30% of Leaders Lack Understanding of Supply Chain Risks


Over the last two years, supply chain challenges have rocked both enterprises and consumers alike, making it harder to access certain goods and maintain business continuity. Security threats have only heightened these concerns, and a new ISACA survey report illuminates IT professionals’ key concerns around security challenges and how their organisations are responding to them.

ISACA’s supply chain security survey received responses from more than 1,300 IT professionals with supply chain insight, 25 percent of whom note that their organisation experienced a supply chain attack in the last 12 months. Survey respondents cited these five supply chain risks as being their key concerns:

  • Ransomware (73%)
  • Poor information security practices by suppliers (66%)
  • Software security vulnerabilities (65%)
  • Third-party data storage (61%)
  • Third-party service providers or vendors with physical or virtual access to information systems, software code or IP (55%)

On top of this, 30 percent of respondents say that their organisation’s leaders do not have sufficient understanding of supply chain risks. Only 44 percent indicate they have high confidence in the security of their organisation’s supply chain, and the same percentage has high confidence in the access controls throughout their supply chain. Their future outlook is not rosy either—with 53 percent saying they expect supply chain issues to stay the same or worsen over the next six months.

“Our supply chains have always been vulnerable, but the COVID-19 pandemic further revealed the extent to which they are at risk from a number of factors, including security threats,” says Rob Clyde, past ISACA board chair, NACD Board Leadership Fellow, and executive chair of the board of directors for White Cloud Security. “It is crucial for enterprises to take the time to understand this evolving risk landscape, as well as to examine the security gaps that may exist within their organisation that need to be prioritised and addressed.”

When it comes to taking action, 84 percent indicate their organisation’s supply chain needs better governance than what is currently in place. Nearly 1 in 5 say their supplier assessment process does not include cybersecurity and privacy assessments. Additionally, 39 percent have not developed incident response plans with suppliers in case of a cybersecurity event and 60 percent have not coordinated and practiced supply chain-based incident response plans with their suppliers. Nearly half of respondents (49 percent) say their organisations do not perform vulnerability scanning and penetration testing on the supply chain.

“Managing supply chain security risk requires a multi-pronged approach entailing regular cybersecurity and privacy assessments and the development and coordination of incident response plans, both in close collaboration with suppliers,” says John Pironti, president of IP Architects and a member of the ISACA Emerging Trends Working Group. “Building strong relationships with your organisation’s suppliers and establishing ongoing channels of communication is a key part of ensuring that reviews, information sharing and remediations happen smoothly and effectively.”

Pironti outlined some key steps that organisations should take when working to strengthen their IT supply chain security:

  1. You cannot protect what you do not know. Develop and maintain an inventory of suppliers and the capabilities they provide.
  2. Require disclosure of open-source software components.
  3. Conduct a threat and vulnerability analysis of key third parties for your business.
  4. Create a technical and organisational measures contract addendum for supply chain contracts.
  5. Trust, but verify. Conduct evidence-based reviews of key third parties.

“To advance digital trust, there needs to be a level of confidence in the security, integrity and availability of all systems and suppliers,” says David Samuelson, ISACA CEO. “As we have seen from previous incidents, customers do not differentiate between an attack on an element of your supply chain and an attack on your own systems. Now is the time to take swift and meaningful actions to improve supply chain security and governance.”