Cybersecurity has become one of the top concerns in our supply chain discussions. When we gathered with directors last year the broad view was that cyber sits with IT. That may be true in a narrow technical sense but it leaves an uncomfortable question hanging. If an attack halts your production, prevents suppliers from being paid and delays deliveries, can supply chain leaders really afford to stand back?
I raised this in a LinkedIn post recently, pointing to the recent incidents at JLR, Marks & Spencer and Co-op. In each case, the technical breach was felt in operations. At JLR, production lines stopped and the government stepped in with a £1.5bn loan guarantee to stabilise the supplier base¹². At M&S, ransomware disrupted online operations and was forecast to cost more than $400m³. Co-op’s attack forced its food network onto manual workarounds and resulted in a hit of over £200m to revenue and profit⁴. These were not IT stories. They were supply chain disruptions in the most practical sense.
In discussions with leaders the question of ownership comes up frequently. Security is often assumed to sit with IT, procurement manages supplier contracts and supply chain teams deal with the fallout. One director described it as “everyone’s problem but no one’s job.” The result is that innovation initiatives can move forward with unclear accountability.
That lack of clarity becomes visible when pilots rely on new vendors, external platforms or supplier data. Without supply chain involvement in governance, risks can creep in unnoticed. When something goes wrong, operations are the ones that bear the brunt.
The JLR case in particular has reset expectations. When a cyber incident forces production to a standstill and requires government support, boards start to see the risk less as an IT matter and more as systemic exposure. IBM has reported that the average cost of a breach has risen to $4.45m worldwide and higher in logistics where physical flows are disrupted as well as information⁵. These are not abstract figures when we have UK examples of losses in the hundreds of millions.
Regulators are reinforcing this pressure. GDPR was the first step but Europe’s Digital Operational Resilience Act now makes supply chain ICT resilience a regulatory requirement⁶. In the UK, the classification of the M&S and Co-op incidents as Category 2 systemic events suggests that authorities also see these breaches as national resilience issues⁷. For supply chain directors this means cyber governance is no longer optional. It is part of the licence to operate.
This is where the link to innovation becomes clear. Supply chain leaders are often asked to make the case for new capabilities. In the past it was easy to assume that security was someone else’s problem. Today boards want to know not just what an initiative will deliver but how it will affect resilience.
That makes business cases harder to land. Every proposal must balance the promise of efficiency or visibility with the assurance that it will not introduce new fragility. The hurdle rate for approval rises. Some directors tell me they now deliberately scope programmes to be smaller and modular, so that the blast radius of any incident is limited. That creates tension with the legacy preference for big platform bets. Boards want innovation to move faster but also to be safer.
When I ask directors whether they feel responsible for security, most still say no. Yet when we explore the consequences of recent incidents, they quickly recognise that they are accountable to their boards and customers for outcomes, even if they do not own the technology. That accountability is now forcing a shift.
Some companies have responded by aligning IT and supply chain leadership directly. Gartner has pointed to Unilever, where the supply chain leader also serves as CIO and to Microsoft, which has given supply chain leaders direct ownership of IT⁸. Those examples show one way of closing the gap. For most companies the change will be less dramatic but the principle is the same. Supply chain leaders need to be part of the conversation about resilience and governance, not just the recipients of its consequences.
The recent UK incidents show why governance and security can no longer be treated as separate from innovation. Supply chain leaders may not manage firewalls or patch servers but they are the ones who face halted production, unpaid suppliers and disappointed customers when things go wrong.
Innovation is already under pressure from financial constraints and long payback cycles. The addition of cyber risk raises the bar further. Unless security is designed into new initiatives from the start, boards will remain hesitant and the gap between ambition and execution will grow.
The challenge is not to make supply chain leaders into IT directors but to recognise that resilience, security and innovation are inseparable. Until governance reflects that reality, the current model of innovation will remain under strain.
JP Doggett
*This article was updated on 30th September 2025 to include the impacts of the JLR cyber attack on its supply chain.