Table 3

Representative quotes underlying second-order seizing themes

Second-order theme
First-order concepts
Representative quotes
Seizing
Prioritizing short-term cyber risk-related SC collaboration
“Exactly this whole topic also plays a role in customer discussions. Then it is usually the case that our customers also ask us, have you looked at this, what is the status of this and then they ask for information.” Supplier ComSC2
“Have clear and end-to-end risk management, also in terms of failures of any kind of the sourcing sources and risk management operations, look at and accordingly have failure scenarios. Especially with such single-source things and with such important raw materials.” InsCo-SCM-1
“We have to make a risk assessment for each supplier if there are any risks that could arise, so that we can make appropriate arrangements with the supplier.” CriCo-Product-Management
“Yes, I think the challenge is, in terms of the new approach, to develop further from the classic risk management, concerning common knowledge of the damage event, from which damage is to be foreseen. I think that is where you reach an agreement, through communication, through confidential communication, to get that information. But just this one, so as not to be flooded by too much information. I think that this is the new discipline that has to emerge. Between 0 and 1, risk management and non-delivery must happen.” SteCo-IT-Security-1
“We have to weld our IT department together with that of the supplier, so that we naturally try to achieve some kind of information exchange as quickly as possible. That, I would say, is the link that we would make there.” Customer-InsSC2-Purchasing
Building cyber risk-related SC flexibility
“The advantage of our SC is the flexibility in finding a task force across divisions that quickly takes care of such problems.” InsCo-SCM 1
“The homepage was down, and the customers were informed relatively quickly on the homepage that we had been hacked.” Supplier-InsSC1-CEO
“And I was primarily responsible for communication with customers and employees. So, that was my role, and I just tried to create awareness among the team quickly. That means, of course, that was a challenge. How to get the right information to everyone on short notice. Because there are no emails, not everyone has a telephone, field staff has a telephone, and office staff does not have a telephone. First, it was very challenging to find a channel to reach everybody. That was one of the main things we did at the very beginning.” Supplier-InsSC1-CEO
“That is, we first, of course, communicated with the customers, informed the field staff, who then also had contact with the most important customers via their cell phones. Everyone was encouraged to communicate quickly and to create an understanding of the delays among the partners.” Supplier-InsSC1-Sales
“Yes, to a certain extent, to prepare something like that perfectly, that is, of course, difficult. I think we had to work agilely there as well. And there were contingency plans and scenarios, but that you can do that down to every detail – you realize how it really is when it is there, that is why, such a mixture, I would say. Today, of course, on a completely different level, so we know immediately what we are doing and how.” Supplier-InsSC1-Sales
Building SC cyber risk culture
“Our CERT is also looking at the whole issue of situation awareness.” Customer-CriSC1-IT-Security-2
“If, for example, one of our partners is attacked, they inform us, and this then goes straight to our cyber security. And then from there – the steps are initiated; IT is well aware of the scope of the SC.” Supplier-InsSC1-Sales
“The Cyber Range was officially inaugurated last year. There is no comparable institution in our country. Internationally, there are similar ones. But in general, the difference from some other training facilities is that, for example, the substations are not simulated here, but there is the related technology. So, the secondary technology, primary technology as simulators. But you really have a piece of hardware that is there. And with many other training facilities, it is also the case that this is completely virtualized.” Customer-CriSC1-IT-security-1
“If something should happen, and I do not think you can get by without cyber insurance anyway.” Customer CriSC2
“We have a cyber security insurance policy, which the parent company holds, but of course applies to the group as a whole, which is the umbrella for everyone.” SteCo-IT-Purchasing
“This has also led to a rethinking of certain things, for example, the entire data security at our company, when a hacker attack occurs, and we have to press the shutdown button and pull the plug, so that we really only lose five minutes.” CriCo-SCM
“And simply that one recognizes that – and also really takes into account that there are extreme risks out there. And for me, above all, a soft factor that I feel to this day that is also important is that you have the understanding of the department for each other and together for the customer – this – this has always been anchored in our culture but was never as strongly livable as at this moment, and I think that is still there today.” Supplier-InsSC1-Sales

Source: Authors’ own work
