HfS Network
Christine Ferrusi Ross
 
Research Vice President, Security, and Blockchain 
Learn more about Christine Ferrusi Ross
Simplify Blockchain by Refusing to Let Interoperability Issues Bog You Down
April 18, 2017 | Christine Ferrusi Ross

We’ve previously written how interoperability will hold back blockchain adoption, at least until we can find ways around the problem. The cost and friction of joining multiple blockchains may hinder widespread adoption until we can figure out how to get them to talk to each other and reduce the cost of joining a blockchain implementation. However, recent thinking suggests there are some shortcuts we can take to make better use of blockchains in the short term, as their development and adoption matures.

 

For example, recently I met with the Deloitte blockchain team, and Principal Eric Piscini disagreed with my premise. He believes that interoperability really isn’t that big of an issue. First, he points out that, today, we have multiple environments that don’t connect to each other and the work still happens effectively. For example, different credit card payment vendors each have unique systems but everyone can still use any of them without an issue.

He also notes that interoperability seems like a bigger issue if you look at the blockchain implementation as needing to do every part of a transaction. However, he thinks of blockchain as having three layers:

  • Recording (actual transcribing of data into a block)
  • Transacting (an activity or transfer, such as moving money from one participant to another)
  • Business logic (the rules and controls of a process coded into the system)

You don’t have to do all three things in blockchain. You can use it for any of the three, or some combination. And as a result, you start to see how it’s possible to use blockchain technology and not necessarily have to worry about interoperability.  It’s not dissimilar to evaluating automation technology, where you will, simply, fail if you try to automate everywhere possible – you’d run out of time, money and patience trying!  Most experts will tell you to first focus on what not to automate, which is similar with blockchain:  first figure out where you can carry on just fine without all the expense and disruption of a blockchain implementation. 

Piscini also believes, in some instances, that firms do not need interoperability, but more a single blockchain per asset class, as it will be near impossible to transfer the same value across multiple blockchains. 

So, where does this leave us with our interoperability decisions?

1) Blockchain interoperability needs both a technology choice and business reason to exist. We need to separate the technology of blockchain from the business application of blockchain and from the business model of blockchain-based systems. From a technology perspective, for example, multiple blockchain implementations can exist and drive value even if not connected to other blockchains.

2) Network ownership may be more important than technical interoperability. For networks that are, essentially, owned and controlled by one party (the credit card examples above) and other parties just access those networks but don’t need to integrate per se, then Piscini’s view makes total sense. It also works in situations like Ariba’s, which we’ve written about before, where participants on don’t need blockchain implementations themselves to use Ariba’s blockchain. (Ariba also notes that clients can choose to do just recording on the blockchain, further supporting Piscini’s point of separating blockchain into layers.) However, in networks where the peer-to-peer aspect is more important, and no one participant has strong power, we believe interoperability will continue to be a barrier to widespread adoption.

Bottom Line: Clarity around when/if/how interoperability is really needed for the blockchain market to mature.

We expect that, by the end of this year, as companies continue to tackle implementation challenges like interoperability and the development of common industry standards continues[1], will the market will begin to pick winning platforms and technologies.

 

[1] Many consortia are dealing with this issue as we speak, and government agencies are beginning to weigh in. Expect a lot of activity in standards development this year.

Once Upon A Time…To Hold Management Attention, Security Execs Became Storytellers
April 14, 2017 | Christine Ferrusi Ross

Security is a complex space – changing and emerging threats, multiple interconnected technologies that each do one small piece of the security landscape, and an ever-changing regulatory and legal environment. And frankly, most senior executives don’t have the patience to really understand the threats to their business in great depth.

