Exiger expert whose military nous keeps supply chains safe
Given it was the military world that gave rise to the term ‘logistics,’ it seems fitting that the supply chain security expertise of Theresa Campobasso was forged during her years in the US Marine Corps.
Theresa served four years active duty in the Corps, working in intelligence, learning along the way that a military force is only as secure and effective as its supply chain.
Those are lessons that provided precisely the right mindset for her current role, as SVP, Strategic Accounts, Government Solutions, Exiger.
Exiger’s technology helps clients maintain regulatory compliance and minimise supply chain risks. The company’s AI solutions illuminate supply chains down to the ‘nth tier’, to deliver quick, verifiable insights that help stakeholders make informed decisions to mitigate risk, identify strategic cost savings, and boost resilience.
Founded in 2013, the company offers solutions tailored to diverse industries including manufacturing, defence, technology, finance, healthcare, and government.
In her government-facing role, Theresa helps customers build high-performing teams across areas of risk management including national security, supply chain security, entity risk, personnel risk and emerging technology.
On the commercial side, Exiger works with a lot of healthcare customers, who Theresa says are “really concerned right now with physical and digital supply chain security and integrity.”
Exiger also helps many textile companies mitigate risk, particularly around the challenging and ever-evolving ESG compliance environment they face.
In the public sector-facing side of its business, in which Theresa works, Exiger customers fall into four categories: the defence industrial base community (contractors that provide technology to the government); federal civilian organisations, including the FBI and Department of Justice; the Department of Defense; and Critical Infrastructure.
Exiger supply chain expertise helps government bodies
To date, Theresa’s supply chain security expertise has helped 46 government organisations, including the US Department of Defense and the Department of Energy, as well as federal bodies that handle civilian programmes and defence customers.
It is a long way removed from Theresa’s start in the Marine Corps.
“I was passionate about intelligence, geopolitical analysis and counterintelligence,” she says. “It was around 2008, so the US was firmly entrenched in the Iraq and Afghanistan conflicts, and counter terrorism was obviously a big focus.”
Which was why, following basic training, she was surprised to be posted to Japan. It proved to be a sliding-doors moment, because it was there that she got her first taste of supply chain security.
“China is right on Japan’s doorstep,” she says. “There was a big focus on supply chain security, on securing our technology and maintaining that advantage.”
She served as an intelligence officer for around four years, eventually deploying to Iraq and then later returning to Afghanistan as a contractor. Upon returning to the US, Theresa left active duty, and sought her place in the civilian workforce – a process that was not without its difficulties.
“I had to learn how to articulate my military experience in a way employers would value,” she says. “Corporate America isn't looking for many counter intelligence officers.”
And so she focused on transferable skills, such as her understanding of emerging technology-threats, her grasp of leadership and management under stress, and her ability to secure stakeholder buy-in from people with different viewpoints.
“Once I figured out how to speak the language of business, I was able to make a positive impact in the commercial sector,” she recalls, ”but it was a challenge.”
Asked what her experiences were of supply chain risk in a military context, Theresa says these fell into two categories – one of which was traditional logistics.
“It’s about getting equipment to the point of need,” she says. “Whether that's the front line or a cyber capability or a software capability. There are additional complexities these days, because supply chains are both digital and physical.”
Supply chain security ‘a challenge’
The other challenge, she says, was security in the supply chain: “You want continuity of operations; but you also need to understand that when it comes to military technology and equipment, there is an adversarial threat, because the enemy will always look to your military supply chains.”
Theresa says the avoidance of disruption is where her intelligence skills came into play: “You have to discover if a technology has been compromised, or if it’s counterfeit. You have to slow down the acquisition process just enough to make it secure, because if you don’t then you might end up sending compromised equipment to the front line, or you could inadvertently expose a sensitive military-technology supply chain to an economic competitor.”
Theresa feels things are not so different in the commercial world, where averting threats is every bit as important in supply chains as ensuring compliance.
She says: “In the commercial world you have sensitive intellectual property and proprietary information, and economic competitors will exploit the complex nature of the supply chains by inserting things that will hurt the competition. So being able to map the full supply chain – to have transparency across its complete surface – means you can gain a potentially decisive advantage.”
Theresa stresses that an economic competitor might seek to disrupt a key supply chain by targeting its soft underbelly: the software supply chain.
“Take military technology,” she says, “such as a fighter jet like the F35, or maybe a big military platform, or a weapons system. An economic competitor has no need to infiltrate a military base to compromise supply chain security.”
She adds: “All they need to do is target a third-tier supply chain vendor who is providing important intellectual property and then whatever competitive advantage that that supplier’s technology offers is lost, and you then have to re-engineer something else, and you then have both a military and an economic loss.”
