UPDATED 15:05 EST / MAY 13 2024

TheCUBE discusses the changing faces of supply chain security, zero trust and resilience with Schneider Electric's Cassie Crossley.

Tackling supply chain security with Schneider Electric

Supply chains are the inalienable backbone of the digital enterprise. From coding to testing, continuous improvement and version management, their importance can’t be overstated.

However, technology and business have become intertwined, meaning that enterprise software supply chains have grown more nuanced and are exposed to an expanding crop of threats. What, then, happens when this intricate web is compromised? Enter supply chain security — a critical aspect that often operates behind the scenes but can make or break an organization’s success.

“I think we are at a turning point; I present quite a lot and talk with CISOs all the time and stress … you can’t just look at ISO27K or SOC 2 — it doesn’t cover software security practices,” said Cassie Crossley, vice president of supply chain security, cybersecurity and product security office at Schneider Electric SE. “You need to learn what’s not in your normal skill set to understand what to look for. So, even if [companies aren’t] building applications, they are now and have been dependent on all these others. What’s important is to have that relationship with your critical suppliers and understand how they do business.”

Crossley spoke with theCUBE Research analyst Shelly Kramer and CUBE Collective analyst Jo Peterson during a SecurityANGLE analyst insight series from theCUBE. They discussed supply chain security as critical to enterprise success, balancing trust, verification and resilience in a digital operating landscape.

Schneider Electric’s supply chain security vantage

Schneider Electric focuses primarily on enterprise digital transformation, energy management and sustainability advocacy. The company combines energy tech, real-time automation and services to upgrade data centers, buildings and industrial locations.

The enterprise supply chain is like an intricate symphony, with each instrument playing in a larger harmony. Raw materials harmonize with manufacturers who, in turn, dance with distributors. However, this symphony faces challenges, disruptions, vulnerabilities and threats, and that’s where Schneider comes in, according to Crossley.

“We have over 54,000 suppliers for Schneider Electric, and a lot of those are just component suppliers, screws, things like that,” she said. “But over 2,000 of those suppliers provide intelligent components, software components, chips, things that may be part of the manufacturing process. We develop a lot of operational technology and IoT technology, so they have access to that firmware. Those suppliers need extra scrutiny — you need to see what’s going on from their standpoint.”

Any professional engaged in supply chain security must be equipped to counter new kinds of malevolent forces, ranging from cyberattacks and counterfeit components to geopolitical tensions. They must ensure that every link, from supplier to end user, remains resilient, according to Crossley.

“You should know, at any company, what your critical applications are by now,” she said. “Assume breach, what’s going to happen? Assume this, and go through all those. It doesn’t take longer than a couple of days to workshop, because that is your cyber risk portfolio from a risk management standpoint that you need to be considering. I think with third-party risk management, there are people in the business that do that, but nobody knows it like CISO.”

The resilience equation expanded

Supply chain security is a dance between trust and verification, where transparency is key. There is a crucial need for visibility into sub-tier suppliers, as any weak link can unravel the entire chain, according to Crossley. Zero trust is the new strategy for enterprise survival, and it must be implemented more thoroughly. Every factor, from hardware to software and personnel, needs to be scrutinized. There also need to be rigorous access controls in place to validate identities, monitor anomalies and fortify endpoints.

“What we need to do is have our developers understand the risks,” Crossley said. “You have to assume that each one of those projects and code that they’re bringing down, whether it be open source [or] even just in general … could have logic bombs, it could have back doors, it can have malicious things hidden in. We just saw that with XZ backdoor that happened, where the backdoor had been in the release for a while, it just hadn’t been widely consumed.”

Resiliency isn’t about avoiding storms; it’s about dancing in the rain. In doing so, companies must embrace redundancy, diversify suppliers and map alternative recovery routes to ensure business continuity in the event of any kind of disruption, according to Crossley.

“What I think for supply chain resilience [is] you’ve got to look at it from that supplier viewpoint and the process viewpoint,” she said. “Supply chain resilience is something that over time, we just need to work toward continuous improvement on the Six Sigma Belt. I’m always looking for [how to] get better at that resilience number, but [since] there’s no real number to go with, you’re really judging the maturity.”

Here’s theCUBE’s complete video with Cassie Crossley:

Image: kanawatTH / Canva