So what can a smart security executive do to capture and hold management attention on security issues? Become a great storyteller. There are lots of reasons storytelling helps in the security space:

  • People remember stories much more than they remember a bunch of data points or random facts
  • Stories connect emotionally as well as intellectually, making them more impactful, and increasing stakeholders’ investment in the topic
  • Having people re-tell stories is both a great validation of your original point but also a powerful way to make sure that your point is shared throughout the organization so that everyone understands security better

Start by studying storytelling. There are some basic plots for stories, such as boy meets girl, hero vanquishes evil, etc. There’s also a basic narrative structure you can use (see Exhibit 1):

 

So with this structure, you can explain security threats to your executives.

  • Exposition – threat the business faces, including what part(s) of the business, are affected (sales, brand reputation, data, etc.)
  • Rising action – how that threat is evolving
  • Climax – impact on the business if that threat occurs
  • Falling action – steps being taken to address the risk and protect the business
  • Denouement – any residual implications, requests for support or budget, etc.

You leave out the details that will take the focus off the overall story but leave the ones that add color and help people connect with the story. So, examples of how other companies are handling the threats can stay, but likely the reporting spreadsheets of the quarantined threats should go. This balance of the details is key to effective storytelling. Your team may find deep data invaluable, but it may cause your audience to give up trying to follow your story.

You’ll also save a lot of time. How? Typically, when something happens, you give the details and then try to explain those details in context. If you’ve told a story people understood, then when you have a conversation about details, you can refer back to the story and have the person “get it” faster. You can tell this works when stakeholders start asking more, and more relevant, questions. People who don’t understand a topic don’t ask as many questions.

How will you know the storytelling approach is working? When more people in your organization start to change their behaviors to support your security goals. And when senior executives begin to get more invested in your work.

Bottom line: To really improve security, get outside of security data and details and become a great storyteller.

Ariba And Everledger Want Blockchain To Help Supply Chains Become More Ethical And Make The World Better
March 23, 2017 | Christine Ferrusi Ross

Last summer I wrote about my desire to be a superhero –to help companies buy IT products and services ethically and help suppliers create new opportunities for themselves and their people. When people source ethically they can reduce a lot of bad in the world – child labor, human trafficking, working conditions that harm and kill people, and a host of other problems.

Yesterday at SAP Ariba Live, the software company announced that it was partnering with blockchain provenance firm Everledger to explore the use of blockchain across Ariba’s suite of applications. As a first step, the two companies are working on a track and trace (provenance) application.

 

Everledger CEO Leanne Kemp and SAP Ariba Senior Vice President Joe Fox discussed the application and broader blockchain implications at the event, talking about empowering an ethical supply chain. They see a future where using blockchain to track goods from their raw materials through their final delivery would help companies have visibility into the entire supply chain. This would then allow companies to avoid problems such as:

  • Counterfeit goods being swapped in for the original goods at some point in the journey
  • Unintentionally supporting illegal and unethical conduct by suppliers and other third parties involved in conflict minerals like blood diamonds because you couldn’t tell where the diamond originated
  • Being out of compliance with government or industry regulations because related to the point above, you couldn’t prove that the product was made without conflict minerals or other illegal inputs

Undoubtedly, this announcement is a huge win for blockchain technology. It’s a major software company investing in a specific commercial application. It also reinforces the importance of provenance as a key blockchain “killer app,” coming soon after IBM’s announcement with Maersk that the two firms would work together to trace shipping containers. We’ve written before that provenance will get adopted faster than many fintech blockchain applications. These two deals show movement in that direction.

Even more powerful is the business and human story about making the world a better place. SAP Ariba’s and Everledger’s message of using blockchain to help business work more effectively AND to improve the lives of people is inspiring. It’s what technology is supposed to do, and we’re hoping to see more companies explicitly make corporate social responsibility a key factor in their technology decisions.

The Boston FinTech Showcase: Blockchain’s Slow Evolution Into An Enterprise Solution
March 09, 2017 | Christine Ferrusi Ross

This past Monday at the Boston FinTech Showcase over 300 people gathered to talk shop around emerging Financial Technology (fintech) and see demos from several hot startups in the space. There’s a lot of activity in fintech right now, demonstrated by the excitement around the event, which was at capacity with a waitlist.

