In August, I wrote about the likely hyperbole in an article, Cybersecurity Risks Loom Large In Hospitals. The financial risk stated in the article that “loomed large” was tiny compared to other financial risks at a large hospital. The numbers in that article would get a shoulder shrug from executives rather than the call to action the article envisioned.
The current emphasis on supply chain cybersecurity also requires care to not overstate the risk and lose credibility.
Many companies are facing an actual supply chain crisis right now. A crisis due to lack of components and raw materials, delays due to transportation for parts and finished product, and delays due to lack of employees. Not only is this causing delays, but it also is adding costs to the manufacturing and delivery of products and services.
- The cost to ship a 40′ container is up 5x.
- A shortage of raw materials, such as silicon, coal, and chemicals, is preventing the creation of supply to service demand.
- Labor shortages are causing price increases and delays throughout the supply chain.
Right now, supply chain security at the executive level is often viewed as assurance that a viable supply chain will exist at all.
Imagine you are an executive who is seeing sales projections plummet because you can’t manufacture or deliver product to meet demand due to supply chain issues. Or you are seeing profit projections shrink dramatically because everything costs more.
Then the cybersecurity team walks in and claims supply chain cybersecurity should be a top priority. Even though the company has never suffered a security incident in the supply chain that has had a major impact. And that supply chain cybersecurity effort will cost money and introduce additional time to the supply chain. You are unlikely to get a good reception, whether this is wise or unwise. It is a bit like telling someone who has no food that they need to focus on eating organic.
This does not mean supply chain cybersecurity risks, or any cybersecurity risks, should be ignored. Unless you are in a risk acceptance position, your job is to make sure those who can accept risk understand the risk and the options to reduce that risk. It is, however, a time to be better prepared and business-risk calibrated when you walk in to present the risk and options to your executives.