October 6, 2022

Last Updated on January 18, 2024

More organizations are becoming aware of how critical supply chain risk management (SCRM) is, especially as it relates to software. But assessing the risk posed by your suppliers, their suppliers, their suppliers’ suppliers, and so on can be a significant challenge, especially in the murky world of software.

Can a company leverage its efforts in areas like disaster recovery and business continuity management to help with SCRM?

To raise awareness about the critical need to manage software supply chain risks, Willy Fabritius, Global Head of Strategy & Business Development, Information Security Assurance, SGS, joined a recent episode of The Virtual CISO Podcast. Pivot Point Security’s CISO and Managing Partner, John Verry, hosts the show as usual.

Applying recovery objectives to SCRM

Since supply chain risk management is a group effort, it follows that recovery planning inputs like time to recovery, recovery process objectives, etc. would be useful for analyzing supply chain risks.

“If you see it from an IT perspective, or from a modern organization solely doing business based on computers, yes,” notes Willy. “But I would like to emphasize that business continuity management (BCM) is not just for IT companies. BCM is for every company.”

This is why John prefers the term IT continuity to disaster recovery, because it emphasizes that the focus is on the IT infrastructure and associated people and processes. Then it logically follows that business continuity refers to recovering the non-IT business functions.

“Ultimately from an SCRM perspective, we have to come up with those most critical risks to the organization, and the continuity of the organization—or lack thereof—is going to be one of the key ways to assess risk,” John summarizes.

Seeing a bigger picture

Why bring these new perspectives to your risk management? It’s all about considering risk from a wider, less limited context. If you fail to consider critical risks, you could be open to unacceptable consequences.

“We cannot ignore the possibility of foreign adversaries implanting some kind of bugs on hard drives, motherboards, network interface cards, routers, switches, wherever,” Willy cautions. “And trust me, in the software world it is exactly the same risk.”

Both Willy and John are skeptical of “free” software services like Google Fonts which, when loaded via API calls from a web page, send website visitors’ dynamic IP addresses back to Google, in violation of privacy laws like GDPR.

“If I have this free service, the question would be obviously, why in the world is it free?” asks Willy.

“If you’re not paying for the product, you are the product,” echoes John.

What’s next?

To listen to the whole show on software supply chain risk with Willy Fabritius, click here.

Risk management is ultimately about resilience. Here’s a great podcast episode on how recovery planning, risk and resilience relate: EP#12 – Cosmo Gazzani – Disaster Recovery, Business Continuity, and Data Resilience