There were startups for asset management, payments, analytics, and risk management, among others. And each startup had a point of view about how to transform fintech. There were also several incubators, investors, and corporate innovation groups. But what wasn’t? Blockchain. (Author Note: Check out my colleague Reetika Joshi’s blog for a broader perspective on the technologies and solutions that were highlighted at the Boston FinTech Showcase.)

Last Fall, we looked at what’s happening with blockchain services in BFSI and found that the market was mostly still in the proof-of-concept (POC) stage. At the showcase, we talked to several innovation teams at big financial services corporations about their progress on blockchain and found that they’ve gotten past the research stage and are in development in some specific areas like payments/settlements (something that was also big in our research) and derivatives. They all pointed out that they picked areas where they saw ROI. In other areas, they decided that blockchain was not better than current or alternative solutions.

Investors echoed this perspective. Network costs, interoperability and switching costs, and first-mover costs of picking a platform that might not wind up as the industry standard were among some of the reasons they felt that adoption hadn’t progressed faster and why the business cases were stronger in specific areas like cross-border payments.

Bottom Line: Blockchain and fintech tend to get used together a lot as if blockchain was the major trend in fintech, but in fact, the two markets aren’t as intertwined as we’d expected. Instead, fintech is developing quickly in areas unrelated to blockchain, like analytics and automation. Meanwhile, blockchain is finding a foothold in some specific areas but isn’t the driving force in fintech.

We also think that this shows some further evidence that other applications like provenance (proving the origin and chain of custody of materials through a supply chain,) anti-counterfeiting efforts and compliance reporting will overtake financial applications as the “killer apps” for blockchain, as HfS has written before. In fact, a recent study from Deloitte recently found this as well: it recently published results that showed 58% of consumer goods and manufacturing companies had already deployed or would deploy blockchain this year, compared to only 36% of financial services firms.provenance

We’re going to keep digging further, as my colleague Reetika Joshi and I research blockchain’s evolution in BFSI and I kick off reports in supply chain-related blockchain applications. Stay tuned.

Overcoming Blockchain’s Obstacles to Adoption
February 21, 2017 | Christine Ferrusi Ross

Industry adoption is the biggest obstacle to blockchain becoming important in banking, according to 78% of participants in a study. Wait, what? It’s an odd data point to me, because adoption happens (or doesn’t) because of obstacles like cost and complexity. Slow or late adoption is a symptom of a challenge, not the challenge itself. So let’s take a quick look at what might slow or stall adoption, and what to do about it.

Blockchain is an element of “the platform revolution” that’s based on user economies of scale

Recently I had the chance to speak with Marshall Van Alstyne, co-author of The Platform Revolution and a professor at Boston University. He discussed the network and platform model of many new digital businesses like Airbnb. Airbnb is successful because it can exist and profit from user economies of scale instead of company-based economies of scale, according to Professor Van Alstyne. Essentially, this type of platform business allows users to create and share value themselves instead of relying on a company to create the value. The role of the business is to provide the infrastructure and support. While Airbnb doesn’t use blockchain as its base technology, the concept applies because firms can use blockchain as the basis of new platform-based business models.

Blockchain, with its design point of peer-based approvals for transactions and distributed ledger data storage, is a great example of a platform technology. It’s the enabler of a business that needs users to help define how it will scale.

What to consider in using blockchain as a platform for business

If blockchain can help companies build a platform business, what might slow or stall adoption? Professor Van Alstyne mentions a few:

  • Network ownership – who manages the network and gets to decide the rules? Is that owner in a position to run the network effectively?
  • Cost/transaction friction – how much does it cost to join or participate? And do you have to pay before you get value out? Can you design the network so participants pay only after they’ve gotten value to reduce the transaction friction?
  • Monetary policy (for financial transactions) – who or what agency is going to ensure the network isn’t too volatile? Who will ensure that there are guardrails to give users comfort that the system will have some inherent stability?
  • Standards – can players on different blockchain implementations work together rather having to agree on the same implementation? Who creates and manages those standards to ensure adoption isn’t hindered by interoperability problems? A good example of how standards can help is to solve issues like block sizes and reducing network consensus time, both of which significantly hinder the speed with which transactions can be completed.

