16 December 2020

Is supplier risk management useless?

So here we are again. Another supply chain attack has led to the compromise of highly sensitive computer networks. Is this the point where we draw a line under supplier risk management, put our hands up and say ‘too hard’? Alex Stamos, adjunct professor at Stanford University’s Center for International Security and Cooperation and former chief security officer (CSO) at Facebook, seems to think so. In a tweet following the SolarWinds compromise he said,

“Vendor risk management is an invisible, incredibly expensive and mostly useless process as executed by most companies. When decent, it happens too late in procurement.”

For those of you who follow our blogs, you will know that this is a subject we also have strong views on. It is our view that supply chain risk is something companies cannot solve on their own. We were therefore delighted to see statements in the 2020 Australian Cyber Security Strategy that help is on its way:

“The Australian Government will establish a Cyber Security Best Practice Regulation Task Force to work with businesses and international partners to consider options for better protecting customers by ensuring cyber security is built into digital products, services and supply chains.”

What this Task Force will look like in practice, beyond the concept, remains to be seen. Given recent events, however, we at elevenM hope that whatever form the action takes, it gets delivered sooner rather than later.