Christine Ferrusi Ross
Research Vice President, Security, and Blockchain 
Ask the Experts: Security Gurus Offer Their Advice for Non-technical Buyers
February 09, 2017 | Christine Ferrusi Ross

A big challenge for sourcing specialists is needing to rely on security domain experts internally to judge provider quality. The internal team, already working on their day jobs, often doesn’t have as much time to devote to the selection and negotiation process as sourcing leaders want. It’s important for sourcing teams to get smarter about security themselves to lessen their dependence on domain experts for preliminary RFP screening and downselecting.

In our upcoming security services Blueprint, we asked the client references (themselves security experts) what advice they’d give non-technical teams on buying security services. Some of them are general sourcing best practices, and some are very specific to security. But they’re all important to ensuring the success of your security services engagement. Here are some of their key recommendations: 

  1. Make a map of your security landscape. You need to cover your bases regarding what kinds of security technology you’re using – end point, antivirus, etc. -- so you can ask the provider about its expertise in each one. Ask in-depth questions about what kind of expertise it has with those tools, and look for specific clients and places where it can demonstrate the details of its experience. Have the provider pull it all together into a diagram and one vision so you can see it and make sure it matches your expectations.
  2. Communicate. A lot. How you interact with the provider will have as much bearing on the engagement’s success as the technical security. Make sure you’re not so focused on technical questions that you ignore challenges in communication. Remember the provider’s on its best behavior during the RFP process and it’s unlikely that communication problems get better after signing the contract. As one client reference said, “if the communication is good, you'll get it right 90% of the time.”
  3. Ask references about mundane details. Beyond the technology expertise, talk to references about what their daily experiences are like. Ask about little things like how quickly the provider answers emails and responds to questions that aren’t part of a service issue. Talk to people who have direct experience with the processes and skills you’re buying to make sure what the provider wrote in the RFP response is actually borne out in client engagements. For example, one client we spoke with mentioned a situation where its incumbent provider proposed expanding scope based on its process for innovation – yet the process described in the proposal looked nothing like the process the client experienced every day with the provider. So even tactical steps within a proposed process need to be explored.
  4. Weight flexibility and potential highly when grading. One client reference expressed sympathy for his sourcing counterparts: “It's hard to know what questions to ask and know how to evaluate the answers,” he said. But he then explained that evaluating a provider’s flexibility is critical to engagement success. He points out that flexibility matters because even if you ask the right question, your questions will change over the course of the work. So flexibility and potential capability are better than specific current capability that may not be relevant in another year.
  5. Pick a supplier that can meet you in the middle. It’s been a truism of outsourcing to hire for areas where you’re weak. But this often leads to provider teams that can’t effectively work with client teams because they have no common skill sets. One client pointed out that she relies on her provider’s ability to speak “business language” when discussing security. Can the provider talk about security from a business perspective or are they expecting you to translate their technical discussions for your stakeholders? What you really want is a provider that can go deep in the technology but still have a business discussion, while you’ll match those skills with your internal security experts and stakeholders.

Bottom line: Don’t be intimidated by the lack of deep technical security knowledge. It’s important to bring in domain experts as much as possible, but sourcing teams can dramatically improve their own efforts by making sure they focus on the business side of security.

Make Sure Your Managed Security Services Provider Keeps Current With Your Changing Security Posture
January 26, 2017 | Christine Ferrusi Ross

A company’s security posture changes often. The change can be company-created, for example, by opening an office in a new geography or entering a business with different regulatory requirements for data protection. Security posture also changes as new threats like previously unknown malware emerge, and more sophisticated techniques for hacking evolve.

When engaging a managed security services provider, it’s tempting to believe that keeping up with changing security posture is “being handled” by the provider. But is it?

Providers Often Forgo Innovation For Operating Efficiency

A very common complaint among outsourcing and managed services clients is that the providers rarely suggest changes unless the client brings it up – unless, of course, that change benefits the provider’s ability to run the process. In security environments, this heads-down approach goes beyond ineffective – it can cause significant damage to clients as threats and mitigation options change quickly.