The end user is at the center of the platform-based business

Customer-focused businesses need to exist in an environment where user economies of scale have become the norm. That means the business needs to understand the user and the users’ needs—doing so, will help identify and drive scale. And understanding the users and what they value, and how that then fits into a business model (addressing compliance, for example) can help drive the answers to the questions above. Rather than trying to scale internal operations like manufacturing, firms that adopt this customer-centric “Digital OneOffice” need to focus on user value and associated data. As Professor Van Alstyne points out, platform businesses can scale indefinitely because they don’t require internal company investment (beyond some compute power.) Instead, platform businesses that use technology like blockchain can scale as quickly as user adoption grows because there are no marginal costs of that growth.

Going back to that study I saw – blockchain may not get adopted, but if it doesn’t, it’s because companies didn’t take advantage of user economies of scale and learn lessons from older network-based businesses like eMarketplaces.

Bottom line: Focus on solving the obstacles to adoption, not adoption itself – especially transaction friction and interoperability standards – if you want your blockchain implementation to succeed and move you forward in your digital transformation.

Ask the Experts: Security Gurus Offer Their Advice for Non-technical Buyers
February 09, 2017 | Christine Ferrusi Ross

A big challenge for sourcing specialists is needing to rely on security domain experts internally to judge provider quality. The internal team, already working on their day jobs, often doesn’t have as much time to devote to the selection and negotiation process as sourcing leaders want. It’s important for sourcing teams to get smarter about security themselves to lessen their dependence on domain experts for preliminary RFP screening and downselecting.

In our upcoming security services Blueprint, we asked the client references (themselves security experts) what advice they’d give non-technical teams on buying security services. Some of them are general sourcing best practices, and some are very specific to security. But they’re all important to ensuring the success of your security services engagement. Here are some of their key recommendations: 

  1. Make a map of your security landscape. You need to cover your bases regarding what kinds of security technology you’re using – end point, antivirus, etc. -- so you can ask the provider about its expertise in each one. Ask in-depth questions about what kind of expertise it has with those tools, and look for specific clients and places where it can demonstrate the details of its experience. Have the provider pull it all together into a diagram and one vision so you can see it and make sure it matches your expectations.
  2. Communicate. A lot. How you interact with the provider will have as much bearing on the engagement’s success as the technical security. Make sure you’re not so focused on technical questions that you ignore challenges in communication. Remember the provider’s on its best behavior during the RFP process and it’s unlikely that communication problems get better after signing the contract. As one client reference said, “if the communication is good, you'll get it right 90% of the time.”
  3. Ask references about mundane details. Beyond the technology expertise, talk to references about what their daily experiences are like. Ask about little things like how quickly the provider answers emails and responds to questions that aren’t part of a service issue. Talk to people who have direct experience with the processes and skills you’re buying to make sure what the provider wrote in the RFP response is actually borne out in client engagements. For example, one client we spoke with mentioned a situation where its incumbent provider proposed expanding scope based on its process for innovation – yet the process described in the proposal looked nothing like the process the client experienced every day with the provider. So even tactical steps within a proposed process need to be explored.
  4. Weight flexibility and potential highly when grading. One client reference expressed sympathy for his sourcing counterparts: “It's hard to know what questions to ask and know how to evaluate the answers,” he said. But he then explained that evaluating a provider’s flexibility is critical to engagement success. He points out that flexibility matters because even if you ask the right question, your questions will change over the course of the work. So flexibility and potential capability are better than specific current capability that may not be relevant in another year.
  5. Pick a supplier that can meet you in the middle. It’s been a truism of outsourcing to hire for areas where you’re weak. But this often leads to provider teams that can’t effectively work with client teams because they have no common skill sets. One client pointed out that she relies on her provider’s ability to speak “business language” when discussing security. Can the provider talk about security from a business perspective or are they expecting you to translate their technical discussions for your stakeholders? What you really want is a provider that can go deep in the technology but still have a business discussion, while you’ll match those skills with your internal security experts and stakeholders.

