HfS Network
Christine Ferrusi Ross
 
Research Vice President, Security, and Blockchain 
Ariba And Everledger Want Blockchain To Help Supply Chains Become More Ethical And Make The World Better
March 23, 2017 | Christine Ferrusi Ross

Last summer I wrote about my desire to be a superhero – to help companies buy IT products and services ethically and help suppliers create new opportunities for themselves and their people. When people source ethically they can reduce a lot of bad in the world – child labor, human trafficking, working conditions that harm and kill people, and a host of other problems.

Yesterday at SAP Ariba Live, the software company announced that it was partnering with blockchain provenance firm Everledger to explore the use of blockchain across Ariba’s suite of applications. As a first step, the two companies are working on a track and trace (provenance) application.

 

Everledger CEO Leanne Kemp and SAP Ariba Senior Vice President Joe Fox discussed the application and broader blockchain implications at the event, talking about empowering an ethical supply chain. They see a future where using blockchain to track goods from their raw materials through their final delivery would help companies have visibility into the entire supply chain. This would then allow companies to avoid problems such as:

  • Counterfeit goods being swapped in for the original goods at some point in the journey
  • Unintentionally supporting illegal and unethical conduct by suppliers and other third parties involved in conflict minerals like blood diamonds because you couldn’t tell where the diamond originated
  • Being out of compliance with government or industry regulations because, related to the point above, you couldn’t prove that the product was made without conflict minerals or other illegal inputs

Undoubtedly, this announcement is a huge win for blockchain technology. It’s a major software company investing in a specific commercial application. It also reinforces the importance of provenance as a key blockchain “killer app,” coming soon after IBM’s announcement with Maersk that the two firms would work together to trace shipping containers. We’ve written before that provenance will get adopted faster than many fintech blockchain applications. These two deals show movement in that direction.

Even more powerful is the business and human story about making the world a better place. SAP Ariba’s and Everledger’s message of using blockchain to help business work more effectively AND to improve the lives of people is inspiring. It’s what technology is supposed to do, and we’re hoping to see more companies explicitly make corporate social responsibility a key factor in their technology decisions.

The Boston FinTech Showcase: Blockchain’s Slow Evolution Into An Enterprise Solution
March 09, 2017 | Christine Ferrusi Ross

This past Monday at the Boston FinTech Showcase over 300 people gathered to talk shop around emerging Financial Technology (fintech) and see demos from several hot startups in the space. There’s a lot of activity in fintech right now, demonstrated by the excitement around the event, which was at capacity with a waitlist.

There were startups for asset management, payments, analytics, and risk management, among others. And each startup had a point of view about how to transform fintech. There were also several incubators, investors, and corporate innovation groups. But what wasn’t there? Blockchain. (Author Note: Check out my colleague Reetika Joshi’s blog for a broader perspective on the technologies and solutions that were highlighted at the Boston FinTech Showcase.)

Last Fall, we looked at what’s happening with blockchain services in BFSI and found that the market was mostly still in the proof-of-concept (POC) stage. At the showcase, we talked to several innovation teams at big financial services corporations about their progress on blockchain and found that they’ve gotten past the research stage and are in development in some specific areas like payments/settlements (something that was also big in our research) and derivatives. They all pointed out that they picked areas where they saw ROI. In other areas, they decided that blockchain was not better than current or alternative solutions.

Investors echoed this perspective. Network costs, interoperability and switching costs, and first-mover costs of picking a platform that might not wind up as the industry standard were among the reasons they felt that adoption hadn’t progressed faster and why the business cases were stronger in specific areas like cross-border payments.

Bottom Line: Blockchain and fintech tend to get used together a lot as if blockchain was the major trend in fintech, but in fact, the two markets aren’t as intertwined as we’d expected. Instead, fintech is developing quickly in areas unrelated to blockchain, like analytics and automation. Meanwhile, blockchain is finding a foothold in some specific areas but isn’t the driving force in fintech.

