In my last post, I introduced the concept of the "Supply Chain of Information". I use this term in reference to any supply chain, because the trust in a supply chain is based upon the information derived from that supply chain indicating how trustworthy it is. After all, visibility into your supply chain for any managerial purpose is really the gathering of information, at varying levels of reliability, to inform business decisions - inventory management, job sequencing, production shortfalls, supplier diversity requirements, and all the other things the traditional supply chain expert needs to support the business. Now, transfer the supply chain context to cybersecurity. The supply chain becomes critical to the cornerstones of cybersecurity: confidentiality, integrity, and availability. The supply chain of information is fundamental to measuring the trust in your supply chain.
The context of the trust you should have in your supply chain varies based upon the risk you are trying to counteract. For example:
- Organic Produce: A consumer seeks assurance that a product labeled 100% Organic is not only grown on a farm that employs only organic growth and weed reduction practices, but also that its seed is 100% GMO-free. Real Food Fake Food by Larry Olmsted is a great example of understanding the ingredients that go into making our food.
- Consumer Goods: A retailer seeks to assure their customers that they only source toys, shoes, clothing, etc. from companies that don't exploit child labor, follow fair trade practices, and use sustainable production - environment, sustainability, and labor (ESL) standards.
- Software: Companies in high-security industries like banking, healthcare, and government need assurance about the open-source code in their enterprise. See Ion Channel, which has a unique set of products.
- Credit Market: Credit originators, debt securities issuers, investors, and servicers need a detailed understanding of the financing participants, underlying asset value, status of collateral, potential performance, and continuity/integrity of structure for every credit they touch. For credit transactions that have an established and trusted measurement and reporting framework, this is fairly easy; it is much more complex when delivering credit for an economic development project in a frontier economy. See UFT Commercial Finance, who seeks to get this so right that they will be able to trade their pioneering new credit instrument - the "CPC" - across a financial exchange in reliance upon near real-time data.
- Plane Engine Parts: Aircraft manufacturers, airlines, and especially passengers need confidence that the engine is maintained well, and highly critical parts are inspected with the most robust metallurgy tools and qualified inspectors.
- Nuclear Reactors: The plant owner and operator tracks each piece of metal or electronics in the plant from where the ore is dug out of the ground, through raw material manufacture, forging, destructive and non-destructive testing, all of the way through to installation and maintenance. That record includes the people, shippers, results, and history.
Each of these supply chains depends upon information to deliver a level of assurance. They also depend on that same information to provide early warning of risk within the supply chain or its information flow. Hence, complex cyber architectures need to have a Supply Chain of Information in order to assure the trust in our overall view of the environment and risks.
Now let's take this one step deeper. How much can we trust the information about trust? This question originates from process modeling and compliance regimes like ISO 9000 or SOC 2. The business entity being measured has to prove that it collects measurements properly and prevents corruption. Assessors evaluate the plan for collecting data, then evaluate the quality of the data collected. One step further still, companies certified as assessors must complete and maintain records showing their compliance with the standards regimen.
With really complex supply chains, several key factors make assurance more complex. First, trust is inherited from the bottom up (that is, if you look at the supply chain the same way I do). The end item is the top of a highly branched and sometimes intertwined root structure. What you see is the flowering plant - the product. Everything below builds it, like the foundation of a building.
Second, to extend the analogy perhaps too far, the plant is built with the nutrients and chemicals retrieved from the soil. But once built, it consumes carbon dioxide and produces oxygen (yes, my biology dork friends, that is only during daytime for a plant - work with me). This is representative of the supply chain of operational consumption needed to execute the business. For a plant, it is growing and making more plants. Bottom line: every company feeding that process takes in raw materials (the operational consumption), produces its goods (for which we are measuring the trust), and produces waste.
Third, the context of trust varies. If I need to know the environmental, sustainability, and labor (ESL) trust associated with my favorite clothing brand, then I need to find one or several independent assessments of it. Similarly, if I need to build a trusted device used in healthcare, I might look to the ISO standards for cleanliness as well as Underwriters Laboratories (UL) to assess the trust of the components, and use Ion Channel to continuously monitor the software ecosystem for vulnerabilities as they emerge and as my capabilities are updated. The cybersecurity of the single device is fused with all other known devices, processes, systems, and testing, thereby building the Supply Chain of Information for cyber risk management.
As usual, I would value any feedback about the concepts behind the Supply Chain of Information. Please also share with your colleagues and friends who have similar interests using the social media links below.