Bottom line: Don’t be intimidated by the lack of deep technical security knowledge. It’s important to bring in domain experts as much as possible, but sourcing teams can dramatically improve their own efforts by making sure they focus on the business side of security.

Make Sure Your Managed Security Services Provider Keeps Current With Your Changing Security Posture
January 26, 2017 | Christine Ferrusi Ross

A company’s security posture changes often. The change can be company-created, for example, by opening an office in a new geography or entering a business with different regulatory requirements for data protection. Security posture also changes as new threats like previously unknown malware emerge, and more sophisticated techniques for hacking evolve.

When engaging a managed security services provider, it’s tempting to believe that keeping up with changing security posture is “being handled” by the provider. But is it?

Providers Often Forgo Innovation For Operating Efficiency

A very common complaint among outsourcing and managed services clients is that the providers rarely suggest changes unless the client brings it up – unless, of course, that change benefits the provider’s ability to run the process. In security environments, this heads-down approach goes beyond ineffective – it can cause significant damage to clients as threats and mitigation options change quickly.

Yes, providers generally do a security posture assessment before beginning the engagement. However, in our current blueprint research we found little evidence that providers re-assess security posture formally during the ongoing engagements. 

Recently, in fact, we even heard of one provider that regularly discovered threats in a client environment but didn’t report them to the client because the particular threat types were out of scope of the engagement. The client found out only months later, and by accident, about the omissions.

Even with such egregious scenarios of intentionally not alerting the client, many providers miss threats. They miss them because they’re not looking for them and their analytics engines aren’t detecting new patterns.

Be Proactive With Incident Monitoring And Reporting

There are many ways you can work with your managed security services provider to ensure that changes to your security posture are being addressed. From most quickly implemented to longest, here are some actions you can take:

  • First and foremost, monitor news and trends in security and threat intelligence. Don’t wait for your provider to flag new threats types to you.
  • Be proactive in asking questions about changes and new threats. Sometimes even a quick email asking the provider about a new ransomware technique that you read about will spur discussion about making changes to the service scope.
  • Include security market changes and news as part of monthly meetings. Make it an agenda item to discuss what’s happening in the market. And build into the provider’s mindset not to wait for the regular meetings to bring up new events.
  • Expand the scope of your engagement to include regular security posture re-assessments. This can depend on your industry and other factors, but it might be quarterly, semi-annual, or annual.
  • Include a new engagement metric on the provider’s ability to find and address new threats. The provider’s ability to keep your data and organization protected from threats even as those threats change needs to be part of the provider’s success metrics if it isn’t already.

Bottom Line: Don’t let inertia set in on your security managed services engagement—make sure your engagement includes specific, proactive approaches to staying current with your security posture.

Talking Blockchain Business Models and Network Ownership With HCL
January 20, 2017 | Christine Ferrusi Ross

Since we published our first report on blockchain, we continue to talk to players in the industry about how this fast-moving market is changing and growing. Compared to last year, there’s more discussion about security and privacy (evolving from the “blockchain is unhackable” talking point that was popular last summer,) there’s more talk about non-financial examples like using blockchain to help with supply chain compliance issues, and a hunger to get beyond POCs into valuable operational execution.

