IT Supply Chain: The Invisible Risk That Can Cripple Your Business
The global pandemic exposed the weaknesses of supply chains. But that was just the beginning.
Those problems concerned physical supply chains, and they were clearly visible: everyday products missing from store shelves, and in effect the suspension of everyday life.
But it didn’t end there. Although we now have products in stores as we are used to, the supply chain problems have shifted to a much more insidious form. They now concern suppliers of IT infrastructure, systems and applications and their customers. Because these areas are now in most cases “invisible”, they are much more challenging to deal with.
So which areas do we need to be careful about when putting together and managing our IT supply chain? How do we navigate the pitfalls of AI and shadow IT? And what does all this actually mean?
We will look at all these areas and many more in this article. Let’s get to it.
The Importance of Security in the IT Supply Chain 🔒
We all know it — we cannot do without IT, neither in our personal nor in our corporate lives. Never again. So logically, it is one of the areas that has the greatest impact on the way we function. When IT works properly, we function properly. When it doesn’t, our whole world collapses into a small pile of tears and anger.
This fact implies that the choice of IT suppliers directly affects our ability to function as we wish. We are what we eat, and what IT suppliers we choose. It is therefore very important to think about which partners we choose even when initially selecting and designing our operations. If we do not choose carefully or neglect analysis, we endanger a key and critical element of our functioning with our decision.
Moreover, the number of cyber attacks and their sophistication are increasing these days. Unsurprisingly, IT solution suppliers are among their targets. So the EU is right when it makes companies look after their technological supply chain. Yes, "the EU is right" is not a popular phrase, but in this case the Union scores points.
Case Study — Capital One
But let’s back up these words with actions. Or rather, with the problems of someone who experienced the failure of their supplier. That company is Capital One, from the banking sector. Its clients could not operate their bank accounts; they could not even access them.
The problem was an outage on the supplier’s side. And the reason was certainly not that the supplier was some nameless company. FIS Global is a provider of technology services for the financial sector, whose customers include large banks. It obviously knows what it’s doing.
But that didn’t stop IT problems from paralyzing its customers. So a big name alone is no guarantee, although Czech companies are still falling into this trap on a large scale. Specialized knowledge of a specific market or niche is not a guarantee either. That’s why the sentence that keeps coming out of our keyboards is — don’t skip the analysis.
The Capital One case shows us that not only do you have to do the equivalent of due diligence on your side when choosing a supplier, but you also have to coordinate processes with them in case of an outage or other problem.
If you want to get the most out of your IT, you need to invest time in it, both at the beginning and throughout. The basis is a needs analysis, based on which you will receive recommendations for the architecture of the entire IT infrastructure. But then you also need to check whether everything is still valid and fits.
Complexity as a Challenge 🧩
But you’re probably in the same situation as Capital One — you’re not choosing your IT infrastructure, but you already have it fully up and running and implemented. So how do you cope with the current state and even navigate it? How do you deal with the complexity of the IT market, financial constraints, and the discrepancy between AI expectations and their costs?
Increasing Difficulty in Finding Solutions
Let’s start with a fact: since you selected your IT infrastructure, the entire market has changed. This applies even if your infrastructure is relatively new. Technologies are advancing at such a pace that we are all dizzy.
Moreover, it is not just about the arrival of new generations of existing products and technologies. We are looking at revolutions in IT, which are almost an everyday occurrence. For example, IT infrastructure used to mean selecting servers; then came the cloud, then SaaS services were in fashion.
However, today, correctly selected IT is mainly about adapting to the individual activities that are taking place in the company. That is why the principle of hybrid cloud, multicloud, including cloud repatriation is on the rise.
Given the endless number of options and at the same time another endless number of combinations, selecting IT is becoming a process for which you need to hire an expert. What should they bring to the table?
- Orientation in the IT environment (ideally at least a decade, long enough to have gone through different types of environments and to understand their possible uses)
- Ability to translate your needs into a properly composed IT architecture
- Willingness to admit when change is not the best solution
- Understanding the financial side of things (explained in the next section)
Cybersecurity is a separate chapter of the whole selection process. Given that there are no standardized processes and recommended approaches, do not forget about the customized incorporation of security processes and coordination with suppliers.
