Category Archives: Guest Author

Data Breach Response Planning Part II


Today’s guest post is from Torey Guingrich, a Project Manager at Source One Management Services, LLC who specializes in helping global companies drive greater value from their IT and Telecommunications investments.

In our last post, we indicated that no industry or company can escape the potential of a data breach, including yours. Given that large retailers, health insurance companies, financial services firms, and the U.S. federal government have had to deal with reporting and responding to large-scale data breaches in the last few years, it’s becoming more and more of a certainty that if your organization is of a significant size and has a fair amount of valuable (or secret) data, at some point it will be desirable enough for a third party to try and obtain it illegally through a hack or systems breach. And bolstering prevention alone might not be enough: any weakness at all in any system used by your organization, or a supplier, could be enough to let a black-hat in. Thus, the best preparation, and prevention, is often that which assumes a breach will occur and has plans, and relationships (as per our last post), to identify, patch, and deal with the breach as fast as possible. A quick response can be the difference between a breach that is only able to capture a few dozen credit card numbers at one point of sale and a breach that continues to infiltrate the system until thousands of credit card numbers across dozens of points of sale are compromised.

To ensure quick identification of, and response to, a data breach, the key, along with choosing partners to work with for a breach, is to have the internal processes and systems in place to respond accordingly. As part of preparation, companies are beginning to define data breach response teams to develop response plans and define clear roles for the key departments that would need to spring into action. Typical roles/areas that companies would need to include are:

  • IT
    Companies look to their IT departments to immediately identify and rectify the point of entry for any breach. IT will need to work with forensic IT partners to get as much information as possible in terms of scope and scale of the breach, as well as ensure systems are up and running to keep regular operations functional.
  • Communications
    The Communications team needs to take a lead role in responding to a breach and developing key materials (e.g., call centre scripts, press releases) within a data breach response plan. Appoint a role or individual as the spokesperson for the company and ensure that all employees, and even BOD members, know to reference back to this person when contacted regarding a breach.
  • Operations
    The call centres are one of the first areas that are overloaded when a breach occurs. Work with Communications to prepare scripts and materials to provide to the call centre (both in-house and outsourced) to ensure a consistent message and avoid unwanted confusion. Your Operations team also needs to ensure that internal operations are adjusted as necessary and continue to run given that a breach has occurred.
  • Legal
    Your Legal department (and likely outside counsel) will need to look at the compliance and regulatory implications of a breach. Depending on what industry your company is in, data breaches can carry hefty fines. To report a breach accurately, key individuals will need to work with IT to understand scope and scale and report to the necessary governing bodies. As this landscape evolves, ensure that the Legal department is aware of any new regulation that your industry may become subject to, e.g., proposed cybersecurity regulations for banks and insurers. The Legal team will likely need to engage with law enforcement, either local or federal, and manage the company’s duties along with direction received from law enforcement.
  • Suppliers
    A supplier may in fact be the point of entry for a breach in your system, as has been the case with many of the breaches in recent years. It is important to understand that your customers will still be looking to your company to respond and correct that breach. Because you will need to work with your suppliers to correct and adjust operations as necessary, Procurement should consider including language in contracts or RFXs that obligates suppliers to comply with your response plan in the event of a breach.
  • CEO/C-Suite
    Within each of these groups, it is vital to have individuals within the response team that can make decisions. Typical delegation and “chain of command” decision making will only delay the process and response that your company is able to provide. Executives and team members also need to understand that they may need to make decisions with incomplete information; this can be difficult for organizations who are accustomed to making decisions only when all variables are identified. Due to the scrutiny and reputational risk at stake, it should be made clear to customers that decisions are being made given the information available at the time.
  • Procurement
    Procurement will need to support supplier selection, contracting, engagement, and performance management of all necessary outsourced response services. Procurement will be managing different priorities and requirements from various stakeholders involved in a breach, i.e. all of the departments above, and will be expected to act as a cornerstone in ensuring that different requirements are met and balanced when and where they need to be.

As indicated at the start of this post, in today’s atmosphere, the possibility of a breach cannot be ignored and relying too heavily on breach prevention without a focus on response preparation can be a costly mistake. To avoid this, make sure your organization has a validated response plan and key materials primed in advance of a breach to be able to promptly respond to customers and return to normal operations as quickly as possible. Given the department’s experience in supporting process improvement and collaboration, Procurement is in a unique position to champion a proactive approach to response planning by bringing together stakeholders and identifying strategic partners that can enable the entire organization to respond to the dreaded data breach.

Thanks, Torey.

The Island of IT, Part II


Today’s guest post is from Torey Guingrich, a Project Manager at Source One Management Services, LLC who focuses on helping global companies drive greater value from their indirect expenditures, such as IT and Telecommunications investments.

