From the iconic to the mundane, consumer and enterprise technology products have transformed how we work, play and relax. From portable computers to wafer-thin personal media players to vast server farms, these products are at the center of our lives. Yet the more ubiquitous these products have become, the less value they have generated for their makers. The software, services and content bundled with and flowing through these devices have relegated all but a few devices to commodity status. Commoditization brought with it a focus on cost and perhaps an inevitable rush towards low-cost, high-scale manufacturing.
As a result, fewer high-tech original equipment manufacturers (OEMs) are indeed manufacturers. Contract manufacturers (CMs) and original design manufacturers (ODMs) make the outsourcing of manufacturing and even design a very appealing cost and capital proposition. Save for those OEMs that view manufacturing as a strategic differentiator, most have turned their focus to complex design, sales and bundled services.
Yet the supply chain is subject to Newtonian principles. Outsourcing has reduced manufacturing cost but has created a complex, multi-tier global supply chain of primary and secondary suppliers. OEMs may have good visibility into their primary suppliers, but beyond that the view becomes murky. This lack of visibility is a key component of a significant challenge of the multi-tier supply chain: supply chain security.
A secure supply chain ensures that a product and associated software moves from original design to end-customer free of tampering, with authentic components, and at minimal risk of failure. The multi-tier supply chain, while lowering manufacturing costs, has opened multiple entry points for product quality to be compromised. Poor quality and improperly designed materials, counterfeit components and corrupt software are symptoms of the gap in security.
Poor supply chain security causes public and internal damage. The public damage to customers is visible and palpable. Internally, brand devaluation, recall costs, engineering and design changes as well as short- and long-term lost sales are but some of the costs to the companies involved. For high-technology companies, the external damage can be significant. For example:
- Faulty or compromised PCs, networking gear and mobile devices can lead to lost productivity and leaks of proprietary data;
- Insecure routers and switches expose private networks to external attacks; and
- Compromised networks and equipment can put national security at risk.
A secure high-tech supply chain provides end users with a high degree of confidence that both the physical asset and the embedded software they have purchased meet the OEM’s technical and quality specifications. This encompasses:
- Protecting hardware from poor quality and counterfeit components;
- Protecting against malicious code in embedded software, operating systems and applications; and
- Securing all components and finished goods to prevent diversion and tampering during transportation.
Tracking all components, subassemblies and finished goods as they move from point to point in the supply chain might provide the optimum level of security but is cost prohibitive. Still, high-tech companies can take important steps to intelligently improve supply chain security across the markets they serve.
High-tech companies can take a structured approach to supply chain security based on a consideration of a product’s complexity and criticality. “Complexity” is a reflection of the investment in hardware and software, ranging from commodity components such as transistors to highly customized or proprietary components and software. “Criticality” represents the potential impact that a counterfeit or poor quality component or product could have on its end use, from a minor inconvenience to a national threat.
Low-complexity products are relatively simple to manufacture. They have a limited number of often commodity parts in their bills of material and require a limited or less complicated logistics and manufacturing infrastructure. Typically, the end product is itself a commodity, such as a netbook, common mobile phone or set-top box. Low-criticality products, should they fail, have little impact on their end users beyond inconvenience and a few missed hours of content consumption.
Low-complexity, low-criticality products can be managed more from a quality than security perspective. Product defects may annoy customers, but the impact on the user and the OEM is less likely to be severe. High-complexity products often possess multiple, proprietary or costly parts. High-criticality products can have a serious impact on end-use applications. These include electronics for military applications, public internet, aerospace, power grid and public safety. The failure of any of these critical systems would be intolerable.
Companies can use such segmentation logic to help balance the investments in supply chain security for a specific product with cost and risk. Applying rigorous security standards across the full supply chain is costly and impractical. Investing based on product complexity and criticality is an initial step to an effective, cost-appropriate solution. This approach allows OEMs to create a differentiated set of supply chain security capabilities that accurately pair investment with potential risk.
Most OEMs have access to tools for managing low-complexity, low-criticality products. Rigorous sourcing processes that evaluate long-term quality, regularly scheduled audits and long-term supplier relationships are typically adequate safeguards. Existing data exchange and performance metrics with suppliers and logistics providers are typically sufficient. For those companies seeking a slightly higher degree of visibility the use of third-party auditors or certification agencies may be an option.
The highest end of the complexity-criticality range requires investments in process and technology, particularly product pedigree and track-and-trace solutions. Product pedigree solutions provide serialized tracking of components and finished goods, linking components and sub-components to their sources while providing overall visibility through a centralized data repository. Track-and-trace capabilities are the inclusive set of technologies and processes that continuously monitor the physical location of goods through the supply chain. Rather than fully bearing the cost of these investments, OEMs should also look to work with ODMs, CMs, logistics providers and professional service providers with elements of pedigree and track-and-trace solutions already in place.
Today’s multi-tier supply chains require pragmatic, cost-effective investments in supply chain security. The criticality of a product’s end application and the complexity of its design can be guideposts for supply chain executives responsible for supply chain security. As they consider supply chain security business cases, executives should also account for benefits beyond incident avoidance such as reduced costs, increased margins and improved working capital that arise from improved visibility and reductions in poor quality and counterfeit components. Investments in global supply chain operations have transformed how high-tech companies deliver innovative products and services to their customers. It is now time for pragmatic investments in security to protect those gains.