Earlier this year, HfS Research and Accenture surveyed over 200 cybersecurity professionals around the globe to better understand how enterprises are securing their digital assets and dealing with increasingly sophisticated, and all too frequent, cyber attacks.
I recently had the opportunity to sit down with Bill Phelps, Managing Director, Accenture Security, to discuss our report. Bill was one of my co-collaborators in this research effort, and I was curious to get his take on both the survey and its implications for the cybersecurity sector moving forward.
Fred McClimans, Research Vice President, Digital Trust and Cybersecurity, HfS: So Bill, we spent several months surveying security professionals on a global scale—different verticals, different geographies, different size organizations—to really uncover what the state of cybersecurity and digital trust are today. What were your expectations when we first started and what surprised you coming out of the report?
Bill Phelps, Managing Director, Accenture Security: Fred, I was really excited about doing this report together because we were taking a new perspective looking at security through the lens of digital trust, not purely as a technical or an operational issue, and I think a lot of the findings reflect that. I think honestly one of the most amazing things was that our respondents said over a third of their management doesn’t see the value in the money they spend on security, and they are disengaged. So in spite of security being a front-page headline item almost every day of the week, we still have leadership in organizations that don’t make it a priority.
Fred: That was a bit of a surprise to me as well. I would have expected closer alignment between security operations and the executive management in these organizations.
Bill: The best CISOs I know spent the majority of their time with their business counterparts, and that typically creates a good alignment. But there are still a lot of what I think of as old school CISOs—very technical, very capable individuals who often came up through a technical track. They haven’t learned to engage with their business counterparts, and so the business counterparts don’t necessarily appreciate the value of the security organization and how it can team with them.
Fred: One of the elements that might be fueling closer alignment between CISOs and their business counterparts is the shift away from cybersecurity as a way to protect assets and more towards a way to develop assets that can be leveraged to create a greater feeling of digital trust for the enterprise and its consumers.
Bill: I think that’s absolutely right. I think that people have viewed security as a very tactical discipline. We know we have to authenticate users and prevent data breaches. When we are talking right now to CISOs, especially for global organizations, privacy and trust are coming up more in the agenda and it’s becoming more and more about the brand and about how organizations convey to their customers how seriously they take privacy and trust around the digital identity.
Fred: One of the things that came out of the report that was a bit surprising to me was the number of organizations that acknowledged they have had insider data theft over the prior 12 months, and in fact they expect that to increase for the next 12 to 18 months.
Bill: The reality is that the easiest person to steal information inadvertently or intentionally is an insider. They have the credentials. Perhaps more importantly they understand the value of the information. They have access to it. And I do believe that we are going to continue to see more of that until organizations not only have the right controls in place but have the right value system in place and can convey to their leaders and to their employees the importance and sensitivity of the information to the customers.
Fred: One of the things that was encouraging in the report was that while firewalls and encryption technologies are still core to cybersecurity, moving forward a lot of the CISOs said they see a lot more reliance on things like automation, analytics, and cognitive shifting into AI moving forward.
Bill: I think there are two things going on. One is better analytics around user behavior, around where information is flowing so that we can quickly spot anomalies and patterns. The second thing is what I call a rebirth or resurgence of the importance of identity management. And organizations are realizing that so many of the breaches are the result of a misuse of an identity.
In some cases it’s by a malicious insider and in other cases it’s by an insider who has been tricked. Sometimes it’s a stolen identity¾an identity that’s been acquired maliciously and is being used All of those can be addressed through better analytics but fundamentally they also need to be addressed through better management of those identities and we are seeing a huge uptick in interest in that.
Fred: From an identity management perspective there is also the possibility of blending behavior analytics with digital and physical security analytics. This combination has the potential to expose something that’s out of the norm from typical behavior, such as the right person, in the wrong location with the wrong credentials or at the wrong time of the day.
Bill: An interesting finding in the report was the immaturity of organization governance reporting lines¾who the CISO is working with. One of the places this manifests itself is the link between physical security and information security, or logical security. Many organizations have completely different cultures, reporting lines, accountability, budgets. If we bring them together we can answer these questions around why is somebody accessing the financial system in New York at 1:00 AM? Shouldn’t it raise a question? We can’t understand this simply through the information security systems, but as soon as we overlay the physical items it’s an obvious question.
Fred: Now you mentioned reporting structures. One of the surprises to me was that across the board there was a dissatisfaction with who cybersecurity professionals were reporting to.
Bill: First, I think it’s an indication of the immaturity of this area. We don’t know what the right answers are in many ways in information security. We are working through it and we know that some things don’t work. But in terms of reporting lines, I can say that roughly half of CISOs report to a CIO. Sometimes that’s a very good and positive relationship and sometimes it’s not. One of the reasons it’s not always a positive relationship is that the CISO and CIO have conflicting motivations. The CISO’s job is to protect the organization first and foremost while a CIO’s job is to deliver business functionality and business outcomes. If the CIO is under a great deal of budgetary pressure and time pressure and the CISO is saying you need to slow down and spend more money on the security of the code that is being delivered and the security of the architecture, you have a conflict. Sometimes that’s been rationalized, at other times it hasn’t, and I could give you similar examples with CISOs reporting to CEOs, CISOs reporting to COOs, CISOs reporting to CROs.
I also think that the autonomy of the CISO is critical as is their access to the senior level executives across the organization; but we don’t have a one size fits all in the organizational alignment yet.
Fred: In the report, we identified five gaps that are having a significant impact on the ability of CISOs to execute on their role within an organization. I’d like to walk through those gaps. The first gap is the talent gap – the requirement on the part of CISOs to fully staff the organization with the right number of bodies but also the right skill set, against the available talent pool in the market.