Yes, providers generally do a security posture assessment before beginning the engagement. However, in our current blueprint research we found little evidence that providers re-assess security posture formally during the ongoing engagements. 

Recently, in fact, we even heard of one provider that regularly discovered threats in a client environment but didn’t report them to the client because the particular threat types were out of scope of the engagement. The client found out only months later, and by accident, about the omissions.

Even with such egregious scenarios of intentionally not alerting the client, many providers miss threats. They miss them because they’re not looking for them and their analytics engines aren’t detecting new patterns.

Be Proactive With Incident Monitoring And Reporting

There are many ways you can work with your managed security services provider to ensure that changes to your security posture are being addressed. From most quickly implemented to longest, here are some actions you can take:

  • First and foremost, monitor news and trends in security and threat intelligence. Don’t wait for your provider to flag new threat types to you.
  • Be proactive in asking questions about changes and new threats. Sometimes even a quick email asking the provider about a new ransomware technique that you read about will spur discussion about making changes to the service scope.
  • Include security market changes and news as part of monthly meetings. Make it an agenda item to discuss what’s happening in the market. And build into the provider’s mindset not to wait for the regular meetings to bring up new events.
  • Expand the scope of your engagement to include regular security posture re-assessments. This can depend on your industry and other factors, but it might be quarterly, semi-annual, or annual.
  • Include a new engagement metric on the provider’s ability to find and address new threats. The provider’s ability to keep your data and organization protected from threats even as those threats change needs to be part of the provider’s success metrics if it isn’t already.

Bottom Line: Don’t let inertia set in on your security managed services engagement—make sure your engagement includes specific, proactive approaches to staying current with your security posture.

Talking Blockchain Business Models and Network Ownership With HCL
January 20, 2017 | Christine Ferrusi Ross

Since we published our first report on blockchain, we continue to talk to players in the industry about how this fast-moving market is changing and growing. Compared to last year, there’s more discussion about security and privacy (evolving from the “blockchain is unhackable” talking point that was popular last summer), there’s more talk about non-financial examples like using blockchain to help with supply chain compliance issues, and there’s a hunger to get beyond POCs into valuable operational execution.

Recently we spoke to Santosh Kumar, Rob Ellis, and Mani Nagasundaram from HCL about blockchain trends. HCL shares many characteristics with the players we included in the report, such as:

  • Basing its blockchain expertise within its financial services practice
  • Building expertise in some key industry hot buttons like international money transfer, asset tracking, and trade operations
  • Creating POCs with global banks like one HCL did on cross-border money transfers across subsidiaries
  • Exploring partnerships with several key blockchain technology vendors like Ethereum and ERIS Industries

Regarding trends, HCL sees a lot happening in security and privacy, as well as regulatory agencies stepping up to help businesses form some governance policies around blockchain. We’ve seen in the past few months that while maybe the blocks in the chain aren’t hackable per se, there have been identity thefts, fraudulence, and further concerns about public blockchain networks.

The HCL team notes that transactions are well executed in blockchain, but identity validation and asset validation are less mature. And valuation of assets still needs to happen in the real world, so they caution over-optimism in moving quickly to broad blockchain adoption.

Also, adoption may be slowed down until we can answer the key question, “who owns the network?” HCL’s current thinking is that there’s likely to be one or two per industry and that moving or crossing networks will be difficult (HfS agrees that network interoperability is a big problem. See my prior blog on network interoperability issues here.)

They also believe that maturity in blockchain comes in three phases and that blockchain mirrors the Internet itself in this maturity curve:

  • Operating business processes better with blockchain
  • Changing operations using blockchain
  • Using blockchain to create new business models, processes, and activities

When you get to the discussion of new business models, HCL has a few scenarios that they share (see Exhibit 1 for an example). We like HCL’s ability to explain not just the technology ins and outs, but also blockchain’s impact on business. In the blueprint guide on blockchain, we scored providers highly on innovation when they have strong business stories and the ability to demonstrate blockchain’s potential to prospective clients.

