Taming Digital Supply Chain Threats: NYSE CISO’s Battle Plan for the AI Era

September 20, 2024
Dianna ONeill

Author: Dianna O’Neil 

In Interos’s latest Voices of Innovation session, NightDragon Founder & CEO Dave DeWalt tackled today’s new breed of digital supply chain threats with Steve Pugh, Chief Information Security Officer (CISO) of the Intercontinental Exchange, Inc., better known as the New York Stock Exchange. As CISO, Pugh is responsible for securing critical economic infrastructure across multiple subsidiaries, geographies, and regulatory jurisdictions.

Together, Pugh and DeWalt explore the fluid landscape of digital risk and the critical role of AI supply chain risk intelligence in addressing escalating threats.

Speed and Scale: The Core Challenges 

Pugh emphasized that the fundamental issues in digital supply chain risk management are the speed and scale of dispersed and sophisticated threats originating from bad actors, cyber criminals, adversarial nations, and other dynamic and fast-moving entities all over the world. “The key for a lot of my peers and colleagues is how do we keep up and innovate at that same speed [as bad actors], and then match the scale?” Pugh emphasized that the staggering complexity of today’s attacks underscores the need for rapid adaptation and scalable solutions in the face of evolving risks.

Building on this, DeWalt described the current global threat environment as “the perfect supply chain risk storm,” highlighting flashpoints with implications for digital supply chain stability.  

  • Heightened geopolitical tensions 
  • Regional conflicts 
  • Shifting dependencies on nations 
  • Increased cyberattacks targeting supply chains and third-party providers 

Unmasking “Unknown Unknowns”

Against this backdrop, Pugh noted the need to effectively communicate supply chain risk to high-level stakeholders, including corporate boards, to align on critical threats and move from insight to action, aided by emerging technologies that allow enterprises to take a proactive security posture.

Pugh emphasizes two domains: visibility and control. “At the board level, we talk about it in two domains. The first is visibility, and then the second is control. And you really can’t talk about control unless you have the right level of visibility in your supply chain.” He focused on the critical importance of comprehensive supply chain visibility, using AI risk mapping and monitoring, as a prerequisite for effective risk management. 

Pugh elaborated by referencing Donald Rumsfeld’s “known knowns, unknown knowns, and unknown unknowns” matrix. He stated, “There’s a lot of unknown unknowns… that’s where the complexity really gets tough.” To illustrate this complexity, he shared an example from the experience of a colleague at an external engineering firm: that person experienced a catastrophic incident caused by “one bolt from a supplier somewhere in the world” failing, not due to malice but simply due to negligence or defect. He drew a parallel with third-party software and technology providers, noting how vulnerable third-party software solutions from obscure tiers of the supply chain can have significant consequences across interconnected digital supply chains.

AI to the Rescue

Both DeWalt and Pugh expressed optimism about the role of AI and advanced risk intelligence in addressing supply chain challenges, particularly the ability of AI to deliver enhanced visibility and risk analysis at speed and scale. 

AI enables the ingestion and analysis of vast amounts of data from various sources, providing insights into complex supply chain relationships in real time. Pugh explained, “AI can come alongside us and almost be a companion, to scale up and do so at speed and reason over all of these different data points.” Given the hundreds of millions of businesses globally, with billions of sub-tier supply chain interdependences, this capability is crucial for managing multi-tier risks effectively.

Pugh detailed three primary ways AI is enhancing software development and security: 

  • Reasoning over code to find and fix defects quickly 
  • Generating cleaner, more secure code 
  • Enabling co-development with AI for native integration 

“We end up in this place where… you end up with some really good code that has fewer defects,” Pugh noted. He elaborated on how AI can create a “virtuous software development cycle” that significantly reduces potential vulnerabilities over time. 

Converging Physical and Cyber

Pugh’s role at NYSE encompasses both physical and cybersecurity—a trend that DeWalt sees increasing across industries. This convergence allows for a more comprehensive approach to risk management since physical threats can impact digital assets, unleashing a ripple effect with devastating financial consequences. 

Amid these changing dynamics, Pugh sees the CISO role evolving into that of a “risk business partner” to company leadership. “I think the role of the CISO is evolving to become more of a risk business partner,” he explained. This broader perspective allows for a more holistic approach to security and risk management across an organization. 

Channeling Optimism

As digital supply chain risks continue to evolve and expand, integrating AI technologies and continuous supply chain lifecycle risk intelligence alongside converging physical and cybersecurity offers promising solutions. Pugh’s final thoughts reflected a promising outlook: “I am optimistic on AI… I think it’s something that will certainly help us.” By embracing these generational innovations while maintaining a real-time view of risk management, organizations can better navigate the complex and fraught landscape of global supply chains in the digital age.

Technology such as Interos Watchtower™ utilizes AI to continuously map and monitor relationships across the risk lifecycle to help enterprises mitigate physical and digital threats before they escalate to crisis. 