As well as stealing an advantage, competitors might also look to compromise key components of the supply chain.
“This is very difficult to do when you're looking at a military target,” says Theresa, “but is fairly easy if you're looking at a small business that doesn't have a security-based mindset.”
Mindset key to mitigating supply chain risk
And mindset, she says, is everything when it comes to mitigating risk, and adds that the kind of companies likely to have a threat-based mindset include emerging technology firms, and those that work in fields like synthetic biology or quantum cryptography.
“They’re all really concerned about cyber compromise,” she says. “They get hacked a lot and get a lot of phishing attempts, which is why they have a very defensive mindset and have to build robust cybersecurity programmes.”
But organisations in other sectors, such as health and retail, have been slower to adopt basic defensive measures, such as properly vetting vendors from whom they're procuring parts from, or having oversight of “the chain of custody of a part, or its provenance.”
“When you don’t have this visibility, the risks are higher,” Theresa says, and warns that it is the same story with software: “Knowing the provenance of code is vital, especially if there is open- source software in a product.”
Inadequate software security measures are enormously costly. In 2019, it was estimated the US has lost more than a trillion dollars to intellectual property theft through the digital supply chain.
“Software assurance, cybersecurity and digital supply chain mapping are three things that have to go together,” says Theresa. “That's a big part of supply chain risk management today that really didn't exist even five years ago.”
She says that although the COVID -19 pandemic “woke people up to the importance of supply chain security,” many organisations remain vulnerable because of the mindset problem.
“It really does all come down to whether you have a compliance-based mindset or a threat-based mindset,” says Theresa. “If compliance with regulatory requirements is all you care about, you are never going to be set up to counter the true drivers of threat.”
Holistic approach to supply security ‘vital’
Which is precisely why Theresa stresses to her customers the importance of a holistic approach to supply chain security.
She says business leaders “need to be properly educated about supply chain,” adding that this often means “redefining your legacy definition of what supply chain actually is.” This reworked definition, she adds, “needs to include both the tangible, and intangible, supply chain”.
Yet Theresa has sympathy with businesses who struggle to comprehend the risks inherent in such a rapidly changing world, and says an important part of her role is as an educator.
“Supply chain threats are changing all the time,” she says. “We live in an era where there's so much data that it's very difficult for organisations to understand how to make sense of it.”
She adds: “Supply chains are globalised and complex, and getting transparency into that is very difficult, and this is why educating folks is so important. They need to know what an effective approach looks like. They need to be walked through the process of standing up a programme. Many people think the supply chain is so massive there's no possible way to be able to map everything out, and that's not true.”
Exiger specialises in “illuminating the supply chain,” Theresa explains, adding that most of the hidden risks for a business do not arise from third parties.
“Typically, risk occurs between tiers three to five in the supply chain, and you have to be able to map that to ensure you have a clean bill of health.”
Even with such help, she says other obstacles must be overcome – such as securing stakeholder engagement, and funding, for supply chain security programmes. Again, she has sympathy with the executives who are being asked to embrace such change programmes.
“First,” she says, “supply chain leaders were advised to update legacy supply chain functions, through digital transformation, smart warehouses, and things like that. Now, we’re asking them to think about how they can use big-data analysis and AI to map out the entire supplier ecosystem, both tangible and intangible.”
This, she says, “is a paradigm shift,” and is something “people feel some discomfort about.”
Although her focus is on supply chain security in the public sector, Theresa says the issues and challenges here are “remarkably similar” to those faced by commercial organisations.
“Many of the supply chain challenges are the same,” she says. “Generally speaking, everybody's concerned about resilience. If COVID-19 taught us anything, it was that diversification of the supply chain is essential to prevent disruption.”
She concedes, though, that public sector supply chain leaders are more concerned about “security and threat-based supply chain risk than their commercial counterparts.”
Asked what sets Exiger apart in a crowded risk-management marketplace, Theresa says it is the holistic nature of its offerings.
“Many companies offer ESG compliance, or cybersecurity, or supplier vetting,” she explains. “But for supply chain security, you need to cover all these bases, and more.”
“We're looking to make the world a safer place for organisations, whether public or private. Our supply chain risk management solutions cover everything from entity vetting, supplier network illumination and mapping, resilience, predictive obsolescence, software assurance, cybersecurity, foreign ownership and investment, and really everything within that spectrum.”
That spectrum, she says, includes “everything from network analysis to deep, rapid and technology-enabled risk management on an entity, a product, a piece of software, a set of research or emerging technology.”
In a world riven with supply chain risk, Theresa Campobasso is one person you most definitely want on your team, riding point.
**************
Make sure you check out the latest edition of AI Magazine and also sign up to our global conference series - Tech & AI LIVE 2024
**************
AI Magazine is a BizClik brand