Supply chain security is a term that is often discussed but rarely understood. Many definitions of supply chain still center on logistics and physical infrastructure. Theresa Campobasso, Senior Vice President of Strategic Accounts, Exiger Government Solutions, joins Security Clearance Insecurity to talk about the 21st century supply chain. She shares more about how successful supply chain security integrates the physical and cyber, the supply chain security career track, and emerging threats and opportunities in supply chain security.

Lindy Kyzer (00:29):

Hi, this is Lindy Kyzer with ClearanceJobs.com and welcome to this episode. What is the supply chain and what is supply chain security? Today we’re going to find out. If you work in and around national security, whether it’s insider threat or supply chain security, those are certainly hot topics that we see around and being talked about. They’re not new topics, but I really wanted to bring in an expert on this. Theresa Campobasso is the senior vice president for strategic accounts at Exiger Government Solutions where she delivers customer success for both government agencies and contractors. She’s also an expert on the supply chain. Again, whatever that is. Thank you so much, Theresa, for taking the time to chat with me today.

Theresa Campobasso (01:03):

It’s so good to be here. Thank you.

Lindy Kyzer (01:05):

Supply chain security. I know there’s a lot of folks in the national security space, whether they’re willing to admit it or not, who don’t entirely understand the term. I think it incorporates a lot of what we know. It’s cybersecurity, it’s critical infrastructure, it’s logistics. Sometimes when we think supply chain, we can also go back to a 1990s view of it. Can you just give the quick definition? You’re an expert in this space. I’ve heard you speak on it before. You have a great command of the issue and topic of supply chain security. So what is, from your vantage, the definition of supply chain security and how does it exist as an industry or career field?

Theresa Campobasso (01:37):

Absolutely. Great question. I feel like this is a really timely question because it’s changed so much, and especially the last 10 years. The term supply chain originated around the eighties, kind of exclusively a logistics term. So that’s why still a lot of folks today really exclusively think about supply chain, supply chain management, supply chain risk management, and we can kind of go into some of those differences in a second, really mostly in terms of logistics. And they’re optimizing those programs for two variables. One is resilience, so preventing the risk of disruption of a supply chain, making sure that a business is able to continue its operations, make sure that things like natural disasters or geopolitical tensions, things like that don’t prevent a supply chain from being able to function. And then also the other optimization kind of priority has historically been cost. So that risk, when we talk about supply chain risk, is the risk of waste in the process.

(02:27)
So that’s where you get a lot of things like modeling and smart warehouses, Lean Six Sigma, more of that process engineering really focused on efficiency in a supply chain. So again, today you’ll see a ton of people talking about supply chain risk, and those are the two risks that they’re really talking about, fear of disruption, fear of waste in the process. And security never really entered into this for a long time, certainly not at the level of those other two variables. And so we unfortunately saw an increasing risk of supply chain compromise because the supply chain traditionally was not a big security focus. If you have a critical asset, if you have a military installation or a sensitive new cryptologic technology, security is an immediate factor. People have really good physical security plans, they have personnel risk management plans that go into those things.

(03:16)
The supply chain number one, people most of the time weren’t even sure who was in their sub-tier supplier network. They weren’t sure where those raw materials were even coming from. So it was a lack of transparency, made it really difficult to even look at security. It was kind of ignored for a little bit, which is really sad to say because it was such a soft target. It was really easy for economic competitors or foreign adversaries, what have you, to target those sub-tier elements of the supply chain and either steal access to intellectual property or sensitive information about a technology. And obviously I’m using the example that’s really in the physical space, but we can talk about the digital supply chain later as well because a lot of the same concerns apply because it’s such a soft target because security wasn’t really built in the same way that it is for other programs.

