Monthly Archives: February 2024

The Supply Chain of Supply Chain Talent is Not Only Broken … It’s Running On Empty!

A recent article in Forbes noted that The Supply Chain of Supply Chain Talent Is Broken, which it is, and has been for well over a decade. The problems started with the truck driver shortages that hit the developed world in the early 2000s, but the real problems were much deeper and hidden from view, because supply chains were otherwise running smoothly and no one was looking behind the curtain or shining a light into the dark recesses of the supply chain.

Why? Because of the rampant digitization of procurement, logistics, and supply chain over the past twenty years, a time when globalization reached its peak, conflict was at a minimum, inflation was in the rear-view mirror, and natural disasters were still manageable, supply chains just worked. Predictable processes, routes, costs, and flows allowed simple systems to manage the supply chains almost automatically. Supply Chains didn’t need traditional supply chain talent to run; they needed buyers, logistics managers, inventory operations, and compliance personnel who could use systems — IT geeks ruled the day!

At the same time, seasoned supply chain professionals, the negotiators, logistics professionals, and inventory/warehouse managers, were retiring in droves, and no one was replacing them. More importantly, no one was replacing them because there was no perceived need. These were the individuals who were doing supply chains in the 80s and 90s, before modern systems managed everything, when there were still lots of regulations to deal with (as the EU was still forming), when you didn’t always have container ships available (or easy container transportation to all locales), and when you had to know, by rote, who to call when a truck wasn’t at the factory or the dock for a pick-up. When you had to do everything by phone and fax, because email was a luxury; when you had to deal with dozens of import/export regulations (and know how to create the reports by hand), and how to manage logistics scheduling on paper, especially when the availability of certain carriers or personnel would change by the day. When you had to truly know how supply chain operations worked end to end, and not just push buttons on a virtual screen.

But then they retired, and no one replaced them. Even worse, no one was recruited to replace them. The organizations saw no need, since the systems did everything, the EU and harmonized regulations across regions made trade easy, and the big global carriers managed logistics for them. As long as they had negotiators, system operators, outsourced carriers, and outsourced consultants to do the rest, who cared? They certainly didn’t.

Furthermore, because there was no need in the organizations, people who studied Operations Research and might have gone into Supply Chain went elsewhere, and as demand dried up, so did students, and, more importantly, so did apprenticeships. Now, with disruptions on the rise, globalization retreating, inflation resurging, supply chains breaking due to slowdowns, (port) shutdowns, and simultaneous canal slowdowns/closures (Panama and Suez), and current systems not designed for the world of today, there is no one who can handle the current situation. And that is why supply chains are broken, why talent chains are broken, and, most importantly, why they are empty.

All of this happened behind the scenes because no one was watching, no one was thinking about the future, and no one was doing a risk assessment or managing the risks that were destined to come. All despite the fact that natural disasters were on the rise, political tension was on the rise, and we were being warned that a pandemic was the top global risk for over a decade.

Now we are at a point where software alone won’t fix this, consultancies who don’t have the talent either (despite telling you to go to China for two decades) won’t fix this, and hope won’t fix this. The only thing that will fix this is the re-introduction of supply chain apprenticeship programs, as noted by the Forbes article, along with the return of retirees with actual knowledge to mentor the new recruits, which the article misses. Most organizations, and most consultancies, these days barely have enough talent to manage their own operations, let alone train a batch of new recruits on the side, especially if they didn’t live through the rise in global trade in the 80s and 90s. The retirees did, and they have the knowledge that the consultancies, and modern systems, don’t. Along with new recruits, it is their (temporary) return that is needed to fix the supply chains.

Close the Supplier Loop with LUPR

Suppliers are key to sourcing and procurement success because you depend on your suppliers for the products you sell, the services you provide, and the materials you need for your daily operations. Thus, Supplier Management is key to sourcing and procurement success, but most companies don’t even have up to date information on their suppliers.

In order to achieve the value you expect from your suppliers, you need to

  • properly onboard and vet them
  • manage their information
  • monitor their performance
  • record related issues
  • manage the relationship
  • store contracts
  • track the savings goals
  • track the realized savings
  • and so on

And, more importantly, your supplier account managers need to work with the supplier representatives in each of these tasks, which need to be streamlined for both parties.

The founders of LUPR, each with two decades (plus) of Procurement project experience, realized this and created a supplier management platform to tackle these issues, and they built it on top of Salesforce. That makes it an easy buy for any organization already using Salesforce, as the underlying platform has already been vetted by IT, Risk, Sales, and Finance. It also makes it easy for staff to learn, as they are already used to the basics of Salesforce, and the organization already has Salesforce administrators who can help out.

Before we get into the specifics (modules) of the solution, one thing to note is that because it’s built on Salesforce, it has:

  • high levels of configurability
  • security down to the individual field on an object (on top of Salesforce’s record-level sharing)
  • automation
  • familiar reporting and analytics capability
  • easy integration with other Salesforce AppExchange apps

The platform has the following primary modules:

  • supplier registration portal (for self-serve onboarding)
  • supplier information management module
  • risk assessment module
  • issue reporting and performance tracking
  • supplier corrective action resolution (SCAR) control
  • savings tracking and pipeline management
  • reporting and analytics

Supplier Registration Portal
The supplier portal is a very user-friendly web-based portal where a supplier can register itself as wanting to do business with the buying organization and provide all of the information the buying organization requests. When it comes to onboarding, it should be noted that the only available out-of-the-box integrations (subscriptions required) for supplier validation are Experian, CreditSafe, Equifax and RapidRatings, for business identifiers, financial information, and/or credit scores. Additional, custom, integrations are possible, but if you already have other validation data being pulled into your ERP (such as SAP or Oracle, both of which LUPR integrates with), you can pull the validated data in from your ERP rather than collecting it from the supplier (and having to validate it manually).

Supplier Information Management
Upon login, the user is taken to their dashboard, which can be custom configured, and usually overviews their approved supplier list (by product and service), their top supplier spend (by supplier), outstanding tasks (including approvals for onboarding, information updates, etc.), suppliers by relationship tiers (as it supports multiple tiers, which can be custom configured, but are defaulted to critical, strategic, transactional, and leverage, which matches many consulting 2*2 breakdowns), today’s events, NCRs by type, NCR and KPI trends, etc.

Supplier profiles are typical of what you would expect and you can define and track all standard corporate data (including registration numbers), contacts, banking information, risk scores (through an API or collected from surveys), ESG data (from AppExchange partners, including Ecovadis and CSRHub, or pulled in from surveys), and spend (with an ERP or P2P integration). You can also store certificates and track associated metadata, see the supplier’s Z-score, its KPI scores (and drill into scorecards), see any associated nonconformance occurrences, open activities, surveys, and create supplier level initiatives (around overall savings targets, organizational alignment, performance measurements, etc.).

Products and Services
One unique capability of the LUPR platform is that they support extensive product and service definitions, which are associated with the corresponding suppliers, as well as the corresponding organizational standard product or service, and you can drill into each individual supplier product/service from both the supplier profile and the standard product/service, which can be organized by category (or category hierarchy with additional system hierarchy). It’s also easy to search for products and services by keywords (and then filter into particular categories or suppliers if desired).

The built-in out-of-the-box support is very extensive, and allows buyers to analyze total spend, define organizational needs, analyze markets, engage stakeholders, create strategies, and manage performance by product as well as manage performance by suppliers (discussed below). The assessments can be quite deep and look at the business aspect, supply market flexibility, savings estimation, and ease & speed of implementation. Furthermore, any relevant stakeholders can be engaged in the analysis as needed.

Issue Reporting and Performance Tracking / KPI Scorecards
Performance tracking in the platform revolves around KPI scorecards, which can be very extensive depending on how much data the organization tracks and integrates into the platform. The platform comes with a number of scorecard templates (and a large number of pre-defined measures in the KPI library), all of which can be updated as you see fit, with measures added and removed and weights adjusted to suit organizational preferences. LUPR can also build custom scorecards to evaluate a supplier on any dimensions that are relevant to your business; they have done quite a few over the years and can implement extensive, custom scorecards relatively quickly. Contract compliance, (on time) delivery, quality, ESG, realized savings, etc. can all be tracked (by default) at the supplier level if the data is available, and you can get KPI scorecards by supplier, category, supplier-category, or a subset of the supply base (restricted to a region).

Nonconformance / Supplier Corrective Action Resolution
The system comes with built in templates to capture nonconformances (related to contracts, delivery, quality, invoices, etc.) that can be filled out by any system user and then turned into a supplier corrective action workflow by a supplier (account) manager that will accept and complete the information, share the nonconformance report with the supplier through the supplier community, get additional information back, propose a corrective action, capture supplier acceptance (or rejection, and then restart the process), track progress, and when the issue is resolved, close it out. LUPR has a detailed dashboard to help the Procurement team track nonconformances for fast resolution.

Savings Tracking and Initiative/Pipeline Management
The entry point is the initiative dashboard which is a Kanban type project management dashboard that summarizes projects in each stage (idea, evaluation, validation, execution, finalization, and realization) as well as the total dollar value of all projects in each stage. If the user prefers, she can flip to a tabular view that can be filtered by stage, owner, spend category, SOP category, and other relevant dimensions. Upon drilling into an active initiative, the user can see all of the associated data as well as what has been realized to date in the realization phase.

A new initiative can be created by simply defining a small amount of project data (name, owner, bracketing dates, business unit, etc.), the spend category, and one or more actions that will need to be performed. Actions just need a name, type, associated category, and one or more suppliers or products you are tracking the action against, each of which is associated with a start date, end date, tracking frequency (one time, monthly, quarterly, etc.), and accounting categorization (capex, opex, etc.).

Reporting and Analytics
Most reporting in the system is summarized in dashboards (from which you can drill into the individual reports behind the widget).

Provided the system is integrated with your ERP or spend analysis system, or someone enters the monthly spend or (data necessary to calculate the) savings realized against each initiative, one of the key reports is the savings dashboard that summarizes the initiatives, total anticipated savings, savings targets for the year, target run rate savings by month, targets by owner, targets by status, targets vs actioned, and so on to allow a supplier and/or category manager to get a firm grip on how initiatives are going, where they may not be going as well as projected, and where supplier management may be needed.

Another key report is the category dashboard, which tracks on-time delivery, NCRs not resolved within 30 days (or the number of days defined by the organization), average NCR resolution time (by supplier), invoicing errors, spend, identified savings by quarter, and other key metrics, all filterable by category.

LUPR comes with out-of-the-box reports and dashboards which can be further configured for you upon implementation, or you can build your own.

The system also maintains complete, unalterable audit trails on every data element in the system, which can be queried and reported upon at any time in the reporting module. (If you will rely on these trails for compliance or dispute evidence, confirm during implementation which fields are tracked and how long history is retained, as that is configured at the platform level.)

Global Search & Chatter
It’s worth pointing out that the platform also supports global search, and will show all results by type (supplier, product/service, projects, reports, dashboards, events, etc.).

It also has built-in Slack-like communication (Chatter) where a user can communicate with other users, supplier users, or custom groups of users.

Administration
As the platform is built on Salesforce, everything can be customized, and, most importantly, users can be given access rights down to an individual data element if needed. Most of the administration takes place in the Object Manager, where the administrator can select any LUPR system object for customization, as appropriate. Within an object, the administrator can edit the data elements, the allowed value ranges, the display criteria and layout, the access rights, etc.

So if you’re in the market for a Supplier Relationship Management (SRM) solution, and especially if you are a mid-size organization looking for an SRM solution that is quick to buy, quicker still to implement (if you already have Salesforce), and a great complement to a modern Sourcing and Procurement solution (their API can be used to build integrations that pull data in from your ERP/AP [and they already have integrations with SAP and Oracle] and push up-to-date supplier data to your sourcing platform), LUPR is a platform you should check out. As with the new generation of solutions aimed primarily at SME organizations, it starts at a very affordable price point, and as it was designed by Procurement consultants with over two decades of experience, you know they will help you configure it to support the supplier management projects and reporting your organization needs.

The Prophet’s 2024 Procurement Prediction Number 10

A “CFA-like” Credential Emerges in Procurement and Supply Chain B+.

The Prophet says that the procurement and supply chain industries, like most others excluding finance, lack any certification or credential that those “in the know” would rate as a better qualification for a job than even a top degree from a world-class or specialized university, which is totally true.

The Prophet also says that organizations such as CIPS, ISM, SIG, etc., might disagree with this viewpoint, which is also totally true. The Prophet does note that he supports all of these organizations, which the doctor does as well, and that he believes their training materials are highly valuable, which the doctor doesn’t across the board. (the doctor has seen some of their training materials. While some of their training materials provide a very good foundation, some of them are not so good. Most of these organizations are very weak when it comes to analysis, tech-backed processes and practices, government/industry specific compliance requirements, risk management in today’s increasingly fragile global supply chains, etc. But when so many Procurement departments are struggling with the basics, understanding what their role is, and how ethics should enter the equation, we do need these organizations, and that is why the doctor supports them while reminding you to do your homework when it comes to training. Use them for their strengths, not their weaknesses.)

The Prophet then suggests that in 2024, credentials will take on new meaning, and the best ones, particularly those challenging to obtain and requiring rigorous exams (which many fail), similar to the CFA in finance, will begin to take on a new significance in Procurement.

the doctor agrees with the principle, but does not agree it will happen this year, or even next year. Why? This will only happen with industry regulation, and that only happens in two situations.

  1. when an industry-led body gains enough support from the majority of professionals in an industry to make it a de-facto requirement in any employer of any size to get a high-level procurement job; no organization yet has that weight, and we’re not going to see the NLPA, SIG, APS, etc. all fold into the ISM, and definitely not into CIPS, which is pseudo-global (as it has made progress in some of the Commonwealth); this means that we’d need to see a new industry initiative that gave all parties representation and allowed them all to contribute to the standard and exam — for this to form, a certification to be adopted, and a test accepted will take years
  2. when a government forces a requirement that can only be met by a certification (and either creates their own or adopts one); governments move slow, and when we have the situation in the US where
    1. the republican focus is on ripping democrats apart for what they didn’t do, rolling back human rights to the fifties, and installing a wannabe dictator as President-for-Life
    2. the democrat focus is on shaming the republicans, selectively protecting the human rights they want, and taking up the former republican war mantle (since Trump just wants to be a dictator, which doesn’t profit the military complex) and doing everything they can to back Ukraine and Israel (including risking World War III with their Middle East bombing of Yemen vs. just destroying every Houthi vessel launched into the water)

    and the situation in the UK where

    1. the conservatives are too busy trying to keep Dishy Rishy from making them the laughing stock of the political world (as he’s so far disconnected from the common person he has no clue)
    2. the liberal (democrats) are too busy trying to counter the conservative support for the global wars and lack of focus on the situation at home by being extra woke (and we know how that fared in America) …
    3. when we look at the NHS mess and postal service mess and their apparent unwillingness to do anything meaningful about it (for longer than should be humanly possible to ignore a crisis), it seems that good procurement is the last thing on their mind

which are the two countries that would need to lead such an effort (as the EU is very focussed on climate change and AI and struggling to hold itself together, with active protests in about a third of its member states on any given day; heck, it’s too focussed on attacking the farmers, already forgetting what happened when Stalin called the farmers the enemy of the state; see this article, for example).

Thus, while such regulation is sorely needed, it’s not likely to happen, if it happens at all, until the latter part of the decade (unless, of course, The Prophet and The Public Defender want to once again band together, take up the charge, and lead the effort to bring all the necessary parties together).

The Prophet was dead on with three of the primary reasons we need it.

  • GPAs are no longer a measure of academic performance in many universities.
    The Prophet notes that, according to the Yale Daily News, “Yale College’s mean GPA was 3.70 for the 2022-23 academic year, and 78.97 percent of grades given to students were A’s or A-’s,” including the hard sciences and engineering! He also notes that the Michigan State Broad Business School (which includes the Supply Chain and Procurement degree programs) also experiences significant grade inflation, with 80% of students in 3 out of 5 undergraduate classes earning a 4.0. (Source)
    The situation is even worse in China where you don’t even get accepted to some Universities unless you are an A- or better student, and where you are under intense pressure to maintain that A, to the point where a student will drop out (or commit suicide) rather than risk being thrown out for not maintaining it. Now, this would be great except for the fact that As are often contingent on rote memorization and learning to do the work the “state way”, not always with any free thinking whatsoever. (And then graduating ONLY if they think you’ll agree to share what you learn when they allow you to go outside China for that Post-Doc/Professor position).
    The situation is better in Canada [except Quebec], but there are some Universities / Departments that are under great pressure to remain competitive to maintain grant and industry funding, and others where the professors are so overworked that they don’t even bother to confirm that a Master’s student in Engineering can manually calibrate an oscilloscope or a Master’s student in Computer Science can appropriately identify and test for all boundary cases in a simple procedure. (Remember, the doctor has been a Professor, maintains regular contact with Professors, and knows this to be true.) How could you trust either to validate your equipment or your code? (He couldn’t!) (Regarding Quebec, the current premier is taking Quebec’s status as a nation within a nation and essentially discriminating against anyone who is not French and willing to speak French as a first, and only, language. [See this article, for example.])
  • DEI/affirmative action preferences, which still exist (despite the Supreme Court ruling and their illegality if they enforce admitting or hiring a less qualified candidate), have removed objective academic criteria in both degree-based programs and industrial training programs. This has resulted in candidates who might only be a D being admitted to programs because of their minority status while non-minority candidates with Bs were excluded.
  • The best talent may no longer be pursuing traditional college or graduate programs. There needs to be an objective means of evaluating hard and learned skills for those who cannot afford or do not wish to invest time in university studies, especially those who have taken industry training programs or annex courses specific to what they need as well as obtained relevant real world experience under a mentor. (There’s a reason there used to be apprenticeships; some learning only happened under the guidance of a mentor.)

The only other reason that needs to be mentioned in the doctor’s view is

  • without a certification, how can you know that any candidate, no matter how experienced and skilled they appear, knows all of the foundations you need them to know? With so many different definitions of sourcing, procurement, and purchasing; so many different thoughts on what an individual should know about analytics, supplier identification, supplier vetting/onboarding/management/development, negotiation, contracting, global trade, logistics, risk identification and management, compliance, finance / finance support, etc., how can we have a solid baseline without a (multi-level) certification program?

It would be great if 2024 is the year that we saw this certification, but while we desperately need it, the doctor believes that, unfortunately, it’s still years away. (But he will challenge The Prophet to step up and make it happen!)

The Prophet’s 2024 Procurement Prediction Number 9

SaaS Management Solutions Start to Eat Services Procurement Tech A+

More specifically “vendor management systems” (VMS) that are all about the billable hour.

As The Prophet asks, what happens when that billable hour becomes an SOW (either to skirt worker classification requirements or because it really is a complex SOW), especially when consultants, managed services or outsourcing providers need to blend and leverage AI, tech, data and other capabilities to deliver an outcome? You get joint SaaS/[IT] Category (management) solutions that become the new norm for taking on certain business functions. They won’t look anything like today’s VMS or SOW solutions; as The Prophet notes, they will likely be a new generation of today’s SaaS/IT Category solutions, which will either blend in more services or merge with / be acquired by new-age MSPs that build the offering around the new tech, and not the old tech.

But what will these solutions look like? Good question (that The Prophet did not answer).

More importantly, as The Prophet notes, this convergence will raise a ton of questions.

  • What metrics do you use to set up ideal outcomes in a blended services/tech/AI/data world?
  • “What” is negotiated (hint: it’s as far from the billable hour or a weekly “team” rate as can be)?
  • How do you capture and validate demand?
  • How do you reduce contract risk (including indemnifying (or not) for IP considerations, given recent AI lawsuits)?
  • How do you benchmark (drumroll please) an outcome?
  • What happens when an outcome becomes continuous, a metered service (like telecom) so to speak?

These answers may or may not dictate what the blended deliverable looks like, as the developments are just as likely, or more likely, to be shaped by whatever regulations currently exist or get introduced around the services, data, technology, and/or AI utilized. Plus, the smaller players will likely try to build off of whatever is getting traction from the big players, but in a more innovative, effective, and cost effective fashion. (Remember, the big players like to charge you way more than a service can be profitably delivered for. Case in point: spend analysis. Large engagements, which usually start with a massive data cleansing effort, require a lot of analysis and reports, and modern solutions, will usually get quotes starting in the 7 figure range when there are a number of mid-sized, niche consultancies that can usually do the same work, faster and better, for 250K or less. [Remember, analytics is one of the doctor’s areas of expertise; he knows the vast majority of vendors and talks with the best regularly. Solutions 10X better than anything a Billion Dollar Suite or ERP will throw your way cost 1/10 of what they did a decade ago, but we’ll save this rant for another day.] The point is, they’ll let the big players create a market around a new offering, and then swoop in with a better, more cost effective alternative.)

the doctor has to admit this is one area where the answer has not yet revealed itself, one of the few areas where he’s not sure what the first solutions will look like (beyond a blend of current SaaS tools pre-integrated with third-party data feeds, semi-dedicated personnel performing regular tasks, account managers monitoring progress, and consultants doing quarterly checkups and advisory), and how long it will be before new workforce regulations get passed that change how such services can be offered (or how workers must be paid).

It will be an area to watch, and the doctor bets that Andrew Karpie will be watching it closely, so be sure to read anything he writes about it. It will be the first shakeup the VMS industry has had in decades.

Darkbeam: Shining a Light on your Supply Base Cyber Risk

In part 9 of our Source-to-Pay+ series, we talked about the need for cyber risk monitoring and prevention because, in today’s hyper-connected SaaS world, nearly half of an organization’s data breaches originate in the cloud. These risks don’t just come from cyber criminals. Some come from less-than-scrupulous employees and others come from suppliers, even well-meaning ones. After all, who cares if the front door is locked when the back door is wide open?

Why do you care about your supplier’s back door? What do cyber-criminals want?

  • money
  • valuable intellectual property
  • exploitable personal data

Where can they get this?

  • breaking into a bank account, which is hard, or redirecting a payment by getting the bank details on file changed, which is a lot easier
  • your ultra-secure server, locked down tighter than Fort Knox with everything on it encrypted with AES-256, or the relatively unprotected Google Drive your supplier stores the same files on (where the file is open to anyone who can compromise the account)
  • your double-encrypted HR database stored in a secured AWS instance, or the plain-text Microsoft Word documents stored on the supplier’s sales rep’s laptop with its unencrypted hard drive and an utter lack of anti-virus and internet security software

In other words, if your supplier has:

  • a lot of your money coming its way
  • your intellectual property
  • your executives’ personal data

and their cybersecurity is not as good as yours, you can be sure the cybercriminals are going to be going to, and through, them to get to you.

So you need to know which of your suppliers are at risk, so you can reach out to them and work with them to close the holes and eliminate the risks to them, and you. And for suppliers that you do significant business with (and regularly send million dollar payments), who hold your patented IP (for custom manufactured electronics, etc.), or store your employees and/or customers HR data, you need to not only assess their vulnerabilities but continuously monitor for threats.

You need a supplier vulnerability assessment and monitoring solution that can identify vulnerabilities, help you communicate those to your supplier, detect improvements, and, most importantly, identify new threats as they emerge that could cost you, or your supplier, significantly.

Darkbeam is one of these solutions. The Darkbeam solution offers both of these capabilities, continuous vulnerability monitoring across your entire supply base (at a very affordable price point that starts at a mere £25,000 a year, which is low-end for any cybersecurity solution) and continuous threat monitoring, and assessment, of critical suppliers in your supply base (which you can add for an incremental cost that can be as low as £10,000 a year for your ten most critical suppliers).

The vulnerability assessment solution monitors:

  • Connections: SSL/TLS certificates and associated validations (hosts, IP, TLS versions, etc.)
  • Privacy: e-mail and cloud servers and configurations and breaches (esp. email addresses)
  • HTTPS: web site configuration, cookies, and port security
  • DNS: DNS record completeness, security, and recent changes
  • Blacklist: domain and email blacklist monitoring
  • Exposure: shared host identification, domain permutation monitoring, favicon, exposed subdomain monitoring, etc.

Cyber-weakness in each of these areas is highly relevant because it could allow hackers and cyber-criminals to exploit your supplier, and you, in ways that include, but are not limited to, the following:

  • an expired or misconfigured SSL/TLS certificate forces users to click through browser warnings, which conditions them to accept a fraudulent facsimile of the site that presents its own (equally untrusted) certificate; an expired certificate is also a strong signal that no one is watching the supplier’s infrastructure
  • exposed email accounts (credentials found in breach dumps, or mail servers without authentication controls) could allow a cybercriminal to masquerade as a supplier representative and change banking details for payment
  • an insecure site configuration (open ports, outdated software, weak cookie settings) could give an attacker a foothold on the supplier’s network, and from there into every system of yours it connects to
  • missing or stale DNS records can be abused: without SPF and DMARC records anyone can send mail that appears to come from the supplier’s domain, and a dangling CNAME or A record left pointing at a decommissioned cloud resource can be claimed by an attacker (a subdomain takeover) and used to serve a fraudulent site under the supplier’s own name
  • if a domain shows up on a blacklist it could prevent email/traffic to/from the domain; and if emails show up on a blacklist, it could indicate compromised mailboxes and/or emails not being received by their intended recipients
  • if a supplier’s website is on a shared host used by a lot of other (insecure) sites, a number of (one-character-off) permutations of the supplier’s domain have been registered, its favicon is being replicated on other hosts, etc., then that is a strong sign the supplier is being targeted by cyber criminals (who could be coming for you, or your customers, through them)
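As an added example (this is not Darkbeam’s code, nor code from the original post), here are two of those checks in simplified Python: generating the one-character-off look-alike domains that an Exposure check compares against new registrations, and grading the SPF and DMARC records whose absence is what makes the DNS and Privacy findings actionable. The domains and TXT records below are constructed for illustration; a real scan would resolve them live and check registry and certificate transparency data.

```python
"""Simplified supplier-domain checks: typosquat candidates and e-mail
authentication grading.  Added example; all domains and DNS data are
constructed, not real lookups."""
import string
from typing import Dict, List, Set

# Character pairs that look alike in an address bar or a From: header.
# A real tool carries a much longer table, including Unicode look-alikes.
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "m": "rn", "w": "vv", "d": "cl"}


def permutations(domain: str) -> Dict[str, Set[str]]:
    """Return typosquat candidates for `domain`, grouped by technique.

    Assumption: the first label is the registrable name and everything after
    the first dot is the suffix (production tools use the Public Suffix List).
    The original domain is never returned.
    """
    label, _, suffix = domain.lower().partition(".")
    raw: Dict[str, Set[str]] = {k: set() for k in
                                ("omission", "transposition", "substitution",
                                 "insertion", "homoglyph")}
    for i, ch in enumerate(label):
        raw["omission"].add(label[:i] + label[i + 1:])
        if i + 1 < len(label) and ch != label[i + 1]:
            raw["transposition"].add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for c in string.ascii_lowercase:
            if c != ch:
                raw["substitution"].add(label[:i] + c + label[i + 1:])
    for i in range(len(label) + 1):
        for c in string.ascii_lowercase:
            raw["insertion"].add(label[:i] + c + label[i:])
    for src, dst in HOMOGLYPHS.items():
        if src in label:
            raw["homoglyph"].add(label.replace(src, dst))
    return {k: {f"{v}.{suffix}" for v in vs if v and v != label}
            for k, vs in raw.items()}


def _spf_level(record: str) -> str:
    """Map an SPF record to enforced / weak / open by its `all` qualifier.
    Mechanisms are evaluated left to right and `all` matches everything, so
    the first `all` term decides what happens to an unauthorised sender."""
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return {"-": "enforced", "~": "weak"}.get(qualifier, "open")
    return "open"  # no `all` term: unmatched senders get a neutral result


def _dmarc_level(record: str) -> str:
    """Map a DMARC record to enforced / weak / invalid by its p= policy."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return {"reject": "enforced", "quarantine": "enforced",
            "none": "weak"}.get(tags.get("p", ""), "invalid")


def grade_email_auth(domain: str, txt: Dict[str, List[str]]) -> Dict[str, str]:
    """Grade SPF and DMARC from a map of DNS name -> list of TXT records.

    Levels: enforced; weak (record exists but does not stop spoofing); open
    (SPF permits everyone); missing; invalid (duplicate records are a
    permerror under RFC 7208 / RFC 7489, so receivers ignore both).
    """
    levels: Dict[str, str] = {}
    for key, name, prefix, grade in (
            ("spf", domain, "v=spf1", _spf_level),
            ("dmarc", "_dmarc." + domain, "v=dmarc1", _dmarc_level)):
        records = [r for r in txt.get(name, []) if r.lower().startswith(prefix)]
        if not records:
            levels[key] = "missing"
        elif len(records) > 1:
            levels[key] = "invalid"
        else:
            levels[key] = grade(records[0])
    return levels


# Constructed TXT data for three hypothetical suppliers (not real domains).
SAMPLE_TXT: Dict[str, List[str]] = {
    "good-supplier.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good-supplier.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good-supplier.example"],
    "weak-supplier.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak-supplier.example": ["v=DMARC1; p=none"],
    "bare-supplier.example": ["google-site-verification=abc123"],
}

if __name__ == "__main__":
    for d in ("good-supplier.example", "weak-supplier.example", "bare-supplier.example"):
        print(d, grade_email_auth(d, SAMPLE_TXT))
    print({k: len(v) for k, v in permutations("good-supplier.example").items()})
```

The permutation list is only half the check: the candidates have to be compared against passive DNS or daily registry feeds, and a hit on a freshly registered look-alike with a valid certificate is the signal that someone is preparing to impersonate the supplier. Likewise a “weak” SPF/DMARC grade (~all, p=none) is a finding worth raising with the supplier, because mail that spoofs their domain, including a bank-detail change request, will land in your inboxes without a rejection.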

Based on their assessment, they will compute a cyber-risk score (out of 999), the lower the better, and the higher the more concerned you should be (and the sooner you should reach out to your [potential] supplier to have a conversation about what they are doing to increase their cybersecurity, especially if they have, or will have, your IP or personnel data).

The threat monitoring and assessment solution is a service-based solution where the Darkbeam cyber-intelligence team continuously monitors the web and dark web for potential threats, investigates those threats when they are detected, and, if the threats are relevant, sends you a report on which you can take immediate action, which can include, but is not limited to, involving the proper authorities, whom they have experience working with in multiple countries.

They literally monitor dozens of legitimate security and threat-intelligence sites (where general cyber security firms release warnings of cloud or software insecurity along with known breaches) as well as dozens of dark-web sites where shady characters like to sell, or at least advertise, IT, Trade and Finance secrets they should not have. On many occasions, they have detected breaches and data theft even before the supplier’s IT team knew about it (and definitely well before you did, if you were ever told).

If an incident or threat is detected, the threat report you receive will outline the issue (e.g. data exposure / breach), the root cause (e.g. system breach, ransomware, etc.), when it was detected, how it was confirmed, and what is currently being done / monitored. It will then outline the perceived severity (e.g. medium due to potential IP leakage, high due to personal data likely being stolen) as well as any potential follow on risks (i.e. personal logins that can compromise other systems). It will summarize the currently known information uncovered by the analysts and the current status (which could be ongoing). And it will provide current recommendations, such as reaching out to the supplier, changing logins and/or locking down your systems, reaching out to various agencies, etc.

All in all, Darkbeam is a great Supply Chain Cybersecurity solution and should be on your consideration list if you don’t have such a solution already. Cyber attacks are coming, and it’s best to be ahead of the issue than behind it.