What’s your supply chain security program level?

September 18, 2019
Harris Allgeier


Businesses love a good process assessment. You can’t shake a proverbial stick without hitting an ISO, CMMI, or Six Sigma seal. There’s good reason for this, too: common standards provide an easy verification of an organization’s efficiency, maturity, and long-term stability. Of course, there are no guarantees, but standardization is provably helpful. For example, a study of the defense contracting industry found that organizations with a high maturity level spend about half the time on software defect testing as their less-mature competitors.

A recent SANS whitepaper co-sponsored by Interos articulates the various stages of maturity for a supply chain security program. The levels described below reflect the possible stages of a company’s supply chain security program and postulate where it might go next.

Stage 1 – Greenfield: The organization lacks concrete processes and policies for supply chain management and has little-to-no overarching strategy. Frequently, organizations have policies mandating supply chain security processes but lack any actual implementation. This stage also includes organizations with formalized supply chain management practices that fail to incorporate security leadership.

Stage 2 – Reactive: The organization has not integrated its security group into supply chain or procurement processes, but it routinely catches third-party vulnerabilities through standard security activities such as vulnerability scanning and penetration testing.

Stage 3 – Evaluation Participant: Most organizations acknowledge that granting third-party organizations direct access to their IT systems and networks is a massive security risk. An organization in this stage has incorporated security considerations into its vendor evaluation process. However, once a vendor is approved, the security group is no longer tasked with continuously monitoring vendor activity, or it lacks the capacity to continuously assess vendor security posture.

Stage 4 – Continuous Risk Monitoring and Evaluation: In this stage, an organization has fully integrated its security team into the vendor evaluation and due diligence process. The security team has tools in place to monitor, assess, and mitigate potential threats from suppliers. The organization has processes and policies in place that can scale alongside the organization’s growing (or shrinking) supply chain.

Stage 5 – Stable Supply Chain Security Program: At this level of maturity, the organization’s security program is both formalized and effective, at least at dealing with known security risks. However, its apparatus performs poorly when confronting unknown supply chain threats and is inefficient at continuously evaluating vendor security posture.

Stage 6 – Adaptive, Proactive Supply Chain Security Program: The apex of supply chain security: a smooth process that thoroughly integrates the security and supply chain functions across the enterprise with minimal friction. At this stage the organization is capable of continuous vendor risk monitoring and can act both proactively and predictively, recognizing vendor risk not just from direct suppliers but from suppliers down to the nth tier.

But how do I know what stage my business is at?

Evaluating the maturity of your own enterprise without the help of a formalized process or a professional assessment team is naturally difficult. But the best way to assess the health of your supply chain security (and to improve that security) is to fully map your supply chain. Understanding who you’re doing business with, who they’re doing business with, and so on down to the nth tier is a crucial step in validating the security posture of your supply chain.

OK, but how do I do THAT?

The simplest, least-disruptive solution to mapping your supply chain is an automated tool. Traditional, manual solutions for supplier identification and tracking are adequate when initially introducing a supplier to your ecosystem. But these solutions are utterly incapable of tracking changes in that supplier’s security posture in anything approaching real time. As SANS researcher John Pescatore articulates in his whitepaper, that is an obstacle to achieving high-level supply chain security maturity.

But I don’t have an automated tool!

You don’t have one yet. That’s where Interos comes in (a shameless plug, I know). But there’s a reason we’re bereft of shame here: our product solves this problem. Interos is the only AI-powered supply chain assessment and risk management tool on the market (trust us, we checked) and is designed to evaluate the security and overall health of your supply chain. Using the power of machine learning, clever engineering, and elbow grease, Interos discovers, visualizes and assesses your suppliers and their supply chains, providing real-time scores across 5 health factors to deliver a continuous monitoring solution.

That means knowing exactly where you and your suppliers and their suppliers stand at all times, without pesky paperwork or pricey due diligence. Our platform ingests data from over 85,000 sources in near-real time. This enables organizations to maintain constant awareness of their supply chain security posture with minimal effort. No time wasted forming discovery committees, eating bad sandwiches at catered meetings, or figuring out implementation costs. Just sign up for Interos and watch the insights roll in!

Learn more about the importance of maintaining supply chain security by reading the SANS Institute’s recent whitepaper on the subject and at Interos.ai.
