How Lenovo Addresses Supply Chain Resiliency in a Changing World
Geopolitical unrest and changing compliance requirements can trip organizations up. Lenovo Executive Director of Security Advocacy Skip Mann explains what security leaders should keep in mind.
From chip shortages to shifts in trade policies, your supply chain needs more flexibility than ever before. As organizations seek out new partners, however, there's always the chance that cybersecurity vulnerabilities can be introduced into the manufacturing process. Frequent updates to your different lines of security are crucial.
As one of the largest tech manufacturers in the world, Lenovo knows this well. The company has focused heavily on supplier diversification and proactive supplier management, efforts that earned it recognition from Gartner in 2023 as the No. 3 high-tech supply chain and No. 8 global supply chain.
The tech giant, like many others, aims to be a first mover in AI adoption. "In supply chain, services and hybrid cloud, we're using AI to enable greater speed, transparency, efficiency, agility and responsiveness," reads a company press release. Viewed through a cybersecurity lens, the concern is that even if you're not adopting AI, bad actors are, and you risk being overwhelmed.
Skip Mann, executive director of security advocacy at the Lenovo chief security office, answered some of ZDNET's questions on what technology and supply chain stakeholders should consider for the future.
How does Lenovo ensure the privacy and security of user data in the production process?
Lenovo is committed to being a trusted partner, innovator, and supplier of secure, high-quality products and services globally. Privacy and security are at the center of Lenovo's philosophy, reflecting our commitment to providing products and services that meet or exceed industry standards for customer security, privacy, and data protection. Lenovo believes our customers must be able to use Lenovo's products and solutions with confidence, including service offerings like Lenovo Security Assurance.
We maintain dedicated privacy, infrastructure security, product security, supply chain, and physical security teams, as well as policies, standards, and incident response mechanisms.
Can you explain for our audience the differences between infrastructure security, product security, and physical security?
Infrastructure security concentrates on protecting digital infrastructure and networks. Product security emphasizes securing the design and deployment of software and hardware. Physical security aims to safeguard tangible assets, facilities, and individuals within a physical environment.
These security domains are integral to a comprehensive strategy to mitigate the various types of risks and threats faced by organizations.
How does Lenovo proactively mitigate potential security issues within its supply chain operations?
Lenovo works diligently to prevent counterfeit components from contaminating our supply chain. We do this by tracing serial numbers or similar identifiers that are stamped or embedded during downstream manufacturing.
For software components, Lenovo works closely with our software vendors to ensure that only accurate, non-counterfeit software is ever installed on Lenovo devices. Once loaded, Lenovo has methods in place to ensure installed software is correct and has not been counterfeited. Testing and quality assurance continue throughout the life of our products and services.
Additionally, Lenovo's internal Trusted Supplier Program (TSP) evaluates suppliers' development and manufacturing processes to identify and mitigate security risks. Lenovo is also partnered with Intel and AMD on Lenovo's Zero Trust Supply Chain capability, which provides an exclusive OEM device hardware attestation capability.
How has supply chain security shifted within the last few years, and what has Lenovo done to adapt to these changes?
Global supply chain security has undergone a significant shift driven by increased awareness of cyber threats, geopolitical tensions, and the impact of unprecedented events, such as the COVID-19 pandemic and chip shortages. The evolving threat landscape has prompted a paradigm shift towards proactive risk management, with Lenovo placing a premium on resilience and diversification to mitigate vulnerabilities in our global supply chain.
Our unique global/local approach and increased control over in-house manufacturing sites provide us with a distinct advantage compared to others in the industry. We have adopted a multi-sourcing strategy that reinforces local manufacturing and diversifies sourcing capabilities across multiple markets. This model aligns with Lenovo's broader initiative to bring quality and security controls in-house.
We also have emphasized manufacturing globally in proximity to the customer, which boosts our ability to respond to market demands swiftly and maintain rigorous quality standards across our diverse supply chain network. It's a customer-centric manufacturing ecosystem.
What are some categories of technology Lenovo is using to increase in-house manufacturing control?
Innovative technologies like 5G, AI, AR/VR, blockchain, and IoT have significantly increased control over our manufacturing processes. We reduced shipping times by over 10 days and reached the ability to ship four devices per second.
Lenovo's global manufacturing facilities are designed for secure, reliable, and transparent operations. For example, our Hefei factory, LCFC, proudly joined the prestigious Global Lighthouse Network at World Economic Forum 2023 in Davos. This network, which now has over 130 leading manufacturers globally, acknowledges partners at the forefront of the Fourth Industrial Revolution (4IR). LCFC integrates cutting-edge technologies like AI, 3D-printing, and big data analytics to ensure a secure and transparent supply chain.
Say more about AI. What are some of the ways Lenovo is incorporating AI, specifically?
We've most notably implemented AI within products and services through our Lenovo Powers Lenovo transformative approach. This initiative delivers real-time analytics, predictive decision-making, and sustainable choices to our supply chain, services, and hybrid cloud. It harnesses AI to drive transparency, efficiency, agility, and responsiveness.
Results from LPL include a 98% speed acceleration in production scheduling, 60% faster supply chain decisions, and a 24% increase in manufacturing production line capacity, among other significant improvements.
Additionally, we're optimizing our supply chain through in-house AI-powered Advanced Production Scheduling (APS) capabilities, which are seeing positive outcomes. These have included a 24% increase in production line capacity, 19% higher production volumes, a 3.5X surge in on-time deliveries, and a significant acceleration of production schedule planning from two hours to just two minutes.
What are some of the "must haves" that every enterprise should square away in their foundational data security efforts?
Some key aspects to consider would be:
Risk assessment and management
Regularly conduct risk assessments to identify vulnerabilities and develop strategies to mitigate them. This often includes implementing data loss prevention (DLP) solutions to monitor and control data transfer, which prevents unauthorized data exfiltration. Utilize SIEM tools for real-time analysis of security alerts, and conduct regular security audits to ensure compliance with industry standards and regulations like GDPR, HIPAA, or PCI-DSS.
Identity and access management systems
Use identity and access management (IAM) systems to ensure only authorized personnel have access to sensitive data. Enhance security by requiring MFA before granting access to systems or data. Regularly train employees on data security best practices and phishing awareness to reduce the risk of human error.
Deploy firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to safeguard network integrity. If using cloud services, ensure proper cloud security measures are in place, including cloud access security brokers (CASB) and secure cloud storage solutions.
Along with that foundation, what should C-Suite data professionals prioritize to ensure security remains ahead of any potential issues?
C-Suite data professionals should prioritize strategies to establish greater control and visibility over critical components. Sourcing diversification is key to helping spread reliance across multiple suppliers and regions to mitigate risks associated with geopolitical or unforeseen disruptions.
Additionally, engaging product and service teams, along with key partners like sales, marketing, customer service, and procurement early on in development cycles is crucial.
What are the most pressing security supply chain issues facing the industry in 2024?
Shifts in trade policies, tariffs, and regional conflicts can disrupt the flow of goods and services, affecting not only the availability of critical components but also introducing potential vulnerabilities in supply chain security. Navigating geopolitical intricacies will be crucial for businesses to maintain resilience and security with their supply chain operations in the long run.
In 2024 and beyond, the supply chain industry will need to heighten focus on customer data protection compliance and geopolitical challenges. The ever-evolving landscape of data protection regulations means that companies must continuously adapt to ensure the secure handling and storage of customer data.