Bill: Of the five gaps, I would put talent as the second in importance. It’s clear from the findings of this research and from all of my discussions in the industry that we need talented security professionals, almost nothing else matters. Without them, we can’t configure the tools properly or communicate effectively to the business. And these are people that in many cases it takes time to develop. It’s not putting them through a brief certification program. It’s education plus on the job training and apprenticeship with professionals. We are not satisfying the demand for talent quickly enough and it’s one of the top things that comes up in every single discussion around security with my business clients.
Fred: One of the ways that some organizations are starting to address the talent gap is through automation; looking to lighten that level one burden for the individual and let them bump up to a level two in capability is a good step but it may also have a negative impact because the entry level position into the cybersecurity talent pool is now level two, not level one.
Bill: I think that’s true. Robotic Process Automation is a huge buzzword in IT right now and really valuable for automating tasks that are easier to teach people to do. But the toughest jobs to fill in security are those of seasoned individuals who know how to spot telltale behaviors, who know how to respond to the problem or the issue they haven’t seen before. So you need those people to train human labor, you need those people to train the robotics and the analytic system. So while there is a benefit to process automation, I’m not sure how much it’s going to help create the very talented senior level security professionals and as you pointed out it may even be a hindrance.
Fred: The second gap that we identified was around technology. One of the challenges we saw was just keeping pace with the technology that’s available out there.
Bill: The threat actors have very good talent and are not necessarily using expensive commercial software. Instead they use technology that is available via open source or on the dark net and they know it extremely well. The technology that’s being used to defend the organization many times comes off the shelf, is highly sophisticated and capable, but we don’t have the people who understand how to use it well. It is evolving very rapidly as the newest brightest shiniest object is funded by the venture capitalists or comes out as a feature from a large vendor.
I think what the research says, and what I have found is that you need to really make it simple. The problem in technology is that what we have we are not using well, not that we don’t have the latest technology.
Fred: Cybersecurity is an asymmetric battle today.
Bill: It is totally an asymmetric battle and there is no end in sight. I’d love to sit here and tell you that two to three years from now the defenders are going to catch up, but there are so many vulnerabilities in the environment. The attackers have a real advantage in their collaboration, in their understanding of the technology.
Fred: The third gap that we uncovered was what we are calling the parity gap – the differences between different capabilities that exist within an extended enterprise. To give an example of that we asked respondents to rank how secure they thought various business elements were. The sales organization: not that secure. IT: very secure. Customer support? Kind of in between.
Bill: This is one of the top challenges I see. We sit down with a CISO or a Chief Risk Officer and they explain how much they have invested in security in IT or in security education. And then I ask them if they know all the organizations in their supply chain, or if they recently acquired a company – have they assessed the security if the acquired organization. It completely comes down to this weakest link problem, and with computers and automation it’s not hard to find that weak link.
We think about so called security by obscurity, but when the adversaries are running scanners against the environment, they can quickly go through every single IP address. The idea that you can protect only a part of the organization really well is completely inadequate. So many of the major breaches we have seen have been the result of exactly that, compromising some obscure part of the ecosystem and using it as an entry point into the broader enterprise. It’s a huge problem.
Fred: When we asked CISOs what were the top inhibitors to complete enterprise cybersecurity and digital trust, one of the top inhibitors was lack of budget for either technology, or more importantly, for staffing and training.
Bill: My bias in this is that the security professionals are not doing an adequate job of educating the business. I have heard business executives, board members, and others all say a variation of “We are willing to spend the money. We have the money. But we need to understand where the money is being spent and the value that is being created”. I am not saying this is easy, but the security organizations are struggling to answer those questions. There is a cynicism that the money is not actually improving the problem.
Fred: That leads nicely into the fifth and final gap – the management gap. When we asked CISOs how they viewed the management’s position on cybersecurity, we saw a third of the respondents indicate they believed management views cybersecurity as an unnecessary cost.
Bill: We are still seeing cybersecurity in too many organizations as a discrete function, not as a value system and a part of the brand that is broadly embedded in the organization. I’ll use an example from the energy industry, which has embedded employee safety as a fundamental value. If you go to most of the oil exploration production companies, the first thing they will talk about or do is a safety minute. You have to sign something that says you understand their safety policy. We are so far from that in cybersecurity. In so many organizations, if you say “What are you doing Mr. Vice President of Sales for security?” You get a blank stare and they say, “Well, that’s the job of the CISO”.
We have a long way to go. In the most successful organizations, the CISO has become a peer of the business executives both in substance and in style. They spend a great deal of their time with the business. There is top down support for making security part of the culture, part of the brand and that’s where we are going.
You never want security to be an inhibitor. Security maturity and state-of-the-art starts with the alignment of the security function to the business. It starts with how security is perceived as enabling the business, enabling trust amongst the customers, the suppliers and the others within the organization. It’s asking “do we have enough of the sufficiently talented security people in our organization and are they respected by the business?” Then of course it comes down to specific capabilities in technology and things like that, but those are almost an outcome, not a starting point when I think about what the state-of-the-art looks like.
Fred: From Accenture’s perspective, how has this report affirmed your position on digital trust or shaped the way you view digital trust in cybersecurity moving forward?
Bill: I think it was tremendously validating for some of the direction that we were already taking, and I think in some ways may accelerate that. We are moving away from thinking about security as a technical issue to talking about it as a brand attribute, as something that is communicated to customers, and that’s a business value. So what does that mean in our business? It means we are selling to business executives. It means we are engaging with the broad business leadership in security. It means we are talking about digital trust not just about security. It means we are asking, “what do you want your customers to think about you in terms of whether or not they trust you, whether or not they are confident in your protection of their private sensitive information, whether it’s medical records or financial information or whatever?”
Fred: I think if your cybersecurity approach doesn’t reinforce the brand promise and your ability to deliver on that, you’re probably wasting your time.
Bill: You certainly are thinking it’s not valuable and that it’s a cost, not an investment. As soon as you start thinking about it as a brand attribute it becomes an investment.
