Gartner report highlights threat of supply chain attacks

Gartner Supply Chain Practice Senior Director Analyst Brian Schultz urges CSCOs to assume more responsibility for supply chain cyber security

The threat of supply chain cyber attacks means Chief Supply Chain Officers (CSCOs) must assume more ownership of their company’s cybersecurity strategy, urges Gartner.

Brian Schultz, Senior Director Analyst with the Gartner Supply Chain Practice, says CSCOs should mitigate cyber threats by following a three-pronged approach to cyber security.

This includes:

  • Fostering internal and external partnerships with key functions, built on clear business outcomes
  • Developing risk-aligned governance processes by implementing supply chain cyber frameworks, standards and guidelines
  • Creating aligned controls across the partner ecosystem by developing and deploying a supply chain third-party risk management capability for cybersecurity

In a report earlier this year, Gartner predicted that 60% of supply chain organisations will use cybersecurity risk as a key buying criterion by 2025. Although such a growing level of awareness is encouraging, Schultz says CSCOs need to do more to actively manage the risks presented by their ecosystem partners.

He stresses that while it is not reasonable to expect CSCOs to assume the mantle of Chief Information Security Officers, it is vital they “have a grasp of how supply chain cyber attacks are evolving, including sophisticated attacks that can impact products undetected until they reach the customer”.

Schultz adds that they also need to play a leading role in third-party risk management, “as attacks on key suppliers can cause significant business continuity disruptions”.

CSCOs 'can coordinate cyber action among stakeholders'

He continues: “CSCOs can leverage their experience in coordinating action among many different stakeholders both within and beyond their function.

“Supply chain cyber resilience hinges on engaging a wide range of stakeholders both inside and outside the organisation. The role of the CSCO among these diverse stakeholders is to coordinate a shared view of the threats and translate those threats into clear business impacts that leadership can understand.”

Gartner recommends that CSCOs build this visibility by:

  • Identifying the operational assets that support the organisation’s value drivers
  • Assessing the impact of losing these assets, expressed as business cost and lost days of operation
  • Clearly communicating these impacts to the board and C-suite
  • Implementing a playbook to monitor these critical assets, including regular testing of mitigation plans through coordinated exercises

To address the exposure to third parties, and to build a more resilient supply chain, Schultz says CSCOs must develop a business continuity plan for the event of a cyberattack, and also work with procurement and other CSCOs to “develop the appropriate contract language to flow down the organisation’s supply chain cyber standards to the partners”.

Gartner urges CSCOs to forge partnerships with key internal and external stakeholders as part of the fight against supply chain cyber attacks.

He adds: “Unfortunately, there is no one-size-fits-all solution for cyber security today. CSCOs must select an appropriate mix of in-house or outsourced cyber functions based on their business risk needs.

“This selection must be determined based on a balance of the organisation’s risk appetite, detail and accuracy of risk information requirements, serviceable urgency, and the cost utility of functionality.

“CSCOs need not reinvent the wheel in determining their cyber resilience strategy, but they do need to lead the effort to align their stakeholders to a common set of best practices and help them understand the nature of the trade-offs being made.”

A recent report from software supply chain management company Sonatype shows there were twice as many software supply chain cyber attacks in 2023 as in the previous three years. Many of these are so-called back-door attacks, in which attackers compromise a supplier and then work upstream or downstream to reach larger organisations.
