How to Implement Good Governance for Supply Chains

To have good governance and to ensure the auditability of your data-driven decision making, you must infuse everyday operations with supply chain integrity, transparency and trust. That requires context.


Running the complex operational machine that is the supply chain with maximum effectiveness is no easy feat. You want to move things from one place to another as quickly and efficiently as possible. The critical decision-making needed to make that happen is increasingly dependent upon the information that flows between you and your supply chain partners.

Yet most supply chain professionals are forced to rely on static approaches to governance and compliance, which don’t work in a world where data-driven and connected operations are the norm and significant risks – such as the Log4j vulnerability, the Kaseya and SolarWinds supply chain attacks, and whatever comes next – can enter your business through your supply chain.

To have good governance and to ensure the auditability of your data-driven decision making, you must infuse everyday operations with supply chain integrity, transparency and trust.

That requires context.

The importance of context

Twitter’s recent blue check mark fiasco offers a good lesson on why context is so important.

For a while, everybody knew the Twitter blue check mark indicated that an account belonged to the real person or organization it claimed to be. But then Twitter redefined the blue check mark, and anybody could get one for $8.

With no understanding or system of identity, integrity or provenance, things fell apart.

Then the policy changed again, so that a joke account needed the word “parody” in its name. Then Twitter began rolling out a gray badge meant to protect official accounts against impersonation, which was essentially the original intention of the blue check mark. Soon after, it rescinded the gray badge classification, at least from some accounts, as TechCrunch reported in November. And then Twitter announced three tiers of verified status, each in a different color.

The right way to fix this all along was to have transparent operations showing the provenance of those tweets.

Checkbox-based compliance lacks context, adds waste and doesn’t adequately address risk

Major software supply chain attacks have resulted in a broad understanding that significant risks can enter an organization from its supply chain. And Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains.

That’s terrifying. Clearly, organizations need to get a grip on software supply chain governance.

Yet too many of the tools to protect against these risks amount to old-fashioned check box compliance: a list of things to check and evaluate built from past experience and historic threat actors. But as the world changes under your feet, you may find that this approach is not really protecting your organization from threats. Instead, context is lost, threats evolve and you are simply going through the motions.

A critical problem is that it’s challenging to create a checklist that anticipates all the situations you will encounter during the lifetime of the equipment or software you use, and even with a high-quality program, the lists are typically backward-looking, learning from mistakes of the past. That limits what you can do: you may want to apply the technology you’re using for one use case to a new situation, but because everything is so tightly bound to the threats of the initial use case, you may find it difficult to get the new use approved or successfully audited. Some organizations build or buy a completely new unit when there’s a perfectly good one on the shelf, just because the existing unit didn’t have the right compliance sticker. It makes sense in a way, but it’s a huge waste.

A context-based, verify-then-trust approach can improve efficiency and lower risk

Rather than the trust-but-verify approach that checklist compliance amounts to, you want to verify first, then trust.

Imagine your equipment is sending signals indicating that there’s a fire or that somebody input a security code at the gate. With a verify-then-trust posture, you use the best available information to assess what your environment looks like at that moment before you turn on the fire sprinklers or open a security door: is the signal genuinely from that device, is it current rather than replayed, and is that device one that should be raising that event at all? But to get that context, you need to be able to exchange more information, more quickly and reliably, and with lower administrative overhead.
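The fire-sprinkler and gate scenario above, worked through in code. This is an added example and not code from the article; it assumes (as the article does not say) that each field device shares a per-device HMAC key with the controller, that every signal carries a timestamp and a nonce, and that the controller holds a registry of which events each device is allowed to raise. Device names, keys and signals are all constructed. The `act_on_trust` function shows the trust-but-verify failure mode the article warns about; `Controller.handle` is the verify-then-trust alternative.

```python
"""Verify-then-trust for control signals from field devices.

Added example (not from the article). Assumptions, all constructed:
  - each device shares a secret key with the controller (HMAC-SHA256),
  - every signal carries a timestamp and a nonce,
  - the controller knows which events each device may raise (the "context").
"""
import hashlib
import hmac
import json
import time

# Constructed registry. In production the secrets would live in a secure
# element / HSM on the device and a key store on the controller, not in source.
DEVICE_REGISTRY = {
    "smoke-sensor-07": {"key": b"constructed-secret-sensor-07", "events": {"fire"}},
    "gate-keypad-02": {"key": b"constructed-secret-keypad-02", "events": {"code-accepted"}},
}
ACTIONS = {"fire": "activate-sprinklers", "code-accepted": "open-gate"}
MAX_SKEW_SECONDS = 30          # freshness window for a signal's timestamp
FIELDS = ("device", "event", "ts", "nonce")


def canonical(payload: dict) -> bytes:
    """Stable byte encoding so signer and verifier MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_signal(device_id: str, event: str, ts: float, nonce: str) -> dict:
    """What a field device sends: the payload plus an HMAC-SHA256 over it."""
    payload = {"device": device_id, "event": event, "ts": ts, "nonce": nonce}
    key = DEVICE_REGISTRY[device_id]["key"]
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "mac": mac}


def act_on_trust(signal: dict) -> str:
    """Trust-but-verify: act on whatever arrives and audit afterwards (if ever)."""
    return ACTIONS.get(signal.get("event"), "log-only")


class Controller:
    """Verify-then-trust: authenticate, check freshness, replay and context, then act."""

    def __init__(self, registry: dict, now=time.time):
        self.registry = registry
        self.now = now            # injectable clock so tests are deterministic
        self.seen = set()         # (device, nonce) pairs already accepted
        self.actions = []         # audit trail of actions actually taken

    def verify(self, signal: dict) -> tuple:
        if not all(f in signal for f in FIELDS) or not isinstance(signal.get("mac"), str):
            return False, "malformed"
        entry = self.registry.get(signal["device"])
        if entry is None:
            return False, "unknown device"
        # 1. Integrity and origin: recompute the MAC over the canonical payload.
        payload = {f: signal[f] for f in FIELDS}
        expected = hmac.new(entry["key"], canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), signal["mac"].encode()):
            return False, "bad mac"
        # 2. Freshness: an old but validly signed signal is still not actionable.
        if not isinstance(signal["ts"], (int, float)) or abs(self.now() - signal["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale"
        # 3. Replay: the same (device, nonce) must never trigger an action twice.
        if (signal["device"], signal["nonce"]) in self.seen:
            return False, "replay"
        # 4. Context: a valid signal from the wrong kind of device is still rejected.
        if signal["event"] not in entry["events"]:
            return False, "event not permitted for device"
        self.seen.add((signal["device"], signal["nonce"]))
        return True, "ok"

    def handle(self, signal: dict) -> str:
        ok, reason = self.verify(signal)
        if not ok:
            return "rejected:" + reason
        action = ACTIONS.get(signal["event"], "log-only")
        self.actions.append(action)
        return action


if __name__ == "__main__":
    ctl = Controller(DEVICE_REGISTRY)
    fire = sign_signal("smoke-sensor-07", "fire", time.time(), "nonce-1")
    forged = dict(fire, event="code-accepted")          # attacker edits the event
    print("verify-then-trust:", ctl.handle(fire), ctl.handle(fire), ctl.handle(forged))
    print("trust-but-verify:", act_on_trust(forged))
```

The shared-secret MAC is the smallest mechanism that makes the point: the controller acts only after it has established who sent the signal, that it is current, that it has not been seen before, and that the sender is entitled to raise that event. A forged or replayed signal is rejected before the sprinklers or the gate move; under `act_on_trust` the same forged signal opens the gate. The same verify-before-act structure carries over when the signal is a signed statement with a receipt from a transparency log, which is the kind of supply chain evidence the IETF SCITT work is concerned with.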

As you work toward this approach:

·      Imagine how much more efficient your operations could be with more, and more reliable, data at your fingertips when making automated or semi-automated decisions.

·       Visit the IETF online to learn more about its SCITT (Supply Chain Integrity, Transparency and Trust) work.

·       Look at all of the sources of data from your supply chain and the overhead involved in collecting, validating and processing it. Then, see if you can improve on that by moving from a fragmented trust-but-verify stance based on manual processes to a harmonized verify-then-trust posture based on supply chain integrity, transparency and trust.

·       Talk to colleagues in other departments, such as legal, about how much better your business processes could be if they were running on assured data.

·       Find a good partner who will make it easy to try out and benefit from assured data.

·       Then work with that partner to prove out a use case you can show to the C-suite to demonstrate the value of this new and better approach and get their buy in.

With context-based supply chain integrity, transparency and trust you can have confidence in the data running through your systems, improve your efficiency and sleep better at night.

Traditional technologies and processes make the same decisions in every case. But in today’s highly connected, complex world you need context to make the best decisions every time.