Blogrige

The Official Baldrige Blog

Lumberjacks and Supply Chain Cybersecurity: Take Time to Prepare

Businessman's hand shown holding digital supply chain cybersecurity icon.
Credit: sdecoret/Shutterstock

A Lumberjack Story

by Motivational Speaker Harvey Mackay

Two lumberjacks are cutting wood. One of the men worked hard all day, seldom took a break, and took only 20 minutes for lunch. The other man took several breaks a day, spent 45 minutes for lunch, and even took a 15-minute nap before going back to work. The first man became increasingly frustrated because, no matter how hard he worked, the other man's pile of chopped wood was always much bigger than his at the end of the day. "I don't understand how you do it," said the first man one day. "Every time I look around, you are sitting down, and yet you cut more wood than I do. Why is that?" With a smile, the second man replied, "Did you also notice that while I was sitting down, I was sharpening my ax?"

Sharpening One's Ax

Here’s another way to look at “sharpening one’s ax.” Is your organization just reacting to problems once they occur, or are you anticipating, mitigating, and improving risky scenarios for your organization? Certainly, in the world of cybersecurity, one can only imagine the state of your data, secrets, and sustainability if you do not prepare for future scenarios and assess the risk. This blog looks at one area within cybersecurity that many organizations forget to include in their risk assessments—their supply chains.

Understanding Supply-Chain Cyber Risks

Paul Myerson, in his recent Industry Week article “Can’t Turn Back Time: Cybersecurity Must Be Dealt With,” includes the statistics that “80% of all cyber breaches occur in the supply chain, and that 72% of companies don’t have full visibility into their supply chains. . . . Organizations—supply chain and otherwise—need to identify the potential risks (information security included), estimate both their potential impact . . . and the likelihood of them occurring, and put together a mitigation strategy to avoid the most likely high-impact risks.”

Myerson cites Jon Boyens of the National Institute of Standards and Technology (NIST) who points out that three trends exacerbate cyber risks to supply chains:

  • Internet of Things—everything is smart and interconnected.
  • IT-enabled supply chain management—product and supply chain data run on top of business software that connects supply chains, and weak links abound globally.
  • 3-D printing—production is going viral and digital.

He offers examples to illustrate the risk:

  • Supplier-provided keyboard software gave hackers access to owner data on 600 million Samsung Galaxy phones.
  • Poor information security by service suppliers led to data breaches at Target, Home Depot, Goodwill, and many companies and organizations.

Holding Supply-Chain Partners Accountable

In “Supply Chain Cybersecurity: Supply Chain Contractors Need to Improve Cybersecurity Risk,” Megan Ray Nichols wrote about the need to assess your suppliers’ cyber risk.

She writes, “The impact of just one weak link in the supply chain cybersecurity ‘chain of custody’ can be significant. . . . What’s really at risk isn’t necessarily something with a fixed, one-time value. Merchandise can be replaced. What’s at stake is quite often the key to your remaining profitable at all. You stand to lose vital organizational and client data, intellectual property and trade secrets. In some cases, you’ll be held responsible for damages if formal laws and guidelines apply.”

To hold “your supply chain partners, and yourself, to higher security standards,” Nichols suggests determining which vendors have access to your network, being explicit about security requirements in your contracts, monitoring your technology providers and other partners, and seeking constant improvement.

Says Nichols, “Each company is unique and has its own needs, which might make your particular approach unique.”

Assessing Risk and Prioritizing Improvements

A recent Industry Week article, “(Cyber)Securing Manufacturing’s Future,” underscores the need for preparation when thinking about cybersecurity.

Author Gary Williams writes, "Cybersecurity is a journey, not a destination: Security can never be viewed as a one-off project. New threats, attack techniques, and technologies are continually being developed, so security protocols must be regularly reviewed and updated. End users must apply and strengthen cybersecurity measures across the lifecycle of a device or system, and not just as an 'add-on' when it is first operational. That means continually monitoring and assessing the security of every system and device, as well as their networks and interconnections."

To help organizations assess and mitigate their cyber risk, including across supply chains and based on their own unique needs, the Baldrige Cybersecurity Excellence Builder blends two recognized NIST frameworks: the Baldrige Performance Excellence Framework and the Cybersecurity Framework. Following the model of the Baldrige framework, the Baldrige Cybersecurity Excellence Builder offers thoughtful questions to help an organization assess the effectiveness and efficiency of its cybersecurity risk management program, assess the cybersecurity results it achieves, and identify priorities for improving cybersecurity risk-management efforts. This free resource can also be shared with—even required for—suppliers.

Using the Baldrige Cybersecurity Excellence Builder

Speaking at a 2017 cybersecurity panel, Steve Caimi, industry solutions specialist, US Public Sector Cybersecurity for Cisco, said that the Baldrige Cybersecurity Excellence Builder helps organizations ask key questions: “How do we assess where we are in the organization [in terms of cybersecurity]? How do we measure our progress and dial the risk down to an acceptable level?”

Russ Branzell, president and CEO of the College of Healthcare Information Management Executives, speaking at the same cybersecurity panel, said, “Risk analysis has to occur . . . because [for example] there is zero possibility for us to absolutely secure the health care system in this country. [The Baldrige Cybersecurity Excellence Builder] is going to force the entire organization—the board, every single staff member in the organization who wants to understand why we have to focus on cybersecurity—to have the really hard conversations on how much and appropriately where they will be spending the money to secure the organization.”

Will your organization be like the lumberjack working hard but not taking time to prepare, or like the lumberjack preparing, anticipating, mitigating, and improving?

Start using the Baldrige Cybersecurity Excellence Builder today to assess your own organization’s cyber risk, as well as the risk of your supply chain!


Improve Your Organization’s Cybersecurity Risk Management Efforts

Baldrige Cybersecurity Excellence Builder

The Baldrige Cybersecurity Excellence Builder, Version 1.1, is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identify improvement opportunities in the context of their overall organizational performance.


About the author

Dawn Bailey

Dawn Bailey is a writer/editor for the Baldrige Program and involved in all aspects of communications, from leading the Baldrige Executive Fellows program to managing the direction of case studies...
