Securing the digital value chain

New business models often create new vulnerabilities

Editor’s note: This story originally appeared in the Unleashing Digital Value issue of Workflow Quarterly.

At the start of the pandemic, supply, vendor, and personnel shortages forced companies to adopt new ways of working—quickly. These rapid pivots helped many firms survive. They also created serious security risks.

COVID-19 forced changes to how companies worldwide produced and delivered products and services—their value chains. Often, these value chains evolved faster than organizations’ cybersecurity capabilities.

As a result, hackers carried out devastating assaults. Notably, the 2020 SolarWinds attack affected up to 18,000 SolarWinds customers, including the Pentagon and U.S. Department of State. Since then, there have been near-constant attacks on SolarWinds’ vendors and suppliers, says Larry Clinton, president of the Internet Security Alliance (ISA). SolarWinds is not an outlier: Clinton says many executives still don’t take cybersecurity seriously.

“We’re making the same mistakes with AI and other technologies that we did with the internet,” he says. “We’re waiting until we use them everywhere before we wake up to the fact that they aren’t secure.”

More vendors, more risk

In a recent ServiceNow/ThoughtLab survey on innovation, more than half of respondents reported significant progress modernizing IT systems. A quarter made similar progress automating workflows, improving processes, and harnessing AI, the cloud, and the IoT.

However, our research on cyber risks shows that more than 40% of respondents fear their cybersecurity efforts are not keeping pace with their digital transformations. Two-thirds report that remote work has exacerbated risks. Almost half say an increase in vendors and suppliers has created new vulnerabilities.

In its list of best practices for managing supply chain risks, the National Institute of Standards and Technology emphasizes that every department, from product marketing to engineering to human resources, should run its own risk assessments and security tests on vendors and partners. Due to a severe shortage of tech talent, most companies don’t have enough security professionals to do this work.

To augment these understaffed teams, organizations need an integrated system that facilitates collaboration with vendors, triages vulnerabilities, and uses AI to anticipate threats. One such system is from MITRE, a nonprofit research firm that works with the U.S. federal government. The company developed a predictive tool that can identify bad actors across the internet. Such tools can replace human security analysts, or be used to help security teams identify threats.

To secure their value chains, companies must rethink and prioritize their approaches to security, says Karl Klaessig, director of product marketing for security operations at ServiceNow. “In the 21st century, no corporate board should make a serious decision without discussing it with legal, finance, and also cybersecurity,” he says.