Security is often a trade-off. In this video, learn about how the way businesses use technology creates the supply chain security problem.
- [Instructor] We're adding technology to our processes all the time. For example, the last time I visited my dentist, they'd moved all of their forms onto tablets. For the dentist it means less data entry, more time to talk with patients and less data duplication for GDPR. But even without outsourcing they've added a whole eco-system of new suppliers who can change the level of security. They've also changed the way that people act. So that they make different mistakes and that's only one business process. The way that businesses use technology has created a supply chain cyber-security problem. We're increasing our interconnectivity both within our businesses and with the outside world. But we need to understand how that increases the complexity of the cyber-security problem. And also, how it creates new interdependencies with our suppliers and customers. We also need to understand how the pressure to make quick decisions, while juggling the implications, can inadvertently make businesses more vulnerable. Technology is a facilitator. The way that we use technology is influenced by the way that we work together. It allows us to be more flexible. There's lots of reasons to digitalize processes. Streamlining, making processes easier to use, allowing people to work together while apart, to innovate services to compete and to meet customer expectations. Security, or the absence of security, is a property. It's integral to all of our processes. It's in the way that we choose to use our IT system, the way the software functions, and the way that data is communicated between devices. It's also a quality of our pre-existing processes. The ones that we haven't digitized yet. The ones with paper records where we only have to worry about things like burglary and fire. In short, it's managing our risks so that we can work the way that we want to. The impact on cyber-security. Well, cyber-security isn't a catalyst for choosing to use more technology. It's the scary thing that many people try not to think about when they're making those decisions. Each time a process is digitized the content and purpose of the process remains the same. But cyber-security properties change. It changes existing relationships between organizations so that cyber-security becomes a shared responsibility. It introduces not one but an entire eco-system of new suppliers all of whom have an influence on security. They have various partnerships and incompatibilities between each other and none of them have a clear responsibility. In hindsight, it's an obvious problem. Businesses started out-sourcing before they knew that there would be a cyber-security requirement attached to each contract. But contracts can only go so far. One business's risk might well be disproportionate to the budget of the partner they're relying on. We can't always identify who is in the supply chain. That's often highlighted in the press in other supply chains. For example, not being able to fully understand the risks of an allergen being present in food. Ultimately, if a competitor is already using technology to gain an edge then it's difficult to justify the time needed to understand these issues. Businesses just have to accept that everyone will be in the same boat. Velocity makes the problem worse. We're intentionally speeding up the way that we create and exchange information. But it also increases the pressure to make decisions to change processes fast. Some sectors, like banking, are changing so much that they have to consider themselves technology companies in order to remain relevant. Anyone who's watched any of the videos about social engineering will know that hackers use time and pressure to make us create vulnerabilities for them. This supply chain problem isn't that different. So each process or building block that makes up the business process is gradually being updated to include more technology. Decisions are made, as they should be, by the functions that need to update their processes. Processes that aren't viewed as being technical become dependent on good cyber-security decisions from both inside and outside the organization. So each of these building blocks that increase interconnectivity also have hidden sides. There are hidden interdependencies and complexities that make it more challenging to understand how secure we are. A that awareness needs to be built into decisions that have to happen at ever increasing speeds.
- Recognize how business and technology together create a supply chain cybersecurity problem.
- Identify how cybersecurity defines and maintains boundaries.
- Analyze how common cybersecurity practices compare to supply chain security issues.
- Give examples of how cybersecurity is implemented throughout an organization.
- Differentiate between prescriptive-based requirements and goal-based cybersecurity, with an identified supply chain risk.
- Provide evidence for why communicating about cybersecurity between businesses can be daunting.