In our last post we noted that even some of the most mature Strategic Sourcing departments tend to struggle with IT because IT spend is off limits or out of reach for traditional sourcing and procurement efforts. We then examined the three most common excuses, or hurdles, and provided some guidance on how to overcome them. Once you convince IT to give Procurement a chance, the next step is to …

DELIVER THE VALUE

Once you have overcome these hurdles with IT stakeholders, it is critical to follow through with the value that Procurement has promised in the sourcing and contracting process. Looking at a need identified by IT through a sourcing lens will likely lead to better defined requirements and a better relationship between the IT department and the supplier with whom they ultimately work.

  • Sourcing: Competitive bids and the RFx process can, and should, be used for IT and telecommunications initiatives. Because IT departments tend to partner more closely with their supply base as compared to other indirect categories, it can be easy to accept a proposal or pricing from a supplier who knows the company’s systems and basic requirements quite well. While this may be a faster route, Procurement needs to help IT ensure that the supplier’s proposal is the best fit for the organization’s needs and is competitive in the market. Work with IT to develop an RFP that allows suppliers who may not be as intimately connected with the department to propose innovative solutions and competitive pricing.
  • Scope and Deliverables: Once Procurement and IT have worked together to award an initiative to a supplier, Procurement’s value will be further demonstrated while going through the contracting process. Press your IT stakeholders to clearly define their expectations, the scope of the project, and the deliverables that the supplier will provide. Many business owners tend to think in “end state” deliverables, but be sure to inquire whether there are processes or defined stages that the supplier is expected to go through to get that end state, e.g., system, integration, and/or user acceptance testing. While there may be assumed expectations, work with IT to ensure those assumptions and expectations are defined.
  • Timelines and Acceptance: While working with IT to define the agreement deliverables, tie in timelines and dates for the company’s acceptance of mid-stream deliverables. Ensure there are key checkpoints prior to the final acceptance testing window to minimize rework or changes that need to be made. Also, be sure to use a critical eye when defining acceptance procedure and timing; often suppliers will insert language that assumes acceptance if no formal communication is received by a certain number of days. While this is intended to keep projects moving forward, you can change this language to require an affirmative acceptance by the company or at the very least, ensure the timing for default acceptance is ample enough to allow for any internal reviews that may take place.

While IT systems, products, and services may not be second nature, treat your business owners in a way that lets them know you are there to help ensure their requirements are met and their budget is maximized. IT — more than any other area — seems to consistently have budget on the chopping block, have projects pushed out year after year, and be asked to do “more with less”; by becoming a solid partner and delivering value to this group, you can not only help them make better buying decisions, but actually achieve their departmental goals.


Thanks, Torey.

The Island of IT, Part I


Today’s guest post is from Torey Guingrich, a Project Manager at Source One Management Services, LLC who focuses on helping global companies drive greater value from their indirect expenditures, such as IT and Telecommunications investments.

Even some of the most mature Strategic Sourcing departments tend to struggle with IT. IT spend is off limits or out of reach for traditional sourcing and procurement efforts. Let’s look at a few excuses that tend to pop up over why IT can, and needs to, act independently, how to bridge that gap, and what value can ultimately be delivered by Procurement.

HURDLE #1: IT IS TOO COMPLEX

Often Procurement professionals can feel intimidated by the technical aspects of IT initiatives, which results in IT departments tending to make decisions in a silo. Consider other “highly complex” categories that sourcing takes on (e.g., chemicals, raw materials, assemblies). While these may seem complex to those who have not worked with them in the past, with experience, training, and research these categories fit very well into the core competency of Procurement departments.

Overcome the “complexity” hurdle: It is vital to partner with stakeholders for sourcing and spend management within all categories. Devoting time and energy to gain a basic understanding of the IT software and services being purchased comes with the territory of working in Procurement. Begin reviewing past contracts, SOWs, and the structure of IT-related initiatives to become familiar with different components of these projects. By simply reviewing what has been done in the past, you can begin to see the patterns in the way these services are provisioned and priced. Also, utilize the knowledge of IT counterparts; more than likely they will be very open to explaining the purpose and goals of the services needed and impart critical knowledge to help you get up to speed within the category.

HURDLE #2: IT SPEND IS ALWAYS SOW AND/OR LICENSE DRIVEN.

While this may seem the case more often than not, SOWs and licensing agreements can be improved when reviewed from a sourcing perspective and should still be under Procurement’s scope.

Overcome the “SOW and license” hurdle: First, for those projects that are truly unique, by defining deliverables and tracking the details of an SOW within spend management tools, Procurement and IT will gain real visibility into the spend figures within the organization. Secondly, there are plenty of components of IT that tend to be more standard or follow a relatively simple pricing structure (equipment, telecommunications, etc.). You can use these inherently simpler areas as a starting point for review of categories within IT. Look at an IT need and try to break down the components for a better understanding. For example, software contracts typically have the same components (license fee, maintenance, support, and fees for any customization/unique support) and these can be looked at as separate components to gain a full understanding of the software and services being provided.