Fred: Bill, I can’t thank you enough, and I look forward to following up again a few months down the road. We’ll see how this is playing out.
Bill: That’s great Fred. Thank you very much! I think this is some very exciting research.
I have been researching the notion of Intelligent Automation and, in particular, the rapid uptake of Robotic Process Automation (RPA) for more than 4 years. It was this work that eventually brought me to HfS. Over the years, I have made many good friends and acquantances in the automation community – and many of those good folks have graciously suggested I have become a spokesperson for this community. Yet, it is time to take a stance and declare: RPA is dead!
This is not meant to try to grandstand my esteemed colleague Phil, who’s eloquently stated that RPA 1.0 is a done discussion. Phil suggested: “We know what it is, we know what it can do, we know how it can augment operations and help digitize broken processes.” I rarely disagree with Phil, but I would argue that that broader market, outside of specialized services, technology and process areas, has no clue as to what RPA really is. We have no common reference points, we have no definitions, we have no clarity as to how successful deployments really are. What we have, is a set of reference technologies and respective case studies that demonstrate potentially significant efficiency gains, if implemented effectively. What we have is a set of innovative technology providers who use the term “RPA” to get a seat at the table to transform service delivery. However, to quote Lee Coulter, who chairs our Sourcing Executive Council, “In the context of automation we have a Tower of Bable; we have many languages, but we don’t really understand each other”.
RPA has dominated the conversation with industry novices and this needs to advance to the broader automation outlook
Yet, it is about much more than just semantic nuances. RPA currently is largely about the automation of tasks that can be implemted from the bottom up, then land and expand within enterprises. RPA is about rules-based processes. RPA is being delivered for specific accounts, often at sub-process levels, but does not sit at the heart of a delivery backbone. Nevertheless, RPA, for the wrong reasons, or just the lack of reference points, is the focal point for all the innovation that we at HfS tend to subsume under the notion of Intelligent Automation. However, if we move beyond the confines of the BPO and operations world, we see automation deployments at much larger scale – and beyond clearly defined processes. The current market development and opportunity in IT-centric automation scenarios in a lot more advanced, has more breadth and scale than business process centric scenarios, yet, in the discourse on Intelligent Automation these tend to get marginalized. It is in those IT-centric scenarios where the impact of Cognitive Computing and Artificial Intelligence is most pronounced. Yet, as an industry, we appear to be stuck in the “RPA” mindset, largely due to the heavy influx of marketing investments from the emerging RPA software suppliers which is influencing sourcing advisors and analysts new to the automation discussion.
Examples for a broader, more holistic approach to Intelligent Automation is Accenture’s artificial intelligence engine that provides an architecture abstraction layer for interacting with various autonomics services such as natural language processing and machine learning. Thus, underlying components can be swapped out according to client preferences or as new solutions become available, leveraging a broad autonomics ecosystem. Suffice it to say, not many providers have merged IT and operations like Accenture has done. But we also see a convergence of IT and business process centric scenarios starting to happen on a tool level. IPsoft and Arago trying to get traction in operations while the prominent RPA tool providers invest in analytical and cognitive capabilities. Thus, we are seeing virtual agents to gain traction of virtual agents in in operations and RPA tools in IT helpdesk use cases. These activities have to be reflected in the discussions on Intelligent Automation – not in isolated use cased but as part of a holistic strategy to scale out automation initives.
Therefore, as an industry, we really have to change the perspective. The focus should be on top down, the point of view of process owners and on taking a much more holistic point of view. That is what we had in mind when we launched the HfS Intelligent Automation Continuum back in 2015. All the approaches on the Continuum are both interdependent as well as over-lapping. Put in simple terms, life is complex. There is no such thing as a silver bullet or a turn-key solution. Intelligent Automation is about transformation. We have to wean ourselves off the drug that is task automation. Off course, it is prudent to automate low-hanging fruit. Though how do we optimize the processes after the effect of that drug starts to subside. Thus, we shouldn’t lose sight of the direction of travel. We at HfS call it the journey toward the As-a-Service Economy. Crucially, Intelligent Automation is just one building block among others along this journey.
Away from the headlines and away from the confines of business processes, we see some indications for market maturity as providers like Atos, TechMahindra and Hexaware start to standardize delivery on ServiceNow, linking it up with service orchestration engines that allow the plethora of Intelligent Automation tools to be plugged in. Put in simple terms, we see a much more holistic approach to Intelligent Automation. The crucial question is how do we cross fertilize all these approaches across the boundaries of trational and established business units? Flipping this to the client side, how are service provider supporting their clients with Intelligent Automation on their journey into the As-a-Service Economy? This is not about RPA alone anymore, but the broad notion of Intelligent Automation in all its complexity. To assess how far the industry has matured on this journey, HfS has just launched the RFI for the Intelligent Automation Blueprint to take stock where the industry really is at.
The Bottom-line: All the stakeholders in technology and operations need a much more effective education on the impact and potential of Intelligent Automation. Confining the discussion to “RPA only” is doing everyone a disservice
What I hope to hear in our discussions on that Blueprint is around broader notions of service orchestration, about integrating broad data sets, about moving beyond clearly structured processes. My gut tells me much of the future of Intelligent Automation will be about deep and unsupervised learning, about vertically-infused insights, about technologies for which we don’t even yet have monikers. To advance all those discussions, we urgently need a much more effective and actionable education of all the stakeholders. So once again I declare:”RPA is dead – long live Intelligent Automation.” But I want you to challenge me in that, be it to convince me that RPA is the best thing since sliced bread, deconstruct my arguments, unmask my assumptions. But most importantly I love hear about new approaches and new ideas.
This is a very odd confession, but I love market sizing and forecasting. Strong language, I know, but I just love it. I think it is the combination of attention to detail and precision calculation, coupled with the intellectual leaps of faith needed when assumption making. Starting with a blank sheet and a new market gives me the opportunity to spend hours on pure thought, and there are very few things that excite me that much (and only a couple of those are legal!) I just wanted to share a few of my thoughts about the market sizing and forecasting.