Recently we spoke to Santosh Kumar, Rob Ellis, and Mani Nagasundaram from HCL about blockchain trends. HCL shares many characteristics with the players we included in the report, such as:

  • Basing its blockchain expertise within its financial services practice
  • Building expertise in some key industry hot buttons like international money transfer, asset tracking, and trade operations
  • Creating POCs with global banks like one HCL did on cross-border money transfers across subsidiaries
  • Exploring partnerships with several key blockchain technology vendors like Ethereum and ERIS Industries

Regarding trends, HCL sees a lot happening in security and privacy, as well as regulatory agencies stepping up to help businesses form some governance policies around blockchain. We’ve seen in the past few months that while maybe the blocks in the chain aren’t hackable per se, there have been identity thefts, fraudulence, and further concerns about public blockchain networks.

The HCL team notes that transactions are well executed in blockchain, but identity validation and asset validation are less mature. And valuation of assets still needs to happen in the real world, so they caution over-optimism in moving quickly to broad blockchain adoption.

Also, adoption may be slowed down until we can answer the key question, “who owns the network?” HCL’s current thinking is that there’s likely to be one or two per industry and that moving or crossing networks will be difficult (HfS agrees that network interoperability is a big problem. See my prior blog on network interoperability issues here.)

They also believe that maturity in blockchain comes in three phases and that blockchain mirrors the Internet itself in this maturity curve:

  • Operating business processes better with blockchain
  • Changing operations using blockchain
  • Using blockchain to create new business models, processes, and activities

When you get to the discussion of new business models, HCL has a few scenarios that they share (see Exhibit 1 for an example.) We like HCL’s ability to not just explain the technology in-and-outs, but blockchain’s impact on business. In the blueprint guide on blockchain, we scored providers highly on innovation when they have strong business stories and the ability to demonstrate blockchain’s potential to prospective clients.

Exhibit 1: HCL’s Blockchain Ecosystem Example

Click to enlarge. Source: HCL, copyright HCL

Bottom Line: 2017 will be an important validation year for blockchain

As HfS continues to research HCL and its competitors, we’re looking for the following in 2017:

  • Movement beyond POCs into live implementations
  • An example of inter-company blockchain work (remember, most POCs right now are intra-company, which is why the network question didn’t come up much this year)
  • Some hardening lines in the partnership area as the winners and losers on the technology side become clearer and providers get pickier about which vendors they bring into client engagements

Trump Intel Story: A Stark Example Of A Predictive Security Management Dilemma
January 13, 2017 | Christine Ferrusi Ross

This week the Internet blew up based on news that Intel officials briefed President Obama and Donald Trump on the possibility that Russia had information on Donald Trump that was damaging to him personally and might even have implications for the entire US government. (And while one never expects a hashtag like #goldenshowers to trend on twitter, the feed was hilarious.) 

Politics aside, this story is a textbook case of problems with being proactive with threats. Notice: I wrote “threats” not “events” or “incidents” because the incident hasn’t happened yet, there’s just a high potential for it to be true and for it to happen.

You get lots of finger pointing in hindsight. The common question is “what did you know, and when did you know it?” Because, after something bad happens, anyone who knew of the potential for the event comes under fire for not saying something sooner, not being more forceful if in fact they HAD said something, and for not doing something to stop it from happening.  The fact is something happened and someone has to somehow get blamed.

And in the Trump intel story, you see the opposite of that, with everyone retreating to respective political corners, defending or dismissing the intel reports based on emotion and personal perspective. And since now that everyone’s already picking sides, it will be that much harder to make the right decision on how to treat the threat risk. So, how do you ask the right questions and take action in time to avoid the impending threat?

Here are the questions predictive security and risk management brings:

  • When do you flag a threat to executives? It’s important to have a policy in advance so there isn’t confusion later. It could be something like “a risk has been increasing steadily for the past 3 months” to “a risk increased very quickly in a short period” or similar idea. When you raise the flag may have a drastic impact on which actions you take to address the treat, since risks are often time sensitive.
  • How much do you tell them? Even if you’ve decided to tell executives, you must decide how much information to give. Too much detail and you may panic them unnecessarily, too little and they may not appreciate the implications of the threat. This question is usually harder to answer than the first one.
  • What do executives need to DO because of the rising risk? Another tricky area, what do you propose be done about the threat? Wait it out and seek more confirmation? Deal with it proactively, even if there’s potential for the threat to not happen? Take interim steps? This is the most important question to be answered when talking about predictive security management.

