Monthly Archives: January 2016

Data Breach Response Planning Part I
Today’s guest post is from Torey Guingrich, a Project Manager at Source One Management Services, LLC who specializes in helping global companies drive greater value from their IT and Telecommunications investments.

It seems as if no industry or company can escape the potential of a data breach. Over the past few years, we have seen large retailers, health insurance companies, financial services firms, and the U.S. federal government deal with reporting and responding to large-scale data breaches. The first reaction to the threat of a breach is to bolster prevention. While there are clear ways that companies can mitigate the risk of a breach, there will always be someone looking to exploit weaknesses in security systems and protocol. While preventing a breach would be ideal, prevention should work hand-in-hand with preparation for a breach, including having the necessary partners identified or in place to respond to, cease, and mitigate damage. Procurement plays a key role in preparation by working with IT and various stakeholders to determine which types of services are needed for a data breach, as well as supporting the selection and management of the specific suppliers.

There are a few key supplier partners that Procurement should look to establish relationships with in preparation for, or in the event of, a breach:

  • Forensic IT
    While your IT department is very familiar with the systems in place and is able to manage them, they may not have the expertise needed to identify the source of a breach. Forensic IT firms can help identify the source and extent of a breach so that your IT team can focus on securing against the breach and ensuring operations can return to working condition. Procurement should work with IT to evaluate potential suppliers for forensic services based on the organization’s architecture, network, and potential entry points and vulnerabilities. Procurement can look to leverage sourcing activities or existing relationships for IT managed services to identify potential suppliers for forensic IT services.
  • Outside Counsel
    Unless your internal legal team is well versed and qualified to respond to a breach, you will likely need to bring in additional resources with specific expertise to direct your company on compliance and regulatory implications. When evaluating potential legal firms, Procurement should look for those who have expertise in notification requirements in all fifty states of the U.S. as well as in other countries, as appropriate for the company’s operations, and in your company’s specific vertical (e.g. healthcare, banking, insurance). Because these requirements are evolving, be sure to identify firms that are keeping pace with the most recent rulings and regulations.
  • Credit Monitoring/Identity Theft Repair
    With the increase of cyber threats and attacks over the past few years, firms that used to be seen primarily as credit monitoring tools are leveraging their experience and insight to offer response services that include customer notifications and call centre support, along with credit monitoring and identity theft repair services for affected customers. Procurement should ensure the chosen supplier is able to meet the expertise and capacity needs of the organization and can offer value-add services to bolster your response plan. Some suppliers offer services such as data breach simulations that can help identify holes or potential gaps in the designed response plan.

Procurement will need to consider the best-fit way to contract these services in order to utilize them efficiently. These services can be contracted in advance of a breach; this approach guarantees capacity and provides a faster response, but comes with both a monthly or annual retainer and variable costs that correspond with the breach.

You can also look to purchase these services when a breach occurs; this would eliminate the retainer portion of costs, but would not guarantee capacity, may put you in a less favourable position in terms of negotiating variable rates, and will have a longer lead time. If you choose not to retain services, it would be prudent to establish beforehand a short-list of potential suppliers to approach for the necessary services when a breach occurs.

Another option to obtain these services is through a data breach insurance plan; this is certainly an option for many organizations, but do consider your company’s ability to fully develop a response plan, its ability to control the response, and the reputation risk when working within the confines of an insurance policy. Deciding which services are used, and how they are purchased, will likely depend on your organization’s appetite for risk and the budget that can be allocated to these services. Procurement will need to weigh the different purchasing methods against the risks associated with a data breach to determine the appropriate approach for securing these services for the organization.

Whatever supplier partners you decide to work with (whether proactively or reactively), Procurement should identify what they will need to begin working on your behalf and mobilize as quickly as possible. The development of your data breach response plan should also identify the types of data at risk (i.e. beyond customer data) and how a breach of that data will affect your business. This practice will allow you to identify business areas that may need to be involved in the creation and execution of the response plan in order to properly prompt internal action as you engage suppliers.

Now that you have your response partnerships (and plans) in place, in our next post we will discuss the next key to a successful data breach response.

Thanks, Torey.

How Do You Value Cloud Services?

The clouds are here to stay. Whether they are dark nimbostratus storm clouds filled with hail or fluffy white cumulus clouds that dot the clear blue skies, they’re here. (That’s why the doctor recently co-authored a series over on Spend Matters Plus with the prophet on Supply Chains in the cloud.) Regardless of the doctor’s opinion on whether your supply chain should be in the cloud, the clouds are sweeping supply chains up and the situation has to be addressed. (Thus, one has to do one’s best to ensure that one’s supply chain is in the way of the right cloud.)