Sizing a Market – more about common sense than rocket science
There is sometimes a mystery that surrounds the market sizing process, that I don’t think is necessary. There are very few ways to size any market – and none of them are rocket science. The accuracy and quality of any market size is primarily dependant on the quality of sample being used, and the way you segment the market to create representative groups.
For example, if I were to size the market for business PCs in the US using a buy side model (sizing the market from companies actually buying the PCs), I would segment the market into company size, by industry and by geography – I am using PCs as an example because often product markets, particularly a ubiquitous one like the PC is more universally understood and has less problems. The sample in each segment would be interviewed (or use another source of primary data) to discover annual spend on PCs by each sample company. The sample portion would represent a quantifiable proportion of the segment, which if it were 10%, the market size for the segment would be 10 times the total spend of the sample. Then you add all the segments up to produce the market size. The main assumption you make is that the samples spending is representative of the segments, so it is crucial that you divide the market into segments where spending is more consistent, this is why segmenting by industry is often used as it is likely banks spend is more similar to each other than to, for example, an agricultural business.
The main source of inaccuracy is ensuring the responses are representative, which is why this method of sizing always needs a cross reference, usually with service provider revenues. This provides a check on any mis-sampling where by chance you sampled the only 30 utility companies that only upgraded their PCs once a decade. These problems appear when you have markets which are less saturated, like many services sectors, particularly outsourcing. For example, if only one utility company has signed up for an HR outsourcing deal, and your sample misses it, then your market size is shot, likewise if you stumble upon just the companies that outsourced in a market that has few deals, you’d skew the market upward.
Verifying signed deals and revenues with the suppliers in a market helps to rectify these types of errors, and can mean either using an estimation for the industry garnered from the demographics/service provider revenues, or enlarging the sample or looking for new data points to guide the market size.
This is why most market sizing models used by analysts start with supplier revenues – you build a list of known suppliers in the market, which for the PC market is fairly easy for the top 10. You estimate the specific market revenues from the financials, which you may cross check through interviews / feedback. Then, you build a probability model to fill in the gap, estimating the part of the market not covered by the providers that you know. Essentially saying what is the probability that I am missing a supplier in the top 5, top 10, top 25 and in the remainder. This is where the analyst needs to be honest about her or his knowledge of the market and be realistic about the likely number of smaller firms. Which is why having good demographics to build out a buy-side model helps set the parameters for the market – and helps to double check the probably.
It is these things that provide us forecasters with the biggest challenge, especially building a market sizing model that works in a fragmented (ad often hard to define) market like outsourcing, managed services or process automation. However, the saving grace is deal data, this gives another way of building the market size. You can estimate the annual revenue flow from each contract, segment it into service type and produce a market size. The issue here is again one of sampling, no database of contracts is complete. So we compare the data produced from the contracts with the vendor revenues and with the survey data to complete the picture. Hopefully producing an accurate market size!
Forecasting a Market – the joy is finding that consensus of inputs to perform one trendline
Market forecasting is a similar task in many respects to market sizing, but, for me, it is where most of the joy in the process comes. I suspect this is because you can draw on more information and it is about bringing together and distilling contrasting data into a simple trend.
The simple forecast method that is typically used for technology markets, is euphemistically called an assumption-based or judgement-based forecast. Largely, I tend to rely on a mixture of methods and tend to combine them.
For an outsourcing market, I would typically use a model that predicted the sales of a product from past data, generally a time series model. This provides a base trend line for the market, typically the market would accelerate or decelerate in line with the established trend for the particular market. This essentially extrapolates the existing trends, part of this process would also include looking at economic growth and making assumptions for how a particular market is likely to grow given the economic outlook.
The next stage would be to alter the predicted growth based on likely forthcoming events in the market. This tests the analysts and my knowledge of the marketplace mapping out the likely market drivers and inhibitors, quantifying their effects, weighting them by probability/strength of impact and summing the drivers and inhibitors to produce an overall market impact. Part of this equation is also the adjusting the forecast based on survey work, providing the forecast with direct input from the customers and suppliers. In the outsourcing markets, we also sample specialist advisors and consultants which can add another perspective – broader than a single client and, typically, more realistic (or is that cynical) than suppliers.
It is the balancing of the different factors and the bringing all the data together to produce a single growth rate that I find the most satisfying. A forecast at its best is a distillation of survey work, market data and analyst expertise, the marriage of the objective and subjective in as precise a way as possible.
The Bottom-line: There’s nothing more beautiful that quantifying that view of the market at that particular point in history and occasionally getting it right
The thing I love most about sizing and forecasting a market is that balance between fact and foresight. When people look back at historical forecasts, the size of the market at that particular point in time should always be solid, providing said forecast is doing their job properly. The forecast was simply what we all thought the market was going to do based on the available inputs we had at the time. It doesn’t matter if it was widely wrong, as long as the inputs were sound the the forecaster was not smoking something too dubious =)
However, if we really got (some of) those forecasts in line with what eventually happened, then we can die happy knowing we performed some genuine wizardry doing something that we loved to do.
Being an industry analyst, our work differs greatly from day to day and as such, today more than ever, we are wearing an ever increasing number of hats and taking on more responsibilities. Although, rather like the transition to the As-a-Service Economy, which dominates our research at HfS, overcoming the specter of legacy is one our key concerns.
The scene: a dinner party with unknown persons. Polite small talk ultimately leads to the question, “So what do you do?” I suppress a sigh, take a fortifying sip of whatever is lying around and announce, “I’m an industry analyst” (or something along those lines). Now the response can vary dramatically here, the most common been “A what?”, “You work with numbers??” or, in more polite company, a vague “Oh…”. Following this I feel compelled to explain what I do. Now there is of course another, less savory, reaction to my announcement of employment, this often comes from those working in the industry and having had too much contact with legacy analysts of old who plied their trade in arrogance, assumptions and skepticism bordering on derision.