Exhibit 1: HCL’s Blockchain Ecosystem Example

Source: HCL, copyright HCL

Bottom Line: 2017 will be an important validation year for blockchain

As HfS continues to research HCL and its competitors, we’re looking for the following in 2017:

  • Movement beyond POCs into live implementations
  • An example of inter-company blockchain work (remember, most POCs right now are intra-company, which is why the network question didn’t come up much this year)
  • Some hardening lines in the partnership area as the winners and losers on the technology side become clearer and providers get pickier about which vendors they bring into client engagements

Trump Intel Story: A Stark Example Of A Predictive Security Management Dilemma
January 13, 2017 | Christine Ferrusi Ross

This week the Internet blew up based on news that Intel officials briefed President Obama and Donald Trump on the possibility that Russia had information on Donald Trump that was damaging to him personally and might even have implications for the entire US government. (And while one never expects a hashtag like #goldenshowers to trend on Twitter, the feed was hilarious.)

Politics aside, this story is a textbook case of problems with being proactive with threats. Notice: I wrote “threats” not “events” or “incidents” because the incident hasn’t happened yet, there’s just a high potential for it to be true and for it to happen.

You get lots of finger pointing in hindsight. The common question is “what did you know, and when did you know it?” Because, after something bad happens, anyone who knew of the potential for the event comes under fire for not saying something sooner, not being more forceful if in fact they HAD said something, and for not doing something to stop it from happening.  The fact is something happened and someone has to somehow get blamed.

And in the Trump intel story, you see the opposite of that, with everyone retreating to respective political corners, defending or dismissing the intel reports based on emotion and personal perspective. And now that everyone’s already picking sides, it will be that much harder to make the right decision on how to treat the threat risk. So, how do you ask the right questions and take action in time to avoid the impending threat?

Here are the questions predictive security and risk management brings:

  • When do you flag a threat to executives? It’s important to have a policy in advance so there isn’t confusion later. It could be anything from “a risk has been increasing steadily for the past 3 months” to “a risk increased very quickly in a short period” or a similar idea. When you raise the flag may have a drastic impact on which actions you take to address the threat, since risks are often time sensitive.
  • How much do you tell them? Even if you’ve decided to tell executives, you must decide how much information to give. Too much detail and you may panic them unnecessarily, too little and they may not appreciate the implications of the threat. This question is usually harder to answer than the first one.
  • What do executives need to DO because of the rising risk? Another tricky area, what do you propose be done about the threat? Wait it out and seek more confirmation? Deal with it proactively, even if there’s potential for the threat to not happen? Take interim steps? This is the most important question to be answered when talking about predictive security management.

Focus Predictive Security On Remediation Not Reporting

We don’t know what advice the intel team gave to the government leaders, but we do know there are a few general ways you can deal with a threat or risk:

  • Accept the risk and go on with what you were doing. Sometimes there’s not much that can be done – or worth doing. For example, there could be a heightened risk of a terrorist attack, but you don’t want to be seen to be weak and encourage the attackers further, so you choose to ignore it, safe in the knowledge that airport security is already prepared for such a threat.
  • Try to remove or reduce the risk. In a political context, it might involve finding the people who are informants and stopping their ability to keep helping the other government. In a corporate setting, it might involve cutting a contract with a supplier you think has illegal dealings, for example.
  • Make a strategic bet to increase the risk. In a political context like yesterday’s story, increasing a risk strategically could involve cutting diplomatic ties, mobilizing troops or invoking sanctions, among others (these increase risk because they may cause the original threat actor to escalate further or move more quickly with the original threat.) In a corporate context, an example would be to work with a startup vendor even though you know it’s a highly risky supplier because that vendor has some amazing new technology that you want to use.

Unfortunately, if you didn’t have a remediation plan in place BEFORE the risk became likely, you’re facing much more confusion about what to do and even whether to do anything at all. This puts your company at risk and in fact, negates the value of having predictive security capabilities.

Bottom Line: Security professionals need predictive security management and prescriptive treatment plans to protect their firms from looming threats.