We also think that this is further evidence that other applications like provenance (proving the origin and chain of custody of materials through a supply chain), anti-counterfeiting efforts and compliance reporting will overtake financial applications as the “killer apps” for blockchain, as HfS has written before. In fact, a recent study from Deloitte found this as well: its published results showed that 58% of consumer goods and manufacturing companies had already deployed or would deploy blockchain this year, compared to only 36% of financial services firms.

We’re going to keep digging further, as my colleague Reetika Joshi and I research blockchain’s evolution in BFSI and I kick off reports in supply chain-related blockchain applications. Stay tuned.

Overcoming Blockchain’s Obstacles to Adoption
February 21, 2017 | Christine Ferrusi Ross

Industry adoption is the biggest obstacle to blockchain becoming important in banking, according to 78% of participants in a study. Wait, what? It’s an odd data point to me, because adoption happens (or doesn’t) because of obstacles like cost and complexity. Slow or late adoption is a symptom of a challenge, not the challenge itself. So let’s take a quick look at what might slow or stall adoption, and what to do about it.

Blockchain is an element of “the platform revolution” that’s based on user economies of scale

Recently I had the chance to speak with Marshall Van Alstyne, co-author of The Platform Revolution and a professor at Boston University. He discussed the network and platform model of many new digital businesses like Airbnb. Airbnb is successful because it can exist and profit from user economies of scale instead of company-based economies of scale, according to Professor Van Alstyne. Essentially, this type of platform business allows users to create and share value themselves instead of relying on a company to create the value. The role of the business is to provide the infrastructure and support. While Airbnb doesn’t use blockchain as its base technology, the concept applies because firms can use blockchain as the basis of new platform-based business models.

Blockchain, with its design point of peer-based approvals for transactions and distributed ledger data storage, is a great example of a platform technology. It’s the enabler of a business that needs users to help define how it will scale.

What to consider in using blockchain as a platform for business

If blockchain can help companies build a platform business, what might slow or stall adoption? Professor Van Alstyne mentions a few:

  • Network ownership – who manages the network and gets to decide the rules? Is that owner in a position to run the network effectively?
  • Cost/transaction friction – how much does it cost to join or participate? And do you have to pay before you get value out? Can you design the network so participants pay only after they’ve gotten value to reduce the transaction friction?
  • Monetary policy (for financial transactions) – who or what agency is going to ensure the network isn’t too volatile? Who will ensure that there are guardrails to give users comfort that the system will have some inherent stability?
  • Standards – can players on different blockchain implementations work together rather than having to agree on the same implementation? Who creates and manages those standards to ensure adoption isn’t hindered by interoperability problems? A good example of how standards can help is in resolving issues like block sizes and network consensus time, both of which significantly hinder the speed with which transactions can be completed.

The end user is at the center of the platform-based business

Customer-focused businesses need to exist in an environment where user economies of scale have become the norm. That means the business needs to understand the user and the users’ needs; doing so will help identify and drive scale. And understanding the users and what they value, and how that then fits into a business model (addressing compliance, for example), can help drive the answers to the questions above. Rather than trying to scale internal operations like manufacturing, firms that adopt this customer-centric “Digital OneOffice” need to focus on user value and associated data. As Professor Van Alstyne points out, platform businesses can scale indefinitely because they don’t require internal company investment (beyond some compute power). Instead, platform businesses that use technology like blockchain can scale as quickly as user adoption grows because there are no marginal costs of that growth.

Going back to that study I saw – blockchain may not get adopted, but if it doesn’t, it’s because companies didn’t take advantage of user economies of scale and learn lessons from older network-based businesses like eMarketplaces.

Bottom line: Focus on solving the obstacles to adoption, not adoption itself – especially transaction friction and interoperability standards – if you want your blockchain implementation to succeed and move you forward in your digital transformation.