So back to the explanation, what do I actually do?
Well, it really depends on the day. Right now I’m blogging, whilst reading a press release and getting a tweet or two out (coffee is obviously a given). Last week I was sat in Blenheim Palace (google it!) enjoying a glass of wine, listening to an orchestra and speaking to some serious industry leaders in the BPO world. Other notable activities include consulting calls and strategy sessions with both buyers and service providers, Blueprint project briefings, Soundbite, PoV and Blueprint production, travel, events and more travel. Needless to say not many two days are the same, or, end at 17:30. This largely represents todays working environment. The ability to be flexible, work on the fly and multi-task have all become hygiene in the industry analyst world of today.
So back to these “legacy” analysts I mentioned earlier. The industry analyst community has garnered a checkered reputation in years gone by. The age of the pompous, overly and aggressively opinionated analysts are gone and in has come industry analyst 2.0. Who aim to work alongside industry, commentating on development and of course calling out bad practice, but ultimately assisting in educating the market and facilitating change as the industry moves towards the As-a-Service Economy.
So with this in mind, what does it mean to be an industry analyst in 2016?
At the end of the day it is content. Relevant, timely, accurate, consumable and thought provoking content. As analysts, we need to keep a continual eye on the pulse of the industry, all the while dodging the marcomm puffery from suppliers and getting to the overarching themes in the market. In addition, working with enterprise service buyers in formulating sourcing decisions in one’s field of analysis is key. The watch word here is “analysis”, not simply research. Research gets you to the door but real insight and analysis gets you invited to the party. Therefore, the most successful analysts in today’s world don’t only sit in an office working on single research projects but rather analyze, educate, track and engage the market with the goal been the betterment of industry.
My husband and I have three children, including twins with autism. Over the past few years we have become accustomed to thinking outside of the box and trying different approaches as parents. We’ve learned the importance of good planning to meet a desired outcome (often the hard way!). We have also had to unlearn many parenting techniques employed with our eldest child to best support the twins. Service providers have undergone a similar transition, as they battle with how best to support the high growth area of SaaS services compared with the requirements of the on premise world of yesteryear.
I’ve been an analyst for 20 years, a period dominated by legacy systems, on premise applications and a very strict view of the IT services Value Chain of Plan, Implement and Manage. Service providers and analysts alike list relevant services that should appear in each of these boxes to facilitate product development for service providers and market tracking for analysts. Since I started out as an analyst, I’ve tracked all sorts of services markets, from network professional services, to security services to application services. Jumping from topic to topic was never a major problem, as I applied the same basic principles of the IT service Value Chain to every area I covered. It was simply a case of coming up to speed on the new technology, understanding buyer needs, and identifying which service providers could throw a practice together to make money out of a growing hot trend. The Value Chain itself hardly altered. Sure, the specifics had to be tweaked but generally speaking service providers, analysts and buyers all knew exactly what you would get in each individual box:
Plan: this is the consulting phase of the engagement and includes a whole host of advice services for business strategy, deployment design, blueprinting, governance, security, regulatory compliance, and so on. It used to be a lengthy engagement, typically at least one year, as service provider and buyer teams tried to tick off every possible eventuality in the upcoming scary deployment phase.
Implement: this includes implementation, integration, testing, training, any customizations and so on. If the roadmap set out in the consulting phase was airtight, the implementation phase was as easy as pie. Of course this seldom happened, and tweaks were made as the project evolved. Typically this was a technical and tactical project with the focus on execution excellence in a cost effective way.
Manage: ah yes, the management phase. That thing that most enterprises don’t think they actually need or convinced that they can do it all in-house. But as all the markets I tracked evolved, management services inevitably became more important and in high demand. These were typically stale in nature, keeping the light on type of activities. I saw more proactive monitoring type of services in the network and security market, with some service providers independently making changes to improve network communication or security settings (shock, horror!) but I didn’t witness too much of this proactive engagement in the application services space.
I still use an IT services Value Chain at HfS for the three main SaaS Blueprint reports I have authored: Workday, Salesforce and SuccessFactors services. It is useful because it outlines the main services that should be included in each IT service area. Here is our Workday Services Value Chain:
Exhibit 1: Workday Services Value Chain
Source: HfS Research June 2016
The silos still serve a purpose, if mainly an informative one – and frankly, this diagram wouldn’t look half as good without the pretty columns. But this illustrates the ‘what’ rather than the ‘how’ – and it’s the ‘how’ that is radically changing in the SaaS services market.
SaaS Services Requires a Different Approach
SaaS application adoption is changing IT service delivery requirements. The consulting phase remains an important first step because, as with most things in life, successful outcomes often rely on the best planning. But service providers can no longer just use the best brains and collaborative approach in the consulting phase – and then sweep them away to be replaced by technical teams that focus purely on specific module implementation. Moreover, consulting is no longer a drawn-out process. Buyers want fast deployments, with go-lives expected within a year. The implementation phase requires strong account management and project management teams who align all decisions to the desired business outcomes outlined in the planning stage. Management services increasingly look like consulting-as-a-service offerings, with users often purchasing a bundle of hours to use as they wish per month or year. Management services requests could be answered by remote assistance or they may require onsite work. As a result some service providers are investing in in-region delivery centers to be able to deploy consultants to client sites more easily.
In terms of skills and delivery the lines between the Value Chain phases are blurring. The best consultants have a deep understanding of organizational and technical issues that can arise in the deployment phase. Some service providers offer rotation programs for their consultants in implementation and management services as understanding both makes them more effective in their primary roles.
