Editor's Note: This article is part of our coverage of CSCMP Edge 2017.
Dive Brief:
- Cybersecurity is a hot topic for supply chains this year; just months ago, both Maersk Line and FedEx (through its TNT Express unit) were hit by the NotPetya malware. Still, few companies have taken the steps to put a business continuity plan in place.
- The lack of preparation stems partly from the topic feeling overwhelming. It doesn't have to be, according to a presentation by Liberty Advisor Group Partner Thomas Derhake at CSCMP Edge. To prepare, supply chain managers need to be able to model the ROI of cybersecurity spending.
- That is, supply chains should start thinking of cybersecurity in terms of threats rather than risks. Just as a hurricane may strike and shut down a distribution center, a hacker could at any point hit any link in the supply chain. Executives must be prepared to handle this by mitigating the financial, reputational and operational risk.
Dive Insight:
Part of the problem with supply chain risk, according to Derhake, is that companies tend to silo responsibility for security when it is really a company-wide problem.
He presents a scenario: Company X has 100 units of revenue spread across 10 locations. The company understands that its supply chain is vulnerable to a cyberattack that could compromise either its data, which is stored, used and transferred by suppliers, or the movement of its product. Because of these concerns, Company X calls the various departments together to determine how best to control the risk, and that is where the issues begin.
Each business department has a "vested, professional interest" that shapes its risk management strategy, Derhake said. The operations team would say, "I produce 80% of my goods at location 1, and therefore my priority for security is to make sure my production doesn't come down." Supply Chain may notice that upstream and downstream vendors rely most on location 2 and choose to safeguard that. Finance, however, realizes that profit margin at location 3 is the highest, so that would naturally be its priority. IT would rather secure all locations, or the CTO might recommend upgrading the most outdated systems to reduce vulnerabilities.
The list goes on, leaving companies that want to tackle this problem without a clear way forward. Outside vendors, moreover, have their own opinions and needs. The natural conclusion is to secure all locations and avoid as much risk as possible, but how feasible is that?
In reality, it may be impossible to tell when and where malware will strike, so deciding which location is most at risk may be the wrong exercise. "There was no pattern of infections from WannaCry," Derhake reminded the audience. "All of the stuff we talked about in the scenario was irrelevant." So companies should take a step back and ask themselves: should we have cared about each individual risk?
A better strategy, Derhake suggests, is to enumerate threats and feed them into a financial model.
"At some point, you need to quantify what it's going to cost you. At some point you'll lose security," he said. Businesses should treat a cyberattack as just another potential supply chain disruption and make sure they are resilient to it. "Say you move your products by FedEx, and FedEx gets affected by WannaCry. No vendor's going to tell FedEx how to do security."
"You should be able to — and do the exercise — to pre-identify: where are those assets that if they were affected at a specific rate, and it affected everything in this particular location, what would that particular financial impact be?" says Derhake. "It's a big enough task to do it yourself, but once you get that done you can repeat the methodology."
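The model Derhake describes can be sketched in a few dozen lines. The example below is added here to illustrate the Company X scenario and is not Derhake's own model or tooling: every figure (site revenues, margins, the vendor dependencies hanging off location 2, the probability and downtime of an indiscriminate worm, the cost and effect of the two candidate controls) is a constructed assumption. It computes the financial impact if each site were taken down outright, the expected annual loss from a WannaCry-style event that hits every site at once, and the net benefit and ROI of a company-wide control versus the "protect location 1 only" option that the operations silo would favour.

```python
"""Threat-driven loss model for the Company X scenario (added example; all numbers constructed)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Location:
    name: str
    revenue: float                    # annual revenue units attributed to this site
    margin: float                     # profit margin on that revenue (0..1)
    dependents: Tuple[str, ...] = ()  # sites whose product flow stops when this one stops


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # chance the threat materialises in a given year
    downtime_days: float       # days an affected site is out of action


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    downtime_days: float           # residual downtime at the sites it covers
    covered: Tuple[str, ...] = ()  # empty tuple means company-wide


def annual_profit(loc: Location) -> float:
    return loc.revenue * loc.margin


def sites_down(locations: Dict[str, Location], hit: Iterable[str]) -> Set[str]:
    """The sites struck plus everything that (transitively) depends on them."""
    down: Set[str] = set()
    stack = list(hit)
    while stack:
        name = stack.pop()
        if name in down:
            continue
        down.add(name)
        stack.extend(locations[name].dependents)
    return down


def loss(locations: Dict[str, Location], hit: Iterable[str], threat: Threat,
         control: Optional[Control] = None) -> float:
    """Profit lost in a single event in which the `hit` sites are struck."""
    total = 0.0
    for name in sites_down(locations, hit):
        days = threat.downtime_days
        if control is not None and (not control.covered or name in control.covered):
            days = control.downtime_days  # covered sites recover faster
        total += annual_profit(locations[name]) * days / 365
    return total


def impact_if_down(locations: Dict[str, Location], name: str, threat: Threat) -> float:
    """Derhake's pre-identification question: what does it cost if this site is fully affected?"""
    return loss(locations, [name], threat)


def rank_sites(locations: Dict[str, Location], threat: Threat) -> List[Tuple[str, float]]:
    ranked = [(n, impact_if_down(locations, n, threat)) for n in locations]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def expected_annual_loss(locations: Dict[str, Location], threat: Threat,
                         control: Optional[Control] = None) -> float:
    """Indiscriminate threat (WannaCry-style): assume every site is hit when it strikes."""
    return threat.annual_probability * loss(locations, list(locations), threat, control)


def control_roi(locations: Dict[str, Location], threat: Threat,
                control: Control) -> Tuple[float, float]:
    """Returns (net annual benefit, ROI) of a control against the modelled threat."""
    before = expected_annual_loss(locations, threat)
    after = expected_annual_loss(locations, threat, control)
    net = before - after - control.annual_cost
    return net, net / control.annual_cost


# Constructed data: 100 revenue units over 10 sites, 80% at Location 1 (as the ops team says),
# vendors funnelled through Location 2 (so Locations 4-6 stop when it stops), best margin at Location 3.
COMPANY_X: Dict[str, Location] = {
    "Location 1": Location("Location 1", 80.0, 0.10),
    "Location 2": Location("Location 2", 3.0, 0.10, ("Location 4", "Location 5", "Location 6")),
    "Location 3": Location("Location 3", 3.0, 0.50),
}
for i in range(4, 11):
    COMPANY_X[f"Location {i}"] = Location(f"Location {i}", 2.0, 0.10)

WORM = Threat("indiscriminate worm", annual_probability=0.25, downtime_days=73)
COMPANY_WIDE = Control("segmentation + tested offline backups, all sites", 0.30, 7.3)
SITE1_ONLY = Control("harden Location 1 only", 0.10, 7.3, ("Location 1",))

if __name__ == "__main__":
    for name, impact in rank_sites(COMPANY_X, WORM)[:3]:
        print(f"{name}: {impact:.3f} profit units lost if fully down")
    print(f"expected annual loss, no control: {expected_annual_loss(COMPANY_X, WORM):.3f}")
    for ctl in (COMPANY_WIDE, SITE1_ONLY):
        net, roi = control_roi(COMPANY_X, WORM, ctl)
        print(f"{ctl.name}: net {net:.3f}, ROI {roi:.2f}")
```

With these constructed inputs the site ranking already settles the departmental argument (Location 1 dominates, and Location 3's margin outweighs Location 2 even after the vendor cascade), while the control comparison shows why a board needs both numbers: the Location 1-only option has the higher ROI ratio, but the company-wide control leaves the business with far less residual expected loss. Swap in real revenue, margin and dependency figures and the same methodology repeats, which is the point Derhake makes about doing the exercise once.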
That is not to say that cybersecurity fundamentals are unimportant. Quite the contrary: Derhake notes that companies starting a cyber hygiene journey should work through the 20 CIS Controls and complete the full checklist, and so should their suppliers. But thinking of cybersecurity in terms of specific threats rather than general risks makes it possible to quantify the ROI of investment for company boards.