Supply Chain Resilience; Managing the risk of Service Level Agreements.
An issue that is frequently raising it’s head again is supply chain resilience, and blind dependence on Service Level Agreements to ensure a resilient supply chain. This is particularly acute in large contracting relationships where complex bespoke contracts are used to ‘outsource risk’ without appropriate levels of assurance. It does, however, affect organisations throughout the feed chain!
Many organisations rely on contractual obligations (including SLAs) to ensure the delivery of critical services, without considering the operational implications of failure of these agreements.
The core problem here is that even where SLAs are in place, a contractual obligation does not necessarily provide tangible resilience. Legal recourse may be possible in the event of a failure, but that does not keep our wheels turning unless we have some contingency arrangements in place. Failure of an SLA is not an acceptable excuse for our own failure to deliver.
Unless we can gain appropriate levels of assurance to support claims of resilience, the ability to seek redress in the event of an SLA breach does not generally, in itself, give us practical protection. In addition, a weakness in the chain several links away may be invisible.
Where does this leave us? If we seek to deliver a truly resilient service, then claims of resilience at every link in the supply chain must be underpinned by a credible architecture as well as contractual frameworks.
In practical terms we must ask ourselves how we will sustain critical operations in the event of an SLA breach:
- Do we have a clear picture of those services and organisations on whom we depend to deliver our core service?
- Do we have visibility of how our critical dependencies will assure service delivery in practical terms?
- Do we have effective contingency plans to protect those areas where we don’t have clear visibility, or confidence?
And if we don’t have a satisfactory answer to any of these questions, then we need to find one.
Cyber Camp – Shrivenham 2013
Thanks to an invitation from the Land Information Assurance Group, LIAG (http://www.army.mod.uk/signals/25564.aspx), I’ve just got home from my first experience of being an assessor at the Cyber Camp run by Cyber Security Challenge UK (http://www.cybersecuritychallenge.org.uk) and thought I’d share some thoughts about the experience…
Firstly, a large group of people put in a great deal of work to pull together some very interesting challenges for the participants, each was well thought out and properly tough. These people will no doubt be named elsewhere and its a long list, so rather than risk leaving anyone out, I’ll just say thank you to everyone involved for making the event such a success.
Hosted most ably by the Defence Academy at Shrivenham (http://www.da.mod.uk/), we were provided with everything we needed, a great space to work in, an impressive Officers Mess in which to take our meals and a lovely bar staffed by a very hard working team. Hopefully we can do it again there at some point in the future.
One of the things that surprised me was that pretty much every challenge involved exploring not only technical skills and technical thinking but a wide range of soft skills such as team working, leadership, communication. In fact, only one of the challenges was an individual effort!
The participants were a very mixed bunch too, widely varying ages, both genders and many different cultural backgrounds. For a subject matter so widely associated with less than perfect social and communication skills it was a glorious experience watching everyone get on with the challenges together and then socialise together. I didn’t hear of any significant arguments, and most enjoyable to watch was the way they helped each other both to get through the challenges and to find their way back to their rooms after much socialising!!
Many congratulations to Robert Laverick, Adam Tonks, Matt Watkins and Stephen Martin who were all selected to go forward to an even more challenging challenge!! But more importantly, congratulations to everyone who took part – it was inspiring to see so many of you and seeing you get so much out of the event. If you’ll have me, I’d love to come and play again.
If any of the participants get around to reading this – though I’m sure they all have far better things to do with their time – it was a pleasure to meet you all and I hope that should you have any questions about possible careers in cyber security you will not be shy about asking me!