And while you should be well aware by now of how to cost a cloud-based platform, and compare it to a hosted ASP solution and an on-premise solution (as the referenced series and a number of posts here on SI have addressed this issue in detail in the past and even provided you with spreadsheet templates), you might not be aware of how to value a cloud-based solution.

When it comes to the cloud, valuation is a very difficult concept. There’s the hardware infrastructure and the reliability that comes from multiple locations that can store your data and run your applications. There’s the cloud-OS layer that handles real-time on-site and off-site data replication and back-up, automatic start-up of new processes and machines when a process or machine fails or becomes unavailable, automatic allocation of more processors and memory and storage when usage spikes, and so on. There’s the application layer that not only enables your processes but that is accessible anywhere with a data signal on any device your people happen to be carrying, that supports real-time data sharing and collaboration with your supply chain partners, and that supports innovative new capabilities not possible in on-premise apps.

There is a lot of value in each of these layers. Access to more hardware than you need, or can even afford, is valuable. Real-time off-site backup and failover is valuable too – compared to having to manually bring up an off-site location. And a better application with more capability and innovation is valuable too, but just how valuable?

In the traditional hardware world, the cost of filling a data centre is the cost of hardware plus the cost of a network engineer setting it up. Hardware is the cost of production plus a fair margin – there are enough essentially equivalent providers that costs are kept in check.

In the traditional software world, the cost of software is generally computed as the overhead cost of the company that produces it plus whatever margin the company can get away with, based upon the perceived value differential between its product and the competing products it sells against.

But the cloud is not set in the traditional world. In fact, real-time off-site backup and failover in a virtual OS layer didn’t even exist before the cloud. How much more valuable is having access to as many machines as are needed to power your application at full capacity at all times? While this power is known, failure — be it machine failure, power failure, or communication line failure — cannot be predicted, and sometimes the entire application infrastructure must be ported in real time to a different part of the cloud.

And how much more valuable is having software that is maintained and regularly updated by the provider as compared to having software that must be manually updated and kept up by in-house development staff? Especially when that software might be capable of offering more real-time collaboration, real-time product tracking, market intelligence, and analytics than an on-premise platform. This is a much harder question to answer.

But it is one that should be asked. Just because a cloud solution is the cheapest alternative, that doesn’t mean that you are getting the full value you could be from your money. There are multiple providers, and they won’t all charge the same. Plus, if the technology is relatively simple, if it’s implemented as a true multi-tenant cloud-based platform, and it doesn’t need to be updated very often to meet your needs, then the platform likely doesn’t cost the provider very much and may not have the value the provider claims if another provider offers essentially the same platform for three quarters of the cost.

There are no good answers here, but the questions should be asked and good answers should be expected before you commit to a solution, even if you are a non-profit that was donated a certain amount of cloud services — because you might not be getting what you think and may get hit with a big bill at the end of the year if your acceptance entails an agreement to pay for any usage above the donated amount of services.

Since there are no standards, providers are more or less free to “value” services any way they want, make extravagant claims as to support costs, and value a service at 5X its cost, or more. So be careful.

Economic Sustentation 05: Currency Conservation

As we have previously indicated, there is no salvation, at least not now. It’s only going to get hotter, and the best you can do for now is survive. But survival will be easier if you know what to do, or at least know what you might try, so, in this post, and the posts that follow in this series, we will present some of the options at your disposal, starting with currency (conservation).

So how can you protect against the currency fluctuations that can cause you significant economic damnation?

As indicated in our original damnation post, one preventative measure you can take is to determine the Purchasing Power Parity (PPP) of a currency to determine whether it is undervalued, and likely to rise, or overvalued, and likely to fall, and base your total cost of ownership models not on the current value against your base currency but the expected (average) value over the course of the contract.

But of course, this is not enough to predict every fluctuation in currency as some currencies rise and fall as the result of significant investment being pushed into a country (because of low wages, energy costs, etc.), being pulled out (because of new, burdensome, tax laws, etc.), or political actions that cause boycotts of goods from a certain country, or even trade embargoes. The latter situations can cause currencies to rapidly rise or fall seemingly overnight. So what can you do?

First, whenever possible, try to buy in the standard, or preferred, currency of the organization, and, in particular, the currency that most of the customers are paying in. If the organization is being paid in US dollars, then it should, whenever possible, try to buy in US dollars. This even eliminates (potentially costly) exchange fees from the picture.

