Supply chain risk should be at the forefront of conversations among management – not just in the security realm, but across industries, experts on a panel at SC Congress Chicago said on Thursday.
Donald “Andy” Purdy, the CSO of Huawei USA, a Chinese network equipment provider, told SCMagazine.com before the event that it's crucial for management to understand the “industry-wide problem” that constitutes supply chain risk.
Purdy joined Huawei, the world's second-largest telecommunications equipment vendor, in July, while the company was in the midst of an 18-month White House investigation to determine whether the company was involved with Chinese government-led spy operations.
Last month, the White House determined that Huawei was not a cyber espionage threat to the U.S., and the company proposed to set up an Australian center where it would open up its code for testing to further quash suspicions.
“Private companies and governments are going to have to work together to establish regulations on third-party involvement so we can address [supply chain] risks,” Purdy said. He later added that while companies can't eliminate all risks, there needs to be a vetting system that's “based on facts and is transparent, so that anyone can have trust in the process.”
Matthew Dosmann, cyber security policy consultant for Columbia, Md.-based SAFEOperations, told SCMagazine.com that making certain that quality assurance checks are in place is paramount. Even if companies spot a supply chain breach, the problem could still persist without a proper plan for tracking the incident, he said.
“You may get hints that there's a problem at different points, but if you don't put them all together, you won't have a broader view of the problem,” Dosmann said.
Everette Hubbard, information security manager at HNI, the second-largest office furniture manufacturer in the world, said that communication lines between staff must always be open to catch threats before they are fully realized.
“There shouldn't be a next step unless communication has been completed,” Hubbard said of decisions made in the supply chain process. Something as commonplace as confirming a new delivery can have an adverse domino effect if the proper management isn't notified of the change, Hubbard said.
Everyone should be involved before the next step is completed, he said, or else one won't even know what happened and would pretty much be in the dark.