Security teams need clear treatment plans that address potential risks and how to mitigate them. As a simple example, if there is a threat of insiders giving information to third parties, then the remediation plan would involve something like “when someone downloads more than one file they don’t normally access, that person’s manager must ask why the person needed those files within 4 hours of the download.” Without this proactive treatment planning, companies likely do nothing and then get harmed even by risks they could have addressed.


Getting The “A” Team From Your Provider – Or, More Realistically, Getting The Team You Deserve
December 22, 2016 | Christine Ferrusi Ross

My colleague Mike Cook and I are in the middle of a blueprint on Managed Security Services, and as we talk to client references and review provider information, I’m reminded again about how difficult it is for clients to feel like they’ve really gotten the best possible team for their engagement, based on their investment outlay.

You might be disappointed with the quality of your team, and maybe you think it’s because it isn’t as good as you thought. Maybe they oversold their capabilities or flat-out lied about what they could do. While this is possible, in my experience, it’s more likely that clients confused the provider’s corporate image with the capabilities of the specific delivery and account team on their engagements. A provider’s capabilities are never evenly distributed across the entire company and the reality is that some delivery people are better than others.  Plus, providers can often be very crafty with how they allocate their best and brightest to their clients.

A while back, I was at an event, and chatting with several vendor executives. A vendor management person from a buyer client that we all knew came over and started chatting. He looked at the company names on everyone’s badges and mentioned that his company worked with every provider represented there. Then, company-by-company, he pointed at each one and said things like “Yup, we hate you guys. We’re suing you. Your team is terrible. You never give us good people.” That broke up the circle quickly as everyone made excuses to move to other conversations!

And afterwards, two things stuck with me: the first was that buyer getting up as a speaker at the event to talk about creating shared value and better relationships with suppliers (I kid you not!). The second was one of the providers sharing with me privately his frustration with that particular buyer, saying “he wants the “A” team, but he’s paying for the “C” team. And even still, all he talks about is cutting our rates in the next negotiation. Why would I invest in a client like that?”

This story highlights several reasons that a company may not get the “A” team from a supplier that have nothing to do with the supplier at all:

1. You aren’t mature enough. Providers can tell what your internal team is capable of – both for execution and understanding. A supplier won’t give you “A” level resources if they think you can’t appreciate the value. Now, of course, the question is “if you can’t tell the difference, how do you know it’s not the ‘A’ team?” And the answer is, you probably can’t put your finger on it but you’re vaguely unhappy and realize things aren’t progressing the way you want even if you don’t know why. Smarter clients get smarter teams.

What to do about it: This one starts with increasing your own expertise first so you can ask better questions, understand the answers better, and make your own suggestions of how to remediate so you can have productive discussions with the provider. When the provider sees that you know what you’re doing, they’ll give you better resources. In the story above, you wonder why the company was suing a provider – that’s the kind of thing that happens when you didn’t scope properly or weren’t smart enough to ask for the right things.

2. You’re cheap. I hear this one a lot. As a client, you’re complaining that you got the “B” team. But when you look at your rate card, you’re getting “C” team pricing. You may even have gotten the “C” team instead of the “B” team. This is exactly what frustrated the provider executive in the story – he was delivering better resources than the client paid for and yet the client wasn’t grateful; instead, the client only complained that the resources weren’t good enough!

What to do about it: If you pay for the “C” team and got the “B” team, be happy. You’re doing better than most others in your situation. If you’re paying for the “C” team and actually have the “C” team, then you need to have a discussion internally about what your goals are. Maybe you’re actually ok with the service you’re getting and the complaints are just water cooler venting. If you’re actually having a delivery problem, then you need to look at increasing what you’re paying or changing the delivery model. You can change a delivery model by seeking to automate some part of the engagement and paying a little more for the resources you’re keeping.

3. You’re a bad client. Maybe you complain about things that aren’t actually wrong. Maybe you blame the provider for problems that really resulted from your internal team. Maybe you constantly want things that aren’t in the contract and get mad when you don’t get them. There are lots of variations on this theme. Here’s the thing: no one wants to get abused at work, and top talent doesn’t have to put up with bad behavior. They’ll get switched to better clients. Or, worse, you HAD the “A” team and you beat them down until they’ve devolved into “C” quality work. While I don’t know the inner workings of the buyer’s organization, I can tell you that in this conference setting, where providers normally love the chance to socialize with their buyer clients, providers avoided this person at all costs. That speaks to the poor relationships this person built.

