and supply chain on an ongoing basis.
In spite of its growing importance, getting the funding needed to identify and target possible cybersecurity
threats can be difficult, as success does not show up in
net profit or increased revenues. A company’s security spend, in fact, is often treated as a stand-alone cost
of doing business. This approach can be problematic
because the true costs of responding to and recovering
from a cyberattack, as well as the ongoing expenses from
a breach and loss of proprietary information, customer
data, and brand reputation, are not factored into a strategic assessment of revenue generation.
A more reasoned approach may be to incorporate IT
and cybersecurity spending into the cost methodology
for supply chain management, through an accounting
approach that is differentiated as an absorption costing
model. This method would quantify the security spend
as a function of all total direct costs, including overhead
costs associated with logistics, sales/marketing, and manufacturing. We believe this is the most transparent method of determining cybersecurity’s return on investment,
and one that gives a full picture of its organic importance
to the supply and value chain.
HOW DO YOU EVALUATE SUCCESS?
An important but often missing element of supply chain
security is a company’s method for evaluating its level
of success. While the absence of a documented breach
is a notable accomplishment, it is not necessarily a good
indicator of a successful cybersecurity program. Recall
that hackers are now trying to exploit data at deeper
levels over longer periods of time. For example, malware
could be embedded in your manufacturing organization
years before it is detected.
It is important, therefore, to integrate security metrics
into your company’s key performance indicators (KPIs),
balanced scorecards, and/or executive dashboards. One
possible metric is audit efficiency; that is, how effective
and accurate are the audits of third-party vendors and
company systems relative to supply chain threats. A second
possible metric would be the degree of uniformity
in security policy throughout an organization and its
supply chain. Another is supplier concentration in the
company’s overall operations—in other words, how
important any one supplier or group of suppliers is to
the supply and value chain. Correlating that information
with the suppliers’ level of security strength or weakness
can reveal the potential degree of impact of a breach at
a particular supplier. Using this methodology would
ensure that KPIs were tailored toward limiting cyberattack
exposure, as opposed to the simple measure of
whether or not a breach had occurred.
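One way to compute the supplier-concentration metric described above, as an added example that is not part of the original article. Measuring concentration by share of spend, scoring security from 0 to 1, and weighting share by (1 - score) are all assumptions, and the supplier data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Supplier:
    name: str
    annual_spend: float    # spend routed through this supplier (constructed)
    security_score: float  # assumed scale: 0.0 (weak) to 1.0 (strong), e.g. from vendor audits

def concentration(suppliers):
    """Return each supplier's share of total spend and the Herfindahl index
    (sum of squared shares; closer to 1.0 means more concentrated)."""
    total = sum(s.annual_spend for s in suppliers)
    if total <= 0:
        raise ValueError("total spend must be positive")
    shares = {s.name: s.annual_spend / total for s in suppliers}
    return shares, sum(v * v for v in shares.values())

def exposure_ranking(suppliers):
    """Rank suppliers by share * (1 - security_score): how much the company
    depends on a supplier, weighted by how weak that supplier's security is."""
    shares, _ = concentration(suppliers)
    rows = []
    for s in suppliers:
        if not 0.0 <= s.security_score <= 1.0:
            raise ValueError(f"{s.name}: security_score must be within [0, 1]")
        rows.append((s.name, round(shares[s.name] * (1.0 - s.security_score), 4)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

def portfolio_exposure(suppliers):
    """Single KPI for a dashboard: total weighted exposure across all suppliers."""
    return round(sum(score for _, score in exposure_ranking(suppliers)), 4)

# Constructed sample data, not taken from the article.
SAMPLE = [
    Supplier("contract-manufacturer", 5_000_000, 0.9),
    Supplier("logistics-broker", 3_000_000, 0.5),
    Supplier("facilities-vendor", 500_000, 0.2),
    Supplier("payroll-saas", 1_500_000, 0.6),
]

if __name__ == "__main__":
    shares, hhi = concentration(SAMPLE)
    print(f"Herfindahl index: {hhi:.3f}")
    for name, score in exposure_ranking(SAMPLE):
        print(f"{name:24s} share={shares[name]:.2f} exposure={score:.2f}")
    print(f"portfolio exposure: {portfolio_exposure(SAMPLE):.2f}")
```

In this sample the largest supplier by spend ranks third for exposure, which is the distinction the correlation is meant to surface.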
Whichever metrics a company decides to use, it is
clear that information has become the critical asset in
a firm’s supply chain, and that the need to protect the
organization’s overall infrastructure from cyberattacks
has grown in importance. The technological integration
between supply chain partners provides ever-increasing
efficiencies, but with that comes increased risk of security problems for customers.
The threat is real, and companies will be challenged
in the next decade to shield their proprietary knowledge
from cyberattacks. While this is a daunting prospect,
the reality is that there are concrete steps that executive
management teams can engage in to best protect their
strategic competencies. Supply and value chains are
now the drivers of profitability and brand awareness,
and investments to protect them from a cybersecurity
perspective are even more critical as the threats become
more acute.
DREW SMITH IS FOUNDER AND CEO OF INFOARMOR.