Ask the Experts: Security Gurus Offer Their Advice for Non-technical Buyers
February 09, 2017 | Christine Ferrusi Ross

A big challenge for sourcing specialists is needing to rely on security domain experts internally to judge provider quality. The internal team, already working on their day jobs, often doesn’t have as much time to devote to the selection and negotiation process as sourcing leaders want. It’s important for sourcing teams to get smarter about security themselves to lessen their dependence on domain experts for preliminary RFP screening and downselecting.

In our upcoming security services Blueprint, we asked the client references (themselves security experts) what advice they’d give non-technical teams on buying security services. Some of them are general sourcing best practices, and some are very specific to security. But they’re all important to ensuring the success of your security services engagement. Here are some of their key recommendations: 

  1. Make a map of your security landscape. You need to cover your bases regarding what kinds of security technology you’re using – endpoint, antivirus, etc. – so you can ask the provider about its expertise in each one. Ask in-depth questions about what kind of expertise it has with those tools, and look for specific clients and places where it can demonstrate the details of its experience. Have the provider pull it all together into a diagram and one vision so you can see it and make sure it matches your expectations.
  2. Communicate. A lot. How you interact with the provider will have as much bearing on the engagement’s success as the technical security. Make sure you’re not so focused on technical questions that you ignore challenges in communication. Remember the provider’s on its best behavior during the RFP process and it’s unlikely that communication problems get better after signing the contract. As one client reference said, “if the communication is good, you'll get it right 90% of the time.”
  3. Ask references about mundane details. Beyond the technology expertise, talk to references about what their daily experiences are like. Ask about little things like how quickly the provider answers emails and responds to questions that aren’t part of a service issue. Talk to people who have direct experience with the processes and skills you’re buying to make sure what the provider wrote in the RFP response is actually borne out in client engagements. For example, one client we spoke with mentioned a situation where its incumbent provider proposed expanding scope based on its process for innovation – yet the process described in the proposal looked nothing like the process the client experienced every day with the provider. So even tactical steps within a proposed process need to be explored.
  4. Weight flexibility and potential highly when grading. One client reference expressed sympathy for his sourcing counterparts: “It's hard to know what questions to ask and know how to evaluate the answers,” he said. But he then explained that evaluating a provider’s flexibility is critical to engagement success. He points out that flexibility matters because even if you ask the right question, your questions will change over the course of the work. So flexibility and potential capability are better than specific current capability that may not be relevant in another year.
  5. Pick a supplier that can meet you in the middle. It’s been a truism of outsourcing to hire for areas where you’re weak. But this often leads to provider teams that can’t effectively work with client teams because they have no common skill sets. One client pointed out that she relies on her provider’s ability to speak “business language” when discussing security. Can the provider talk about security from a business perspective or are they expecting you to translate their technical discussions for your stakeholders? What you really want is a provider that can go deep in the technology but still have a business discussion, while you’ll match those skills with your internal security experts and stakeholders.

Bottom line: Don’t be intimidated by the lack of deep technical security knowledge. It’s important to bring in domain experts as much as possible, but sourcing teams can dramatically improve their own efforts by making sure they focus on the business side of security.

Make Sure Your Managed Security Services Provider Keeps Current With Your Changing Security Posture
January 26, 2017 | Christine Ferrusi Ross

A company’s security posture changes often. The change can be company-created, for example, by opening an office in a new geography or entering a business with different regulatory requirements for data protection. Security posture also changes as new threats like previously unknown malware emerge, and more sophisticated techniques for hacking evolve.

When engaging a managed security services provider, it’s tempting to believe that keeping up with changing security posture is “being handled” by the provider. But is it?

Providers Often Forgo Innovation For Operating Efficiency

A very common complaint among outsourcing and managed services clients is that the providers rarely suggest changes unless the client brings them up – unless, of course, that change benefits the provider’s ability to run the process. In security environments, this heads-down approach goes beyond ineffective – it can cause significant damage to clients as threats and mitigation options change quickly.

