"They had security management and crisis management plans in place, but the missing link was integrating them with the business so people around the world could understand management's position regarding critical things such as uptime, issue resolution and who's responsible," he says. This type of information is often not conveyed to the field in advance, a crucial error. Management needs to empower local decision-makers in advance to take action quickly to mitigate damage if certain conditions are met.
The plans have to address not just key supply chain nodes and specific scenarios that could occur, but also emerging security vulnerabilities. "That is a different mind-set and way of planning," Sager says. "The security department has to come together with the operational/financial side of the business," looking at all aspects of the supply chain, including where the different components are located and alternative sourcing arrangements. Sager puts his clients through tabletop testing, in which executives sit in a conference room and go through a scenario point by point with the key decision-makers, reviewing how they would respond.
Marc Siegel, commissioner for the ASIS International Global Standards Initiative, is leading the charge to develop an ISO standard for supply chain resilience. ASIS has already published SPC.1, its first organizational resilience standard, and it expects the ISO standard to be ready by the end of the year. "We think standards are the answer for dealing with [black swans]," Siegel says. "Companies have to develop a comprehensive [supply chain resilience] strategy because their resources are limited. This allows you to look at the full picture, rather than just separate out the different things." For example, a strategy to prevent terrorism might work against piracy or help during an earthquake as well.
Organizations need to approach risk from a holistic standpoint, Siegel adds. "The problem with the risk du jour is that the likelihood of it happening varies so greatly between organizations that it can divert your attention away from doing a comprehensive risk assessment." In short, it can make you take your eye off the ball.
No. 2 Game-Changing Force: The Rise of Malware
Information security matters also weigh on CSOs' minds, though they are not as visibly related to the supply chain as physical security is. An organization (and therefore its supply chain) can be brought low by an attack on its information network as surely as it can be hurt by an attack on its cargo. Many CSOs say they are worried about botnets; two of the most pressing threats related to botnets are spam/phishing attacks on employees and the possibility of a resurgence in the denial-of-service (DoS) attacks that first appeared 10 or more years ago.