Focus Predictive Security On Remediation Not Reporting

We don’t know what advice the intel team gave to the government leaders, but we do know there are a few general ways you can deal with a threat or risk:

  • Accept the risk and go on with what you were doing. Sometimes there’s not much that can be done – or worth doing. For example, there could be a heightened risk of a terrorist attack, but you don’t want to be seen to be weak and encourage them further and choose to ignore it, safe in the knowledge airport security is already prepared for such a threat.
  • Try to remove or reduce the risk. In a political context, it might involve finding the people who are informants and stopping their ability to keep helping the other government. In a corporate setting, it might involve cutting a contract with a supplier you think has illegal dealings, for example.
  • Make a strategic bet to increase the risk. In a political context like yesterday’s story, increasing a risk strategically could involve cutting diplomatic ties, mobilizing troops or invoking sanctions, among others (these increase risk because they may cause the original threat actor to escalate further or move more quickly with the original threat.) In a corporate context, an example would be to work with a startup vendor even though you know it’s a highly risky supplier because that vendor has some amazing new technology that you want to use.

Unfortunately, if you didn’t have a remediation plan in place BEFORE the risk became likely, you’re facing much more confusion about what to do and even whether to do anything at all. This puts your company at risk and in fact, negates the value of having predictive security capabilities.

Bottom Line: Security professionals need predictive security management and prescriptive treatment plans to protect their firms from looming threats.

Security teams need clear treatment plans that address potential risks and how to mitigate them. As a simple example, if there is a threat of insiders giving information to third parties, then the remediation plan would involve something like “when someone downloads more than one file they don’t normally access, that person’s manager must ask why the person needed those files within 4 hours of the download.” Without this proactive treatment planning, companies likely do nothing and then get harmed even by risks they could have addressed.

 

Getting The “A” Team From Your Provider – Or, More Realistically, Getting The Team You Deserve
December 22, 2016 | Christine Ferrusi Ross

My colleague Mike Cook and I are in the middle of a blueprint on Managed Security Services, and as we talk to client references and review provider information, I’m reminded again about how difficult it is for clients to feel like they’ve really gotten the best possible team for their engagement, based on their investment outlay.

You might be disappointed with the quality of your team, and maybe you think it’s because it isn’t as good as you thought. Maybe they oversold their capabilities or flat-out lied about what they could do. While this is possible, in my experience, it’s more likely that clients confused the provider’s corporate image with the capabilities of the specific delivery and account team on their engagements. A provider’s capabilities are never evenly distributed across the entire company and the reality is that some delivery people are better than others.  Plus, providers can often be very crafty with how they allocate their best and brightest to their clients.

A while back, I was at an event, and chatting with several vendor executives. A vendor management person from a buyer client that we all knew came over and started chatting. He looked at the company names on everyone’s badges and mentioned that his company worked with every provider represented there. Then, company-by-company, he pointed at each one and said things like “Yup, we hate you guys. We’re suing you. Your team is terrible. You never give us good people.” That broke up the circle quickly as everyone made excuses to move to other conversations!

And afterwards, two things that stuck with me: the first was that buyer getting up as a speaker at the event to talk about creating shared value and better relationships with suppliers (I kid you not!) The second was one of the providers sharing with me privately his frustration with that particular buyer, saying “he wants the “A” team, but he’s paying for the “C” team. And even still, all he talks about is cutting our rates in the next negotiation. Why would I invest in a client like that?”

