In the first work week of the year, I’ve seen several different articles and blog posts about predictions and what to expect from an IT perspective in 2022. Some of the thoughts I feel have been spot on. Others? I’m often left wondering, “What planet are they living on?”
While I have my own opinions and predictions on a variety of topics, these articles got me thinking about what I believe the next significant security and compliance challenge will be in 2022. I immediately thought of the supply chain and the risks that come with managing it. I firmly believe that, in 2022, supply chain risk management will be a significant security and compliance challenge for organizations. This is especially true from a compliance perspective, where evidence of control process effectiveness will need to be provided.
As part of an organization’s overall risk management and third-party due diligence (vendor management) programs, supply chain risk management is not a new idea or requirement. However, as a result of the global impact experienced from COVID-19 and other supply chain challenges, organizations can expect an increased focus from auditors, assessors, and examiners on the controls and evidence of control effectiveness related to reducing supply chain risks. Internally, organizations should expect security and business continuity leaders to increase their focus on managing these risks as well.
For years, organizations have struggled to implement truly effective third-party due diligence programs. Just having a list of service providers and subjectively estimating the potential impact a service failure could have on the organization is far from a complete program. Organizations need to have a repeatable and reliable process for risk-ranking service providers and vendors to determine the respective due diligence requirements for each third party.
In 2022, the increased focus on supply chain risk management will expand the scope of risk management and third-party due diligence processes to include fourth parties: the suppliers of those third parties whose failures could negatively affect the products or services delivered to the organizations they support. Organizations must ensure that third-party providers perform effective due diligence, including security control assessments, on the suppliers and fourth-party partners that provide them with information systems, components, or services, in order to reduce supply chain risk.
Contracts should be used to ensure appropriate control measures are implemented to protect the supply chain and the resulting products and services that are needed. Conducting incident response and business continuity plan testing with critical suppliers or third-party providers is highly recommended. This is necessary to understand how products and services will continue to be provided during adverse scenarios, and at what levels. These testing activities may require extensive planning but will provide significant benefits to organizations upon completion.
As you can tell, I strongly feel that poor supply chain risk management, or a total lack thereof, will have a negative impact on the long-term success of any organization. Supply chain risk management is not just for organizations in manufacturing, defense, or pharmaceutical verticals. The supply chain of any organization could negatively impact the delivery of computers for newly hired personnel, other hardware or infrastructure required to support the organization’s internal operations, telecommunication service levels, professional services, or even supplies that are necessary to support daily services provided to customers.
Based on my experience with and observation of the supply chain and the risks associated with managing it over the last year or two, I’m certain this “prediction” will come to pass this year. Whether I’m right or wrong, well… I guess time will tell.