Supply chain disruptions have become both commonplace and the subject of a lot of news in the last two years or so. As problems continue to unfold, nearly every sector of the global economy is scrambling to fulfill unmet demand and get supply chains back to operating capacity. “Re-shoring” and “near-shoring” have become the topics of much discussion as ways to address the challenges of globalized supply chains, but these are at best long-term solutions to shortening supply lines and reducing complexity in supply chains.
As described by Jayant Menon in his recent article ”Supply Chain Resilience and the Trumped-up Case for Reshoring,” “The disruption to … global supply chain operations is being used as a pretext to re-shore production, although diversifying supply chains actually lowers risk. Furthermore, the ongoing digitalization of [global supply chains],\accelerated by the pandemic, also increases resilience while reducing the cost of distance, thereby diminishing the case for re-shoring or near-shoring.”
Indeed, diversification of suppliers reduces risk by helping to avoid vendor lock-in, increasing competition and reducing the impact of regional or localized supply chain disruptions. Similarly, automation of supply chain processes has rapidly enabled the globalization of supply chains and brought new efficiencies. However, these are not new techniques, and can be somewhat of a double-edged sword.
One could argue that a re-shoring effort to consolidate a supply base will bring about economies of scale and a reduction of the attack surface that nefarious actors might be able to exploit to subvert or disrupt the supply chain. From a different perspective, that same consolidated supply base might then also increase the risk of having a single point of failure in the supply chain. Supply chain automation has been shown to drive economic benefits, increases in transparency and agility, and reductions in compliance costs, but it also comes with an increased risk of cyber-attacks on that connected infrastructure.
In a 2011 Wall Street Journal op-ed, Mark Andreessen coined the phrase “software is eating the world.” According to a recent Forbes article, “companies that embraced software in 2011 are the current market leaders in their respective fields, and the top five market capitalization companies worldwide in the second quarter of 2019 are all offering some type of software solutions.”
We’ve all seen the results of reliance on connected assets — all of which run on software — when those assets contain exploitable weaknesses and vulnerabilities. And we’ve all seen the reports about how the software we depend on to accomplish many of the tasks of our daily lives is full of flaws. It’s also common knowledge that exploiting known software vulnerabilities is relatively inexpensive and doesn’t require a high degree of sophistication.
In today’s world, essentially every business is a software business. Every company either develops software or uses it to maintain business processes. In 2022, software risk equates to business risk.
It follows that any attempt to improve the resilience of a supply chain must balance the degree to which the supply base is consolidated and automated with the risk of a bad actor having cheap and easy access to disrupt or subvert a single weak point in the supply chain. The imperative is to improve software security, to make it more expensive and difficult for bad actors to execute attacks.
There are no silver bullets for software security. But that doesn’t mean its time to throw up your hands and turn off the computers. Basic hygiene and attention to security in the software development process is the foundation, an ounce of prevention being truly worth a pound of cure in this arena. Testing and validation throughout the lifecycle cannot be ignored; trust but verify. Continuous monitoring and mitigation are critical — there’s no such thing as being “done” with security. Tight management of free and open-source software components is an imperative. Nothing is really free, and the cost of “free” software components could be the downfall of your organization with one cyber incident. Building these things into the business process is the only way to survive.
By building software security into the supply chain, companies gain the ability not only to survive, but to gain advantage. (Perhaps your competitor was an easier target than you.) In the words of Jim Butcher: “You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you.”
Emile Monette is director of value chain security with Synopsys, Inc.
Timely, incisive articles delivered directly to your inbox.