This story highlights several reasons that a company many not get the “A” team from a supplier that have nothing to do with the supplier at all:

1. You aren’t mature enough. Providers can tell what your internal team is capable of – both for execution and understanding. A supplier won’t give you “A” level resources if they think you can’t appreciate the value. Now, of course, the question is “if you can’t tell the difference, how do you know it’s not the ‘A’ team?” And the answer is, you probably can’t put your finger on it but you’re vaguely unhappy and realize things aren’t progressing the way you want even if you don’t know why. Smarter clients get smarter teams.

What to do about it: This one starts with increasing your own expertise first so you can ask better questions, understand the answers better, and make your own suggestions of how to remediate so you can have productive discussions with the provider. When the provider sees that you know what you’re doing, they’ll give you better resources. In the story above, you wonder why the company was suing a provider – that’s the kind of thing that happens when you didn’t scope properly or weren’t smart enough to ask for the right things.

2. You’re cheap. I hear this one a lot. As a client, you’re complaining that you got the “B” team. But when you look at your rate card, you’re getting “C” team pricing. You may even have gotten the “C” team instead of the “B” team. This is exactly what frustrated the provider executive in the story – he was delivering better resources than the client paid for and yet the client wasn’t grateful, instead the client only complained that the resources weren’t good enough!

What to do about it: If you pay for the “C” team and got the “B” team, be happy. You’re doing better than most others in your situation. If you’re paying for the “C” team and actually have the “C” team, then you need to have a discussion internally about what your goals are. Maybe you’re actually ok with the service you’re getting and the complaints are just water cooler venting. If you’re actually having a delivery problem, then you need to look at increasing what you’re paying or changing the delivery model. You can change a delivery model by seeking to automate some part of the engagement and paying a little more for the resources you’re keeping.

3. You’re a bad client. Maybe you complain about things that aren’t actually wrong. Maybe you blame the provider for problems that really resulted from your internal team. Maybe you constantly want things that aren’t in the contract and get mad when you don’t get them. There are lots of variations on this theme. Here’s the thing: no one wants get abused as work, and top talent doesn’t have to put up with bad behavior. They’ll get switched to better clients. Or, worse, you HAD the “A” team and you beat them down until they’ve devolved into “C” quality work. While I don’t know the inner workings of the buyer’s organization, I can tell you that in this conference setting where provider normally love the chance to socialize with their buyer clients, providers avoided this person at all costs. That speaks to the poor relationships this person built.

What to do about it: Of course, if there are legitimate problems with the provider’s work, address it. But if the problem is really your team, then fix your internal situation. You can train your team to address challenges differently, swap your internal provider liaison or even fire staff that are creating a bad environment. You definitely need to get realistic about your expectations of the engagement. Then let these internal changes get demonstrated to the provider staff to show them you’re no longer the client from hell.

4. You’re not important. Sometimes you can be a great client from all sides – you pay well, you’re a pleasure to work with, and you have interesting work. But maybe you aren’t a big client, or you’re not a brand name, or you in fact have a weak brand (the “loser in your industry?) The provider is likely putting top talent onto clients that spend a lot of money or that have brands that with star power or they use as client references. In the story above, the client was important in its industry but had a reputation as a bad place to work, so there wasn’t the “star power” that often comes from a well-known brand.

What to do about it: This one’s trickier than the rest, because the only way to really fix it with your existing provider is to spend more money until you’re a bigger and more important client. Sometimes you can fix it by being willing to be a reference client, tell your account team if they fix the talent situation, you’ll agree to be a reference for future prospect or analyst calls. However, if you’re willing to go through a transition, you can solve this one by switching providers. You can look for a smaller provider so you can become a “bigger fish in a smaller pond” or a player who specializes in your industry so your brand becomes more important to that provider.

The Bottom Line: You’ll only be satisfied with your service providers when you deal with your own responsibilities to the engagement.

Get more realistic with your expectations based on the factors above and decide what’s good enough for your needs. Hold the supplier’s feet to the fire, but do the same to your own team. Addressing these internal issues will give you more value from your existing deals and also position you better for future work with your key suppliers.