What to do about it: Of course, if there are legitimate problems with the provider’s work, address it. But if the problem is really your team, then fix your internal situation. You can train your team to address challenges differently, swap your internal provider liaison or even fire staff that are creating a bad environment. You definitely need to get realistic about your expectations of the engagement. Then let these internal changes get demonstrated to the provider staff to show them you’re no longer the client from hell.

4. You’re not important. Sometimes you can be a great client from all sides – you pay well, you’re a pleasure to work with, and you have interesting work. But maybe you aren’t a big client, or you’re not a brand name, or you in fact have a weak brand (the “loser” in your industry?). The provider is likely putting top talent onto clients that spend a lot of money, that have brands with star power, or that they use as client references. In the story above, the client was important in its industry but had a reputation as a bad place to work, so there wasn’t the “star power” that often comes from a well-known brand.

What to do about it: This one’s trickier than the rest, because the only way to really fix it with your existing provider is to spend more money until you’re a bigger and more important client. Sometimes you can fix it by being willing to be a reference client: tell your account team that if they fix the talent situation, you’ll agree to be a reference for future prospect or analyst calls. However, if you’re willing to go through a transition, you can solve this one by switching providers. You can look for a smaller provider so you can become a “bigger fish in a smaller pond” or a player who specializes in your industry so your brand becomes more important to that provider.

The Bottom Line: You’ll only be satisfied with your service providers when you deal with your own responsibilities to the engagement.

Get more realistic with your expectations based on the factors above and decide what’s good enough for your needs. Hold the supplier’s feet to the fire, but do the same to your own team. Addressing these internal issues will give you more value from your existing deals and also position you better for future work with your key suppliers.

New Year’s Resolution For All Of Us: Put More Business Into Our Security Discussions
December 15, 2016 | Christine Ferrusi Ross

Security’s a hotbed of complexity – many different kinds of threats, technology that’s evolving all the time, and businesses can’t keep up. Changing standards and incredibly complicated threats make most non-technical buyers either throw the problem over the wall to their technology team (and miss out on the value of a business-led security approach) or their eyes glaze over at the mere mention of security and never really give it the attention it requires.

And what’s worse is that this complexity isn’t getting better, it’s getting worse. That’s why we all need to get over our apprehension, fear, boredom, and whatever else is keeping us from really understanding what we need to do in security. The best way to do that is to keep a business-value focus on it, making sure we learn what we need without digging too deep into the weeds and getting frustrated.

Bridge the divide between the highly complex and the need-to-know by focusing on three core, interrelated areas:

  • Digital trust: Your ability to succeed in the digital environment requires that your trading partners (customers, suppliers, external stakeholders) trust you to be ethical, legally operating, and practicing up to date security procedures to protect their data and IP. If others start to doubt your ability to secure your own data or theirs, you are dead as a business. It’s pretty simple as a concept and amazingly complex when executing.
  • OneOffice: Digitization and the renewed rise of customer-centricity mean that the wall between back office and front office has collapsed – everyone in a company is customer facing in this age where customers have significant visibility into our internal operations. That means your security policies, procedures, and risk approaches need to be brought up from the basement and shared across your entire organization.
  • Shared responsibility: Security isn’t just something you worry about within your four walls anymore. As data and IP get shared across trading partners, the need for a shared view on securing digital assets becomes critical. Everyone in a trading network owes the other members a secure environment, so sharing accountability for security will become the new normal.

We started our security resolution early by publishing new research that defines the eight prerequisites of digital trust, including data integrity, business alignment, and device security, among others. And then we’ll be building on that by publishing our findings on how well service providers can help clients with managed security services for digital trust in February 2017.

Don’t be intimidated by security challenges, put them in the context of your business and make progress toward digital trust. Here’s to a secure, business-focused 2017!

