Supply chains have become intricate webs of interconnected suppliers, manufacturers, distributors, and consumers who benefit from these associations. While this global ecosystem has ushered in new heights of efficiency and productivity, and streamlined many processes and workflows, it has also exposed vulnerabilities that can jeopardize the security of entire enterprise operations.

Unfortunately, supply chain security is often overlooked, creating vulnerabilities that attackers can exploit. In today’s video, Wolfgang Goerlich, and Dave Lewis, Global Advisory CISOs for Cisco, shed light on risks, assessments, metrics, and collaboration needed to strengthen supply chain security.

According to Goerlich, companies focus on securing the enterprise from external attacks, but neglect third-party vendor access that could provide a backdoor for attackers.

“What’s going to happen if they get breached? What’s going to happen if they already have access to our systems?”
—Wolfgang Goerlich

Generally, Lewis explained, organizations usually “don’t pay mind to the third-party connections we have, [including] the vendors and suppliers that we’re working with that have direct access to our environments.”

It’s important to understand that interdependence creates cyber risks if vendors are breached, while supply chain disruptions threaten operations.

Companies historically have assessed vendor risks through questionnaires. But more rigorous, ongoing methods are needed like technical control evaluations, risk information sharing, and automated data analysis with AI. Qualitative surveys should be augmented with continuous quantitative data about emerging threats.

Additionally, supply chain security is tied to regulations covering assets and data. By calling out supply chain specifically, companies pay more attention to non-linear attack paths via third parties. Attackers always seek creative entries, Lewis said, just like the infamous fish tank used to breach a casino.

“Defenders need to understand that the attackers are not going to come at you in a conventional
sense. They’re going to look at new and exciting ways to give you heartburn.”
—Dave Lewis

Both Lewis and Goerlich detail vital performance indicators (KPIs) to track supply chain security. To learn more straight from the experts, watch the full video below:


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels



Tazin Khan

Cybersecurity Specialist

Customer Marketing/Thought Leadership