Welcome to ThatThirdPartyGuy.com – my website highlighting my journey in third-party cyber-security.

How Can Realized Risk Be More Dangerous?

Realized risk can be more dangerous when it's unknown risk. Think about it: if you know of a risk, you take steps to avoid, mitigate, or otherwise transfer the consequences of that risk if it comes true. Sounds straightforward, right?

That led me to think about risks that can impact a company beyond the cybersecurity domain. Can a supplier be 'weaponized' to disrupt a company or cause it to go out of business? A diabolical and complicated long game, I know, but that's the world we live in.

So I thought about it some more: what if the supply chain were disrupted and I didn't recognize that risk? After all, that supplier is practically "part of my family – we've been together for over 20 years! They always produce and they always will."

Financial risks are something a lot of TPRM and procurement teams look at early and often. But what about cybersecurity practitioners? What if a cyber attacker were to disrupt a supply chain, hoping that it severely impacts the target in a way that leaves its security posture less funded and less secure? Or leaves it so busy litigating that it gets distracted from its security?

I don't have any particular examples for this thought exercise, although there are all kinds of supply chain attacks going on from a cybersecurity perspective (daily, hourly, etc.). But one incident that seemingly nobody recognized as a risk beforehand was the case of Huy Fong Foods. Through problems with the supply chain, they were unable to produce their beloved product, Sriracha. The main problem? They relied primarily on a single farm for nearly 30 years, and that relationship ended in a bitter lawsuit. A billion-dollar empire was put at risk because one supplier was relied upon to supply the entire needs of the company. And I'm sad because I loved the product.

Risk is present in more than just cybersecurity. I focus on cybersecurity, and it's a big part of the risk, but let's not lose sight of the other areas of risk just because they're not as exciting as cybersecurity. Keeping track of those other areas of risk is just as important. And just as impactful.

#third party risk #risk domains

Articles:

https://www.accenture.com/us-en/insights/consulting/supply-chain-disruption

https://www.wsj.com/articles/supply-chain-pressures-burned-instant-pot-maker-6ec9278a

https://www.latimes.com/local/lanow/la-me-ln-sriracha-lawsuit-underwood-ranches-20190712-story.html#:~:text=A%20jury%20recently%20awarded%20%2423.3,the%20signature%20green%2Dcapped%20bottle.

https://www.cnbc.com/2023/08/19/how-did-the-huy-fong-foods-sriracha-shortage-happen.html

https://globaledge.msu.edu/blog/post/57296/huy-fong-foods-sriracha-shortage-a-tellt#:~:text=Supply%20Chain%20Disruption-,Huy%20Fong%20Foods’%20Sriracha%20Shortage%3A%20A%20Telltale,Sign%20of%20Supply%20Chain%20Disruption&text=A%20Sriracha%20shortage%20has%20struck,hard%20to%20find%20for%20years.