The Buyers Are The Eventual Winners
Buyers have finally had enough of being presented with a catalogue of services to select. They just want the solution to work and for the service provider to share best practice on running the relevant process. Enterprises are more mature about what they can demand from service providers, and they’re frankly not as easy to work with as they were 20 years ago. Several buyers I have spoken to in my Workday Services Blueprint, tell me that they insisted on interviewing the proposed delivery team during the service provider selection process. They want to meet the people they will be working with on a daily basis, as ultimately that relationship will determine the success of the project. Buyers are also demanding that service providers challenge them more. Something I hear regularly from buyers is: “I wish the service provider just said ‘No’ more”. SaaS is a relatively new adoption area and buyers rely on service providers to provide sound advice based on their experience. In addition, many of the HfS ideals of the As-a-Service economy are increasingly important to success, notably Collaborative Engagements, Design Thinking, Intelligent Automation, and of course helping clients to Write off Legacy.
Bottom Line: Unlearn or Fail
So can service providers unlearn their old engagement and delivery practices for on premise deployments and embrace the new IT services world of SaaS services? The leading service providers will, or indeed have been investing in this forecasted eventuality in recent years. To succeed they need to adopt new approaches, think outside of the box, and demonstrate real commitment to succeed (trust me, I know!).
Everyone is talking about how to get to the right strategy for omnichannel customer communications, yet no one really knows what it means. First of all, let’s just get it out there that omnichannel is one of those terms everyone loves to hate. It’s ubiquitous, it’s vague, and it’s a misnomer– “omni” is impossible and customers don’t think in terms of channels. That said, omnichannel is an aspirational goal pointing many service providers and enterprises in the right direction toward really getting customer experience right. So with that in mind, it has become my mission to dissect the subject, get past the hype, and figure out where the opportunities lie for the services industry.
The keys to creating an omnichannel experience are the following:
Non-creepy Individualization: “We know the name of your cat because we stalk your Facebook updates” (we’ve seen these creepy mistakes backfire bigtime). And please stop talking about customer “intimacy.” Customers don’t want you to be intimate with them, they just want to be acknowledged as individuals (especially those self-centered millennials), and for you to know their buying patterns and preferences. This is part of the Amazonization of the consumer experience that just isn’t going away anytime soon – and striking the right balance is essential.
Simplicity: Making it easy for the customer to do business with you is at the heart of customer satisfaction. More than anything, customers want want to be able to get information, interact, and buy products and services easily, without jumping through hoops. Our “one-click” ordering culture has raised the bar for the way we expect to get things done. Look at reservation systems for example—why should I have to call, sit on hold, and speak to a person when I could simply use an online scheduling system?
Consistency: Whether it’s about product pricing and discounting, visual design or cultural feel, it’s crucial to the omnichannel experience to have consistency across devices, physical experiences and interactions. Making a brand one that customers relate to and develop an affinity with goes a long way toward generating loyalty. Apple for example, has done this well with creating an in-store and online consistent experience as well as developed a culture that people want to be a part of.
Executing on these concepts is no easy task, involving many facets of the organization, and most companies are coming nowhere near these ideals. One of the biggest opportunities, and yet most troubling elements of this omnichannel notion is where contact center fits into the paradigm. The conversations consumers have with businesses are at the heart of creating a differentiated experience, but let’s face it, right now contact centers are not pivoting to be strategic differentiators. Most of us deal with this pain regularly in our personal lives. Just last week I called my bank with a simple question (which could have likely been answered via self-service), was transferred and repeated information 3 times before I even reached the right department. As much promise as there is for a utopian omnichannel world, most are struggling with the basics.
The Bottom-line: work on fixing broken customer service (keeping the goal of omnichannel in mind)
Contact center service providers are acutely aware of these opportunities and desperately trying to carve out an omnichannel story and capabilities. As we noted in our recent Contact Center Operations Blueprint, while many of the pilots and messages are spot on, client adoption is low and stories of omnichannel success are few and far between. Many buyers are just grappling with implementing digital channels, and a total redesign of customer experience is far too daunting. Service providers need to help their clients (with the goals of personalization, consistency and simplicity in mind), to start making some real changes in bite sized pieces to improve customer experience. Instead of trying to “delight and surprise” the customer at every turn, just taking some basic steps to make customers’ lives easier could go a long way. Omnichannel is the future of customer experience (or whatever the next buzzword that encapsulates a seamless customer journey may be), and one of the biggest steps toward that is a clear and focused contact center strategy.
This is my all new spot on Horses for Sources. The home of razor-sharp analysis and the place where hypes are crushed and real trends are born. Phil has set the bar incredibly high over the past decade. Inspired by the best analyst blogger around, my aim is to be as edgy as you are used to on Horses for Sources.
What you can expect on Berzerk with Derk I lead the energy, utilities and natural resources practice at HfS. I’m passionate about these industries and the huge shifts they need to make to stay relevant to this world. These are the largest and most fundamental industries in the world. The looming departure from fossil fuels mean the world’s energy systems, which have historically been slow to change, are in an unprecedented period of rapid transformation.
Renewable energy is the next normal – but the world has not woken up to this new reality yet This blog will help you stay abreast of all these fast-moving trends plus cut through all the hype that is out there. We’ll be covering the energy markets and the ongoing energy transition; away from fossil fuels and toward renewables. And specifically zoom in on the transformation of energy companies and service providers. The As-a-Service Economy has arrived in the services world and holds the potential to play a critical role in the energy transition.
The holy triangle of services; People, Process and Technology In my focus areas, besides aforementioned Energy, these are Supply Chain Management and Procurement, we see a fast convergence of people, process and technology, forever changing market demand and the offerings of service providers. Talent is a major topic for enterprises and service providers; there is a deficit of skills needed in the As-a-Service Economy. We need more people who can be strategic, experiment, play with business and revenue models, design new organizational structures and cultures, implement and pivot rapidly. People who have a keen eye for societal, political and technological developments and its ensuing opportunities and threats. There is an enormous opportunity for technology and business service providers to become part of the solution. This requires investment from both sides, real partnerships and the application of leading-edge technologies: intelligent automation, IoT ecosystems, actionable data and analytics are essential ingredients of digital transformations designed to push energy providers forward on the energy transition journey.