(04:02)
People were targeting it very heavily. And I think it was 2019, it was a big report that came out and it was really in the context of intellectual property. Definitely a loss of intellectual property is a big impact to national security and economic security. And it was something like trillions of dollars, a trillion dollars had been lost through supply chain compromise, intellectual property theft and sub-tier supplier network infiltration. And so people started paying attention. They were saying, wow, this is most frequently targeted elements of the supply chain for an emerging technology. Just like we protect that finished product and just like we investigate all the individuals involved in that finished product, we really need to have that same critical risk management mindset from a security standpoint for the entire supplier ecosystem. So that means we need to figure it out. How are we going to identify and illuminate that sub tier supplier ecosystem, and then how do we put security into that whole process? And that’s what we have to do to prevent compromise. So that’s been a little bit of the evolution, I guess.

Lindy Kyzer (05:05):

I just feel like I got a whole TED talk, but you bring out so many good points here because we’ve worked in and around government contract and you see that struggle if you’re a supplier, you’re thinking about your wicket and what you build or develop and the concept you have for the government. And I think in the broader security clearance community, we’ve kind of realized to address risk, you can’t kind of keep the typical stove pipes. We kind of have that kind of back and forth like yes, we want information compartmentalized, yes, we want the protection there, but you also need to look at the other wickets that went into getting this product here and there and having some responsibility in that from a company. And you bring up a great motivation to do that, not only regardless of whether the government creates a policy or compliance issue for you, which they are I think starting to do a lot more.

(05:46)
But even outside of that, the risk to the bottom line and the dollars and cents that are going out the door, if you’re not protecting your company brand reputation, supply chains, there’s a significant cost to the federal government also to all these contractors supporting the space. And then you also touched on this, the cyber versus the physical domain. And I think sometimes, again, in my 1980s, I’m this closet 1980s person, I’ve been dropped into the wrong decade. I tend to think of it in logistics and the typical supply chain, but I know it’s a lot more than that. Are they two separate functional areas for supply chain thinking, cyber and thinking physical? Or are they more intertwined today or how does that work?

Theresa Campobasso (06:22):

I love this question so much. I think the more intertwined that you can approach them, the more effective your program is going to be. Because if you don’t have one central view of all the different drivers of risk, those legacy risks, we talked about resilience and disruption and geopolitical events, weather events, but then also the transparency element, just figuring out who’s even in the supply chain, the people and the entities, and then that digital component and then that cybersecurity component. They’re all different elements, I guess are lenses of risk. But if you don’t have one centralized view of that, you’re definitely going to miss something. And no matter how much money you put into it, no matter how professionalized your program is, if you’re only looking at one fraction of those indicators, you are not really making a measurable positive impact on the security of your business, of the security of the product that you are producing, whether it’s physical or digital, and then really that impact ultimately to national security.

(07:14)
So what I would suggest, and well actually I’ll illustrate with an example. So if you are purchasing, let’s say government acquisitions, everybody’s favorite topic because it’s so easy, we’ll take the government acquisitions process. I am a military department and I want to acquire some hardware. I’m looking at vendors that I could potentially acquire it from. And maybe all of the vendors that I’m working with are really low risk, they’re very safe. They’re US businesses and the product itself, very low rates of compromised counterfeit. There’s a lot of security built into it. Maybe they even mapped out their full sub-tier supply chain. This never happens, but a girl can dream and it’s so secure and we have such trust and confidence in it. That’s amazing. The physical standpoint looks good, the product looks good, the entities that you’re working with and the people involved there look great, but they don’t have a great cyber hygiene posture.

(08:02)
How are we going to know if we don’t look at their cybersecurity, how is that company and that network, how are they likely to safeguard government information or are they going to inadvertently introduce a cyber vulnerability into my supply chain as the acquiring organization? So if I’m not looking at their cybersecurity practices, that’s one area I could miss a potential vulnerability. That would be a huge problem for me. So even if we’ve established trust in that network of entities, if we’re not looking at their cybersecurity behaviors, that’s a potential opportunity that could really come back to bite us. And then the second use case there is really more kind of towards what you were talking about as far as the software assurance with the digital supplier ecosystem. So just like we have a physical supply chain, there’s also a digital supply chain. So you have things like, does this product use open source code?

