Cisco Systems Inc. was determined to be a "trusted partner" of its customers. The company's supply chain was a logical place to start, says chief security strategist Edna Conway. The key, she says, was to "think holistically end to end."
Coupled with that goal was a need to ensure security throughout the supply chain. Conway evaluated the full spectrum of activities in which the company and its partners were engaged. Most of all, she needed to determine what customers cared about, as a means of establishing the proper priorities. Major concerns included counterfeit products, the protection of intellectual property and guarding against malicious modification of the company's proprietary technology.
The needs of Cisco and its customers don't always dovetail. At the heart of the company's strategy is a need to foster "home-grown innovation," Conway says. Commonality occurs in many areas, however, including the battle against counterfeiting and the protection of confidential information as it's relayed throughout the network. Each entity in the process has its own areas of concern, "but I'm thinking end to end about every note of the value chain," she says.
There's work to be done in communicating throughout multiple tiers of suppliers. "The trick is articulating the requirements in international standards," says Conway. Cisco and its partners are collaborating on establishing common criteria for product quality and information exchange. One of the key bodies through which they are working is the International Standards Organization (ISO). Another is the Open Group, a vendor-neutral consortium dedicated to open standards and global interoperability. Conway says commercial IT vendors are working with the government to devise a series of best practices that will help companies to determine when they are dealing with trusted providers.
For those wishing to start their own supply-chain security programs, Conway recommends that they come up with a small set of focus areas and stick to them throughout the process. For Cisco, the main drivers were technological innovation, physical security and logistical processes. Other priorities included product lifecycle management and stronger partnerships with suppliers.