Change = new stuff = hype The common theme in much of our work at HfS is change. The old, legacy way of doing things is not cutting it anymore. Labor arbitrage, lift and shift and the traditional models of outsourcing are well past their prime and the services industry is transitioning into this new phase of As-a-Service. Before new things come to fruition, there is often a lot of hype and fluff surrounding them, clouding the view of what is real and what is not (yet). This is where HfS analysts come in… This blog won’t shy away to expose bs, calling out cookie cutter hype and identifying what is real.
All nice and well Mr Erbé, but why should I care? My goal is to tell you something you may not know with every post. I have been in the trenches of technology implementations, business transformations and operating model changes. I’ve managed the backlash of failed implementations on the business, designed business and IT functions. So in a lot of situations where theoretic solutions and vendor promises have broken down and the real issues still need to be fixed.
On this blog I will address the real-world issues screaming for real change, exploring what works, what doesn’t work and what needs to be done.
I will be:
– Harsh (sometimes)
– Real (always)
– Candid (the key to being an analyst isn’t it)
Are you of the curious variety, care about the world around you and the vast opportunities there are for business and you as a professional? I will introduce you to the most intelligent, innovative and forward looking folks in energy, supply chain and procurement. And help you navigate the real-hype divide, which solutions are aspirational and which solutions can bring scale, results and impact now.
When I entered the industry in 2008, working for a boutique research firm in Pune, India, the research themes floating around were about “what’s next for BPO, because this recession changes everything.”
We studied the knowledge process outsourcing (KPO) segment (“KPO” sounds so dated now!), which included service areas such as legal services, marketing, publishing and digital media management, e-learning, engineering services and market research and analytics. KPO services were perceived and categorized by the market to be different because they involve a) specialized skillsets, b) judgement based work with complex sub-processes, c) greater degree of partnership between client and service provider beyond process compliance and d) required a greater degree of specialization from the service provider in a horizontal/vertical, making them “higher value services” that came along with premium billing rates.
This definitional distinction that our research revealed between KPO services and “vanilla” BPO is worth unpacking today. Our conversations now are about enterprises operating in an As-a-Service Economy, heading towards Intelligent Operations. We’re actually seeing these traditional KPO markers becoming a core part of BPO and BPaaS service delivery.
Our Blueprint scoring methodology, based on HfS’ 8 ideals of As-a-Service has Collaborative Engagement as a key parameter for success, and we see promising examples of how a partnership-driven approach has helped set up engagements for success by focusing on business context and outcomes.
As for judgment based work and higher value services, this is very much the future of the industry for three reasons:
The robot will be taken out of the human. We will reach a point in the not-too-distant future where we can leverage talent to do meaningful, value-adding work, essentially taking the rules-driven robot out of the FTE. This is already happening in pockets as the services industry makes progress on embedding intelligent automation technologies, including robotic process automation, autonomics and cognitive platforms.
Industry domain knowledge is critical. Every service provider worth its salt lives in a “verticalized” client market, and our research in core operations outsourcing often reveals how buyers hang on to providers because their delivery staff has deep domain knowledge, “know more about our industry than we do” and have the certifications for their talent to prove it.
End to end service platform-based delivery demands deeper skillsets. Thirdly, service providers today (at least the preferred/strategic partners) manage a lot more parts of the services value chain than just backoffice transaction processing/call center operations. With more platform-based delivery of services that have straight-through processing and analytical insights baked-in, buyers are incentivized to carve out more end-to-end service delivery that includes both complex sub-processes and volume-driven processing.
The speed of change in today’s global environment can’t be captured any better than news coming this week of UK’s tentative departure from the EU, and speculations are flying wildly about the implications of this U.S. election year. And so here we are, as an industry, once again, wondering, what happens next, because emerging digital business models and the global environment is changing everything.
The Bottom-line: KPO really became “As-a-Service” – Smart talent and technology delivering value via the on-demand delivery model
HfS defines a future state for the services industry where As-a-Service is native to enterprise operations instead of a set of processes and technologies being retro-fitted in painful increments. Investments are made in outcome-centric services first, followed by talent acquisition to broker these capabilities and align them to the revenue-generating, customer-first activities of the business. In the next few years, as more outsourcing engagements o down this road…leverage actionable and accessible data, common standards, automation, digital tools and apps, powered by cloud delivery, priced As-a-Service, we will need a lot more judgement, and reimagination to navigate through it all. The KPO terminology might not make a resurgence, but its distinction will continue to blur as service providers morph the business they want to be in and the value they deliver to foster genuine, long term partnerships with their clients.
Procurement’s very existence is in trouble. The function must be part of the whole negotiation process, not only to protect the company from making deals that do not benefit the firm but also ensure they are sensible, cordial and well-balanced – and both supplier and buyer realize the outcomes they both want to achieve. Sadly, this is so not the case with so many pivotal business deals today.
The fact of the matter is, for some bizarre reason, most senior executives just don’t care about them, and they seem to show up when the deal is already made and “promises” have been made that are hard to break. All that transpires is both the senior executives from the supplier and the buyer end up frustrated – and feelings of mistrust can really break down what was a blossoming partnership with a very “transactional” experience.
The problem really is two-fold – executives doing the buying probably don’t even think about involving procurement, as they see no value in their contribution – or have no awareness of any potential value. They probably never even thought about involving them. In many cases, they never even intended to include them and procurement only inserted itself when they were asked to make the payment. Which means procurement’s role has been reduced merely to a last minute attempt to sabotage a deal; otherwise, its existence in the company is rendered completely useless, and you might as well phase it out (or replace with some software).