Second, if this is not possible, because demand exceeds supply and the supplier has more negotiating leverage, or because the customers are buying in a currency that is not the preferred currency of the organization going forward, try to negotiate discounts when the supplier’s currency strengthens against a major currency or gold. If the supplier suddenly has considerably more buying power from its dollar and its customers have considerably less, then it might be in the best interest of the supplier, especially if it is producing its goods from raw materials bought in a different market using a weaker currency, to pass on a bit of savings to customers that might otherwise have to default on a contract or risk bankruptcy. It won’t always be possible, but if your organization is a major customer whose absence would be felt financially by the supplier, it’s worth a try.

Third, if you have to deal with multiple currencies, keep investments in multiple currencies so that trades can be made at strategic times, allowing the profits from the currency trades to cover the increased costs of an unexpected rise in the currency required to pay a supplier. While the currency markets aren’t a zero-sum game, generally speaking, value lost in one market always appears in another. And while SI realizes that, in the eyes of an economist, this is a gross simplification, economics and trade work because, at any one time, there is a fixed amount of GDP in the world and a fixed value of a currency related to that GDP. Thus, at any point in time, value is conserved just like energy is conserved in our universe under thermodynamic laws.

There’s no silver bullet, but there’s enough lead that, if properly sprayed, will get the job done.

Four Hundred and Forty Five Years Ago Today

The Royal Exchange opened in London, and while only the exchange of goods took place until the 17th century, it has a long and rich history as the fifth oldest exchange in the world (preceded only by Antwerp Bourse, Lyons Bourse, Toulouse Bourse, and Hamburg Bourse). It was destroyed by fire twice (the first time in the great fire of 1666 and again in 1838) but still stands, in its third instantiation, today.

It serves as a reminder of just how long established trade has been taking place in the western world and how old Global Supply chains really are.

The Song Remains the Same – So Why Can’t We Sing It?

As the world’s second oldest accepted profession (or is it the third as maybe astronomy came first, as we have examples of astronomy dating back 17,300 years), Purchasing should be well understood by now.

Even the first Purchasing Manual, The Handling of Railroad Supplies — Their Purchase and Disposition, written way back in 1887 by Marshall M. Kirkman and printed by Chas. N. Trivess, has the basic definition of the requirements of a purchaser down flat:

The purchase of goods embodies many varied talents and experiences. The ability to buy advantageously, depends largely upon the knowledge of men possessed by the purchaser and his skill in taking advantage of this knowledge. His value will, moreover, be dependent upon the discretion allowed him, and his judgment in exercising it. The position also requires technical skill. The person filling it must be experienced, otherwise his acts will not command the confidence or respect of his associates. His wisdom and fairness must be such that if he selects material contrary to the requisition made upon him, the person thus over-ruled will tacitly acquiesce therein and abide by the demonstration of its wisdom afterwards. (Pages 38 and 39).

Even though today we might write this paragraph as:

The purchase of goods requires talent and experience. The ability to take advantage of supply market dynamics depends on having the appropriate knowledge and the skill to take advantage of that knowledge. The ability to deliver value depends on having the discretion, and authority, to do so. The position also requires technical skill and the ability to use the tools, old and new, provided to the purchaser. Moreover, the purchaser must be experienced and skillful, otherwise others will not respect her decisions. Her wisdom must be such that if she selects products or services other than the ones the organization, and its employees, are used to, the organization, and its employees, will understand that she made the best decision taking all of the information from all of the stakeholders, and suppliers, into account.

A few new words, but the same old wisdom. However, in addition to these few new words, now we have to deal with much more complicated words and a plethora of acronyms like:

  • ABC
  • ATP
  • B2C
  • CLM
  • DPO
  • EOL
  • FIFO
  • GRC
  • HIS
  • HTS
  • ITU
  • etc.

that will drive even the sanest of men mad as a hatter. In an effort to capitalize on a newly recognized opportunity, the consultancies have invented a new language to make the simple complex, and the practical improbable, and the vendors have followed suit. The only thing new since the introduction of the telephone is the platforms that exist to support you, powered by the internet and the latest advances in computing technology. So while most consultancies go on and on and on about EQ, you’ve always needed EQ, just like IQ, and the critical factor is TQ. Today’s purchaser requires much more than the ability to use a phone, keep a ledger, add some numbers, create a shipping schedule, and navigate trade law to succeed: advanced analytics and optimization; automated workflows and P2P automation; complex cost modelling and CAD/CAM skills. Not your traditional everyday purchasing situation that existed before the information age.

So learn the tech, and your job will be a lot easier. And keep reading SI which will, as it has always done, continue to alert you to the technology platforms and skills that you need.