Yes, providers generally do a security posture assessment before beginning the engagement. However, in our current blueprint research we found little evidence that providers re-assess security posture formally during the ongoing engagements. 

Recently, in fact, we even heard of one provider that regularly discovered threats in a client environment but didn’t report them to the client because the particular threat types were out of scope of the engagement. The client found out only months later, and by accident, about the omissions.

Even with such egregious scenarios of intentionally not alerting the client, many providers miss threats. They miss them because they’re not looking for them and their analytics engines aren’t detecting new patterns.

Be Proactive With Incident Monitoring And Reporting

There are many ways you can work with your managed security services provider to ensure that changes to your security posture are being addressed. From most quickly implemented to longest, here are some actions you can take:

  • First and foremost, monitor news and trends in security and threat intelligence. Don’t wait for your provider to flag new threat types to you.
  • Be proactive in asking questions about changes and new threats. Sometimes even a quick email asking the provider about a new ransomware technique that you read about will spur discussion about making changes to the service scope.
  • Include security market changes and news as part of monthly meetings. Make it an agenda item to discuss what’s happening in the market. And build into the provider’s mindset not to wait for the regular meetings to bring up new events.
  • Expand the scope of your engagement to include regular security posture re-assessments. This can depend on your industry and other factors, but it might be quarterly, semi-annual, or annual.
  • Include a new engagement metric on the provider’s ability to find and address new threats. The provider’s ability to keep your data and organization protected from threats even as those threats change needs to be part of the provider’s success metrics if it isn’t already.

Bottom Line: Don’t let inertia set in on your security managed services engagement—make sure your engagement includes specific, proactive approaches to staying current with your security posture.

Talking Blockchain Business Models and Network Ownership With HCL
January 20, 2017 | Christine Ferrusi Ross

Since we published our first report on blockchain, we continue to talk to players in the industry about how this fast-moving market is changing and growing. Compared to last year, there’s more discussion about security and privacy (evolving from the “blockchain is unhackable” talking point that was popular last summer), there’s more talk about non-financial examples like using blockchain to help with supply chain compliance issues, and a hunger to get beyond POCs into valuable operational execution.

Recently we spoke to Santosh Kumar, Rob Ellis, and Mani Nagasundaram from HCL about blockchain trends. HCL shares many characteristics with the players we included in the report, such as:

  • Basing its blockchain expertise within its financial services practice
  • Building expertise in some key industry hot buttons like international money transfer, asset tracking, and trade operations
  • Creating POCs with global banks like one HCL did on cross-border money transfers across subsidiaries
  • Exploring partnerships with several key blockchain technology vendors like Ethereum and ERIS Industries

Regarding trends, HCL sees a lot happening in security and privacy, as well as regulatory agencies stepping up to help businesses form some governance policies around blockchain. We’ve seen in the past few months that while maybe the blocks in the chain aren’t hackable per se, there have been identity thefts, fraudulence, and further concerns about public blockchain networks.

The HCL team notes that transactions are well executed in blockchain, but identity validation and asset validation are less mature. And valuation of assets still needs to happen in the real world, so they caution against over-optimism in moving quickly to broad blockchain adoption.

Also, adoption may be slowed down until we can answer the key question, “who owns the network?” HCL’s current thinking is that there’s likely to be one or two per industry and that moving or crossing networks will be difficult. (HfS agrees that network interoperability is a big problem; see my prior blog on network interoperability issues.)

They also believe that maturity in blockchain comes in three phases and that blockchain mirrors the Internet itself in this maturity curve:

  • Operating business processes better with blockchain
  • Changing operations using blockchain
  • Using blockchain to create new business models, processes, and activities

When you get to the discussion of new business models, HCL has a few scenarios that they share (see Exhibit 1 for an example). We like HCL’s ability to explain not just the technology ins and outs, but also blockchain’s impact on business. In the blueprint guide on blockchain, we scored providers highly on innovation when they have strong business stories and the ability to demonstrate blockchain’s potential to prospective clients.