Blockchain Brings Us Into The Future, But Only After It Drags Up The Past: Interoperability Becomes An Actual Issue Again
December 05, 2016 | Christine Ferrusi Ross

Remember eMarketplaces (also called Supplier Networks)? They were networks of suppliers and buyers where the goal was to make information sharing easier by standardizing and consolidating platforms, products, prices and policies.  In many cases, clients got in “free,” but they still had to pay for some integration cost. Suppliers had to pay to be part of each network, and most clients each used different ones, making it expensive and complicated to decide which networks to join. 


As a buyer, you could try to insist suppliers join your preferred network, as long as you were a big enough client, or if you were willing to pay the supplier’s connection costs. As a supplier, you had to decide which networks were important to belong to, either because a lot of clients used them, they catered to specific industries, or offered some other unique benefit.

These supplier networks were a great idea, but the practicalities of connecting everyone were a big headache, and very few of these eMarketplaces survived. Many of those that did survive were bolted on to procurement apps. Without a way to make the networks talk to each other and give trading partners on different networks a way to work together, eMarketplaces achieved some limited value for customers, but ultimately failed to deliver the game-changing impact they envisioned with these “super networks” that never quite materialized.

In the example above, go back and replace the word “eMarketplace” with “blockchain.” Minus some of the details, it’s pretty much the same problem we’re all about to face today, as companies struggle to understand where, why, and how they can get the most value from blockchain implementations.

When we researched blockchain this past summer, we found that almost all POCs and client examples were focused on internal operations – transferring funds across business units in a bank, for example. Yet, the foundation of blockchain is creating exponential value from a collaborative and engaged peer-to-peer network.

Everyone’s experimenting, and there are a lot of technologies and validation/authentication options being used and explored. There are also no standards at the moment, so everything’s getting siloed into one-off projects. Are you starting to see where the eMarketplace experience gets echoed?

Let’s say you’ve chosen the blockchain technology, as well as an authentication approach with which you are happy, that work for your needs. Now you want to expand your execution of blockchain to connect with partners.

Your partners likely made different choices. They may have stricter authentication approaches than you use. And each trading partner’s blockchain implementation is different than everyone else’s, so you need to connect to each one using a separate connector, or you choose to get onto their blockchain. And then you have the initial cost of integration, plus compute costs. And blockchain often isn’t efficient with compute power, so connecting to multiple systems is more expensive that way than you might initially think.

And, of course, the market’s so new that we also don’t know how much cement we’re pouring when we build blockchains. We do know, for example, that no transaction or other data in the blockchain can get erased. Once it’s there, it’s there forever. But, what if we decide to switch to another network or technology? We don’t know the costs of switching from one network to another if we have a lot of data sitting in the blockchain.

In our blockchain guide for BFSI, we recommended that you start talking to trading partners, because the real value comes from using blockchains outside the walls of your company. And this issue of linking networks makes that recommendation all the more important.

Bottom-line: Make sure you fully understand the broader network of partners impacted by your blockchain options

Here are some questions to start asking trading partners (and yourself, if you haven’t already):

  • What validation/authentication approaches are you considering?
  • Which blockchain technologies do you like and why?
  • What criteria do you want to use to approve new members to join a network?
  • Who pays, if someone wants to join the network? What if we want them to join? Will we pay only for integration costs or other longer-term costs like the compute power needed to process blocks?

If you have thoughts on this, or know of companies who are already working on the interoperability problem, tell us. We’re always looking to talk to more people about what’s going on in the space.


The View From The Other Side: Service Providers Weigh In On The Blockchain Blueprint Guide
November 15, 2016 | Christine Ferrusi Ross

Everyone loves to hate grading reports (including the analysts who write them!) If the evaluation criteria are too numerical, some people think the report lacks any strategic analysis. If the criteria favor analyst judgment over hard facts, some people think the report is biased based on the analyst’s emotions or other factors.

And unfortunately far too many people care only about the one evaluation graphic -- missing much of the depth and nuance about the market in the report itself needed to really put the graphic in perspective. In fact, the graphic isn’t about who’s good or bad at something, but about finding the best fit for a buyer’s needs and preferences.

