Security in the supply chain of an information technology company like Cisco is very complex because it covers everything from intellectual property to physical boxes in transit.
“You want untampered products that are genuine and protected IP and information security,” said Edna Conway, chief security officer for Cisco’s global value chain. That means managing third-party vendors across the entire ecosystem — any third party that might touch a solution going to a Cisco customer.
The National Institute of Standards and Technology included Cisco as one of 18 companies with best practices for cyber supply chain risk management. Others included Deere, DuPont, FireEye, Intel, NetApp and Northrop Grumman.
Security starts with the first spark of an idea and proceeds through development and quality assurance and manufacturing, she said.
“I come out of a traditional manufacturing supply chain, but today I am sourcing software, 3-D components, storage, compute…” The product could be software, code development, or a manufacturing plant putting out a router. Delivery, in a company with hardware and software, could involve trucks and warehouses or code downloads. The last two nodes of the value chain are sustainment, meaning how a customer uses the product and upgrades or changes it, and finally what happens to the product at end of life.
“There could be interference at every step.”
Cisco was one of the first companies with a dedicated supply chain risk management (SCRM) team.
Cisco’s risk management infrastructure is complex and evolving. First, there is an overall corporate risk management team. This is layered on top of functional risk management teams, including security, IT and supply chain. From a broad strokes perspective, there are multiple teams driving supply chain risk management, including:
• Resilience
• Quality
• Security, both physical and cyber
• Sustainability
• Compliance
Cisco increased its focus on resilience in the aftermath of Hurricane Katrina and the close call Hurricane Rita gave Houston, and created a SCRM team to assess and mitigate supply chain risks.
As a risk manager for Zurich Re has noted, an awful lot of industry around the world is situated on or near water — rivers, seacoasts, or in the cases of hard drive manufacturers based in Thailand, in former rice paddies, which are prone to flooding.
Cisco jointly invested with its contract manufacturers to achieve Highly Protected Risk (HPR) status from its property insurer for critical sites. This has helped the company lower its insurance premiums while gaining higher coverage for business continuity disruptions.
Events such as the Fukushima Daiichi nuclear disaster triggered by an earthquake/tsunami and the Thai floods of 2012 validated and reinforced the importance of investment in supply chain resilience, Cisco noted. The supply chain team also has 130 members focused on quality.
Supply Chain Security has been a key part of Cisco’s manufacturing supply chain for more than four years, focused on the risks of counterfeit or tainted products and misuse of intellectual property. Recently, the company established a new corporate organization focused on shifting the role security plays from “limiting damage” to enabling business.
The supply chain risk management team can help the company recover from disasters — Cisco calls them events. Nghi Luu, supply chain risk leader, said that a team of “nine full-time staff and nine contractors protect literally billions in revenue. Without this team, it would take four weeks longer to get the business running after a disruption — and how much money would be lost every day during that period?”
The company has a comprehensive framework for managing supply chain risk, he added.
“We’ve come to realize that it’s not just about boxes getting from Point A to Point B. It’s geopolitical risks, cyber risks, overall supply chain continuity risks. We’ve created a holistic framework for risk assessment that examines six overall categories of risk with over 25 subcategories.”
The Cisco Security and Trust Office is partnering with every team that touches any part of the product lifecycle, and embedding new security capabilities into existing people, processes and tools.
“Adversaries change, threats change, concepts of security like ID management change,” Conway said.