Exhibit 1: HCL’s Blockchain Ecosystem Example

Source: HCL, copyright HCL

Bottom Line: 2017 will be an important validation year for blockchain

As HfS continues to research HCL and its competitors, we’re looking for the following in 2017:

  • Movement beyond POCs into live implementations
  • An example of inter-company blockchain work (remember, most POCs right now are intra-company, which is why the network question didn’t come up much this year)
  • Some hardening lines in the partnership area as the winners and losers on the technology side become clearer and providers get pickier about which vendors they bring into client engagements

Trump Intel Story: A Stark Example Of A Predictive Security Management Dilemma
January 13, 2017 | Christine Ferrusi Ross

This week the Internet blew up based on news that Intel officials briefed President Obama and Donald Trump on the possibility that Russia had information on Donald Trump that was damaging to him personally and might even have implications for the entire US government. (And while one never expects a hashtag like #goldenshowers to trend on Twitter, the feed was hilarious.)

Politics aside, this story is a textbook case of problems with being proactive with threats. Notice: I wrote “threats” not “events” or “incidents” because the incident hasn’t happened yet, there’s just a high potential for it to be true and for it to happen.

You get lots of finger pointing in hindsight. The common question is “what did you know, and when did you know it?” Because, after something bad happens, anyone who knew of the potential for the event comes under fire for not saying something sooner, not being more forceful if in fact they HAD said something, and for not doing something to stop it from happening. The fact is something happened and someone has to somehow get blamed.

And in the Trump intel story, you see the opposite of that, with everyone retreating to respective political corners, defending or dismissing the intel reports based on emotion and personal perspective. And now that everyone’s already picking sides, it will be that much harder to make the right decision on how to treat the threat risk. So, how do you ask the right questions and take action in time to avoid the impending threat?

Here are the questions predictive security and risk management brings:

  • When do you flag a threat to executives? It’s important to have a policy in advance so there isn’t confusion later. It could be anything from “a risk has been increasing steadily for the past 3 months” to “a risk increased very quickly in a short period” or a similar idea. When you raise the flag may have a drastic impact on which actions you take to address the threat, since risks are often time sensitive.
  • How much do you tell them? Even if you’ve decided to tell executives, you must decide how much information to give. Too much detail and you may panic them unnecessarily, too little and they may not appreciate the implications of the threat. This question is usually harder to answer than the first one.
  • What do executives need to DO because of the rising risk? Another tricky area: what do you propose be done about the threat? Wait it out and seek more confirmation? Deal with it proactively, even if there’s potential for the threat to not happen? Take interim steps? This is the most important question to be answered when talking about predictive security management.

Focus Predictive Security On Remediation Not Reporting

We don’t know what advice the intel team gave to the government leaders, but we do know there are a few general ways you can deal with a threat or risk:

  • Accept the risk and go on with what you were doing. Sometimes there’s not much that can be done – or worth doing. For example, there could be a heightened risk of a terrorist attack, but you don’t want to be seen as weak and encourage the attackers further, so you choose to ignore it, safe in the knowledge that airport security is already prepared for such a threat.
  • Try to remove or reduce the risk. In a political context, it might involve finding the people who are informants and stopping their ability to keep helping the other government. In a corporate setting, it might involve cutting a contract with a supplier you think has illegal dealings, for example.
  • Make a strategic bet to increase the risk. In a political context like yesterday’s story, increasing a risk strategically could involve cutting diplomatic ties, mobilizing troops or invoking sanctions, among others (these increase risk because they may cause the original threat actor to escalate further or move more quickly with the original threat.) In a corporate context, an example would be to work with a startup vendor even though you know it’s a highly risky supplier because that vendor has some amazing new technology that you want to use.

Unfortunately, if you didn’t have a remediation plan in place BEFORE the risk became likely, you’re facing much more confusion about what to do and even whether to do anything at all. This puts your company at risk and in fact, negates the value of having predictive security capabilities.

