There is a story from years ago about a warehouse network of computers that was separated from the main network. Those machines were running older OSes. But since they weren’t connected to the company network, didn’t hold company data, and only ran the warehouse machines, they were deemed secure.

One day, the sysadmin noticed that all of those computers had a glitch at the same time. He rebooted them remotely and went back to his desk. But they all glitched again.

What happened?

Even though they were not connected directly to the company network, they were connected to a Wi-Fi network that ran directly to the internet. The warehouse's vending machine sat on that same Wi-Fi network, and unfortunately the vendor operating that vending machine had been compromised. The virus traveled from the vendor, over the internet, to the vending machine, and from there to every computer on the same Wi-Fi network.

Supply chain security – it matters.

Fortunately, there was only some downtime. No damage was done, and no data was lost.

The event detailed above raises some important questions. What’s connected to what? And just as important, who is connected to what?
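As an added example (not code from the original post), the "what is connected to what" question can be turned into a routine check over an asset inventory. The inventory records, segment names, device names and the `owner`/`role` fields below are all constructed for illustration; the check flags any segment where equipment that is supposed to be isolated shares a broadcast domain with a vendor-managed device or with internet reachability, which is exactly the condition the warehouse story describes.

```python
# Added example, not from the original post: a minimal "what is connected
# to what" check over a constructed asset inventory. Every record below is
# made up for illustration; the field names are an assumption of this example.

from collections import defaultdict

# Constructed inventory: one record per device with the network segment it
# sits on, who administers it, its role, and whether that segment reaches
# the internet. "ot" marks equipment that is meant to be isolated.
INVENTORY = [
    {"name": "wh-ctl-01", "segment": "warehouse-wifi", "owner": "internal", "role": "ot", "internet": True},
    {"name": "wh-ctl-02", "segment": "warehouse-wifi", "owner": "internal", "role": "ot", "internet": True},
    {"name": "vending-01", "segment": "warehouse-wifi", "owner": "third-party", "role": "iot", "internet": True},
    {"name": "erp-db-01", "segment": "corp-lan", "owner": "internal", "role": "it", "internet": False},
    {"name": "hvac-01", "segment": "facilities-vlan", "owner": "third-party", "role": "iot", "internet": True},
]


def group_by_segment(inventory):
    """Index devices by the network segment they sit on."""
    segments = defaultdict(list)
    for dev in inventory:
        segments[dev["segment"]].append(dev)
    return segments


def find_isolation_gaps(inventory):
    """Return one finding per segment/issue pair where OT devices share a
    segment with a third-party-managed device or with internet reachability.

    Findings are sorted by (segment, issue) so the output is stable.
    """
    findings = []
    for segment, devices in group_by_segment(inventory).items():
        ot = sorted(d["name"] for d in devices if d["role"] == "ot")
        if not ot:
            continue  # nothing here is supposed to be isolated
        vendor_devices = sorted(d["name"] for d in devices if d["owner"] == "third-party")
        if vendor_devices:
            findings.append({
                "segment": segment,
                "issue": "ot-shares-segment-with-vendor-device",
                "ot": ot,
                "vendor_devices": vendor_devices,
            })
        if any(d["internet"] for d in devices):
            findings.append({
                "segment": segment,
                "issue": "ot-segment-internet-reachable",
                "ot": ot,
                "vendor_devices": [],
            })
    return sorted(findings, key=lambda f: (f["segment"], f["issue"]))


if __name__ == "__main__":
    for finding in find_isolation_gaps(INVENTORY):
        print(f"{finding['segment']}: {finding['issue']} "
              f"(ot={finding['ot']}, vendor={finding['vendor_devices']})")
```

Run against the constructed inventory, the check reports two findings for `warehouse-wifi` (a vendor-managed device on the segment, and the segment reaching the internet) and nothing for the other segments; in practice the inventory would come from a CMDB or switch/controller export, and the same two conditions are the ones worth alerting on whenever a new device appears on a segment that is assumed to be isolated.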

That’s where Supply Chain Risk Management (SCRM) comes in. The main purpose of this blog post is to address the overall task that I’ll refer to as SCRM.

The topic above can actually be considered Cybersecurity SCRM (C-SCRM), and, because that’s a more technical aspect, I will cover that in the next article.

Building a SCRM Program

There are three main areas in an SCRM program: managing the vendors, mitigating the risks, and maturing the program.

Management of the Vendors

The typical vendor management (VM) program, which is part of the whole SCRM process, should contain at least the following items:

  • Policies and procedures for vendor management