Trends to Watch in Supply Chain Security

How will supply chain security evolve in the coming years? Find out.

December 9, 2022

Lack of transparency and mistakes are creating massive problems, but new rules and solutions are moving things in the right direction, says Jon Geater, co-founder and chief product officer at RKVST, who shares the trends to be on the lookout for in supply chain security.

In times past, it was easy to know who did what and when: relationships were primarily personal, suppliers were typically local, and technology was simple enough for most ordinary people to understand – at least a little bit. A simple checklist was enough to ensure the safety of a machine. A simple handshake was enough to cement a deal. But things don’t work that way anymore. In today’s world of long supply chains and exquisitely complex technology, it is challenging to get complete transparency into products and processes to allow for trustworthy operations. 

Just look at the FTX debacle, which shows what can happen when people are not transparent about what they are doing and providing. Consider the meat scandal in the UK, in which defendants are accused of passing off horsemeat unfit for human consumption as beef. Think about how software is built and shipped, and how the lack of software supply chain integrity, transparency and trust can lead to major problems such as the ongoing Log4j threat and the Kaseya and SolarWinds cyberattacks.

And it’s not just direct attacks or fraud that we have to worry about: big problems can arise simply because people make mistakes but fail to understand and learn from them and because people don’t practice what they preach. Disclosing mistakes can be very scary for organizations that don’t want bad headlines, but failure to disclose means the mistakes can’t be rectified. 

As transparency expert David Brin says, “Whenever a conflict appears between privacy and accountability, people demand the former for themselves and the latter for everybody else.” 

In connected operations and supply chains, the scale, speed and reach of the problems this creates are just too great for us to keep rolling along with checklists, manual paperwork, and handshakes.

The year ahead provides a new opportunity to become strategic and take the right path forward. Here’s what to expect in the software supply chain in 2023. 

1. New Software Security and Integrity Rules

The Office of Management and Budget (OMB) recently published a memo detailing how suppliers to federal agencies must ensure the security and integrity of the software within their solutions and across their software supply chains. The memo, which expands on Executive Order 14028, sets aggressive deadlines – many of which take effect in 2023 – for agencies, the Cybersecurity and Infrastructure Security Agency (CISA), the OMB and suppliers to comply.

The executive order and memo are one sign that companies and governments around the world are waking up to the fact that the software they use to run their operations and the hardware and software solutions they use and deliver to customers represents a significant risk. 

As 2022 comes to an end, there is a flurry of activity and FUD-mongering around whether SBOMs are a practical option or whether the government should be spending more time considering its options. Nonetheless, in a move to address new rules and growing software supply chain threats, expect leading organizations across private and public sectors in 2023 to create and share transparency records and attestations (including but not limited to SBOMs) around the provenance and build process of their software so users can more accurately assess and address their own risk. Expect a small but important group of customers to start demanding the same and set the standard for everyone else. 

2. Organizations to Take Control and Expect More Transparency 

Enabling operators to take control of their own risk is critical because real risk ends up vesting at the far end of the chain. Businesses need to understand what they’re dealing with and make decisions based on their unique circumstances to protect themselves and their customers.  

Transparency is important for several reasons. One of those reasons is accountability. If you can prove that software is to blame for a problem, you can hold the solution provider accountable. 

Another key benefit of transparency is that it enables community members to share what they know. That way, organizations won’t have to wait for suppliers to inform them there’s Log4j in that box in the corner. Organizations can check for themselves, and they’ll know immediately whether or not that’s dangerous. This is key since nobody is smart enough to fix every problem, but knowledge is power, and the safe sharing of knowledge benefits the whole group. 

3. More Suppliers Will Realize that Hiding Software Shortcomings Is Risky

There’s still a way to go, but we are definitely now on a road on which the digital supply chain is recognized as being as critical as the physical one. This includes an expanding understanding that suppliers must deliver quality and consumers must take control of their own risk. 

Of course, suppliers can provide inaccurate information. In the extreme, they can still outright lie about quality or safety procedures. But with supply chain integrity, transparency and trust systems now being formalized, we have a kind of ‘Miranda rights’ for data: you don’t have to say anything, but anything you do say can be used as evidence. Once made, a statement can’t be taken back. 

Nobody wants to get caught in a lie. If a supply chain attack emerges and information surfaces that a company has been less than forthright about the software it uses, the reputational effects could be severe. If organizations are consistently found to make unreliable contributions to the supply chain record – whether by mistake or otherwise – they will quickly find challenges in doing business.  

With new approaches towards integrity, transparency and trust in the supply chain, expect more companies to start building reputations for being honest and open about the provenance of the software in their solutions. 

4. More Businesses Will Leverage Automation

Organizations today spend vast amounts of time and resources using manual processes and paperwork checks to make sure nothing goes wrong. Enterprises still need to address cybersecurity and reduce risk. But now, they need to do that amid a recessionary environment in which there is growing pressure on operating budgets.  

Companies are going to have a massive problem as they try to do more with less. Trying to maintain traditional processes and put out fires with skeleton crews just isn’t going to cut it. 

This will make 2023 the year people really have to take advantage of digital transformation. Expect to see more organizations implement real automation to manage their supply chain ecosystems better, cleaner, faster and at a fraction of the cost that it takes today.

Businesses this year will gain a greater appreciation for what’s possible when they implement integrity, transparency and trust in a standard, automated way to speed operations and decrease their digital supply chain risk. By moving from manual processes and a ‘trust but verify’ approach to one based on reliable digital paperwork and a principle of ‘verify first, then trust,’ these organizations will bring digital advantage to the physical world in areas such as nuclear materials handling. 

The Biggest Cyber Disasters Could Be a Mistake Rather than an Attack 

I also believe that the bulk of discoveries arising from improvements in supply chain visibility in the year ahead will highlight that most cyber threats arise from mistakes – not malice. 

It’s OK to make mistakes occasionally. If we don’t make and share mistakes, nobody will own up to them because they’ll get hammered in the press and on their insurance rates.  

Processes for supply chain integrity, transparency and trust journal everything important that organizations do. Noting who did what and when can expose mistakes. As a result, ecosystem partners can avoid mistakes in the future. 
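As an added illustration (not code from the article or from RKVST) of the ‘anything you do say can be used as evidence’ idea in section 3 and of the who-did-what-and-when journaling described above: a minimal hash-chained, append-only journal in which every statement commits to all statements before it, so an entry that is quietly edited or removed later fails verification. The actor names, artifact names and timestamps in the demo are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
GENESIS = "0" * 64  # prev_hash of the very first entry

@dataclass
class Entry:
    seq: int
    actor: str       # who
    action: str      # did what
    subject: str     # to which artifact (e.g. package name and version)
    timestamp: str   # when, as asserted by the submitter
    prev_hash: str   # hash of the preceding entry (GENESIS for the first)
    entry_hash: str  # hash over every field above

def _digest(seq, actor, action, subject, timestamp, prev_hash):
    # Canonical JSON so the same statement always hashes identically.
    payload = json.dumps([seq, actor, action, subject, timestamp, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

class Journal:
    """Append-only record: statements can be added, never edited or removed."""
    def __init__(self):
        self.entries = []

    def append(self, actor, action, subject, timestamp):
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        h = _digest(seq, actor, action, subject, timestamp, prev)
        self.entries.append(Entry(seq, actor, action, subject, timestamp, prev, h))
        return h  # receipt: the submitter and any consumer can keep this

    def verify(self):
        """Recompute every link from genesis; return (ok, first_bad_seq)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = _digest(i, e.actor, e.action, e.subject, e.timestamp, prev)
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return False, i
            prev = e.entry_hash
        return True, None

def demo():
    """Constructed sample: a supplier's later 'edit' of an earlier statement is caught."""
    j = Journal()
    j.append("acme-builds", "published SBOM", "widget-fw 2.1.0", "2022-11-01T10:00Z")
    j.append("acme-builds", "attested: no log4j-core", "widget-fw 2.1.0", "2022-12-12T09:30Z")
    before = j.verify()
    j.entries[1].action = "attested: log4j-core present"  # quiet retraction attempt
    return before, j.verify()
```

The honest way to fix a wrong statement is to append a correcting entry, which leaves the original (and the fact that it was wrong) on the record.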

How are you eliminating possibilities of slip-ups to protect your supply chain security? Tell us on Facebook, Twitter, and LinkedIn.

Jon Geater

Co-founder and Chief Product Officer, RKVST

Jon Geater is co-founder and chief product officer at RKVST. He has deep expertise in cryptography, cybersecurity and blockchains. Jon held senior global technical roles at Thales eSecurity, Trustonic, ARM and nCipher where he built chip-to-cloud solutions for mobile, IoT, payments and smart cities while managing large global teams and driving corporate strategy. Jon is a serial leader of open standards at the board committee level, having served GlobalPlatform, Trusted Computing Group, OASIS, the Digital Twin Consortium and Linux Foundation’s Hyperledger. He currently serves as Co-Chair of the Internet Engineering Task Force (IETF) Supply Chain Integrity, Transparency and Trust (SCITT) Working Group.