Who’s to blame when procurement comes along to mess everything up? Yourself!
To all executives out there who like to spend company money on things:
Ignoring procurement in the buying process nearly always ends in tears for everyone. I often feel the amount of time, negative energy and lost money tied to the procurement experience is simply not worth the investment of having them in the first place. So stop acting like they don’t exist and start communicating.
This means getting procurement into the loop regarding your intentions, once you know what it is you want to invest company money in. Train your sales people that procurement exists for a reason and that they are not the boogie man from the outset. The reason it often goes wrong at the end of a sales cycle is that procurement people feel they are not participating in the process and need to make last minute changes to the contract (which is usual to try and squeeze the supplier on price, which just pisses everyone off).
When procurement people are feeling ignored, all they will try and do is derail the buying process, as opposed to helping shepherd it through and add some value (or at least a few sensible suggestions) along the way. Procurement needs to feel it has a reason to exist, like any other business function. With HR, we often know it adds no “strategic” value in the hiring process, but at least it will run the background checks, the references, sort out the payroll, etc. At least HR has a role in the company, whereas procurement is in danger of extinction if its contribution is worthless. So while procurement still exists, you must involve it, or it will make everything unravel down the road.
To Procurement Executives:
Be a business relationship manager, not a transactional negotiator. Get off your backsides and serve the people who pay for your salary. Yes, we are a team, but sending these emails such as “No more discount or we need a minimum of 20% margin”, or “We only accept 90 days payment”, do not help at all. You’ve made it clear in the time your profession exists that you are not business people and care nothing for “customer service” or “employee experience”. The fact you feel you are the police of the people that call themselves “sales” is a fairy tale. You should get up and try to understand what your firm is doing, the clients you are serving and the history that exists between your company and your customers. Only looking at making a personal gain is not a solution for anyone but yourself. If you like to have war stories, join the army. Don’t pull this nonsense on the work floor.
Bottom line: Communicating with each other is the first step to getting business done
We all need to live with certain professions within a process. Some we like, some we just have to tolerate. But we can make it nice along the way to work more closely together and stop pretending we do not exist or need each other. If you listen, you will learn, if you keep doing what you always do, you keep getting what you always had. We have enough islands in this world, let us not fight internal battles all the time, but let us communicate and not harm the clients and eventually our business.
It’s easy to make a compelling case that ‘digital’ will ultimately replace what was once ‘IT’ at some point in the future as the former rapidly evolves and the latter become more and more associated with legacy technology and practices. hedging bets on what will happen and when however is a different matter entirely and hugely variable from business to business.
A historical analogy I’ve used frequently is the period when steam power slowly gave way to electrification. Steam enabled the industrial revolution and generations of power creation and transfer expertise. Simplifying, early manufacturing typically had one giant steam engine driving multiple leather belts to various ‘creating’ contraptions.
Along came electrification and boilermakers and belt tensioning experts started to work alongside electric motors and light, but the period when these two power sources co existed was surprisingly long as companies sunsetted their amortization of steam power and invested in electrical.
It wasn’t until the 1930’s that ‘as a service’ from the plug socket and light switch regulated electrical grids were established in north America. Prior to that electrification was very parochial and needs driven for the creation of electric light and to power specific factories.
Just as early use of digital media for marketing is analogous to the creation of neon signs and electric light arrays in cities as soon as their generation was possible, today the focus on ‘digital’ has been skewed towards marketing though social networks and ‘customer conversations’. Electric light displays in places like Times Square NYC were the wonder of the world only 100 years ago, initially hand switched on and off in sequence by staff.
All fascinating history, what has this got to do with our digital ‘as a service’ world? The period when steam power slowly moved to the less visible role of creation of distributed electrical power is analogous to the way enterprise computing has evolved. Cloud and mobile networks have transformed our world on an individual basis but as we all know there’s an awful lot of mainframes and cobol out there.
As HfS’s Phil Fersht recently wrote
When you consider only $15 Billion is being spent on public cloud services (IaaS) this year and $ 1 trillion being spent on services tied to traditional services delivery, there is a huge amount of “legacy” IT and BPO business in play – for another decade and beyond – to enable the enterprise digital experience.
It’s amazing to think that less than 100 years ago people would go by horse drawn carriage to see people turning arrays of lights on and off in Times Square on a Saturday night as ‘advertainment’. The pace of change has sped up enormously just within this century alone: as an example AWS delivered the first storage service (Amazon S3) in the spring of 2006 and compute (Amazon EC2) in the fall of that year.
For the services world the twin speed world we live in of legacy IT and digital evolution has some similarities to the past era of boiler makers and electricians – today most of the work is in keeping the steam boilers ever more efficient in the enterprise world, but everyone knows the increasingly automated grid is evolving fast. Making the decisions of what to focus on with staff and technology – what skill sets are needed and how and where to apply them – is doubly difficult when for decades most of your waking hours have been focused on ‘busy work’ to keep IT systems running. Quote to cash isn’t going to go away but it is certain to evolve and be ever more connected to other parts of the digital continuum most companies now have in focus strategically and aspire to.
Where steam power was rigid, brittle and inflexible despite enormous power generation, eventually ‘ always on’ electrical power provided plug and play secondary, tertiary and on usages (light, power, heat, production lines etc). This is the analogy the services sector are increasingly aware of and where ‘core digital’ is arguably emerging to supersede ‘IT’.
These are absolutely fascinating times, not least because this new world allows an astounding pace of innovation and appetite for the new. Steam power didn’t go away of course – as late as the 1960’s steam locomotives were the way people travelled by rail, and the electricity I am consuming to type this post may well have some steam generated electrons commingled. As the transition and automation of older services yield to newer digital needshere at HfS we will be commenting and informing on where the power and growth centers of the ‘as a service’ world opportunities are.