(08:46)
How are we doing software assurance? Where are they hiring the developers that are creating this software? Those kind of questions. Those all go into some of the supply chain digital supply chain risk management questions that you would want to ask. So that ties really nicely in with the physical, but then also looking at things like digital signatures and trying to link different digital networks together. And you mentioned regulation. There’s a lot of discussion right now about things like SBOM, which is a software bill of materials, but also there’s a lot of integration. If we look at ICT, how many internet of things, smart hardware, a lot of physical products that we acquire today have a digital component. So I think you have to do them in conjunction. You have to consider it even though one is tangible and one is intangible, you have to do them together and you have to consider it all as part of supply chain. I think it’s just the reality we live in that part of the supply chain these days is intangible.

Lindy Kyzer (09:42):

And so I want to talk a little bit about supply chain as a career track. So you teased this again in your intro a little bit. It’s been around as maybe a term as the 1970s. I really haven’t seen it as a professionalization or even a career track that I’ve seen people pursue just into the past several years. And then I loved, I saw you, I don’t know if I told you this, I think it was literally the best breakout panel at NatSecGirlSquad that you hosted about supply chain. And it was so exciting to see all these young women into the room really interested in this. And I’m always looking for those kind of lanes of opportunity for women in national security especially because I think sometimes it can seem really big and complex, and I hate to be a little gender biased here, but I think women are good at consolidating topics and reading between the lines and seeing different ways that things can work together and come together. So I love that it seems like within this arena of national security where there is certainly room for everyone to succeed, women have kind of carved out a branch in supply chain. So I would love to have you speak to that a little bit. And then also just talk about as a career track, is it something that you can specialize in and what does that look like from a career standpoint?

Theresa Campobasso (10:41):

So I would definitely say previously kind of our discussion about how the terms have changed, the understandings have changed what it takes to be certified and in supply chain, that kind of whole understanding has changed. I think a lot of programs that are out there are still pretty focused on supply chain management as we understand it, kind of logistics focused. But I have noticed that more and more programs are building in at least a cybersecurity element, which I think is indicative of the shift that we’re going to see in the market over the next five years around a lot of certifications and a lot of graduate programs and specializations. And as far as undergrad, if you are a younger person looking to major in something that would get you into supply chain security, the great news is that the options, I mean the supply chain is everything, right?

(11:24)
So you can really pick whatever you want to major in and you can find your way here. I mean, for example, my undergraduate degree is in English and I just enjoy books a lot and here I am. So I mean really anything that you want to do. And I think to your point, some of the core capabilities that make someone really successful and effective in supply chain risk management, understanding relationships, understanding that network analysis and kind of surfacing risk trends and using them to drive decisions, and you can really arrive at that skillset from a variety of standpoints. I’ll take my own peer group, just people that I work with at my company. We have folks that come in from very technical backgrounds, systems engineering, process engineering. We have people that come in from the acquisitions community. We have people that come in from cybersecurity or software assurance.

(12:07)
We have people that come in from information and decision sciences, information assurance. So I feel like there are a lot of different disciplines that come in together that could make somebody really effective at supply chain. But basically if you are security minded, if you’re curious and if you enjoy identifying hidden relationships, I think that you could find it a really exciting career opportunity. And I think that it doesn’t hurt to have a background in traditional supply chain for those that want to go that route, it’s not going to hurt you to understand the more traditional elements of supply chain risk, especially around things like resilience and disruption. I mean, those are only going to get more important or more critical elements of a holistic program. But really I think that there are going to be more and more opportunities out there. I think a lot of the certification programs that are available now are a really good opportunity for someone to maybe try out a security focused approach.

(12:54)
I was just looking at one from University of Maryland the other day that’s seven weeks long, specifically about supply chain and security. So not just cyber, but the whole thing. I want to take that, right? I’m excited about that. What a great thing to do. So I think we’re going to see more and more of that. I think other programs are developing different kinds of supply chain programs and certificates with a security focus. The opportunities I think are definitely out there. And doing a certificate program I think is a good way to try it out and see what you think. But again, we’ve got people who come in from export control and other things. It’s so broad that I feel like there isn’t one magic major minor combination in university that you would have to have.

