HfS Network
Christine Ferrusi Ross
Research Vice President, Security, and Blockchain
WannaCry emphasises the dire need for automation and cognitive in security
May 16, 2017 | Christine Ferrusi Ross

This is me jumping on the bandwagon with an opinion about the global WannaCry ransomware attack last Friday. As of my writing this, the attack has hit over 200,000 victims, including companies, hospitals, universities, and other groups, in more than 150 countries, according to Europol. It’s been headline news.[1]

While bandwagon jumping generally has a bad connotation (doing or supporting something just because it’s hot at the moment,) security is one of the bandwagons you should proactively jump on. Right now. Really.

Security tools, services, articles, etc. are all popular because security attacks are popular – and increasing. So yes, if in the past you thought your passive following of whatever standards were placed in front of you was good enough, you need to break out of that rut and get proactive. Too often, standards aren’t keeping up with the changing threat landscape. You need to constantly search for new security tools, skills, and services to help you protect your firm, your employees, and your customers to achieve digital trust in the market.

In fact, the recent attack only brings findings from HfS’ recent Managed Security Services Blueprint into clearer perspective. We heard from both providers and security executives that effective security programs shared key characteristics:

  • Automation everywhere possible. There are too many threats and attempts for your security team to monitor them without automation – you’ll never collect the necessary data manually. Your automation investments need to include appropriate analytics to evaluate and find patterns in the data so your team can take appropriate next steps.
  • Investment in cognitive computing. Predictive analytics and cognitive computing investments for tomorrow aren’t negotiable. Today’s environments can collect and analyze, but you also need to be focused on systems that learn from current data to build predictive models and help you prevent attacks, not just respond to attacks as they happen.
  • Focus on employees and the human element. This takes two tracks: 1) Educate employees more often and more consistently about phishing and other techniques that attackers can use to get credentials and other sensitive information from workers to attack company systems. And 2) keep your security team’s skills up to date. The talent shortage in security is exacerbated by the skills gap – staying current on all security trends is daunting but necessary. And security teams are so overwhelmed already that it may seem they don’t have time for training. It’s time to evaluate your hiring and training for security to look for ways to bring in non-traditional talent and get them up to speed faster to ensure you’re protected.

Bottom Line: Treat security as your business, not as an enabler

Without effective security your business won’t survive – either your company systems will be brought down, or, more likely, customers won’t want to do business with you if they see you as a threat to their own information security. The WannaCry ransomware attack is another proof point that security threats are increasing in number, scope, and scale. Jump on the security bandwagon and follow the practices of leading-edge security practitioners for effective programs.


[1] A few of the news stories include:

https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html

http://www.bbc.com/news/technology-39924318

https://www.cnet.com/news/watch-wannacry-attack-geography-in-real-time/

“Igniting Innovation”: KPMG features an experiential approach to digital transformation in its Analyst Day
May 05, 2017 | Christine Ferrusi Ross, Barbra McGann, Melissa O'Brien

Just about 90% of CEOs who participated in a KPMG survey are concerned with the issue of changing customer loyalty, and the majority believe their company’s current products and services won’t be relevant to current customers in 3 years. That means they need innovation – now. They see technology (often referred to as “digital”) as an opportunity to move, but 85% of the surveyed CEOs feel they don’t have time to think about disruption and how to respond to it with innovation. This set the scene for KPMG’s recent Analyst Day in Boston. KPMG looks to bring purpose and passion to helping clients succeed in making innovation part of the core of their businesses – through a diverse workforce, solutions, and collaboration.

With this backdrop, four themes stood out to us during the day about how KPMG is working with its clients:

  1. A vision for “OneOffice” – work designed to address customer needs using “digital labor” and systems. Digital transformation is (finally) moving from the front office (customer touchpoints) to include the middle and back office (business functions and transactions) – and the conversation is moving from “how do we use ‘digital’” to “what problem do we want to solve for our customers and how do we use the possibilities of talent and technology to do it.” At HfS, we refer to this concept as “OneOffice™” – the need for businesses to break down silos in their organizations to create more effective data flows and workflows for business outcomes, so this theme resonated with us.

As we are focused on “making it real” and providing examples of where it is happening, we appreciated the story that KPMG told about a client it worked with to map out the customer experience. They registered a number of customers on an app, and these customers recorded their experience in real time, as did employees. KPMG captured the data in its Pathfinder tool and used it as input during a journey-mapping session with employees from across the organization, front and back office, including a finance director, a customer service manager, and a valet. They talked through the points in time when customers and employees had a poor experience and came up with ideas that were then prioritized for addressing through the client’s own innovation management approach. What stands out here is the breadth of people included in capturing the experience (customers and employees from different business units and IT) and the way the experience was captured (an app, in real time), which led to in-person workshops to map out various customer journeys and an action plan.

Additionally, staying true to the “embedding innovation” theme, KPMG trained a number of employees in departments throughout the client on the design thinking principles and methods used in the initiative. These people are networked as a center of excellence (COE). The team also has access to an analytics tool to continue to capture and analyze data on their journey.

2. A focus on defining and enabling the evolving role of workers and work. “Even in a digital world, humans are still the most important investment, the secret element of our brands, and the magic asset in the company,” said Robert Bolton, capturing the tone of the day. One example of a workforce transformation in progress was launched when a client started a discussion about the size and shape of the workforce of the future. This has led to questions such as “How do you know you have the right size?” “How does it have to change because of the advent of RPA and artificial intelligence?” “What is the impact on entry-level jobs and the way those jobs provide a launching pad for careers?” “How does it impact learning, training, career paths?”

KPMG is not just working with clients to address these questions but shared its own experience in a changing workforce through the use of digital labor. For example, instead of having new hires who are eager, smart MBAs do mundane and repetitive audit work while they “pay their dues,” KPMG is able to automate much of that work and provide a more stimulating and challenging role for the talent they’re bringing on board.  It’s changing the culture and employee work allocation models.

This area of “digital labor” is one that the shared services and outsourcing group at KPMG is hearing a lot of questions about as well, according to the group’s global head, Dave Brown. Digital labor and cognitive are at the forefront of activity in evolving operating models and defining who (or what) does what. “Digital labor, simply put, is another form of outsourcing,” said Dave Brown.

3. Innovation starts with culture. Innovation needs to be a way of working in companies – it can’t just be siloed in one department or area. Key features of a culture that embraces innovation include diversity – of workforce and partner ecosystem; collaboration; and experimentation (these are also principles of design thinking). Having a culture and environment where it’s “OK to fail” is also a linchpin of innovation. To provide a “space” and showcase for innovation, KPMG has broken ground on a new facility in Orlando to serve its clients and train its workforce through a multidisciplinary, hands-on, collaborative, high-tech experiential approach. And it’s partnering with the academic community to help develop (via technology, data sets, and case studies) the future workforce during the university years – for example, combining soft skills like teaming, collaboration, and critical thinking with critical technology skills for analytics and the subject matter expertise of accounting.

4. Deep investments in software to improve and automate complex processes. KPMG’s Spectrum unit created several “business intelligence engines” to automate and analyze complex corporate processes like third-party risk, contracts, and regulatory compliance such as Automatic Exchange of Information (AEOI). Beyond Spectrum, other tools KPMG discussed at the event include KPMG Digital Responder, for security threat discovery and analysis, and its KPMG FIRE regulatory reporting automation tool. While the KPMG teams mentioned a number of tools and IP throughout the day, and showcased a handful, a little of it felt “mysterious” – they were referenced by name and not explained or shown. These days, when everyone is still exploring what digital really can do for them, showcasing case studies and tools can be really impactful in getting the message across.

What does this mean to you?

Digital transformation and innovation continue to dominate corporate boardrooms as buzzwords. But actually implementing them requires a lot of complex, detailed decisions that spur significant changes to the ways companies operate every day. What’s impressive about KPMG’s message is the firm’s ability to talk at the 100,000-foot strategy level but then dig into the last-mile delivery details.

For clients that already work with KPMG, if you’re not seeing the kinds of messages the firm presented at the analyst day, then it’s time for a meeting with your account team. Talk about how some of KPMG’s new (and even not so new) techniques are being, or could be, applied to your engagement. Don’t take it for granted that your account team will automatically propose new ideas, so be proactive in asking for innovation.

For non-clients, take a look at Spectrum and other KPMG tools as stand-alone solutions. The Spectrum team told us they do sell the tools separately – they don’t just get embedded into larger services deals. This gives you the opportunity to get access to KPMG IP and operational expertise without having to exit any existing services engagements you have in place.

For an organization that candidly admits it was on the slower end of developing a stake in front office, its recent investments and acquisitions (a whopping 51 in the last 3 years) show that it’s quickly catching up, and also tying together the concepts of front, middle and back office nicely and in a forward-thinking way.  Using their own interpretation of OneOffice, KPMG is forging ahead to help clients (and itself) break down the legacy barriers to become more intelligent and responsive client-centric enterprises.

Dealing With Failed Attempts On A Blockchain Application: Security And Fraud Prevention Questions To Ask Your Vendors
May 05, 2017 | Christine Ferrusi Ross

A client asked me recently what happens to attempted transactions that are unsuccessful and do not go through. Does a blockchain implementation capture that data anywhere? The answer, barring the potential of some apps I’m not aware of, is no. Blockchains record completed transactions; an attempt that a node rejects before it ever reaches a block (bad signature, wrong nonce, insufficient funds) just goes back out into the ether and leaves no trace on the chain. One caveat: a transaction that is included in a block but fails during execution is a different case. On Ethereum, for example, it is still recorded on the chain (and still pays gas) with a failed result, so that category can be found after the fact; the pre-inclusion rejections cannot.

From a technology and business operations perspective, this isn’t a big deal. The system works just like it’s supposed to work. But if you’re interested in capturing data on failed transactions so you can monitor for fraud threats or do a forensic investigation if someone manages to execute a fraudulent transaction, then you’ll need a way to capture, store, and analyze the failed attempts.

Also, we need to distinguish a couple of points about blockchain security: 1) In this blog we’re writing about failed transaction attempts, not hacking attempts. Managed security services provider SecureWorks told me, “Hacking attempts are not the same as failed transaction attempts. Security systems don't often monitor failed transactions in blockchain just as they don't track failed attempts to use credit cards. The credit card systems capture that data about failed attempts." 2) We’re writing about individual failed transactions that one particular company would care about, not about network-level misbehavior. Ethereum, for example, simply rejects invalid blocks, so a participant who tries to push one onto the network gains nothing and wastes the work of producing it, which discourages that behavior. Also, at the network level, there isn’t a need for a system to capture failed attempts across all participants, only the ones that pertain to one participant, because a company wants to track how many times another party has attempted a fraudulent transaction specifically with it, not with all participants.

In essence, a failed transaction in this context is when someone uses stolen or fake credentials to try and create a transaction. This is the same as, for example, someone who uses stolen credit cards – sometimes successfully and sometimes unsuccessfully. It’s not a hacking attempt in the way security professionals think of them. But for those transactions that fail, companies might want to keep track and determine if any further action is needed, depending on the nature and criticality of the process. Actions could include suing the person or company attempting the fraudulent transaction(s) or changing some of the smart contract business logic to prevent such attempts in the future. 

This leads us to the crux of the matter: you can’t expect your security team to protect you from threats they’re not able to detect. Instead, detection and monitoring of failed attempts need to be built into the application or integrated at the application level. Then your action plan should follow similar action plans that you follow with other applications regarding attempted transactions.
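The following is an added example of what “built into the application” can look like, not code from the post or from any vendor it mentions. It puts a small gateway in front of a toy ledger: attempts that pass validation are appended to the ledger (standing in for “on chain”), and every rejected attempt is written to a separate off-chain audit trail with the claimed sender, the source, and the reason, so the application can later count repeated identity failures per source. Everything is a constructed stand-in: the ledger is a list, signing uses an HMAC over a per-account shared secret in place of a real public-key signature, and the account names, balances, and source addresses are fabricated.

```python
"""Application-level capture of rejected ledger transactions.

Added example (not the post's or any vendor's code). The ledger, the
HMAC-based "signature", the accounts and the sample attempts are all
constructed stand-ins. It demonstrates the point in the post: the ledger
only ever sees accepted transactions, so a record of rejected attempts has
to be kept by the application in front of it.
"""
import hashlib
import hmac
import json
from collections import Counter
from dataclasses import dataclass, field

# Assumed registry of per-account signing secrets (stand-in for public keys)
# and assumed opening balances. Both are fabricated for the example.
SIGNING_KEYS = {"acme": b"acme-secret", "globex": b"globex-secret"}
INITIAL_BALANCES = {"acme": 100, "globex": 50}


def canonical(tx: dict) -> bytes:
    """Serialise the signed fields deterministically so signatures are stable."""
    body = {k: tx[k] for k in ("sender", "recipient", "amount", "nonce")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(tx: dict, key: bytes) -> str:
    """HMAC over the canonical transaction, standing in for a real signature."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


@dataclass
class Gateway:
    """Validates attempts before they reach the ledger and records every rejection."""
    ledger: list = field(default_factory=list)       # accepted: the only thing "on chain"
    rejections: list = field(default_factory=list)   # off-chain audit trail kept by the app
    balances: dict = field(default_factory=lambda: dict(INITIAL_BALANCES))
    _last_nonce: dict = field(default_factory=dict)

    def submit(self, tx: dict, source: str) -> bool:
        """Apply the transaction if valid; otherwise log why it was refused."""
        reason = self._validate(tx)
        if reason is None:
            self.ledger.append(tx)
            self._last_nonce[tx["sender"]] = tx["nonce"]
            self.balances[tx["sender"]] -= tx["amount"]
            self.balances[tx["recipient"]] = self.balances.get(tx["recipient"], 0) + tx["amount"]
            return True
        # The ledger keeps nothing about this attempt; record what fraud
        # monitoring and a later forensic review would need.
        self.rejections.append({
            "claimed_sender": tx.get("sender"),
            "recipient": tx.get("recipient"),
            "amount": tx.get("amount"),
            "source": source,
            "reason": reason,
        })
        return False

    def _validate(self, tx: dict):
        """Return None if the attempt is acceptable, else a short rejection reason."""
        sender = tx.get("sender")
        key = SIGNING_KEYS.get(sender)
        if key is None:
            return "unknown sender"
        # Check the signature before anything else so a forged identity is
        # reported as such rather than as a nonce or balance problem.
        if not hmac.compare_digest(str(tx.get("signature", "")), sign(tx, key)):
            return "bad signature"
        if tx["nonce"] <= self._last_nonce.get(sender, 0):
            return "replayed nonce"
        if tx["amount"] <= 0 or tx["amount"] > self.balances.get(sender, 0):
            return "insufficient balance"
        return None

    def suspicious_sources(self, threshold: int = 3) -> dict:
        """Sources with at least `threshold` identity failures (forged or unknown sender)."""
        counts = Counter(
            r["source"] for r in self.rejections
            if r["reason"] in ("bad signature", "unknown sender")
        )
        return {src: n for src, n in counts.items() if n >= threshold}


def demo() -> Gateway:
    """Constructed sequence: one honest transfer, a replay, then four forged attempts."""
    gw = Gateway()
    good = {"sender": "acme", "recipient": "globex", "amount": 10, "nonce": 1}
    good["signature"] = sign(good, SIGNING_KEYS["acme"])
    gw.submit(good, "10.0.0.5")   # accepted
    gw.submit(good, "10.0.0.5")   # same nonce again: rejected as a replay
    # Someone who knows acme's account name but not its key keeps trying.
    for i in range(4):
        forged = {"sender": "acme", "recipient": "mallory", "amount": 5, "nonce": 10 + i}
        forged["signature"] = sign(forged, b"wrong-key")
        gw.submit(forged, "203.0.113.7")
    return gw


if __name__ == "__main__":
    g = demo()
    print(len(g.ledger), "accepted;", len(g.rejections), "rejected")
    print("sources to investigate:", g.suspicious_sources())
```

The design choice worth noting is that the audit trail and the ledger are separate stores with different retention and access rules: the ledger holds only what the network agreed to, while the rejection log is the company’s own evidence about who tried what against it, which is exactly the data the post says the chain will not hold for you.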

Bottom Line: As you experiment with blockchain and do some proofs of concept, make sure to ask your application vendor AND your blockchain services provider about blockchain security around failed attempts.

Here are some questions you can ask:

  • What’s your perspective on security considerations regarding failed transaction attempts?
  • Do you have any capability to detect and analyze failed transaction attempts? If not, why not?
  • What recommendations do you have to reduce fraud in your blockchain-based implementations and how are they different from recommendations for other kinds of applications?

Simplify Blockchain by Refusing to Let Interoperability Issues Bog You Down
April 18, 2017 | Christine Ferrusi Ross

We’ve previously written about how interoperability will hold back blockchain adoption, at least until we can find ways around the problem. The cost and friction of joining multiple blockchains may hinder widespread adoption until we can figure out how to get them to talk to each other and reduce the cost of joining a blockchain implementation. However, recent thinking suggests there are some shortcuts we can take to make better use of blockchains in the short term, as their development and adoption mature.


For example, recently I met with the Deloitte blockchain team, and Principal Eric Piscini disagreed with my premise. He believes that interoperability really isn’t that big of an issue. First, he points out that, today, we have multiple environments that don’t connect to each other and the work still happens effectively. For example, different credit card payment vendors each have unique systems but everyone can still use any of them without an issue.

He also notes that interoperability seems like a bigger issue if you look at the blockchain implementation as needing to do every part of a transaction. However, he thinks of blockchain as having three layers:

  • Recording (actual transcribing of data into a block)
  • Transacting (an activity or transfer, such as moving money from one participant to another)
  • Business logic (the rules and controls of a process coded into the system)

You don’t have to do all three things in blockchain. You can use it for any of the three, or some combination. And as a result, you start to see how it’s possible to use blockchain technology and not necessarily have to worry about interoperability.  It’s not dissimilar to evaluating automation technology, where you will, simply, fail if you try to automate everywhere possible – you’d run out of time, money and patience trying!  Most experts will tell you to first focus on what not to automate, which is similar with blockchain:  first figure out where you can carry on just fine without all the expense and disruption of a blockchain implementation. 

Piscini also believes, in some instances, that firms do not need interoperability, but more a single blockchain per asset class, as it will be near impossible to transfer the same value across multiple blockchains. 

So, where does this leave us with our interoperability decisions?

1) Blockchain interoperability needs both a technology choice and business reason to exist. We need to separate the technology of blockchain from the business application of blockchain and from the business model of blockchain-based systems. From a technology perspective, for example, multiple blockchain implementations can exist and drive value even if not connected to other blockchains.

2) Network ownership may be more important than technical interoperability. For networks that are, essentially, owned and controlled by one party (the credit card examples above), where other parties just access those networks but don’t need to integrate per se, Piscini’s view makes total sense. It also works in situations like Ariba’s, which we’ve written about before, where participants don’t need blockchain implementations themselves to use Ariba’s blockchain. (Ariba also notes that clients can choose to do just recording on the blockchain, further supporting Piscini’s point about separating blockchain into layers.) However, in networks where the peer-to-peer aspect is more important, and no one participant has strong power, we believe interoperability will continue to be a barrier to widespread adoption.

Bottom Line: The blockchain market needs clarity around when, if, and how interoperability is really required before it can mature.

We expect that by the end of this year, as companies continue to tackle implementation challenges like interoperability and the development of common industry standards continues[1], the market will begin to pick winning platforms and technologies.


[1] Many consortia are dealing with this issue as we speak, and government agencies are beginning to weigh in. Expect a lot of activity in standards development this year.

Once Upon A Time…To Hold Management Attention, Security Execs Became Storytellers
April 14, 2017 | Christine Ferrusi Ross

Security is a complex space – changing and emerging threats, multiple interconnected technologies that each do one small piece of the security landscape, and an ever-changing regulatory and legal environment. And frankly, most senior executives don’t have the patience to really understand the threats to their business in great depth.

So what can a smart security executive do to capture and hold management attention on security issues? Become a great storyteller. There are lots of reasons storytelling helps in the security space:

  • People remember stories much more than they remember a bunch of data points or random facts
  • Stories connect emotionally as well as intellectually, making them more impactful, and increasing stakeholders’ investment in the topic
  • Having people re-tell stories is both a great validation of your original point but also a powerful way to make sure that your point is shared throughout the organization so that everyone understands security better

Start by studying storytelling. There are some basic plots for stories, such as boy meets girl, hero vanquishes evil, etc. There’s also a basic narrative structure you can use (see Exhibit 1; its five stages are listed below).

So with this structure, you can explain security threats to your executives:

  • Exposition – threat the business faces, including what part(s) of the business, are affected (sales, brand reputation, data, etc.)
  • Rising action – how that threat is evolving
  • Climax – impact on the business if that threat occurs
  • Falling action – steps being taken to address the risk and protect the business
  • Denouement – any residual implications, requests for support or budget, etc.

You leave out the details that will take the focus off the overall story but leave the ones that add color and help people connect with the story. So, examples of how other companies are handling the threats can stay, but likely the reporting spreadsheets of the quarantined threats should go. This balance of the details is key to effective storytelling. Your team may find deep data invaluable, but it may cause your audience to give up trying to follow your story.

You’ll also save a lot of time. How? Typically, when something happens, you give the details and then try to explain those details in context. If you’ve told a story people understood, then when you have a conversation about details, you can refer back to the story and have the person “get it” faster. You can tell this works when stakeholders start asking more, and more relevant, questions. People who don’t understand a topic don’t ask as many questions.

How will you know the storytelling approach is working? When more people in your organization start to change their behaviors to support your security goals. And when senior executives begin to get more invested in your work.

Bottom line: To really improve security, get outside of security data and details and become a great storyteller.

Ariba And Everledger Want Blockchain To Help Supply Chains Become More Ethical And Make The World Better
March 23, 2017 | Christine Ferrusi Ross

Last summer I wrote about my desire to be a superhero – to help companies buy IT products and services ethically and help suppliers create new opportunities for themselves and their people. When people source ethically they can reduce a lot of bad in the world – child labor, human trafficking, working conditions that harm and kill people, and a host of other problems.

Yesterday at SAP Ariba Live, the software company announced that it was partnering with blockchain provenance firm Everledger to explore the use of blockchain across Ariba’s suite of applications. As a first step, the two companies are working on a track and trace (provenance) application.


Everledger CEO Leanne Kemp and SAP Ariba Senior Vice President Joe Fox discussed the application and broader blockchain implications at the event, talking about empowering an ethical supply chain. They see a future where using blockchain to track goods from their raw materials through their final delivery would help companies have visibility into the entire supply chain. This would then allow companies to avoid problems such as:

  • Counterfeit goods being swapped in for the original goods at some point in the journey
  • Unintentionally supporting illegal and unethical conduct by suppliers and other third parties involved in conflict minerals (blood diamonds, for example) because you couldn’t tell where the diamond originated
  • Being out of compliance with government or industry regulations because, as in the point above, you couldn’t prove that the product was made without conflict minerals or other illegal inputs

Undoubtedly, this announcement is a huge win for blockchain technology. It’s a major software company investing in a specific commercial application. It also reinforces the importance of provenance as a key blockchain “killer app,” coming soon after IBM’s announcement with Maersk that the two firms would work together to trace shipping containers. We’ve written before that provenance will get adopted faster than many fintech blockchain applications. These two deals show movement in that direction.

Even more powerful is the business and human story about making the world a better place. SAP Ariba’s and Everledger’s message of using blockchain to help business work more effectively AND to improve the lives of people is inspiring. It’s what technology is supposed to do, and we’re hoping to see more companies explicitly make corporate social responsibility a key factor in their technology decisions.

The Boston FinTech Showcase: Blockchain’s Slow Evolution Into An Enterprise Solution
March 09, 2017 | Christine Ferrusi Ross

This past Monday at the Boston FinTech Showcase over 300 people gathered to talk shop around emerging Financial Technology (fintech) and see demos from several hot startups in the space. There’s a lot of activity in fintech right now, demonstrated by the excitement around the event, which was at capacity with a waitlist.

There were startups for asset management, payments, analytics, and risk management, among others. And each startup had a point of view about how to transform fintech. There were also several incubators, investors, and corporate innovation groups. But what wasn’t? Blockchain. (Author Note: Check out my colleague Reetika Joshi’s blog for a broader perspective on the technologies and solutions that were highlighted at the Boston FinTech Showcase.)

Last Fall, we looked at what’s happening with blockchain services in BFSI and found that the market was mostly still in the proof-of-concept (POC) stage. At the showcase, we talked to several innovation teams at big financial services corporations about their progress on blockchain and found that they’ve gotten past the research stage and are in development in some specific areas like payments/settlements (something that was also big in our research) and derivatives. They all pointed out that they picked areas where they saw ROI. In other areas, they decided that blockchain was not better than current or alternative solutions.

Investors echoed this perspective. Network costs, interoperability and switching costs, and first-mover costs of picking a platform that might not wind up as the industry standard were among some of the reasons they felt that adoption hadn’t progressed faster and why the business cases were stronger in specific areas like cross-border payments.

Bottom Line: Blockchain and fintech tend to get used together a lot as if blockchain was the major trend in fintech, but in fact, the two markets aren’t as intertwined as we’d expected. Instead, fintech is developing quickly in areas unrelated to blockchain, like analytics and automation. Meanwhile, blockchain is finding a foothold in some specific areas but isn’t the driving force in fintech.

We also think this is further evidence that other applications like provenance (proving the origin and chain of custody of materials through a supply chain), anti-counterfeiting efforts, and compliance reporting will overtake financial applications as the “killer apps” for blockchain, as HfS has written before. In fact, a recent Deloitte study found this as well: it published results showing that 58% of consumer goods and manufacturing companies had already deployed or would deploy blockchain this year, compared to only 36% of financial services firms.

We’re going to keep digging further, as my colleague Reetika Joshi and I research blockchain’s evolution in BFSI and I kick off reports in supply chain-related blockchain applications. Stay tuned.

Overcoming Blockchain’s Obstacles to Adoption
February 21, 2017 | Christine Ferrusi Ross

Industry adoption is the biggest obstacle to blockchain becoming important in banking, according to 78% of participants in a study. Wait, what? It’s an odd data point to me, because adoption happens (or doesn’t) because of obstacles like cost and complexity. Slow or late adoption is a symptom of a challenge, not the challenge itself. So let’s take a quick look at what might slow or stall adoption, and what to do about it.

Blockchain is an element of “the platform revolution” that’s based on user economies of scale

Recently I had the chance to speak with Marshall Van Alstyne, co-author of The Platform Revolution and a professor at Boston University. He discussed the network and platform model of many new digital businesses like Airbnb. Airbnb is successful because it can exist and profit from user economies of scale instead of company-based economies of scale, according to Professor Van Alstyne. Essentially, this type of platform business allows users to create and share value themselves instead of relying on a company to create the value. The role of the business is to provide the infrastructure and support. While Airbnb doesn’t use blockchain as its base technology, the concept applies because firms can use blockchain as the basis of new platform-based business models.

Blockchain, with its design point of peer-based approvals for transactions and distributed ledger data storage, is a great example of a platform technology. It’s the enabler of a business that needs users to help define how it will scale.

What to consider in using blockchain as a platform for business

If blockchain can help companies build a platform business, what might slow or stall adoption? Professor Van Alstyne mentions a few:

  • Network ownership – who manages the network and gets to decide the rules? Is that owner in a position to run the network effectively?
  • Cost/transaction friction – how much does it cost to join or participate? And do you have to pay before you get value out? Can you design the network so participants pay only after they’ve gotten value to reduce the transaction friction?
  • Monetary policy (for financial transactions) – who or what agency is going to ensure the network isn’t too volatile? Who will ensure that there are guardrails to give users comfort that the system will have some inherent stability?
  • Standards – can players on different blockchain implementations work together rather than having to agree on the same implementation? Who creates and manages those standards to ensure adoption isn’t hindered by interoperability problems? A good example of where standards can help is in settling issues like block sizes and reducing network consensus time, both of which significantly limit the speed with which transactions can be completed.

The end user is at the center of the platform-based business

Customer-focused businesses need to exist in an environment where user economies of scale have become the norm. That means the business needs to understand the user and the user’s needs; doing so will help identify and drive scale. And understanding the users and what they value, and how that then fits into a business model (addressing compliance, for example), can help drive the answers to the questions above. Rather than trying to scale internal operations like manufacturing, firms that adopt this customer-centric “Digital OneOffice” need to focus on user value and the associated data. As Professor Van Alstyne points out, platform businesses can scale indefinitely because they don’t require internal company investment (beyond some compute power). Instead, platform businesses that use technology like blockchain can scale as quickly as user adoption grows because there are no marginal costs to that growth.

Going back to that study I saw – blockchain may not get adopted, but if it doesn’t, it’s because companies didn’t take advantage of user economies of scale and learn lessons from older network-based businesses like eMarketplaces.

Bottom line: Focus on solving the obstacles to adoption, not adoption itself – especially transaction friction and interoperability standards – if you want your blockchain implementation to succeed and move you forward in your digital transformation.

Ask the Experts: Security Gurus Offer Their Advice for Non-technical Buyers
February 09, 2017 | Christine Ferrusi Ross

A big challenge for sourcing specialists is needing to rely on security domain experts internally to judge provider quality. The internal team, already working on their day jobs, often doesn’t have as much time to devote to the selection and negotiation process as sourcing leaders want. It’s important for sourcing teams to get smarter about security themselves to lessen their dependence on domain experts for preliminary RFP screening and downselecting.

In our upcoming security services Blueprint, we asked the client references (themselves security experts) what advice they’d give non-technical teams on buying security services. Some of them are general sourcing best practices, and some are very specific to security. But they’re all important to ensuring the success of your security services engagement. Here are some of their key recommendations: 

  1. Make a map of your security landscape. You need to cover your bases regarding what kinds of security technology you’re using (endpoint, antivirus, etc.) so you can ask the provider about its expertise in each one. Ask in-depth questions about what kind of expertise it has with those tools, and look for specific clients and places where it can demonstrate the details of its experience. Have the provider pull it all together into a diagram and one vision so you can see it and make sure it matches your expectations.
  2. Communicate. A lot. How you interact with the provider will have as much bearing on the engagement’s success as the technical security. Make sure you’re not so focused on technical questions that you ignore challenges in communication. Remember that the provider is on its best behavior during the RFP process, and it’s unlikely that communication problems get better after the contract is signed. As one client reference said, “if the communication is good, you'll get it right 90% of the time.”
  3. Ask references about mundane details. Beyond the technology expertise, talk to references about what their daily experiences are like. Ask about little things like how quickly the provider answers emails and responds to questions that aren’t part of a service issue. Talk to people who have direct experience with the processes and skills you’re buying to make sure what the provider wrote in the RFP response is actually borne out in client engagements. For example, one client we spoke with mentioned a situation where its incumbent provider proposed expanding scope based on its process for innovation – yet the process described in the proposal looked nothing like the process the client experienced every day with the provider. So even tactical steps within a proposed process need to be explored.
  4. Weight flexibility and potential highly when grading. One client reference expressed sympathy for his sourcing counterparts: “It's hard to know what questions to ask and know how to evaluate the answers,” he said. But he then explained that evaluating a provider’s flexibility is critical to engagement success. He pointed out that flexibility matters because even if you ask the right questions now, your questions will change over the course of the work. So flexibility and potential capability are better than a specific current capability that may not be relevant in another year.
  5. Pick a supplier that can meet you in the middle. It’s been a truism of outsourcing to hire for areas where you’re weak. But this often leads to provider teams that can’t effectively work with client teams because they have no common skill sets. One client pointed out that she relies on her provider’s ability to speak “business language” when discussing security. Can the provider talk about security from a business perspective or are they expecting you to translate their technical discussions for your stakeholders? What you really want is a provider that can go deep in the technology but still have a business discussion, while you’ll match those skills with your internal security experts and stakeholders.

Bottom line: Don’t be intimidated by the lack of deep technical security knowledge. It’s important to bring in domain experts as much as possible, but sourcing teams can dramatically improve their own efforts by making sure they focus on the business side of security.

Make Sure Your Managed Security Services Provider Keeps Current With Your Changing Security Posture
January 26, 2017 | Christine Ferrusi Ross

A company’s security posture changes often. The change can be company-created, for example, by opening an office in a new geography or entering a business with different regulatory requirements for data protection. Security posture also changes as new threats like previously unknown malware emerge, and more sophisticated techniques for hacking evolve.

When engaging a managed security services provider, it’s tempting to believe that keeping up with changing security posture is “being handled” by the provider. But is it?

Providers Often Forgo Innovation For Operating Efficiency

A very common complaint among outsourcing and managed services clients is that providers rarely suggest changes unless the client brings them up – unless, of course, the change benefits the provider’s ability to run the process. In security environments, this heads-down approach goes beyond ineffective – it can cause significant damage to clients, because threats and mitigation options change quickly.

Yes, providers generally do a security posture assessment before beginning the engagement. However, in our current blueprint research we found little evidence that providers re-assess security posture formally during the ongoing engagements. 

Recently, in fact, we even heard of one provider that regularly discovered threats in a client environment but didn’t report them to the client because those particular threat types were outside the engagement’s scope. The client found out about the omissions only months later, and by accident.

Even apart from such egregious scenarios of intentionally withholding alerts from the client, many providers miss threats. They miss them because they’re not looking for them and because their analytics engines aren’t detecting new patterns.

Be Proactive With Incident Monitoring And Reporting

There are many ways you can work with your managed security services provider to ensure that changes to your security posture are being addressed. From most quickly implemented to longest, here are some actions you can take:

  • First and foremost, monitor news and trends in security and threat intelligence. Don’t wait for your provider to flag new threat types to you.
  • Be proactive in asking questions about changes and new threats. Sometimes even a quick email asking the provider about a new ransomware technique that you read about will spur discussion about making changes to the service scope.
  • Include security market changes and news as part of monthly meetings. Make it an agenda item to discuss what’s happening in the market. And build into the provider’s mindset not to wait for the regular meetings to bring up new events.
  • Expand the scope of your engagement to include regular security posture re-assessments. This can depend on your industry and other factors, but it might be quarterly, semi-annual, or annual.
  • Include a new engagement metric on the provider’s ability to find and address new threats. The provider’s ability to keep your data and organization protected from threats even as those threats change needs to be part of the provider’s success metrics if it isn’t already.

Bottom Line: Don’t let inertia set in on your managed security services engagement. Make sure your engagement includes specific, proactive approaches to staying current with your security posture.