Limited Budgets vs. Need for Improvements
Companies looking to get their IT together face another complexity, beyond the purely technological one. It’s financial complexity. How do we balance what we can invest with what we need?
Only a small fraction of companies can afford to pay for all the measures they need. The rest of us have to make compromises. But how do we avoid the bad ones?
Here comes the essential thing again — help from an expert. Not only do you need to find the best solution within your budget, but it has to be one that includes everything you need.
That’s why an expert should have a grasp of the financial side of things. Lots of people can put together an IT architecture that works; only a fraction can do it within your budget and transparently.
But a lot of the work will be left to you, because there are questions that an external partner simply cannot answer:
- List of activities and their priorities for the company’s operation
- Budget
- Things that need to be kept as they are
Expectations of Free AI Features vs. the Reality of Rising Costs
Everyone wants to use AI! There is nothing wrong with that. What makes it a horror is the uncertainty of integrating it into existing systems. Companies generally expect their existing systems to get an AI upgrade, but this also means rising prices.
An example is Microsoft, which is increasing the prices of its products because they are getting a Copilot facelift. However, not every company uses these functionalities, so for them it is simply a price increase.
At the same time, this leads companies to use a sprawling set of AI tools: a separate LLM for one task, applications with their own built-in AI, and then image, video and audio generators on top.
An important step is to get organized about what, who, when, how, why and in what form AI is used. You will probably find that some functionalities overlap, which will let you consolidate your AI tools, optimize the cost of using them, and also find out where hidden cyber threats lurk.
Third-party Threats and How to Mitigate Them 🛡️
Now that we have an overview of the areas where problems can arise and how to deal with them, it’s time to take a closer look at the threats you need to catch.
Insufficient Management Education About Security Requirements for Suppliers
The biggest danger lurks inside every company. It’s not the IT guys stuck in their ruts, nor the non-technical employees; it’s the management.
For the supply chain to function properly, the company’s management must understand the basic security principles (which are constantly changing, surprisingly). On that basis, the company can then prepare its security standards and requirements for IT suppliers. This will make it easier not only to manage risks, but also to filter potential suppliers. Of course, this will not be possible without professional help.
If a company does not maintain sufficient oversight of security processes, it is asking for real trouble. What are the related questions that management should ask itself?
- How to choose the right IT service provider?
- What are the risks associated with outsourcing IT security?
- What is the importance of contractual agreements and responsibilities for us?
- Where are we willing to compromise?
- Where can we not compromise?
- What are our legal obligations?
Non-Transparent IT Supply Chain
Who would have thought? Quite often this problem stems from the fact that a company is used to a certain way of operating. That excuse is no longer valid. No matter how long you have had your IT up and running, it is not an excuse for not caring about its current state and the optimization it needs given the changing world situation.
A very basic area of this threat concerns data. Quite often, companies do not have an overview of where their data is stored, who has access to it or who can handle it.
For example, if you have infrastructure with an American provider, American laws also apply to it. So the question is whether your data is completely safe from federal agencies, even though valid bilateral agreements on a high level of protection are in place.
And then there is the matter of regular audits and appropriate control mechanisms, which is simply a big problem. Companies completely forget about ongoing control not only of IT security, but of the IT infrastructure in general. And that is something that needs to change. But everyone has to start with themselves.
We have already mentioned the AI melting pot. It is another separate chapter of non-transparency, because trends such as B.Y.O.AI (bring your own AI) also throw a spanner in the works, when the company itself turns out to have no problem with fragmenting its internal IT.
However, from all these individual areas, it follows that the general processes that every company should implement with regard to the supply chain are:
- Thorough analysis
- Clearly defined internal rules
- Regular audits
Final Thoughts ✅
Stay one step ahead. The IT supply chain is a complex organism that is constantly changing. Without thorough analysis, clear rules, and regular audits, it can become a ticking time bomb. Don’t wait for problems to surface – be proactive, set up controls, and collaborate with partners who will not only support you, but help you grow.