Sealing security supply chain gaps

With the current unrelenting pace of cyber-attacks, business leaders surveyed in KPMG’s 2021 CEO Outlook now recognize that cyber security is no longer a short sprint, but rather a long-distance marathon to keep up with increasingly crafty cyber criminals.

However, with the non-stop growth of digital transformation — and the corresponding third-party supply chains that create complex and often opaque points of cyber exposure — today’s ‘marathoners’ should boost both their endurance and their speed to keep up in the race to achieve cyber resiliency. 

In this time of digital transformation, we’ve seen how organizations are reaping significant innovation, agility and efficiency by enlisting third-party suppliers and technology partners to introduce cloud-based solutions and artificial intelligence-enabled design, production, support and service processes.

While supply chain digitization has been at least a decade in the making, it accelerated when COVID-19 prompted organizations across diverse industries, to increase the speed, visibility and flexibility of their tangled supply chains.  In fact, respondents to the 2021 CEO Outlook expressed ambitious plans over the next three years: close to half plan to partner with third-party cloud technology and data providers and collaborate with innovative start-ups, and 70 percent say that new partnerships will be critical to continue their pace of digital transformation.

The consequence of this rapid innovation is that it often occurs in a hurried manner. As organizations make vast investments to outsource, link and automate their supply chains, they may not perform the due diligence required to identify and mitigate the new risks of this connectivity.

And, they often haven’t taken the corresponding steps to update their third-party risk management practices for these cyber risks. Nor have they made the complementary investments in security functionality that would create early warning capabilities across their supply chains.

These gaps are understandable when you consider that supply chain digitization occurred so quickly. And, with an average Fortune 500 company having at least 10,000 vendor relationships, by my estimate, many internal security and risk management functions have struggled to keep up.

That said, one may wonder if today’s business leaders are fully aware of their supply chain risks, particularly when 58 percent of 2021 CEO Outlook respondents said that they are ‘very well/well prepared’ for a future cyber-attack. Chances are, they are not thinking of all those supply chain connections added in recent years.

Fortunately, the 2021 CEO Outlook provides reason for optimism that business leaders are now grasping the supply chain challenge. For example:

• When asked about the key steps they plan to take to build ‘digital resilience’ over the next three years, 48 percent say they will focus on the security and resilience of their supply chains/supplier ecosystems.
• 40 percent say they will invest to develop secure and resilient cloud-based technology infrastructure.
• And 79 percent say that ‘protecting their partner ecosystem and supply chain is just as important as building their organization’s cyber defenses.’

These are positive indicators that corporations are ready to make the necessary ‘catch up’ investments to help secure their supply chains, whether in reaction to alarming cyber-attack headlines, or if they have been victim of a cyber breach themselves, or, perhaps in hopes of avoiding future prescriptive demands by regulators. 

If the idea of running a continuous marathon — at a faster pace — to protect one’s digital supply chain sounds grueling, keep in mind that the challenge can be broken down into key steps:

• Awareness and acceptance. As indicated above, most companies, depending on the digital maturity of their sector, have already gained awareness and acceptance of the challenge. In fact, our survey indicates that executives are ready to act, and they are starting to cast aside old attitudes about turning their business into an impenetrable fortress.
• Understand the problem scope. The next step is understanding the scale and scope of one’s extended supply chain, by determining who precisely are your vendors, what connections do you have with them, and what dependencies does that cause? Most major organizations already have robust third-party risk programs and policies in place that at least identify these relationships, as well as processes to perform supplier risk assessments. They may simply need to update those assessment processes to reflect the realities of digital supply chain connectivity.
• Conduct risk assessments. Comprehensive risk assessments can empower business leaders to establish up-front budgets for security system functionality at the start of technology and supply chain projects, rather than after the fact.  And, it can help secure crucial senior ‘buy-in’ to fund security mitigation efforts for existing systems.
• Data deep dive. Often, the obstacle to accurate risk analysis is the absence of clear, consumable data. With disparate data scattered across inconsistently formatted contracts and risk assessment forms, uploaded onto, incompatible on-boarding systems, this data should be brought together to achieve a clear line of sight across the supply chain.
• Building towards an envisioned future. With a centralized view of the supply chain and the underlying data, risks can be ranked, and decisions can be made on the most appropriate actions to take. Then, an organization can begin building the critical cyber security and risk management infrastructure that reflects its desired future state.
• Embrace continuous monitoring. It’s important for business leaders to appreciate that these actions should be part of a continuous, long-haul marathon of constant, steady effort. This mindset is beginning to take hold, as KPMG professionals introduce clients to KPMG’s own Continuous Assessment and Monitoring platform, by which third party risk is automated and continuously organized to respond to a company’s ever-changing landscape of supplier relationships, digital connectivity and evolving cyber risks.  In fact, with 34 percent of 2021 CEO Outlook respondents stating that ‘they plan to embrace automation to streamline and optimize security and technology risk management’, such solutions are now garnering considerable interest.
• Embed cyber defenses at each stage of the marathon route. Then, as highlighted in the recent article Securing the new business reality, companies should build deep cyber security cultures, where the common mantra is that “security is everyone’s job”, and security is built into product and service design.  In parallel, over-arching leadership is required to help ensure an enterprise-wide view that captures the broader supply chain web. It’s noteworthy that we have already seen leading organizations appoint ‘Supply Chain CISOs’ to enable this degree of holistic oversight.

With the irreversible rise of digitized supply chains — and the reality that running a slow, steady marathon isn’t enough to keep up with the evolving cyber threats — every organization should refine their race strategy. Fortunately, our 2021 CEO Outlook findings suggest that today’s business leaders are ready to embrace a vision of cyber resiliency, and accelerate their pace for the long road ahead.

^{Throughout this document, “we”, “KPMG”, “us” and “our” refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity.}