTIA’s work.

The Benefits of Adopting SBOM

The expected benefits and use cases for SBOMs are numerous since they affect all software development phases, both for the creator and consumers.

Software creators can use an SBOM to replace outdated development tracking tools and manual spreadsheets. Most software today bundles multiple open-source libraries into the final product, and tracking them is especially challenging for the developer: the suppliers range from huge, well-funded organizations that ship regular updates to volunteer-run projects maintaining decades-old code. By keeping a well-documented inventory of software components, producers can simplify development and patching and reduce costs.

New Cyber Threats in Software Supply Chain Security

Supply chain security was traditionally concerned with counterfeiting and other supplier compromises. Recently the focus has broadened to third-party and supply chain risk management, including products compromised at the factory or during software development, then purchased and deployed into the buyer’s network. Once installed, a compromised node surveys the network and calls back to the attackers’ command-and-control system to signal that it is online.

Attackers, often nation-state actors, exploit this foothold to move into the rest of the network. The SolarWinds compromise, attributed by the U.S. government to Russia’s foreign intelligence service, is a well-known example of an attack propagated this way through a trusted update channel. Similar attacks have hit other vendors, and because they have succeeded, attackers will continue to use them.

These “supply chain” cyber-attacks work by compromising a software component of a built product (for example, an innocuous-seeming software update). They are distinct from traditional perimeter-penetration hacks: it is often easier to compromise a library or third-party package bundled into the main software build than to break through the target’s own defenses, and the compromise can happen at the integrator’s site or upstream at the source. Development teams routinely pull in open-source or third-party software for tasks like encryption or input handling to speed development, which is exactly what makes this route attractive.

Unfortunately, open-source software may carry vulnerabilities and weaknesses that go unmitigated because maintainers lack resources. The Heartbleed bug in the open-source OpenSSL cryptographic library is but one example. OpenSSL was embedded in thousands of products but maintained by a handful of mostly part-time contributors, and when researchers disclosed the flaw in 2014, finding and replacing every embedded copy proved difficult. Attackers, meanwhile, scanned for the affected releases (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carried the fix) in deployed software and exploited them where they could.

To resolve these issues, developers need to identify the exact version of the software library, open-source code, and tools. SBOMs will replace manual processes to collect and manage this information. This will happen because of the new responsibilities the US federal government has placed on software solution providers.
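As an added example (not code from the original article), the following Python walks a constructed CycloneDX-style SBOM (CycloneDX is one of the common machine-readable SBOM formats, alongside SPDX), matches each component’s version against an advisory range, and reports every dependency path from the product down to the affected component. The SBOM document and the advisory table are constructed here for illustration; the only real data is the OpenSSL range, which is the Heartbleed range (CVE-2014-0160, 1.0.1 through 1.0.1f, fixed in 1.0.1g). The version comparison handles OpenSSL’s letter-suffixed release numbers, which a naive string or float comparison gets wrong.

```python
"""Walk a CycloneDX-style SBOM, flag components whose version falls inside a
known-vulnerable range, and show which product dependencies pull them in.
Added example: the SBOM and the advisory table below are constructed for
illustration and do not describe any real product."""
import json
import re

# Constructed CycloneDX 1.4-shaped SBOM. "bom-ref" names a component and the
# "dependencies" section carries the graph edges (the hierarchical part).
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "payments-service", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "libcurl",   "name": "curl",      "version": "7.35.0", "purl": "pkg:generic/curl@7.35.0"},
    {"bom-ref": "openssl",   "name": "openssl",   "version": "1.0.1e", "purl": "pkg:generic/openssl@1.0.1e"},
    {"bom-ref": "zlib",      "name": "zlib",      "version": "1.2.8",  "purl": "pkg:generic/zlib@1.2.8"},
    {"bom-ref": "pyopenssl", "name": "pyOpenSSL", "version": "0.14",   "purl": "pkg:pypi/pyopenssl@0.14"}
  ],
  "dependencies": [
    {"ref": "app",       "dependsOn": ["libcurl", "pyopenssl", "zlib"]},
    {"ref": "libcurl",   "dependsOn": ["openssl", "zlib"]},
    {"ref": "pyopenssl", "dependsOn": ["openssl"]},
    {"ref": "openssl",   "dependsOn": []},
    {"ref": "zlib",      "dependsOn": []}
  ]
}
"""

# Constructed advisory table. The OpenSSL entry uses the real Heartbleed range:
# 1.0.1 through 1.0.1f affected, 1.0.1g fixed.
ADVISORIES = [
    {"id": "CVE-2014-0160", "name": "openssl", "affected_from": "1.0.1", "fixed_in": "1.0.1g"},
]


def version_key(version):
    """Turn '1.0.1e' into a comparable tuple. Numeric runs compare numerically,
    letter runs alphabetically, and a bare '1.0.1' sorts before '1.0.1a'."""
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(tok), "") if tok.isdigit() else (1, 0, tok.lower()))
    return tuple(parts)


def is_affected(version, affected_from, fixed_in):
    """True when affected_from <= version < fixed_in under version_key ordering."""
    return version_key(affected_from) <= version_key(version) < version_key(fixed_in)


def load_sbom(text):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [child refs]})."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom["components"]}
    root = bom["metadata"]["component"]
    components[root["bom-ref"]] = root
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, edges


def dependency_paths(edges, start, target, path=None):
    """All acyclic paths from start to target through the dependency graph."""
    path = (path or []) + [start]
    if start == target:
        return [path]
    found = []
    for child in edges.get(start, []):
        if child not in path:  # guard against cycles in a malformed SBOM
            found.extend(dependency_paths(edges, child, target, path))
    return found


def find_vulnerable(sbom_text, advisories):
    """Match every component against the advisory table and attach the paths
    by which the product reaches each affected component."""
    root, components, edges = load_sbom(sbom_text)
    findings = []
    for ref, comp in components.items():
        for adv in advisories:
            if comp["name"].lower() != adv["name"].lower():
                continue
            if is_affected(comp["version"], adv["affected_from"], adv["fixed_in"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "paths": [" -> ".join(p) for p in dependency_paths(edges, root, ref)],
                })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{finding['advisory']}: {finding['component']} reached via:")
        for p in finding["paths"]:
            print("   ", p)
```

Because the SBOM carries the dependency graph, the output says not merely that a vulnerable OpenSSL is present but that it arrives twice, once via curl and once via pyOpenSSL, so rebuilding one consumer leaves the other exposed. A flat component list or a spreadsheet cannot give you that.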

The Future of SBOM: Fully Assess and Monitor Software Supply Chains

SBOM integration will enable developers to identify and manage the vendors providing software in their software supply chains. Without SBOM, much of this information would not be available. The data provided by the mandated SBOMs will allow organizations to create detailed maps of the extended software supply chain for the first time, immensely improving supply chain risk management.

That is just the beginning. With a map of the software supply chain, organizations can assess each software provider’s risk and monitor events that affect them, across a host of factors from cyber hygiene to financial health. Development teams must decide whether to replace an open-source component if the provider goes out of business or stops shipping updates. Financially weak vendors may be a leading indicator of risk. Another indicator could be where the software vendor is located, a form of geopolitical, governance, or compliance risk. And the biggest issue could come down to seeing the announcement of another breached vendor and not knowing whether that vendor or its customers are in your supply chain.

SBOM, as a standard that will take shape in the months ahead, will launch a dramatic change to traditional software supply chain risk assessment. It can provide timely, accurate data to cybersecurity and procurement teams to proactively reduce risk, provided the SBOM is generated from the actual build rather than assembled by hand, since a stale or incomplete inventory gives false assurance. At the enterprise level, SBOM and the awareness it brings will reduce costs and speed development.

Operational Resilience and Software Supply Chain Risk Management

Governments and businesses are waking up and responding to a new world of risk. Planning and visibility—those are the keys to resilience, agility, compliance, and good business. The Interos cloud solution gives you an instant and continuous view of every connection in your digital and physical supply chains. With the power of artificial intelligence and machine learning, any organization can create a living map of their business ecosystem, including SBOM elements, so they can monitor actions in real time, model scenarios, and predict outcomes. Learn more here, or contact us for a demonstration.

Securing America’s Software Supply Chains From Attack: Biden’s Executive Order on Cybersecurity

A major oil pipeline shuts down. Ransomware halts city operations and online systems. A new banking trojan spreads across Europe. This may seem like an extraordinary week in cybersecurity. But, unfortunately, these kinds of ‘Black Swan’ events are no longer Black Swans. Recent incidents—including SolarWinds, Exchange, Pulse Secure, and Codecov—further demonstrate that cybersecurity and the resilience of supply chains are inextricably linked.

As the global cyber threat landscape has exploded in actors (state-sponsored, criminal organizations, and privatized non-state organizations), tools, and techniques, there has been little federal movement in cyber policy focused on strengthening defenses to counter such a diverse array of threats and interdependencies within and across organizations. However, with the publication of the Executive Order on Improving the Nation’s Cybersecurity, there is a new focus on cyber defenses and potentially the start of a significant paradigm shift in cybersecurity. As the order notes, “Incremental improvements will not give us the security we need.”

Bolstering Both Digital and Physical Security

Coming on the heels of February’s Executive Order on America’s Supply Chains, which aims to build more resilient, secure, and diverse physical supply chains, this Executive Order likewise prioritizes supply chain security. Where it differs, rightly so, is in its focus on the urgent need for enhanced digital supply chain security, while also addressing information sharing, data breach notification, modernized security standards, and safety. Together, these core themes mark a shift toward defense and private/public sector collaboration before, during, and after a cyber incident.

  • Software supply chain security: New guidelines and criteria for evaluating software security will be established, focusing on the security practices of both developers and suppliers. A Software Bill of Materials (SBOM), a formal record of the components and supply chain relationships used to build software, is to accompany each product. Work on SBOM guidance begins immediately, with the minimum elements of an SBOM to be published within 60 days. A labeling scheme will also be explored to inform consumers of the security of their products.

  • Information sharing: The dissemination of timely information across federal agencies and the private sector regarding risks and threats will be facilitated through the reduction of contractual barriers that limit information sharing as well as standardization of the data.

  • Data breach notification: Contractors will be required to report breaches on a graduated severity scale. Similar to the European Union’s General Data Protection Regulation breach notification, companies partnering with the federal government will be required to disclose the most severe breaches to the federal government within 72 hours. While the U.S. lacks a federal data breach notification policy, there are bills underway to replace the patchwork of 54 data breach notification laws across all 50 states, the Virgin Islands, Puerto Rico, Guam, and Washington, DC.

  • Security standards: With an emphasis on modernizing cloud-based services, a Zero Trust security model formalizes many of the recommendations the security industry has been advocating for years, such as multi-factor authentication and encryption of data at rest and in transit. Organizations will have to demonstrate adherence to these requirements and follow a standardized incident response playbook.

  • Safety: A new Cyber Safety Review Board comprised of both private-sector and federal representatives will be established, including cybersecurity and software suppliers, to review incidents and make recommendations. This may be modeled on the National Transportation Safety Board. The actual scope—including membership and the kinds of incidents to be evaluated—will be determined in the upcoming months.

The executive order stresses the need for strengthened defensive postures and processes at all phases of an incident, emphasizing a proactive approach to defense in place of one that has largely been reactive. This includes gaining greater visibility of suppliers and working toward trustworthy, transparent systems through a modernized approach to cybersecurity. Importantly, this applies not only to your organization’s security but to security across your entire supply chain network. The introduction of security standards and information sharing demonstrates the emphasis on collective security to help target and reduce vulnerabilities across the entire supply chain. The days of a “perimeter defense” are gone and, as the executive order articulates, the public and private sectors must work together for the collective security of all.

Operational Resilience: Public- and Private-Sector Collaboration

While the executive order is already framed as a response to the Colonial Pipeline attack, in reality it has been months in the making. Following the breadth and depth of the state-sponsored SolarWinds intelligence-gathering campaign, which compromised at least nine federal agencies and roughly 100 private sector organizations, administration officials began circulating various components of the executive order. It is just one component of a nascent strategy shift focused on strengthening security, creating more resilient supply chains, and building trusted networks within the U.S. and with like-minded partners. With this steady drumbeat of high-profile breaches and localized, financially motivated ransomware attacks such as the Colonial Pipeline hack, the executive order may be a harbinger of many regulatory changes to come as the federal government seeks to modernize cybersecurity and technology policy, strengthening defenses, securing supply chains, and ultimately bolstering operational resilience for an era of technological competition and geopolitical friction.

As Bob Brese, former CIO at the U.S. Department of Energy and a current board advisor to Interos, observes: “Broadly enhanced cybersecurity improvements are critically needed. However, as articulated in the Executive Order on America’s Supply Chains, cybersecurity is one of many lines of effort necessary to ensure operational resilience for companies and government organizations as well as to enhance our nation’s economic and national security resilience. We can’t let this need to improve cybersecurity lead us to drop the ball on the other supply chain risk factors impacting operational resilience.”

Nested Networks: Hidden impacts to Supply Chain Risk Management & Operational Resilience

The ongoing crises of the past 15 months have practically upended supply chain risk management. COVID, SolarWinds, Texas power outages, microchip shortages, backed-up waterways, a massive cargo ship stuck sideways in the Suez, and other incidents have threatened the stability of the global economy. These disasters have prompted organizations to rapidly uncover their reliance on “nested networks,” groups of suppliers that are hidden from conventional visibility but are crucial to continued operations.

To achieve operational resilience, organizations must continue to rethink how they look at supplier relationships and these nested networks. Only by visualizing and understanding these connections can organizations finally better anticipate and quantify supply chain risk.

Visualizing the Nested Network in Your Supply Chain

Your primary supply chain network is mostly one of business relationships. You buy parts, raw materials, services, and software from a wide variety of vendors, some large, some small, some foreign, and some domestic. Most large companies have global footprints, whether they intend to or not.

Nested Network Layer 1: Business Network

Imagine your primary supplier of microprocessors has a fire at one of its factories and you don’t maintain a mountain of inventory. Assuming you can’t easily substitute another vendor, that’s a major production problem for your business. This is a first-tier network disruption that is probably obvious to your organization and easily discoverable through traditional supply chain risk management methods.

Nested Network Layer 2: Transportation

Most goods and services need to be physically transported somewhere else to be consumed. If you are a fashion retailer in New York buying denim pants from a factory in Pakistan, do you have a business relationship with the Suez Canal Authority? No? Well, of course you do, because those articles of clothing go into a container, which goes on a ship that travels through a waterway like the Suez Canal before being unloaded in New York. The maritime, air, rail, and trucking networks of the world are embedded in your business, often out of sight and out of mind. You might think that the transportation and logistics network is also obvious and easily quantified and visualized. Maybe. But that’s not the end of the nested, and often hidden, network.

Nested Network Layer 3: Money

In order to have those denim pants shipped to you, you probably needed to pay someone. Money needed to change hands, and since it’s unlikely you pay all your vendors in cash out of the back of your loading dock, you are depending on yet another nested network.

Money movement is sometimes opaque and difficult to understand. How exactly does the money from your account at your local bank make its way across the world and into another business’s account in a verifiable and trusted way? If you said, “via a nested network,” you get a gold star. These networks include payment rails and routing systems like Fedwire, CHIPS, ATM networks, ACH, SWIFT, and even cryptocurrencies such as Bitcoin, Ethereum, and many others. ACH networks get defrauded; ATM networks can go down. These financial networks don’t get disrupted often, but, as we’ve learned, disruptive events are out there, they are happening more often than ever, and organizations need supply chain risk management approaches that can anticipate such unlikely, but disastrous, eventualities.

Nested Network Layer 4: Telecom

Different from cyber or the internet, telecom is a mix of technologies, some dating back 100 years, that includes plain old telephone system (POTS) lines, microwave towers, submarine fiber optic cable, telco hotels, and LTE/5G. I will also lump GPS in there as well, realizing it could also fit in several places. Thick copper and fiber optic cables snake around the world going into peering exchanges, central switching facilities, across bridges, through tunnels, under shipping channels, and onto rocky beaches. Satellites and ground stations plug into those cables literally and metaphorically. You can have multiple offices, maybe even multiple data centers, all being fed off the same cable. And sometimes weird stuff happens to those cables—unexpected things involving ship anchors and backhoes.  Your digital data supply chain is just as vital as your physical one. But it’s not as visible, and unless you truly understand how it works, you can easily have a false sense of security and resilience.

Nested Network Layer 5: Cyber

Cyber networks are related to telecom, but they are substantially different. Cyber is really all about today’s internet and our dependence on that specific slice of communications technology. You would be hard pressed to come up with a list of big companies that don’t depend on cyber networks to conduct business. That means they are also dependent on yet another hidden network.

There are foundational technologies networked together that lurk right beneath the surface, controlling how your data moves across the internet. The Domain Name System (DNS), which turns names into addresses, and the Border Gateway Protocol (BGP), which decides the path enterprise traffic takes between networks, are distributed across servers all over the world, were designed on trust rather than verification, and are not nearly as robust as you might think. A BGP router will, by default, accept and re-advertise a neighbor’s claim to own an address block without checking it. If you’re sending data from the U.S. to Italy, should it take a detour through China? Probably not, but that is what happened in 2016 when China Telecom’s route announcements drew internet traffic through its domestic infrastructure rather than letting data take the most efficient path. In 2010, a China Telecom misconfiguration (accidental?) announced routes covering roughly 15% of the internet’s address prefixes for about 18 minutes, pulling traffic for those networks toward China.
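To make the trust problem concrete, here is an added example (not from the original post) of the origin check that RPKI route-origin validation layers on top of plain BGP. It uses a constructed table of authorized (prefix, maxLength, origin ASN) entries, shaped like RPKI ROAs, and a handful of constructed announcements, and classifies each one as valid, invalid, or not-found following the RFC 6811 rules. The prefixes are documentation ranges and the ASNs are private-use numbers; none of this is real routing data, and the post itself does not discuss RPKI.

```python
"""RPKI-style route-origin validation over constructed BGP announcements.
Added example: ROAS and ANNOUNCEMENTS are made up here to show the check
and are not real routing data."""
import ipaddress

# Constructed authorized-origin table shaped like RPKI ROAs:
# (prefix, maxLength, origin ASN). A ROA states that this ASN may originate
# this prefix and any more-specific prefix down to maxLength.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
    ("2001:db8::/32", 48, 64500),
]

# Constructed BGP UPDATEs as a route collector would see them:
# (announced prefix, AS_PATH). The origin ASN is the last hop in the path.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64500]),       # legitimate origin
    ("192.0.2.0/24", [64520, 64666]),       # same prefix, foreign origin: hijack
    ("198.51.100.0/25", [64510, 64501]),    # more-specific within maxLength: fine
    ("198.51.100.0/26", [64510, 64501]),    # more specific than maxLength: invalid
    ("2001:db8:1::/48", [64510, 64500]),    # IPv6 covered by the /32 ROA
    ("203.0.113.0/24", [64510, 64530]),     # no ROA at all: unknown
]


def validate_origin(prefix_str, origin_asn, roas):
    """RFC 6811 origin validation.

    valid     - some covering ROA has the same origin ASN and the announced
                prefix length is <= that ROA's maxLength
    invalid   - covering ROAs exist but none satisfy both conditions
    not-found - no ROA covers the announced prefix at all
    """
    prefix = ipaddress.ip_network(prefix_str)
    covered = False
    for roa_prefix_str, max_len, roa_asn in roas:
        roa_prefix = ipaddress.ip_network(roa_prefix_str)
        if prefix.version != roa_prefix.version:
            continue  # subnet_of() refuses to compare v4 against v6
        if not prefix.subnet_of(roa_prefix):
            continue
        covered = True
        if roa_asn == origin_asn and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def check_announcements(announcements, roas):
    """Classify each announcement by its origin ASN (last AS in the path)."""
    results = []
    for prefix, as_path in announcements:
        origin = as_path[-1]
        results.append((prefix, origin, validate_origin(prefix, origin, roas)))
    return results


if __name__ == "__main__":
    for prefix, origin, state in check_announcements(ANNOUNCEMENTS, ROAS):
        print(f"{prefix:20} origin AS{origin:<6} {state}")
```

Plain BGP would install every one of these routes; the check changes the outcome only where a network actually drops “invalid” announcements, and many still do not. Origin validation also cannot catch an attacker who forges a path ending in the legitimate origin ASN, so it is a floor for routing security, not a ceiling.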

The threats and vulnerabilities to your company’s cyber operations are well documented and hard to miss. Phishing emails, ransomware, bot-based distributed denials of service, and malware propagation have become household words at this point, and they rightly get most of the attention. However, the hidden network of technologies behind the internet are a tempting target and ripe for disruption. The question is: Where does your organization’s cyber infrastructure intersect with the larger internet and how can your supply chain risk management function better anticipate and prepare for situations where everything is not working as it should?

Gaining Insights and Visibility into the Complexity of Your Nested Network

Your supply chain is an interwoven group of visible and hidden nested networks that tend to behave normally most of the time but are subject to chaotic interactions that are nearly impossible to predict or anticipate. You may be aware of some of the critical weak points, but it is increasingly difficult to know them all at any given moment in time.

If you expand your collective definition of what constitutes the supply chain to include the concept of nested networks, you can better frame the problem. You can take advantage of new and existing technologies — such as all-source data fusion, anomaly-event detection, time-series forecasting, and dependency graphs — in ways that will change how you see and manage your supply chain.

You can’t be immune from supply chain failures, but you can be prepared. You can see and monitor your full supply chain down to the Nth tier, understand your nested networks, and achieve operational resilience. The right partner can help you identify the data, tools, and technologies you need to deal with these events when they occur. Reach out to us to see how.

End of an Era: Legacy TPRM Solutions Do Not Create Operational Resilience (Part 4)

As discussed in “The Black Swan is Dead” blog, corporate boards and government agency heads are demanding visibility into their supply chain risk exposure and are starting to hold the organizations — and their leaders — personally responsible. They cannot wait days, weeks, or potentially months for answers. They want to know now, and they want to know what steps the company or agency is taking to prevent the next big COVID- or SolarWinds-like supply chain shock. In other words, they want Operational Resilience.

Even in this new world where “not knowing” is no longer an acceptable excuse, companies and agencies are still operating in silos. They are still using manual processes and point-in-time tools, such as Third Party Risk Management (TPRM), Supply Chain Risk Management (SCRM), spreadsheets, and surveys. These all fail to map, monitor, and model extended supply chains, capabilities without which you cannot reduce risk, avoid disruptions, and achieve dramatically superior resilience.

TPRM Is Too Limited in Scope

Building on existing vendor risk management and supplier risk management tools, TPRM attempts to broaden the focus beyond just vendors and suppliers to include all kinds of third parties. For TPRM vendors, this allows them to expand their market from manufacturing companies to all commercial entities. Most are point solutions, but the big Supplier Relationship Management (SRM) and Supply Chain Management (SCM) vendors have rolled out TPRM modules.

What TPRM solutions do:

  • Surveys
  • Single-risk focused

What they don’t do:

  • Visualize the extended supply chain
  • Provide ongoing monitoring
  • Look at the ripple effect of global events
  • Capture complex, multi-factor risks

Supply Chain Risk Management Tries to Regulate Operational Resilience

Through a series of regulations and legislation enacted over the past decade, the US government has prompted organizations to leverage increasingly formalized approaches to SCRM, which is officially defined as:

“A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the suppliers’ product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).”

Unlike TPRM, SCRM enables a couple of critical elements needed for Operational Resilience:

  • SCRM clearly calls out that sub-tier suppliers need to be evaluated and tracked.
  • Cyber and financial stability risk are top priorities, but so are foreign ownership, location of facilities, counterfeit products, and other factors.

What is still missing with SCRM?

  • The process uses a regulatory and compliance approach. This means setting mandates for an unwieldy 300,000 defense companies and their extended supply chains. Companies see this as a compliance issue and the cost of doing business instead of a way to ensure Operational Resilience.
  • It still relies heavily on self-reported, annual surveys to collect information, which is inadequate for supply chain security and continuity.

Operational Resilience is the New Standard

To achieve Operational Resilience, organizations require tools that can:

  • Instantly discover the Nth tiers in your supply chain.
  • Provide situational awareness based on automatic, broad, multi-factor risk assessment.
  • Evaluate “what if” scenarios and alternative suppliers.
  • Be updated on a continuous basis in near real time.

In addition to these tools, “risk and resilience leaders” must find a structured approach to implementing organizational change. The Resilience Operations Center (ROC), described in Part 2 of this series, more than fits the bill. The ROC represents a new approach to modern supply chain security and continuity, delivered through an enterprise-wide framework that ensures supply chain risk management (SCRM) objectives are tied to organizational goals. It brings previously siloed groups together to form agile and informed teams that are empowered to use data intelligently and to react quickly to changing circumstances.

We’ve seen it work in a variety of industries, and our customers are using ROCs to dramatically change business outcomes for the better.

To learn more about Operational Resilience, the ROC, and the technology that can enable it, visit www.interos.ai.

Operational Resilience is Now Everyone’s Job (Pt. 3 of 4)

You know you’re only as secure as your weakest link.

When it comes to your supply chain, that link could be one of your suppliers, your suppliers’ suppliers, multiple internal teams, or any of the thousands of employees whose daily work impacts how you source, distribute, process, and ship materials. That means your operational resilience is not the job of one department or manager—it’s everyone’s job.

With today’s varied and constantly shifting risk factors, keeping the supply chain safe depends on connected teams and coordinated decision-making. The two previous posts in this series explained how the death of Black Swan events has created a need for a Resilience Operations Center—an organizational framework for monitoring and mitigating supply chain risk factors.

But where in the organization does operational resilience responsibility belong?

Supply chain threats are organizational threats

Cyber security mitigation became everyone’s job once business leaders saw that internal silos and lack of education were putting the entire organization at risk. Bad actors seek out and exploit weaknesses anywhere they can find them. Supply chain risk is very similar. If a risk exists in one part of the supply chain, it makes the entire system weaker because suppliers rely upon each other for compliance and governance.

The need for a Resilience Operations Center (ROC) has never been greater as the role of supply chain security is shifting to the entire organization rather than traditional silos.  And you are only as secure as your weakest link.

Creating a silo-less supply chain

The status quo in supply chain risk management is to have multiple groups looking at a small piece of the problem, with little communication or coordination between them, a fragmented approach to risk that is no longer acceptable. Traditionally, these threats were addressed separately by the chief security officer (CSO) or chief information security officer (CISO), legal and governance teams, and procurement. Many companies have recently added a chief risk officer (CRO), but that role often does not cover the supply chain. A new solution is needed, one that connects stakeholders and ensures information is shared freely between them.

For example, consider a business reliant on high quality steel for its products. Imagine they purchase lower quality components at some point, which results in a poor product and a dip in customer loyalty. In a traditional organization, the role of addressing this problem would be divided among multiple groups, often with different goals. The purchasing team wants low-cost materials and may ignore concerns about quality. The product teams need high quality steel to support the design. The governance and legal teams only get involved much later in the process. The CISO wants to ensure the company only uses vendors with good cyber hygiene. The marketing team promoted the product as high end. What results is often finger pointing, uncoordinated responses, and a long, difficult process to sort out and remedy the issue. Meanwhile, customer frustration grows.

Organizations must tear down the silos in order to create a central organization to address these issues. A ROC can act as that central resource by connecting teams, laying out clear processes, and creating reliable decision-making criteria for managers.

A top-down approach and awareness are keys to success

Fortunately, events of the past 14 months have created an awareness in the C-Suite that has put the health and agility of the supply chain squarely in the purview of the CEO and Board. Getting executives to see and understand the big supply chain picture, fostering a collaborative environment, and setting organizational goals used to be far harder. The solution requires a top-down approach; it is near impossible for one department or team to achieve these objectives on its own. Spending time and money vetting a supplier against your risk reduction goals is wasted if your purchasing team then picks a different supplier purely because it is cheaper, however good the vetted supplier’s security policies may be.

Siloed actions create winners and losers within an organization. Leadership needs to ensure teams are acting as a single entity, not as individual units. Group success benefits everyone, and group failures allow for learning experiences—a chance to understand gaps or mistakes and implement best practices.

Again, the ROC helps create and sustain this kind of mindset. It enables communication, improves visibility, and keeps teams focused on big goals and shared KPIs through a set of tools and processes, including:

  • Coordinated risk assessment
  • Supplier relationship mapping
  • Continuous monitoring
  • Incident response teams
  • Single-source-of-truth dashboards
  • Insight sharing and real-time alerts
  • Outcome modeling and predictive insights
  • Closed-loop processes for lessons learned

Most supply chain risk management (SCRM) programs and processes fall well short of what organizations need in today’s complex threat environment. Ad hoc tools, point-in-time surveys and spreadsheet-driven systems can’t close that gap: they are too limited in scope, not agile enough, and don’t align with or help meet wider enterprise objectives.

Who understands your supply chain?

For agile, competitive companies, this is a long list. If it’s only your VP of supply chain and your procurement officer, you’re not doing enough to achieve operational resilience. A list of supply chain stakeholders needs to include:

  • CEO and CFO
  • Procurement
  • IT (CIO) and information security managers
  • Regulatory officers
  • General counsel
  • Business unit heads

That’s just the minimum. A broad base of connected team members creates a foundation for a number of supply chain and business benefits, from better risk management and business continuity planning to speed-to-market and customer satisfaction.

We’ve been warned, now it’s time to act

Cyber security fears (and failures) motivated organizations to rethink how they monitored and responded to technology threats. Will the supply chain events of the past year, and the ongoing looming threats, inspire similar action?

In an era where the workforce has more freedom than ever before, every remote user is a possible entry point for a supply chain-driven cyberattack. We are all responsible for supply chain integrity and operational resilience. It is only by working together, sharing information, and reducing organizational silos that we can support a healthier, more resilient supply chain. This is the guiding principle behind – and function of – the ROC.

Why wait until the next supply chain shock to start building a ROC when your business, brand, and reputation are already on the line? If you’d like to see how Interos can help your organization achieve operational resilience, reach out for a solution demonstration.

Supply Chains & The ESG Imperative: The Buck Stops with the C-Suite

Nike and Chipotle tied executive compensation to sustainability goal achievement. Mary Barra of GM allocated $27B to the development of electric and self-driving vehicles through 2025. Citi recently added circular economy and sustainable agriculture focus areas for its $250 billion Environmental Finance Goal, which it expanded from the original $100 billion goal that it met four years early. Environmental, Social, and Corporate Governance (ESG) is a top concern for today’s businesses and it’s not going away.

This said, there are plenty of businesses still grappling with the challenge. Whether it’s unethical child labor practices in China creating business concerns for H&M or environmental recklessness in the Amazon region creating problems for McDonalds, Walmart, and Costco, these days the C-Suite is working hard to gain real visibility into risks lurking deep in the supply chain that could cause serious negative repercussions back at HQ.

Let’s call it the new ESG imperative. The movement towards embracing ESG responsibility as a core corporate value has been a long time coming. 2000 saw the launch of the Global Reporting Initiative, which redefined corporate governance to include sustainability measures. Today, these standards have been adopted by more than 80% of the world’s biggest corporations.

Sustainable Investing & Regulations Drive Adoption

ESG has risen to even greater prominence today as a form of sustainable investing, whereby investment into new ventures is evaluated through a more holistic lens that looks at the environmental sustainability and societal impact of the funded project and not merely at its projected raw financial performance.

To be sure, there is a growing sense that ESG-funneled investments will perform better than most, as the global community begins to place increased priority on ethical behavior, fair labor practices, combatting human rights abuses, diversity, inclusion, and climate change. In 2018, a survey on climate and sustainability services found that just 32% of investors conduct a structured review of ESG performance. By 2020, that number had jumped to 72%. The pandemic has added fuel to this argument: sustainable equity funds withstood the early pandemic market dips better than their non-sustainable counterparts.

Let’s be clear. There are laws and regulations that will force us to take responsibility for certain aspects of our supply chain. Here in the United States, for instance, the Securities & Exchange Commission (SEC) is promulgating an effective ESG disclosure system – one that would require publicly traded companies to elucidate their broader ESG exposures in their extended supply chain, as part of their annual 10K filings, beyond some existing mandatory disclosure requirements in the area of board membership diversity.

The SEC’s John Coates, Acting Director of Corporate Finance, said on March 11, 2021: “The SEC is well equipped to lead and facilitate a discussion on when and how ESG risks and data must be disclosed, and how to create and maintain an effective ESG-disclosure system that would promote the disclosure of decision-useful, reliable and, where appropriate, globally comparable ESG information.”

“There remains substantial debate over the precise contents and details of what ESG disclosures might or should encompass. Part of the difficulty is in the fact that ESG is at the same time very broad, touching every company in some manner, but also quite specific in that the ESG issues companies face can vary significantly based on their industry, geographic location and other factors,” Coates added.

This isn’t mere posturing. Last Friday the SEC put out a risk alert, citing instances of misleading claims, inadequate internal controls, and weak policies found in an examination of investment advisors, companies, and funds.


Flipping the Script

Clearly, this is only the beginning of what is to come from a government mandate perspective. Even without strong compliance drivers, there are ample, solid business reasons for executives to move proactively to 1) understand and visualize their ESG profile in their extended supply chain and 2) optimize how they position their ecosystems to be operationally resilient and to yield top performance by being “ESG-forward.” It’s short-sighted to see this in defensive or even cynical terms, or to think that real hard-nosed business execs don’t really take ESG seriously. But implementing that desire can be difficult. As I recently told the Financial Times, such businesses want help identifying their exposure but struggle with the many tiers of suppliers on which they depend.

What if we can flip the script? Go beyond what is merely the minimum (the basic “compliant” level) and actually find and reward positive behavior. The power of transparency means the right thing to do is a massive business opportunity. This goes beyond the investment world; this goes straight to the core of the corporate world and the myriad extended supply chains of finance, manufacturing, energy, aerospace and defense, pharma, automotive and beyond.

Done right, we can encourage the creation of a better, healthier, safer global economy and help rebuild trust in the global supply chain. We can reveal and reward the good, as well as see the bad and attach a higher cost of doing business to those outdated ways of operating.

Likely Changes for the Future

To be sure, there have been a number of self-correcting moves along these lines of late. The large solar-power industry here in the U.S., represented by the Solar Energy Industries Association, resolved to eschew solar-panel product components from a region of China reportedly involved in unethical child labor. The SEIA has been urging its members to move supply out of the Xinjiang autonomous region following reports of forced labor among the local Uighur ethnic-minority population.

Relatedly, numerous international companies involved in sourcing components from the same region – making a range of products from footwear to consumer electronics – are reevaluating their sourcing from Xinjiang in western China as reports surface of forced labor in factories located in this remote region.

In sum, when speaking of resilience in supply chains, more and more companies are realizing that we all have a shared responsibility for upholding our values, protecting the environment and finding a visible seat at the table for ethics. More and more boardrooms, rightly so, are focused on a business’s exposure to ESG risk. It’s a matter of improving your top and bottom line and of securing your brand’s global reputation.

The following hypothetical scenarios show how improved visibility into your extended supply chain, combined with a will to adopt an ESG-forward posture as the new normal, could prompt businesses to:

  • Not source lumber from native forests that are not being replenished… in the case of a worldwide home-goods producer
  • Refrain from using products tested on certain species… a CPG giant focused on personal care products
  • Eliminate the use of child labor at cobalt mines in Congo… a global electric-car/hybrid automaker
  • Ensure diversity in your supplier base to increase innovation and economic impact in various socioeconomic demographics

At Interos, we enable companies to monitor that risk in real time based on automated models that look at relationships and events around the globe. Our customers are able to see their commitments, as well as their risk, down to five or more tiers in their supply chain when it comes to environmental damage and protection, gender inequality, governance, labor practices and unethical sourcing. The rising prominence of ESG reflects the moral imperative that faces us as business leaders to hold ourselves accountable for the future of our planet and future generations.

Jennifer Bisceglie, founder & CEO, Interos

Why You Need a Resilience Operations Center – The Case for Operational Resilience (Part 2)

In the first post in this series, we talked about the death of Black Swan events—how the challenges of the past year necessitated a new approach to supply chain preparedness. Being caught off guard by unlikely events isn’t an option anymore.

The downside to this new environment is that supply chain shocks are more common and more costly than ever. The upside is that technologies and new business frameworks exist that are helping organizations map, monitor, and model their global relationships to improve outcomes and uncover opportunity.

A Paradigm Shift in Supply Chain Continuity and Security

Organizations have been using Security Operations Centers (SOC) for decades. They have been instrumental for tracking information on internal and external supply chain threats and helping teams manage responses.

But the variety and speed of those threats have changed, with financial, cyber, regulatory, geopolitical, operations, and environmental/social/governance (ESG) risks happening in every tier of an enterprise’s supply chain, continuously. The internal roles have changed, too, and include risk managers, cyber security analysts, procurement teams, IT, and other groups. They all require high quality real-time data and close coordination.

The Resilience Operations Center (ROC) meets these needs and more. It represents a new approach to modern supply chain security and continuity, delivered through an enterprise-wide framework that ensures supply chain risk management (SCRM) objectives are tied to organizational goals. It brings previously siloed groups together to form agile and informed teams that are empowered to use data intelligently and to react quickly to changing circumstances. We’ve seen it work in a variety of industries, and our customers are using ROCs to dramatically change business outcomes for the better.

The Roots of Supply Chain Vulnerability

The world has seen unprecedented business process and supply chain disruption. While many companies have suffered, some have survived and even thrived in this new environment. Several organizations were able to reposition the supply chain quickly and efficiently and meet or exceed their customers’ needs. To understand what sets them apart, we need to first review some history.

If you’ve studied supply chains in recent years, you’ve likely focused on Just-In-Time (JIT) or lean manufacturing. This approach prioritizes reducing excess inventory — only ordering components when needed and keeping spare parts to a minimum to reduce storage costs.

Globalization has also impacted modern production methods. Many global organizations pull components from far-off sources. Parts are made in different factories, then shipped to central locations for assembly. For service companies, software can be written anywhere in the world and then merged into the final product. This is often done to leverage existing resources and partnerships, or to avoid taxes and regulations.

The result of these factors and approaches was a perceived increase in efficiency and cost savings. However, those benefits could only be realized in an environment of limited and easily controlled disruptions. Deep and detailed planning seems unnecessary when things are going well. But the death of the Black Swan has changed the playing field. More events are coming, and you have to prepare for them. “Not knowing” is no longer an excuse.

Traditional Risk Management Is Outdated

Organizations typically leverage operational risk management (ORM) teams and perform disruption planning. However, the scope of much of this planning is limited to traditional events with limited global impact. For instance, an organization may plan for well-known seasonal storms that could impact their shipping. But the possibility that a national border would close for a year due to a world-wide pandemic, or that trading bloc statuses could suddenly change and upend international shipping laws, just wasn’t considered. Not to mention a prolonged accidental blockage of the Suez Canal by a wayward container ship.

Compounding the problem, most supply chain risk management (SCRM) approaches rely on point-in-time supplier risk assessments made up of ever-expanding questionnaires, surveys and the like. These manual processes are meant to assure internal teams and business partners that the risks they are taking—from sourcing raw materials in the supply chain to outsourcing core business functions—are acceptable. In reality, they waste time, treat all suppliers equally, consume precious resources, and provide limited insight into risks.

Many organizations have learned through experience just how dependent they are on the actions and vulnerability of other parties, from the first tier to the Nth tier. Events large and small across multiple risk factors happen without much notice, and the deeper they are in your supply chain, the less warning you often have.

Organizations need pro-active, continuous visibility and engagement across multiple risk factors. They need to act quickly and in coordination with suppliers to identify, understand, and respond to events. And they need to anticipate emerging risks — eliminating or mitigating them before they impact business operations, assets, or clients. This is the definition of Operational Resilience—and what standing up a ROC enables you to achieve.

The ROC: Deep Planning and Full Visibility = Supply Chain Preparedness

Organizations in every industry—from manufacturing and logistics, to services providers and digital businesses—are looking for a way to map, monitor, and model their supply chains. As we’ve seen, most solutions currently in place are too limited in scope, not agile enough, and do not align with or help meet wider enterprise objectives.

A ROC solves these problems by creating an enterprise-wide framework that:

  • Acts as a single, centralized resource and coordination point within your organization and with your extended supply chain.
  • Provides a real-time view into your organization’s supply chain risk and a means for monitoring and taking immediate proactive action to ensure ongoing operational resilience.
  • Identifies key stakeholders and functions and helps mobilize them for risk event-planning, scenario analysis, and probability forecasting.
  • Helps you pro-actively leverage resources to quickly detect, respond to, and recover from incidents when they occur.
  • Provides a consistent measurement and reporting framework for senior management, board of directors, and other stakeholders.
  • Monitors existing and emerging risks and speeds corrective actions.
  • Embeds lessons learned from previous incidents into organizational DNA, making you more resilient to future events and incidents.
  • Serves as a catalyst for leveraging your supplier relationships, building trust across your entire supply chain, and empowering suppliers to work together to manage risk while creating mutual value.
  • Optimizes SCRM and reduces supplier duplication, minimizing the risk of a data breach and reducing administrative costs.
  • Enables intelligence functions and information sources to share and analyze data continuously at an organizational level.
  • Shares SCRM program insights with organization stakeholders to speed response times and minimize disruption and shorten recovery time.

The ROC framework can drive these outcomes because it’s based on three simple but vital principles: connecting SCRM and organizational goals, breaking down silos, and modernizing threat detection and mitigation. Plus, it provides the insight and agility needed to capitalize on never-before-seen opportunities.

Keep your eye on this space next week for parts 3 & 4 of our series on operational resilience AND stay tuned for more information on the ROC!

Panel: Solar Winds and the Supply Chain Threat We’ve Ignored for Too Long

Insights from Jennifer Bisceglie, Alpa Inamdar, Agnes Berecz, and Renee Forney

CEO and founder of Interos, Jennifer Bisceglie, moderated a lively and informative panel for this year’s OpRisk Global virtual event, “Solar Winds and the Supply Chain Threat We’ve Ignored for Too Long.”

Joined by an all-woman virtual roundtable of industry veterans — Alpa Inamdar, Head of Third Party Risk Governance for BNY Mellon; Agnes Berecz, Senior Risk Analyst for Danske Bank; and Renee Forney, Senior Director, Azure Hardware Systems Information Security, for Microsoft — Jennifer led the discussion of how massive cybersecurity breaches like Solar Winds must shape boardroom discussions surrounding supply-chain resilience moving forward.

Solar Winds, COVID-19, and the not-so-“Black Swan” events that cause disruption

“These highly public attacks will certainly not be the last… what have we learned and where do we go from here?” Bisceglie posed to participants.

An estimated two-thirds of highly publicized cyber breaches reportedly now occur through the supply chain, and the magnitude of the impact is immeasurable with no predicted endpoint.

Real-time visibility into extended supply chains — and full accountability for risk — has become vital for any organization to operate in the current landscape. Within the boardroom, it is now an expectation to understand the end-to-end supplier chain when working with critical vendors. Over the last year, many corporations became acutely aware of their siloed approach and were forced, by exogenous shocks (COVID-19, Solar Winds, ongoing trade wars) to the supply chain, to determine a new strategy – one that would involve more than just point-in-time visibility of supply nodes down to say two tiers.

“Because of the current situation that we’re going through — a pandemic — organizations and industries are changing significantly at a very fast pace. So that single point of time will not [represent] all operations. You need more data. You need more analytics,” said BNY Mellon panelist Alpa Inamdar.

A risk associated with any one supplier is potentially a risk to the entire supply chain. Events like the Solar Winds supply chain hack illustrate how cyber risk issues can emerge and proliferate via exposure through third-party vendors. It’s become even more apparent over the past year that the interconnectedness and the interdependencies among vendors and solutions form a complex web that’s ever-changing. And, by necessity, things have started to advance beyond the traditional semi-annual, manual supply chain analysis of days gone by, which served only as a snapshot of risk.


Compliance and cybersecurity must go hand in hand — “Ditching the three-ring binder”

“I think we’re in a position now where we have to challenge our traditional way of thinking, right? We all come from the ‘three-ring binder’ point in time assessment model… we have to move beyond the point in time assessment to utilizing a multilayered approach to assessing our vendor population,” said panelist Renee Forney with Microsoft. “A continuous monitoring model is key for 2021.”

Long gone are the days of measuring risk assessment focused on only the first, second, and, at most, third supply chain tiers — that only provides insight into the tip of a supply chain iceberg.

Corporations have to move into a threat-based, intelligence-led risk management model. It’s important to be able to look at vendors on an ongoing basis, to be able to understand where they reside in the supply chain, and to clearly assess their level of importance to the company’s mission and the criticality of operations.

What’s next and how do we get there?

Operational resilience can’t happen overnight; it’s always going to be an ongoing process. That said, it’s crucial to integrate a continuous monitoring model with a layered approach. Understanding where to put resources, determining the mission criticality of different vendors, and having a model that allows room for flexibility with backup options will put everyone in a better position to halt disruption before it starts.

Every supply chain is inherently exposed to risk, but in working with a provider like Interos, corporations and government entities are able to analyze the level of risk associated with any supply chain decision and monitor it on an ongoing basis in order to prepare for potential disruption or stop it in its tracks altogether.

“We are actually very, very hopeful that this digital operational resilience act will be introduced with the proper support and pillars because exactly this is what we need,” said Danske Bank panelist Agnes Berecz. “We need this digital, cyber, and third-party requirement to wrap together holistically so that we, as a financial industry, are able to be more resilient and provide products and services to our customers…Ultimately, this is a business issue and if we are going to have issues with these areas, our customers and shareholders will pay the price.”

The Black Swan Is Dead – The Case for Operational Resilience (Part 1)

What is Operational Resilience?

Operational resilience is the ability of a commercial or public sector organization to continue to provide their products or services in the face of adverse market or supply chain events (“shocks”). Given the remarkable disruptions of the past year, you know if your supply chain is resilient or not. An organization lacking operational resilience:

  • Scrambles to cope with events as they happen
  • Wastes resources because of siloed teams, duplicated efforts, or poor communication
  • Suffers brand damage because of product or service disruptions or slowdowns

On the other hand, organizations that are operationally resilient:

  • Continuously monitor for potential risks and proactively make adjustments to minimize and potentially prevent disruption
  • Quickly identify disruptive events to evaluate exposure, find alternatives, and respond fast
  • Anticipate, model, and plan for possible scenarios and build the organizational skills to address and respond to these challenges

Only operationally resilient organizations can minimize disruptions, recover from shocks faster, protect their reputations, and ultimately capitalize on opportunities. In this age of hyperconnectivity, being operationally resilient isn’t just about managing risk, it is just good business.

There is No More “Not Knowing”

In 2020, we witnessed a watershed year of “Black Swan” events. So much so that the phrase does not really apply anymore—we can’t pretend that these kinds of disruptions are rare, unpredictable, or even shocking. It is not a matter of “if” similar events will occur, but when. Which is why governments are putting in place legislation (e.g., Germany’s “Initiative Lieferkettengesetz”) and regulations (such as EO14017, NDAA FY19 Section 889, and CMMC in the U.S.) to hold organizations and executives responsible for making sure these events do not impact national security, economic prosperity, and public safety.

Given the threat of backdoors, bad actors, and bottlenecks, today’s corporate boards of directors and government leaders around the world need to ask tough questions of their organizations:

  • Is SolarWinds in your digital supply chain? If so, where and how might it come back to harm the organization?
  • When is your sensitive or confidential data shared with partners or with their partners? Do you know who your partners’ partners are and how they are protecting your data?
  • Do you use suppliers (or suppliers to your suppliers) who operate in the Xinjiang region where forced labor is a growing global concern?
  • Which of your suppliers (or suppliers to your suppliers), if they were to pause or cease operations, would significantly disrupt your operations?
  • Which of your suppliers (or suppliers to your suppliers) show up on any of the many prohibited or restricted lists (e.g., Section 889)? And are you tracking their subsidiaries, affiliates, or controlled entities?

Corporate boards and government leaders are demanding to know what their exposure is and are starting to hold the organizations—and their leaders—personally responsible. They cannot wait days, weeks, or potentially months for answers. They want to know now and they want to know what steps the company is taking to prevent the “next one.”

How does your organization respond to these demands and this level of oversight? In today’s fast paced world, responding before your competitors is not just a competitive advantage, it may be essential to your organization’s brand, reputation, and very survival—and your continued employment.

Institutionalizing Operational Resilience – People and Processes

Commercial and public sector organizations looking to achieve operational resilience face challenges inherent within their own organizations:

  • Shift behavior from response to prevention. Eisenhower was quoted as saying, “Plans are worthless, but planning is everything.” What this means is that today’s organizations require a change in mindset: they need to anticipate, prevent, evaluate alternatives, and model all scenarios and options. Reacting to events as they happen is not sufficient in today’s competitive market.
  • Make managing risk an organization-wide job, not the domain of one person or team. Current approaches to managing risk are siloed within business units, such as procurement, supply chain operations, and IT, or in single focus organizations, such as information security and compliance. By breaking down silos, organizations improve how they coordinate, collaborate, and prepare. Those are essential capabilities when you need to uncover risk across activities and proactively respond faster and smarter to modern threats.
  • Manage risk beyond the walls of your company. Today’s organizations rely on an extensive network of suppliers and partners that play an integral part in developing and producing their products and services. Yet most do not know who these suppliers and partners are. Only by identifying third-party relationships in the extended supply chain can an organization decide if those connections are a good or bad business choice, thereby identifying and preventing potential risk.


To meet these demands, leading organizations are looking to expand from their decades-old, learned experience in setting up and running Security Operations Centers (SOC) by embracing the Resilience Operations Center (ROC). This is a framework that, from the onset, connects people and processes to organizational goals around operational resilience.

Institutionalizing Operational Resilience – Technical Requirements

As organizations shift to forward-looking Operational Resilience, they are finding that traditional tools fall short. Supply Chain Management (SCM), Supplier Relationship Management (SRM), Governance, Risk, and Compliance (GRC), point-in-time surveys, spreadsheets, and broadly deployed manual processes only reinforce silos. They also lack the external business relationships and real-time event data needed to provide the situational awareness executives require so they can ensure operational resilience and make better informed decisions based on real-world scenarios.

To achieve Operational Resilience, organizations require tools that can:

  1. Map suppliers instantly and automatically.
    Know who is in the supply chain – potentially to the Nth tier – to decide if those relationships are helpful or pose risk.
  2. Monitor continuously for changes in risk profile before operations are disrupted.
    – Assess suppliers against multiple risk factors such as finance, cyber, geopolitical, regulations, operations, and Environment, Social, Governance (ESG).
    – Track global events that could impact the operations of suppliers (and their suppliers).
    – Get alerts about the changes that matter.
  3. Model anticipated or actual changes in the extended supply chain in order to reduce risk and improve business performance.
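The board questions posed earlier (which suppliers to your suppliers are on a restricted list, which would disrupt you if they paused) and the map/monitor/model requirements above come down to one data structure: a directed graph of buyer-to-supplier relationships walked to the Nth tier. The following Python is an added example, not Interos code, showing that walk on a constructed relationship set. Every company name, the restricted list and the affiliate-to-parent mapping are invented for illustration; a real program would load them from your supplier data and the published prohibited or restricted lists.

```python
"""
Added example (not part of the original post or Interos' product):
a minimal multi-tier supplier map built from constructed relationship records.
It answers three questions from the text: which entity sits at which tier,
which entities match a restricted list directly or through an affiliate,
and which single supplier's outage would cut a critical source off entirely.
"""
from collections import deque

# Constructed sample data: (buyer, supplier) edges. "ACME" is our own organization.
RELATIONSHIPS = [
    ("ACME", "BoardCo"),
    ("ACME", "CloudHost"),
    ("BoardCo", "ChipFab"),
    ("BoardCo", "ResinWorks"),
    ("ChipFab", "WaferSource Trading Ltd"),
    ("CloudHost", "ChipFab"),
    ("ResinWorks", "PetroSupply"),
]

# Constructed restricted list, and a map from known affiliates to the listed parent.
# Tracking affiliates is what lets a listed entity be caught under another name.
RESTRICTED = {"WaferSource"}
AFFILIATES = {"WaferSource Trading Ltd": "WaferSource"}


def build_graph(edges):
    """Adjacency map: buyer -> set of direct suppliers (every entity gets a key)."""
    graph = {}
    for buyer, supplier in edges:
        graph.setdefault(buyer, set()).add(supplier)
        graph.setdefault(supplier, set())
    return graph


def map_tiers(graph, root, max_tier=None):
    """Breadth-first walk from root; returns {entity: tier}, tier 1 = direct supplier.

    BFS assigns each entity its shortest distance, so an entity reachable through
    two paths (ChipFab here) is reported at its nearest tier. max_tier limits the
    walk, mirroring the "only two tiers deep" visibility the text criticises.
    """
    tiers = {}
    queue = deque([(root, 0)])
    seen = {root}
    while queue:
        node, depth = queue.popleft()
        if max_tier is not None and depth >= max_tier:
            continue
        for supplier in graph.get(node, ()):
            if supplier not in seen:
                seen.add(supplier)
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def restricted_matches(tiers, restricted, affiliates):
    """Entities on the restricted list, directly or via an affiliate -> (tier, listed parent)."""
    hits = {}
    for entity, tier in tiers.items():
        listed = entity if entity in restricted else affiliates.get(entity)
        if listed in restricted:
            hits[entity] = (tier, listed)
    return hits


def single_points_of_failure(graph, root, critical):
    """Suppliers whose removal leaves `critical` unreachable from root.

    Models the "if they were to pause or cease operations" question: remove one
    entity at a time and re-walk the graph. Returns a sorted list of names.
    """
    spof = []
    for candidate in graph:
        if candidate in (root, critical):
            continue
        pruned = {
            node: {s for s in suppliers if s != candidate}
            for node, suppliers in graph.items()
            if node != candidate
        }
        if critical not in map_tiers(pruned, root):
            spof.append(candidate)
    return sorted(spof)


if __name__ == "__main__":
    graph = build_graph(RELATIONSHIPS)
    tiers = map_tiers(graph, "ACME")
    for entity, tier in sorted(tiers.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"tier {tier}: {entity}")
    print("restricted-list hits:", restricted_matches(tiers, RESTRICTED, AFFILIATES))
    print("single points of failure for WaferSource Trading Ltd:",
          single_points_of_failure(graph, "ACME", "WaferSource Trading Ltd"))
```

With this data the restricted entity only appears at tier 3 and under an affiliate's name, so a two-tier, exact-name check would miss it; and ChipFab is the one supplier whose outage severs that source, even though it is reachable through two tier-1 suppliers. Continuous monitoring in the text's sense is re-running `map_tiers` and `restricted_matches` whenever the relationship records or the lists change and alerting on the difference.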

To successfully map, monitor, and model extended supply chains, you need access to data about an ever-changing number and array of global business entities and events—a monumental undertaking for any organization. But machine learning, AI, and Natural Language Processing (NLP) make it possible to collect, analyze, and liberate massive amounts of high-velocity data so you can:

  • Identify and visualize multiple tiers of suppliers and ascertain business relationships.
  • Identify and assess potential risks.
  • Uncover hidden opportunity.

And the kicker? All of the above can be achieved and kept relevant in near real time, compared to the weeks or months that it takes organizations using manual processes, point-in-time surveys, and spreadsheets.

Operational Resilience—Your Business Depends on It

Operational resilience does not mean operating free of disruption or challenges.

  • It means having the insights you need when you need them in order to change course, mitigate loss, and find opportunity in your supply chain.
  • It’s about seeing everything—the relevant business relationships and the inherent risks within—sharing that knowledge across the organization, and acting on it to improve outcomes.
  • It’s about deep, comprehensive and ongoing planning—and responding collectively when the need arises to pre-empt unnecessary disruption.

As we have all learned, the world is complex, and connections are tenuous. The prepared will not be immune from disruption in the always fragile supply chain. But they will see it coming, have plans in place to cope with events, and emerge from them as a stronger competitor and a better business.

The upshot: Operational Resilience is just good business.

50/50 by 2025: Interos pledges to address the Gender Gap

This grainy picture, taken 43 years ago near the Khyber Pass, a narrow route through the mountains that connects Afghanistan to Pakistan, shows a young girl standing by a car on the day that she became a refugee and immigrant.

This is my picture, age 12, standing next to two smugglers who agreed to bring my brothers and me from Kabul, through eastern Afghanistan to the Khyber Pass in 1978. My parents were unable to obtain passports for us and they had to find ways to get us out of the country, narrowly escaping the violence that followed the April Revolution.

In many ways, we were extremely fortunate. Long-standing friendships enabled my family, unlike many other refugees, to quickly find our way to Hamburg, Germany. Our parents ensured that we were quickly enrolled in language classes and then traditional schooling, easing the cross-cultural barriers refugees typically contend with. This marked the beginning of my journey as one fortunate enough to attend college and ultimately begin a career in Human Resources.

I consider myself extremely privileged to have, throughout my career, worked closely with many strong, smart and generous women leaders who encouraged my growth, provided mentoring, offered advice, and ensured that a more junior female colleague was able to build a career. The importance of growing the next generation of leaders, particularly women in tech, was instilled in me from the start, and has endured in me to this day.

Today, as the Chief People Officer of Interos, one of my, and the company’s, foremost aspirations is that we will offer a diverse, equitable and inclusive environment to our team members. Together, under the leadership of our female founder and CEO, Jennifer Bisceglie, our mandate has been established: Interos will be 50% female by 2025!

Achieving this goal will not be simple, given the gender gap that exists globally both within and outside the tech industry.

The Gender Gap

According to the World Economic Forum’s Global Gender Gap Index, gender gaps in professional roles have been narrowing – nearly 76% of the gap in these roles has been closed globally.

Despite this progress, we are far from parity. Per LinkedIn, “across the three technical frontier role clusters” women make up just an estimated 26% of workers in Data and AI roles, 15% of Engineering roles and 12% of Cloud Computing roles. There is some hope that, with the rise of Data and AI jobs, this new technology profession will offer greater parity than the more established technology professions of Engineering and Cloud Computing.

Of course, establishing a goal is not quite the same thing as accomplishing it. We are announcing this goal because we want you to know how serious we are about making it a reality – and so you can hold us accountable to it.

So what are we going to do about it?

We’ve already taken several steps to start making this goal a reality. They include:

  • Establishing a diverse advisory board – Building diversity of people can start with building a diversity of leadership and thought. We’ve made significant progress here in adding two new female voices to our advisory board – Mary Cheney & Renee Wynn.
  • Establishing relationships with diverse schools and building a pipeline of future female leaders through internship and hiring plans. Interos has identified 6 schools with high levels of diversity, including schools with majority female students and Historically Black Colleges & Universities, and plans to offer students there internship opportunities with the company.
  • Continued Leadership – Only 17% of supply chain executives are women. Only 2.3% of venture capital funding goes to female founded companies. As one of the few executives defying both these odds, the continued leadership of Jennifer Bisceglie will also attract like-minded female professionals to join our ranks.

With this in our background – and with strong female leaders in place at Interos – we are poised to reach our 2025 goal.