Gartner report highlights threat of supply chain attacks

Gartner Supply Chain Practice Senior Director Analyst Brian Schultz urges CSCOs to assume more responsibility for supply chain cyber security

The threat of supply chain cyber attacks means Chief Supply Chain Officers (CSCOs) must assume more ownership of their company’s cybersecurity strategy, urges Gartner.

Brian Schultz, Senior Director Analyst with the Gartner Supply Chain Practice, says CSCOs should mitigate cyber threats by following a three-prong approach to cyber security.

This includes:

  • Fostering internal and external partnerships with key functions built on clear business outcomes.
  • Developing risk-aligned governance processes by implementing supply chain cyber frameworks, standards and guidelines.
  • Creating aligned controls across the partner ecosystem by developing and deploying a supply chain third-party risk management capability for cybersecurity.

In a report earlier this year, Gartner predicted that 60% of supply chain organisations will use cybersecurity risk as a key buying criterion by 2025. Although such a growing level of awareness is encouraging, Schultz says CSCOs need to do more to actively manage risks presented by their ecosystem partners.

He stresses that while it is not reasonable to expect CSCOs to assume the mantle of Chief Information Security Officers, it is vital they “have a grasp of how supply chain cyber attacks are evolving, including sophisticated attacks that can impact products undetected until they reach the customer”.

Schultz adds that they also need to play a leading role in third-party risk management, “as attacks on key suppliers can cause significant business continuity disruptions”.

CSCOs 'can coordinate cyber action among stakeholders'

He continues: “CSCOs can leverage their experience in coordinating action among many different stakeholders both within and beyond their function. 

“Supply chain cyber resilience hinges on engaging a wide range of stakeholders both inside and outside the organisation. The role of the CSCO among these diverse stakeholders is to coordinate a shared view of the threats and translate those threats into clear business impacts that leadership can understand.”

Gartner recommends that CSCOs build this visibility by:

  • Identifying the operational assets that support an organisation’s value drivers.
  • Assessing the impact of a loss of these assets in terms of business costs in lost days of operation.
  • Clearly communicating these impacts to the board and C-Suite.
  • Implementing a playbook to monitor these critical assets, including regular testing of mitigation plans through coordinated exercises.

To address the exposure to third parties and build a more resilient supply chain, Schultz says CSCOs must develop a business continuity plan in the event of a cyberattack, and also work with procurement and other CSCOs to “develop the appropriate contract language to flow down the organisation’s supply chain cyber standards to the partners”.

Gartner urges CSCOs to forge partnerships with key internal and external stakeholders as part of the fight against supply chain cyber attacks.

He adds: “Unfortunately, there is no one-size-fits-all solution for cyber security today. CSCOs must select an appropriate mix of in-house or outsourced cyber functions based on their business risk needs. 

“This selection must be determined based on a balance of the organisation’s risk appetite, detail and accuracy of risk information requirements, serviceable urgency, and the cost utility of functionality.

“CSCOs need not reinvent the wheel in determining their cyber resilience strategy, but they do need to lead the effort to align their stakeholders to a common set of best practices and help them understand the nature of the trade-offs being made.”

A recent report from software supply chain management company Sonatype shows there have been twice as many software supply chain cyber attacks in 2023 as in the previous three years, with so-called back-door attacks targeting supply chains as a means to work upstream or downstream to larger organisations.

