The Supply Chain Risk Conundrum: Rethinking the Network and Its Risks

Current information security and risk mitigation approaches are ineffective, and this failure is nowhere more apparent than in critical supply chains – defense, energy, health services, and other key industries. The source of much of the persistent failure to secure supply chains and the success of hackers compromising these vital arteries of commerce is that most organizations do not recognize all of the components and connections that comprise their networks. This blinkered thinking leads to suboptimal measures even when leading information security frameworks are in place. We routinely encounter the following shortcomings in our supply chain security work:

  • 󠄀Inadequate supply chain mapping – Most organizations misperceive or fail to perceive at all the characteristics of their supply chains. As a result, they overlook all kinds of risks and fall prey to hackers regardless of what the organization does to ameliorate risk.
  • 󠄀Failing to test cyber defenses – Many organizations stress security in depth but fall far short on what is, for supply chain purposes, a far more important security element – validation in depth, an all but fatal shortcoming that hackers count on persisting.
  • 󠄀Ignoring OpSec – Organizations place much more emphasis on information security than they do on operational security. This overlooks a multitude of risks associated with their supply chains, one of which is exploits that disrupt operations.
  • 󠄀Focusing on insoluble problems – An organization will never have perfect, if any, visibility into its 3rd and 4th degree of separation vendors. Yet organizations still struggle to find a solution to such problems. But there is no viable solution. Hence, the problem should be viewed not as a problem with a potential solution but rather as an immutable fact, at least for now.
  • 󠄀Expertise Deficit – Current cyber risks are not even remotely aligned with the number of available professionals with the expertise to address these risks. And yet organizations unfairly task their IT groups with responsibility  for supply chain security.

We are not thinking the right way about supply chain security. The empirical evidence is that regardless of the spend on information security – in human, technical financial resources – the frequency and magnitude of security incidents continues to increase. This has led to a widespread view that the most important variable in an incident lifecycle is an organization’s response to a security incident. While incident response is crucial, much more is needed to protect against risks to far-flung supply chains.

What an organization can do in terms of security with its principal vendors becomes less and less efficacious when the same or similar measures are applied to more remote vendors, if they can be applied at all. Moreover, a billion-dollar company has a different suite of concerns than a much smaller company – and the limited resources of smaller companies tend to constrain the thinking of their principals, routinely making their security strategies subpar.

Effective supply chain security strategies therefore require a realistic and far more expansive view of what comprises the organization’s network. This entails effective mapping of the entire network – including supply chains – and a robust identification and continual assessment of vendor risks, even those that can’t be easily identified or measured. Absent such initiatives, the supply chain security problem will continue to reel out of control.


Michael A. Gold is the Chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at or +1 310.201.3529.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.