Bottom Line: Security professionals need predictive security management and prescriptive treatment plans to protect their firms from looming threats.

Security teams need clear treatment plans that address potential risks and how to mitigate them. As a simple example, if there is a threat of insiders giving information to third parties, then the remediation plan would involve something like “when someone downloads more than one file they don’t normally access, that person’s manager must ask why the person needed those files within 4 hours of the download.” Without this proactive treatment planning, companies likely do nothing and then get harmed even by risks they could have addressed.

 

Getting The “A” Team From Your Provider – Or, More Realistically, Getting The Team You Deserve
December 22, 2016 | Christine Ferrusi Ross

My colleague Mike Cook and I are in the middle of a blueprint on Managed Security Services, and as we talk to client references and review provider information, I’m reminded again about how difficult it is for clients to feel like they’ve really gotten the best possible team for their engagement, based on their investment outlay.

You might be disappointed with the quality of your team, and maybe you think it’s because it isn’t as good as you thought. Maybe they oversold their capabilities or flat-out lied about what they could do. While this is possible, in my experience, it’s more likely that clients confused the provider’s corporate image with the capabilities of the specific delivery and account team on their engagements. A provider’s capabilities are never evenly distributed across the entire company and the reality is that some delivery people are better than others. Plus, providers can often be very crafty with how they allocate their best and brightest to their clients.

A while back, I was at an event, and chatting with several vendor executives. A vendor management person from a buyer client that we all knew came over and started chatting. He looked at the company names on everyone’s badges and mentioned that his company worked with every provider represented there. Then, company-by-company, he pointed at each one and said things like “Yup, we hate you guys. We’re suing you. Your team is terrible. You never give us good people.” That broke up the circle quickly as everyone made excuses to move to other conversations!

And afterwards, two things stuck with me: the first was that buyer getting up as a speaker at the event to talk about creating shared value and better relationships with suppliers (I kid you not!). The second was one of the providers sharing with me privately his frustration with that particular buyer, saying “he wants the ‘A’ team, but he’s paying for the ‘C’ team. And even still, all he talks about is cutting our rates in the next negotiation. Why would I invest in a client like that?”

This story highlights several reasons that a company may not get the “A” team from a supplier that have nothing to do with the supplier at all:

1. You aren’t mature enough. Providers can tell what your internal team is capable of – both for execution and understanding. A supplier won’t give you “A” level resources if they think you can’t appreciate the value. Now, of course, the question is “if you can’t tell the difference, how do you know it’s not the ‘A’ team?” And the answer is, you probably can’t put your finger on it but you’re vaguely unhappy and realize things aren’t progressing the way you want even if you don’t know why. Smarter clients get smarter teams.

What to do about it: This one starts with increasing your own expertise first so you can ask better questions, understand the answers better, and make your own suggestions of how to remediate so you can have productive discussions with the provider. When the provider sees that you know what you’re doing, they’ll give you better resources. In the story above, you wonder why the company was suing a provider – that’s the kind of thing that happens when you didn’t scope properly or weren’t smart enough to ask for the right things.

2. You’re cheap. I hear this one a lot. As a client, you’re complaining that you got the “B” team. But when you look at your rate card, you’re getting “C” team pricing. You may even have gotten the “C” team instead of the “B” team. This is exactly what frustrated the provider executive in the story – he was delivering better resources than the client paid for and yet the client wasn’t grateful; instead, the client only complained that the resources weren’t good enough!

What to do about it: If you pay for the “C” team and got the “B” team, be happy. You’re doing better than most others in your situation. If you’re paying for the “C” team and actually have the “C” team, then you need to have a discussion internally about what your goals are. Maybe you’re actually ok with the service you’re getting and the complaints are just water cooler venting. If you’re actually having a delivery problem, then you need to look at increasing what you’re paying or changing the delivery model. You can change a delivery model by seeking to automate some part of the engagement and paying a little more for the resources you’re keeping.