Lindy Kyzer (13:35):

Yeah, I mean, I think so. I mean, think it’s always tough when we have these career fields where there’s not a super linear career progression, but that’s where networking and getting to know people is super key in this industry. This is a good time to highlight. I met you through the Intelligence National Security Alliance, which is one of my favorite networking communities. I think there are committees and organizations and events that they have. I always say it’s funny, ClearanceJobs is a career site. You can certainly find career opportunities there, but we’re big on the community aspect of the site. So there’s a lot of things that we do enabling peer-to-peer networking, networking with other recruiters, because the hidden job market is real. It’s not that hidden. You just have to be out there and ask questions. So when you find somebody amazing like Theresa, you’re like, Hey, how’d you get your job?

(14:14)
And she’ll probably tell you. So I just think finding those career pathways that kind of lands you into the right opportunity and just taking some hoots, but to kind of put yourself out there. So yeah, let’s talk a little bit about INSA. I know that you’re on their insider threat subcommittee. I would kind of love to highlight that I’m used to working with the security wonks and I love them, but we can kind of put security in this very specific bucket. But as you know, supply chain is busting through all the parameters and security in different areas. Insider risk kind being a part of your professional toolkit. What do you see are some of the trends in terms of insider risk and how that relates to supply chain?

Theresa Campobasso (14:46):

Phenomenal question. Actually. One of our goals for that subcommittee this year, focusing on two areas, and they’re both really also important for supply chain. One is AI, right? And all these big developments around AI, whether it’s generative AI, large language models, whatever it is, how are we bringing that to these hidden risk problem sets? And then the other is safeguarding intellectual property for defense related technology or national security related technology. Because as you can imagine, we see this a lot in the news. We get leaks, we get whistleblowers or whatever you want to call it, where somebody is taking information about sensitive technology and exposing that or leaking that in a way that makes the United States really lose whatever advantage that technology would’ve given us from a military technological superiority standpoint. So another way to emphasize this is the saying companies don’t do bad things, people do.

(15:36)
So I love that saying so much. It’s obviously very glib and kind of overly simplistic, but it really highlights the fact that if we don’t incorporate personnel risk management, personal security, insider risk management into a supply chain program, if we don’t ever look at the individuals that are involved in those supply chains and have access to those programs, then we’re just like we talked about with cybersecurity, if you don’t include that as part of your program, you’re leaving yourself compromised. And I’ll go back to that kind of trillion dollar loss of intellectual property from the 2019 report. That’s huge. And I mean just the economic impact and all of that research and all of that advantage that was compromised through insider risk, especially when we look at things like all of the research and development and innovation that happens in the US academic community, that’s an environment that really facilitates things like sharing and collaboration, especially internationally.

(16:27)
And that’s a good thing, and we want to be able to continue to do that, right? That benefits the US and it benefits our defense industrial base. It benefits really everybody. However, if we don’t have a good framework for risk management around people, then it’s difficult to facilitate that research and that collaboration while still taking action to make sure we’re not compromising intellectual property. We’re not inadvertently exposing a sensitive program or a potentially sensitive program to a bad actor who wants to exfiltrate that information and take it back to their home country. So insider risk, especially in that academic environment, I think is an essential part of supply chain. That’s a really exciting conversation for me to have as more of a supply chain security person involved in insider risk. I get to kind of educate both sides about the equities on the other side, because historically they are kind of talked about as two different disciplines, but I think they’re much, much stronger. There’s so much overlap. There’s much more opportunity for collaboration and action when you really talk about them in conjunction. That’s something I’m excited that that subcommittee is actually really going to focus on this year. So that’s great.

