Embedding Stronger Product and Supply Chain Security

Secure by Design is no longer a technical aspiration; it’s a strategic necessity.


In today’s manufacturing landscape, cybersecurity is no longer an afterthought—it’s a foundational business imperative. As cyber threats have grown in sophistication and frequency, the concept of Secure by Design has emerged as a critical framework for safeguarding not only products, but also the complex web of third-party suppliers that underpin modern industrial operations.

The Threats Driving Secure by Design

The past decade has seen a seismic shift in the threat landscape. High-profile breaches—from Target’s infamous HVAC vendor incident to ransomware attacks that crippled global supply chains—have made it clear that attackers are adept at exploiting the weakest link, whether it’s a software vulnerability, an unpatched device, or a trusted supplier with lax controls.

For manufacturers, this risk is compounded by the convergence of IT and operational technology (OT), the proliferation of IoT devices, and the increasing reliance on cloud-based services. Printers and other networked endpoints, once considered innocuous, have become prime targets for cybercriminals seeking entry into corporate networks. According to Quocirca’s 2024 Print Security Landscape report, 67 percent of respondents experienced at least one print-related data breach in the past year, an increase from 61 percent in 2023.

As a result, Secure by Design is no longer just a technical aspiration; it’s a strategic necessity. This approach embeds security principles throughout the product lifecycle—from initial design and development to deployment, maintenance, and end-of-life—ensuring that security is not bolted on, but built in.

The Maturity of Hardware Manufacturers

The good news is that awareness of these risks has driven significant progress among hardware manufacturers. Industry leaders now embrace Secure by Design as a core tenet, integrating secure development lifecycles (SDLC), regular vulnerability testing, and robust supply chain oversight.

At Lexmark, our journey began with customer demand. In the mid-2010s, we formalized our security policies and processes, recognizing that customers were asking increasingly sophisticated questions about both our products and our supply chain. We adopted industry best practices—drawing inspiration from frameworks like Microsoft’s SDL and ISO standards—and tailored them to our culture and products.

Key elements included mandatory developer training, threat modeling, static and dynamic code analysis, rigorous open-source component evaluation, and layered security testing. Importantly, we required executive sign-off on security evidence before any product release—a step that ensured accountability and buy-in across the organization.

But Secure by Design extends beyond internal development. It demands a holistic view that encompasses IT infrastructure, build pipelines, and—critically—the third-party vendors and contract manufacturers who contribute to the final product.

Based on industry research and practical experience, here are five best practices manufacturers should consider when building or maturing a Secure by Design program:

  1. Make Security Everyone’s Responsibility. Security cannot be the sole responsibility of a dedicated team; it must be woven into the fabric of the organization. Invest in role-specific training, empower security champions across departments, and ensure everyone—from R&D to procurement—understands their role in protecting the business.
  2. Formalize and Enforce Secure Development Lifecycles. Adopt a structured SDLC that includes:
    • Mandatory security training for developers.
    • Threat modeling and architectural reviews for new features.
    • Automated code analysis and vulnerability scanning.
    • Rigorous evaluation of open-source components.
    • Regular penetration testing and red-teaming exercises.
    • Continuous improvement of this process based on emerging threats and lessons learned from incidents—both those internal to your company and those affecting your peers in the industry.
  3. Protect the Entire Product Ecosystem. Security doesn’t stop at the product boundary. Safeguard build environments, code repositories, and communication channels used by developers. Implement strong access controls, monitor for anomalies, and maintain hygiene in all supporting systems.
  4. Integrate Third-Party Risk Management. Vendors and contract manufacturers must be held to the same high standards as internal teams. Key steps include:
    • Risk-based segmentation of suppliers.
    • Requiring security attestations (e.g., SOC 2, ISO 27001) where appropriate.
    • Using standardized questionnaires and independent scoring services.
    • Performing on-site audits for high-risk partners.
    • Embedding security requirements in contracts, including SLAs for vulnerability remediation.
     At Lexmark, for example, we personally audit our contract manufacturers, reviewing everything from component quality inspections to IT system controls on the production line.
  5. Plan for Resilience and Transparency. No security program is infallible. Prepare for incidents by developing robust response plans, conducting tabletop exercises, and ensuring clear lines of communication—internally and with customers. When vulnerabilities are discovered, disclose them promptly and provide actionable guidance for mitigation.

Secure by Design as a Competitive Advantage

Regulatory pressures—from NIST guidelines to SBOM (Software Bill of Materials) requirements—are raising the bar for product security across industries. But forward-thinking manufacturers recognize that Secure by Design is more than compliance; it’s a differentiator that builds trust with customers, partners, and regulators alike.

By making security a foundational element of product and supply chain strategy, manufacturers can reduce risk, accelerate innovation, and strengthen their market position in an era where resilience is paramount.

The journey to Secure by Design is ongoing, and every organization’s path will be unique. But by embracing a holistic, proactive approach—and learning from both successes and setbacks—we can collectively raise the standard for security in manufacturing.


Bryan Willett is Chief Information Security Officer (CISO) at Lexmark.