3. You’re a bad client. Maybe you complain about things that aren’t actually wrong. Maybe you blame the provider for problems that really resulted from your internal team. Maybe you constantly want things that aren’t in the contract and get mad when you don’t get them. There are lots of variations on this theme. Here’s the thing: no one wants to get abused at work, and top talent doesn’t have to put up with bad behavior. They’ll get switched to better clients. Or, worse, you HAD the “A” team and you beat them down until they’ve devolved into “C” quality work. While I don’t know the inner workings of the buyer’s organization, I can tell you that in this conference setting where providers normally love the chance to socialize with their buyer clients, providers avoided this person at all costs. That speaks to the poor relationships this person built.

What to do about it: Of course, if there are legitimate problems with the provider’s work, address them. But if the problem is really your team, then fix your internal situation. You can train your team to address challenges differently, swap your internal provider liaison or even fire staff that are creating a bad environment. You definitely need to get realistic about your expectations of the engagement. Then let these internal changes get demonstrated to the provider staff to show them you’re no longer the client from hell.

4. You’re not important. Sometimes you can be a great client from all sides – you pay well, you’re a pleasure to work with, and you have interesting work. But maybe you aren’t a big client, or you’re not a brand name, or you in fact have a weak brand (the “loser” in your industry?). The provider is likely putting top talent onto clients that spend a lot of money, that have brands with star power, or that they use as client references. In the story above, the client was important in its industry but had a reputation as a bad place to work, so there wasn’t the “star power” that often comes from a well-known brand.

What to do about it: This one’s trickier than the rest, because the only way to really fix it with your existing provider is to spend more money until you’re a bigger and more important client. Sometimes you can fix it by being willing to be a reference client: tell your account team that if they fix the talent situation, you’ll agree to be a reference for future prospect or analyst calls. However, if you’re willing to go through a transition, you can solve this one by switching providers. You can look for a smaller provider so you can become a “bigger fish in a smaller pond” or a player who specializes in your industry so your brand becomes more important to that provider.

The Bottom Line: You’ll only be satisfied with your service providers when you deal with your own responsibilities to the engagement.

Get more realistic with your expectations based on the factors above and decide what’s good enough for your needs. Hold the supplier’s feet to the fire, but do the same to your own team. Addressing these internal issues will give you more value from your existing deals and also position you better for future work with your key suppliers.

New Year’s Resolution For All Of Us: Put More Business Into Our Security Discussions
December 15, 2016 | Christine Ferrusi Ross

Security’s a hotbed of complexity – many different kinds of threats, technology that’s evolving all the time, and businesses can’t keep up. Changing standards and incredibly complicated threats make most non-technical buyers either throw the problem over the wall to their technology team (and miss out on the value of a business-led security approach) or their eyes glaze over at the mere mention of security and never really give it the attention it requires.

And what’s worse is that this complexity isn’t getting better, it’s getting worse. That’s why we all need to get over our apprehension, fear, boredom, and whatever else is keeping us from really understanding what we need to do in security. The best way to do that is to keep a business-value focus on it, making sure we learn what we need without digging too deep into the weeds and getting frustrated.

Bridge the divide between the highly complex and the need-to-know by focusing on three core, interrelated areas:

  • Digital trust: Your ability to succeed in the digital environment requires that your trading partners (customers, suppliers, external stakeholders) trust you to be ethical, legally operating, and practicing up-to-date security procedures to protect their data and IP. If others start to doubt your ability to secure your own data or theirs, you are dead as a business. It’s pretty simple as a concept and amazingly complex when executing.
  • OneOffice: Digitization and the renewed rise of customer-centricity mean that the wall between back office and front office has collapsed – everyone in a company is customer facing in this age where customers have significant visibility into our internal operations. That means your security policies, procedures, and risk approaches need to be brought up from the basement and shared across your entire organization.
  • Shared responsibility: Security isn’t just something you worry about within your four walls anymore. As data and IP get shared across trading partners, the need for a shared view on securing digital assets becomes critical. Everyone in a trading network owes the other members a secure environment, so sharing accountability for security will become the new normal.