My job is to give you my insights about a space but also to give enough context so you can make informed choices with that analysis. And that could include coming to the conclusion that you disagree with a result or a starting assumption.

With that in mind, I want to be more transparent about some of the disagreements with the recent blockchain primer I wrote. I gave the service providers evaluated in the report the opportunity to tell me their thoughts.

Below are the comments from the ones who replied. (I choose to believe the non-responses from other providers as agreement that the report was perfect…)

The Providers React

Many providers appreciate HfS Research’s effort to take on this emerging area, noting that the market wants more information. They also mention many improvement ideas. Here are the questions I asked, the answers I received, and any final comments I have on the question.

What do you think the report missed/didn’t cover sufficiently?

Generally, the providers don’t have too many issues with what was covered but offer some ideas of places the report could have drilled deeper, including:

  • The report could have included more specific offerings and capabilities, like the availability of a provider’s internal and external training on blockchain as well as the availability of a consultative framework to support clients in identifying and qualifying use cases to co-creating the client’s product. Other examples of specific offerings include sandboxes and design thinking sessions.
  • While the report focused on BFSI, it could have included a broader perspective on where blockchain technology is heading, and which industries and segments are building the first implementations.

CFR’s Take: We’ll be doing a full blueprint in 2017, where we’ll dig into specific offerings and get more detailed about capabilities. We’re also doing more research on many areas of blockchain, so the feedback on giving a broader perspective of the space makes a lot of sense, too.

What did the report get wrong?

Several providers feel that the report didn’t clearly define execution (the X axis) and innovation (the Y axis.) Some feel that they would have provided different information if the criteria were clearer during the research process and mention the following:

  • The lack of clarity meant they couldn’t fine-tune their answers to what we were seeking. One provider pointed out that we didn’t specify if our focus on client projects was focused on something like numbers of billable blockchain consultants on projects or if it was people who had been trained on blockchain internally, or capacity available to start new projects.
  • Related to explaining innovation and execution axes, it would have been helpful to explain each provider’s positioning specifically. For example, what made one player more innovative than another? The mini-profiles didn’t specifically call out the grid positioning.
  • Is the Blueprint Guide the right way to measure blockchain, given it’s so new? Maybe a different report format to explore a market before doing an evaluation is a better approach.

CFR’s Take: Since this was an early first-pass at assessment and not a full blueprint, we used a starting point set of criteria. Also, we recognize that this report switched from one analyst to another, so each analyst always brings a different perspective. But the broader point is taken to be clearer in how we define criteria.

What would be the next logical place for HfS to explore blockchain further?

There are some common requests here, including:

  • Cover more industries. Several providers mention healthcare, retail, media, and government as other industries they feel should be covered and where they had good client examples that the BFSI report by definition didn’t demonstrate. They also want us to keep studying blockchain in financial services and not stop with just this one report.
  • By domain area, IoT and supply chain demonstrate great use cases for blockchain and need further exploration.

CFR’s Take: We’re researching supply chain and IoT in blockchain and agree that they’re great places to explore further. We’re looking at other industries too, but that may take longer depending on market developments and other factors.

What Did The Report Miss Or Get Wrong About Your Firm?

Most providers didn’t take us up on the offer to publicly voice their issues with our assessments of their firms, but two did. I edited for space and clarity but otherwise used the exact wording from the providers.


At EPAM, we’re working on different use cases with different clients and we realize that we can group use cases by technical requirements towards blockchain. We created two prototypes (platforms) that cover over a dozen use cases from multiple industries. After review, we realized that this was not very clear in our initial presentation.

More generally, EPAM believes that when it comes to implementing software solutions there are multiple components/layers in the game: Front End, Integration layer, Backend (business logic + storage). Blockchain is a variation of a storage and limited business logic with some features to improve collaboration between parties. There are a number of different Blockchain frameworks available on the market. Most of the core crypto functionality will be addressed by framework developers so there is no urgent need for service providers to have an army of cryptographers (this is good if they have several).