Lindy Kyzer (17:32):

Awesome. I’m excited to see more, and I think those committees do a great job of producing thought leadership and moving topics forward on that. So I think that’s super important and love to see the interdisciplinary nature of what we’re doing in national security. Seeing that is certainly encouraging too. So now that we’ve been encouraging, I would like to get a little bit depressing as we close out 2024, what are we seeing? I feel like anytime we’re talking about risk or the threat landscape, we just see it as there being more and more and more. So do you have key areas that you’re watching into 2024? Do you agree with the assessment that when it comes to supply chain national security risks, we’re in this heightened state of attacks and issues, and how would you rate the year so far and year to come?

Theresa Campobasso (18:10):

I think that we’re going to see, I’ll talk about what I think about the challenges are going to continue to be, and then I’ll talk about hopefully some things that will give us a little bit of hope going forward. I do think that there are more challenges and there’s more knowledge of the challenges, which I think sometimes can make it feel like they’re multiplying. Once you know what to look for and you have that kind of predictive aggressive mindset when it comes to identifying threats, and then you find them, you kind of feel like you’re doing a bad job, but it’s like, oh, thank goodness you checked. So I think that there’s some of that where we’re looking for more and more drivers of risk, and so of course we’re going to find more types of threats. I would say that cyber and digital compromise is going to continue to be really big.

(18:46)
That’s something that we, and we already talked about, the importance of that integrated approach and including those indicators in any kind of program. I think that resilience, from a resilience standpoint, I do think that access to things like critical elements, critical minerals, some of the perhaps advanced chipsets and microelectronics that are currently almost exclusively produced outside the United States, that’s going to continue to be a pain point. That’s going to continue to be something that we need to plan for because it’s going to be impacted by things like geopolitical tensions, regulatory environment. There are a lot of different externally imposed constraints in that environment is pretty dynamic and we’ll continue to see a lot of change there. So I think ensuring that we have both physical and digital security and transparency in the supply chain is going to be increasingly essential. Ensuring we have increasing integration on breaking down those silos either within companies or between industry and government is going to be increasingly essential.

(19:38)
And then I think the last thing that’s really going to help us with this is leveraging emerging technology in how we’re looking to have a really threat informed or security informed approach to solving these problems. There are a lot of different problems out there, and we’ve talked about, yes, we want to be holistic. We want to look at everything, the broadest set of risk indicators. We want to look at the broadest set of data sources, and fortunately, a lot of the data is available open source, which is great if you’re looking at expanding a network of hidden relationships or identifying hidden risks or things like that. We just talked about the impact of AI. So using things like AI, using things like natural language processing or large language models or any kind of predictive analytics. There’s all sorts of different modeling out there that’s AI enabled.

(20:18)
A lot of that is going to allow us to get that better insight more quickly in a more scalable way, in a more standardized way than we’ve ever been able to do previously. So just as we feel like the risks are kind of multiplying and the different data sources and different kind of inputs for a really threat informed program are multiplying the tools that we have available to us to get that insight and illuminate those hidden trends and pull out those hidden risks, and then use that to drive a decision that’s going to have a measurable impact on either the security of our company, of our products, physical and digital, or of US national security, we’re going to have more and more opportunities to do that. So we’re going to see a big leap, I think, in AI for supply chain this year specifically. So that’s something that excites me a lot, as you could tell.

Lindy Kyzer (21:00):

Hey, I love that. Hey, that’s always nice to be on this podcast and not be the only one that’s excited about the topic. So I mean, I know the topic is security clearance and security. I will say I feel very secure. I feel not insecure knowing that we have amazing folks like Theresa who’s working on this topic for Exiger. I always love to hear you out there speaking and talking about supply chain issues. I think it is a great career track. So again, I feel like I get a lot of folks who are always transitioning out of the military, younger people that reach out and they’re kind of looking for how to engage in this space. I think, again, if you can kind of read between the lines or read between the supply chains, it sounds like this could be a great career track to pursue. I really appreciate your sharing your time and expertise with us.

Theresa Campobasso (21:36):

Absolutely. Thank you so much.

Lindy Kyzer is the director of content at ClearanceJobs.com. Have a conference, tip, or story idea to share? Email lindy.kyzer@clearancejobs.com. @LindyKyzer