What’s really broken with supply chain security is the demand chain

Supply chain security can and must be tightened up, starting with the demand chain
- With connectivity being the norm for businesses and data everywhere, supply chain security is a crucial part of ensuring a resilient organization.
- Yet, while demand for always-on services has never been higher, supply chains have never been more fragile.
- By adopting best practices and fostering multi-stakeholder cooperation, organizations can build more resilient and secure digital supply chains.
Digital transformation is revolutionizing industry, driving innovation, streamlining operations and raising customer expectations to new heights. With businesses becoming more digital by default, with connectivity as the norm and data everywhere, supply chain security is a crucial part of ensuring a resilient organization. Yet, while demand for always-on services has never been higher, supply chains have never been more fragile.
The days when supply chains were simple and linear are over. Today’s digital supply web is a tangled, hyperconnected mess — more like a drawer full of knotted cables than a neat chain, in which almost every organization is both a supplier and a consumer of products and services. If it were a chain, it would be broken in several places.
Why is supply chain security so hard to fix?
There are several reasons why securing the supply chain is so hard, with the complexity and diversity of players exacerbating the challenge.
Assessment overload: Evaluating the security of every supplier (or yourself as a supplier) is tough. Most organizations lack the resources to answer bespoke security questionnaires for every customer.
Misaligned incentives: Suppliers rarely see security as a market advantage. Customers push for lower costs, not better security. Security basics, like patching and access management, don’t drive sales in the same way that a new AI feature does (and that’s often easier to do).
Lack of Injunction: Consumers rarely demand robust security — until a breach happens. By then, it’s too late.
Introducing the demand chain
Put simply, supply chain management is hard to do and the market incentives are broken. But as a consumer, you are not helpless. Every supply chain has a corresponding demand chain — the network of users who consume the supply chain. In theory, supply follows demand – like the basic principle of economics. So, if demand rises, supply will adjust accordingly. If demand falls, supply shrinks. And, when demand outstrips supply? Prices go up.
But in supply chain security, this principle seems to break down, even when customers want better security. Why?
How can we fix the demand chain?
The supply chain is already complex and fragile, but the demand chain could strengthen it, if there’s alignment, collaboration and strong requirements for the supply chain. But there are a few issues to tackle first:
Cost is king, not security and everyone expects everyone else to foot the bill: Suppliers supply what the market asks for, while demanders prioritize cost and features, not security, when choosing suppliers. Often, demanders either expect a baseline by default or – and this is a harder problem to fix – they don’t include the security posture of an organization as a key criterion in assessing a supplier. This is not wilful disdain for security; it’s driven by business pressure and, as the impact is not immediate, organizations don’t believe it’s a problem or they assume someone else has already owned the risk or responsibility for any potential security shortcomings.
Consistent supplier assessment eludes us, we need to define a common baseline: Demanders don’t evaluate suppliers consistently. They take similar but differing, non-standardized approaches to assessing suppliers. Whilst there might be plenty of overlap, there are no collective security requirements, no minimum baseline set and no common methodology for assessment. The result is duplicated effort: even when requirements largely overlap, each demander does its own work to check a supplier. This boring and redundant work can be at least partially tackled with a consensus-created technical standard, but the ecosystem seems unwilling to collaborate or unable to find a common baseline. It could be more effective if tackled on a per-vertical basis, but fragmentation is difficult. Digital gatekeepers and dominant platforms could also take on the role of lifting the hygiene baseline, but they risk anti-competitive behaviours and accusations of overreach.
Dynamic supplier assessment eludes us too, we must find a common systemic way to achieve this with low effort: Demanders haven’t found a way to reflect that cyber is dynamic. Minute-by-minute monitoring of a supplier’s status is overkill, but yearly questionnaires fail to convey the current, changing state of security in an organization. Software bills of materials (SBOMs) and Vulnerability Exploitability eXchange (VEX) documents are a start to automating and understanding risk and exposure in a consistent way, but a supply chain is more than just the software supplied. More regular assessment of suppliers could lead to a lack of depth at each assessment or require extra staff power, unless large parts of the assessment are automated or standardized for repeatability and periodic updating.
SMEs are too small to influence alone and impact on the ecosystem requires scale: SMEs don’t have the buying power to demand better security. They must choose from what larger organizations request, which might not work for their needs. It’s difficult for SMEs to group together and ask for their requirements. Governments can jumpstart the market with their own contracts to ensure that simple capabilities are available out-of-the-box for technically constrained SMEs, but this is a piecemeal approach that lacks consistent results for SMEs.
Feedback feels optional, we need a transparent, consistent feedback loop: Demanders don’t feed back into their suppliers to influence their security priorities and roadmaps. If multi-factor authentication (MFA) is required by your internal policies, you can place this demand on your supplier at the contract time. This begins to shape the market dynamics – there is now a revenue stream associated with implementing MFA for that supplier. This can snowball, but there is always a risk that the supplier will deem the revenue not worth the cost.
Call for holistic, risk-based, collaborative action
As consumers, organizations often resign themselves to their supply chain security ‘just being the way it is.’ They can undertake an intensive effort to fix certain aspects, but the problem often feels too large, too expensive and too difficult to do alone. Collective effort seems to be the obvious solution, but the coordination is also difficult, and standardization doesn’t exist. The ecosystem is dormant.
When a market isn’t working for good security outcomes, it can be ‘fixed’ by supply, demand or shaping the market dynamics through regulatory efforts. Each of those fixes has its own issues (no need to mention the existing tapestry of regulations and market dynamics), especially if there’s an overfocus on the end product or ticking boxes, rather than processes and true change drivers. However, creating a standardized approach to evaluation, leveraging purchasing power for better outcomes or well-made regulation, are all incentives – tangible and intangible – to doing something different, something better.
What’s the smallest thing we, as a security community, could do to create basic hygiene around our supply chain security? What are the criteria that demanders should be including in their thought process when they choose and interact with suppliers?
As businesses move towards more digital operations, supply chain security becomes more important and more challenging. Addressing these challenges requires a holistic, risk-based and collaborative approach.
To advance these areas of research and questions, the Cyber Resilience in Industries initiative is bringing together key stakeholders with supply chains of all shapes and sizes. By adopting best practices and fostering multi-stakeholder cooperation, organizations can build more resilient and secure digital supply chains.
Read the latest World Economic Forum report: The Cyber Resilience Compass: Journeys Towards Resilience
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
Kesang Tashi Ukyab and Leo Simonovich
May 9, 2025