Service providers need to have Architects, Business Analysts, Testers, and Infrastructure Engineers to be able to integrate/use Blockchain into projects. Their readiness should be measured by the core knowledge they have, ability to scale this knowledge, availability of consultative framework, projects completed (PoC, Production), infrastructure readiness, and client feedback. 


IBM thinks HfS may have underestimated IBM's innovation in blockchain and offered the following further details.  (CFR NOTE: IBM also referenced several documents on blockchain that are available on the company’s website for anyone who wants to get into the details behind the statements below.)

IBM thought leadership.  IBM, with the support of the Economist, recently surveyed 200 financial institutions in 16 countries on their experience and expectations with blockchains.  This study includes findings like:

  • Fifteen percent of banks and 14% of financial market institutions surveyed (the early adopters) intend to implement full-scale, commercial blockchain solutions in 2017, and roughly 65% expect to have blockchain solutions in production in the next three years.
  • Banks identified three business areas with the highest benefits (reference data, retail payments and consumer lending) and three areas where blockchain-based business models will have the most impact (trade finance, corporate lending and reference data).
  • Financial markets institutions are investing most in five areas: identity and KYC, clearing and settlements, collateral management, reference data and corporate actions.
  1. IBM client innovation leadership with the most centers around the world to help clients get started on their first blockchain project, with IBM Bluemix Garage for Blockchain centers in New York, London, Singapore, and Tokyo.  IBM can also dynamically open a "popup" center when and where needed. 
  2. IBM industry innovation leadership, as a founder and leading contributor to the Hyperledger Project.
  3. IBM offering innovation leadership with IBM Blockchain, based on the Hyperledger Fabric, and available on IBM Bluemix, which enables developers to easily and quickly develop applications while testing security, availability, and performance of a permissioned blockchain network.  IBM Bluemix also allows the IBM Blockchain service to be integrated with other Bluemix services such as IoT, Mobile, Analytics and Watson. 

Read through this and then don’t forget to add your own thoughts in the comments. Let’s get a dialogue going about blockchain services.

How To Buy When You’re Not Sure What You’re Buying: HfS’ First Evaluation Of Blockchain Service Providers
October 19, 2016 | Christine Ferrusi Ross

The funny thing about innovative projects is that everyone likes to talk about buying them as if innovation is a product you just pick up off the shelf at the store. But real innovation – exploring ideas, opportunities, risk, and implications of change – means you likely don’t even know what you’re buying. You’re not buying a packaged piece of software or a defined solution. You’re really buying someone who can be a co-creator with you, helping you wade through the mass of tangled and often conflicting options available to discover and build something that adds a unique value to your business.

When you’re experimenting with business opportunities it’s complicated enough, but when you add a technology or solution area that’s just emerging, it gets doubly complicated because often the service providers don’t have tons of experience themselves in the new area. Blockchain is a perfect example – most service providers are themselves exploring what blockchain can do for their clients and vertical industries. My latest research into emerging blockchain services shows this, with most providers still in the early days of the blockchain efforts (see Exhibit 1).

Exhibit 1:


Christine's Chapel... Services Gospel
August 06, 2016 | Phil Fersht, Christine Ferrusi Ross


Christine Ross is Research Vice President, Strategy & Product Development, HfS Research

Anyone with a real history in the services industry will be familiar with the insights of one Christine Ferrusi Ross, who spent many years leading the services and sourcing practice for Forrester Research, during the firm's heyday. And in pre-HfS days, I used to enjoy meeting Christine for lunches when we would bemoan the state of the research analyst industry and what needed to be done to revitalize how analysts do research. Little did we realize back then we would be able to shake up the analyst industry together in an analyst firm not beholden to the whims of their paying suppliers and analysts confined to covering tiny slices of software markets. So when we got the opportunity to bring Christine, or "CFR" as her colleagues like to call her, to help shape our events and research strategies, it wasn't a difficult decision... especially when you hear her views about moving to outcome-based contracts.

Welcome Christine!  Can you share a little about your background and why you have chosen research and strategy as your career path?
