Whether we’re talking about mechanical components, or accounting software, countless businesses around the world make up the complex supply chains that keep our business’s lights on. As a business leader focused on zero trust strategy, it’s important to hold your vendors accountable to the same level of data protection and data privacy standards that you apply to your own operations.
Government and industry bodies take supply chain security seriously, and they continue to introduce requirements and audits to tighten security measures, but the reality is that many businesses that support the supply chain lack basic cybersecurity hygiene. Add to that our increased reliance on global vendors, and suddenly we’re dealing with a higher volume of business in regions where security requirements may be lax, or more vulnerable to nation state risks.
In this episode of the Insider Series, I sat down with George Kehayas, CEO and founder at Yokoten Operations Management to talk through factors driving supply chain security and why every business needs to take another look at their own supply chain vendors.
James Mignacca (JM): George, you specialize in supply chain management - you’ve worked with multinational companies like Toyota Motors Manufacturing in Canada to optimize and manage supply chain issues. One of the most relatable and relevant supply chain examples is the auto manufacturing industry, because really, the complexity of that supply chain can serve as a model for other industries, albeit on a smaller scale. Not to mention the industry's shift to connected cars and systems.
George Kehayas (GK): Absolutely. Year over year, supply chain has been getting more complex. One key aspect driving the complexity are smart vehicle components requirements.
Typically, an internal combustion engine vehicle has approximately 30,000 parts. And traditional engines weren’t considered to be a connected vehicle by today’s IoT adoption standards.
With traditional manufacturing, we would never have thought that a vehicle manufacturer could actually shut down because there's not enough chips to make car components, because those chips are being used to make a computer or a cell phone instead, but that's the reality with the demand for and progression toward IoT and connected cars.
As technology has progressed, it's created competition for key, required components.
JM: So, you’ve got increased parts competition across products thanks to IoT – how have you seen that trend impact supply chain risk?
GK: Let’s use a Canadian auto manufacturer as an example. As an OEM they need to source parts, which could come from Mexico, the US, China or anywhere across Asia.
The risk associated with supply chain increases when you look at that OEM’s requirements, and then at their Tier one supplier, and then the Tier two suppliers who supply the Tier one supplier and so on. Today we’re talking about a global industry - an interdependent supply chain where any little glitch, or the weakest link in the chain can and will impact the OEM upstream.
As these interdependencies become more complex, the risks just keep growing. We've seen that this year with global parts shortages – maybe there’s a shortage due to raw materials, pandemic shutdowns or a supplier facility fire that that impacts the supply chain. Maybe it’s shortage due to a global political issue and the uncertainty that comes with it.
The complexity of supply, and its interdependency introduces additional risk.
JM: What’s changed with supply chain and data security obligations?
GK: So many suppliers are small companies with 10 or 15 employees, and they don't necessarily have the sophistication that a larger entity might have.
Typically, OEMs do audits of their Tier 1 and sometimes their Tier 2 suppliers, and the understanding is that any supplier needs to do similar sort of audit across their supply base to ensure the fact that the parts quality is there. But in opening ourselves up to the digital world of applications and connectivity in the supply chain, in some circumstances convenience supersedes security.
JM: How have government and industry regulators changed how they look at supply chain on the digital side to ensure that there's no weak link?
GK: The cybersecurity aspect of EVs and autonomous and smart cities, is a key risk that industry is looking at right now. Through digitization we're weaponizing our vehicles effectively in those connected vehicles are talking to each other and connected systems. Malicious actors are always looking for opportunity.
There are a lot of organizations right now that are working together toward standardization and how to best proceed with a security-first approach.
The W3C, or the World Wide Web consortium includes companies like BMW and Toyota, and are working to standardize electric vehicles. Others like VESA are focused on connected vehicle systems and automation to create standards and guidelines in partnership with auto manufacturers.
It's becoming a lot more important and a lot more prevalent in today's era with automation and the trickle-down effect to the supply chain - we're truly at a revolutionary stage.