How does Supply chain security work in practice?

We asked a series of questions about supply chain security to our audience on LinkedIn and in our recent Supply Chain webinar.


Although the pool of respondents on the webinar was too small to draw any definitive conclusions, the results point to some interesting contradictions in how we think about mutual security within supply chains: the security each party expects from the others versus what it is willing to offer in return.

Our first questions were about the usefulness of transparency within supply chains. Is it useful to know when a company in your supply chain has experienced an incident? 65% of respondents said that this is very useful, yet organizations typically do not share information in this way. Asked for the main reason, 72% said it was to minimize reputational damage.

It turns out that this wariness is justified. When we asked whether the organizations our respondents worked for would drop a vendor that experienced a major cyber incident, 58% said they would be likely or very likely to do so.

This reaction is understandable, but not very constructive. In our recent supply chain security discussions, we advocated a shift towards an approach that is more collaborative and less reactive. Our results suggest that such an approach might be welcomed, not least because few organizations trust their own assessments: when we asked whether respondents were confident in their ability to accurately assess the security of other organizations, results were split between 'not at all confident', 'somewhat confident' and 'quite confident', and no one indicated that they were 'very confident'.

Supply chain security doesn't have to be passive, though. We asked whether respondents would support organizations that were openly trying to improve their security posture: 60% said they would be very likely to offer help, and a further 30% said they would be quite likely to do so.

This disconnect, between a willingness to help other organizations and a strong negative reaction to news of an incident, seems counterintuitive. Has this tension always existed? Does it indicate a shift away from reactive, isolationist security policies? Or were those policies established for reasons that are still valid today?

How useful is it to have 100% transparency around incidents in the supply chain?

What is the main reason that organizations do not openly share information in this way?

How confident are you in your ability to accurately assess the cyber security of others in your supply chain?

How likely is it that a contract will be signed with a new vendor before a supply chain risk assessment is performed?

If an organization in your supply chain was openly trying to improve its security posture, how likely would you be to offer support?

How likely is your organization to stop working with a vendor if they experience a major cyber incident?