We started our security resolution early by publishing new research that defines the eight prerequisites of digital trust, including data integrity, business alignment, and device security, among others. And then we’ll be building on that by publishing our findings on how well service providers can help clients with managed security services for digital trust in February 2017.

Don’t be intimidated by security challenges; put them in the context of your business and make progress toward digital trust. Here’s to a secure, business-focused 2017!

Blockchain Brings Us Into The Future, But Only After It Drags Up The Past: Interoperability Becomes An Actual Issue Again
December 05, 2016 | Christine Ferrusi Ross

Remember eMarketplaces (also called Supplier Networks)? They were networks of suppliers and buyers where the goal was to make information sharing easier by standardizing and consolidating platforms, products, prices and policies. In many cases, clients got in “free,” but they still had to pay for some integration cost. Suppliers had to pay to be part of each network, and most clients each used different ones, making it expensive and complicated to decide which networks to join.

As a buyer, you could try to insist suppliers join your preferred network, as long as you were a big enough client, or if you were willing to pay the supplier’s connection costs. As a supplier, you had to decide which networks were important to belong to, either because a lot of clients used them, they catered to specific industries, or offered some other unique benefit.

These supplier networks were a great idea, but the practicalities of connecting everyone were a big headache, and very few of these eMarketplaces survived. Many of those that did survive were bolted on to procurement apps. Without a way to make the networks talk to each other and give trading partners on different networks a way to work together, eMarketplaces achieved some limited value for customers, but ultimately failed to deliver the game-changing impact they envisioned with these “super networks” that never quite materialized.

In the example above, go back and replace the word “eMarketplace” with “blockchain.” Minus some of the details, it’s pretty much the same problem we’re all about to face today, as companies struggle to understand where, why, and how they can get the most value from blockchain implementations.

When we researched blockchain this past summer, we found that almost all POCs and client examples were focused on internal operations – transferring funds across business units in a bank, for example. Yet, the foundation of blockchain is creating exponential value from a collaborative and engaged peer-to-peer network.

Everyone’s experimenting, and there are a lot of technologies and validation/authentication options being used and explored. There are also no standards at the moment, so everything’s getting siloed into one-off projects. Are you starting to see where the eMarketplace experience gets echoed?

Let’s say you’ve chosen a blockchain technology and an authentication approach that you’re happy with and that work for your needs. Now you want to expand your execution of blockchain to connect with partners.

Your partners likely made different choices. They may have stricter authentication approaches than you use. And each trading partner’s blockchain implementation is different from everyone else’s, so you need to connect to each one using a separate connector, or you choose to get onto their blockchain. And then you have the initial cost of integration, plus compute costs. And blockchain often isn’t efficient with compute power, so connecting to multiple systems is more expensive than you might initially think.

And, of course, the market’s so new that we also don’t know how much cement we’re pouring when we build blockchains. We do know, for example, that no transaction or other data in the blockchain can get erased. Once it’s there, it’s there forever. But, what if we decide to switch to another network or technology? We don’t know the costs of switching from one network to another if we have a lot of data sitting in the blockchain.

In our blockchain guide for BFSI, we recommended that you start talking to trading partners, because the real value comes from using blockchains outside the walls of your company. And this issue of linking networks makes that recommendation all the more important.

Bottom-line: Make sure you fully understand the broader network of partners impacted by your blockchain options

Here are some questions to start asking trading partners (and yourself, if you haven’t already):

  • What validation/authentication approaches are you considering?
  • Which blockchain technologies do you like and why?
  • What criteria do you want to use to approve new members to join a network?
  • Who pays, if someone wants to join the network? What if we want them to join? Will we pay only for integration costs or other longer-term costs like the compute power needed to process blocks?

If you have thoughts on this, or know of companies who are already working on the interoperability problem, tell us. We’re always looking to talk to more people about what’s going on in the space.