HURDLE #3: IT CAN’T BE STANDARDIZED.

While IT services and products are less likely to be standard, there are portions of spend and pricing methodologies that can be standardized within an agreement. It is Procurement’s role to seek out these standard components and get past the sales-speak that suppliers may present to end users.

Overcome the “non-standard” hurdle: Similar to the “SOW and license” hurdle, it is important to seek out the portions of a project that are, or can be made, standard. Armed with the market intelligence and past contracting experience that Procurement brings to the table, suppliers are more likely to work on defining rates for specific roles, the number of trouble tickets/service calls included, license discount bands, and other components where Procurement can push for standardization. As we discussed above, you can work with IT suppliers to unravel the bundled components of spend to first understand the components and then determine what is actually standard. You will find that while a supplier may claim that an entire solution is custom, there are large portions of that solution that are very standard and should be treated as such.

Once Procurement has overcome the hurdles, the next step is to deliver the value. We’ll discuss this in Part II.


Thanks, Torey.

The Marketing Spend RFP – Everyone is debating over the death of it — I think it needs to be improved Part II


Today’s guest post is from Mat Langley, a Strategic Advisor and Procurement Executive with 14 years’ experience in leadership roles in strategic sourcing and category management in Europe, Africa and Asia across Finance, IT Outsourcing and Oil & Gas industries who is currently associated with Shortlist.co.

In this post I am suggesting three areas the tools we’re implementing need to change to give Marketing what they need and then I’d love to hear any more ideas/suggestions that you have.

The ideas below are based upon the fact that a significant percentage of marketers (greater than 50% according to a July study by Walker Sands2) believe that we’re not investing enough in the right amount or the right type of solutions for them.


[Figure: eMarketer.com Marketing Attitudes]

1. The tools we’re providing need to improve usability – day 1

A recent international survey of Procurement Executives by Ivalua shows that we are focused on transforming the toolsets we’re using today — 80% of us consider Digital Transformation an opportunity3. That’s fantastic – now our focus needs to continue finding tools that are simple for marketers to use — on day 1 — not year 1. Preferably they should have modern interfaces and be SaaS so Marketers don’t have to use one brain at home and another at work.

2. The tools we’re providing need to improve access to qualified agencies

With the significant increase in channels and the number of content components that need to be created – access to a broader set of qualified specialist agencies to meet campaign needs is required. We need to provide tools that let marketers find, engage and then partner with agencies big and small across the specialist spectrum regardless of whether they are across the street or across the globe. And no, I’m not recommending that long-term relationships or that strategic and broad partnerships aren’t important — I’m simply pointing out that Marketing needs an agile toolset to deliver against compelling (and evolving) challenges — and they need access to partners ‘on demand’. This needs to be done in a way that meets our obligations to protect the organization commercially while bringing in the best and brightest vendors.

3. The tools we’re providing need to improve the creation of Request for Partnerships (RFPs) – perhaps they could even be user friendly?

Everyone in the organization has too much work… We need to provide tools that allow Marketers to find and share best practice workflows, templates for briefs, easy access to current best practice questions and that have the maximum amount of automation built-in for comparisons, approval workflows, agreement signatures, and so on. And our tools need to integrate with other tools marketers are using to get the job done – whether that’s Dropbox for file storage, Slack for communication, Office365 for email and yes, even your ERP system! And most of all the tools we choose need to help engage agencies and build long-term partnerships – not drive them all into a single box as described by Kirk Cheyfitz in his piece on ‘6 New Reasons to Kill the RFP’4:

I think the fact that you put your RFP out only to agencies you really like is a demonstration that it wasn’t too closely allied to the mass, mindless cattle calls that I rail against. Then you actually seem to ask open-ended questions that invite the respondents to define or re-define the conversation. And that puts you completely outside classic RFP territory. Even I would respond to an RFP like that.

I believe that with a renewed or for many an on-going focus on the above 3 items we can align with Marketing and let them take control of their Request for Partnerships which will, hopefully with the right tools, lead to RFPs being done in days and weeks – not months and with less frustration and pain for all stakeholders involved: Marketing, Procurement and Agencies. This should lead to more of the Marketing spend being influenceable and competitive, thereby addressing both obligations of procurement to the marketing team and the broader organization.

Thanks, Mat.

2 Walker Sands State of Marketing Technology 2016 Understanding The New Martech Buyer Journey
3 Ivalua. (2015, 3 November). “International Survey Procurement Executives”, PROCUREMENT IN THE DIGITAL AGE: Measuring the impact of Digital on Procurement Departments.
4 Kirk Cheyfitz. (2015, April 02). 6 New Reasons to Kill the RFP: Find Innovators, Not Commodities.

The Marketing Spend RFP – Everyone is debating over the death of it — I think it needs to be improved Part I


Today’s guest post is from Mat Langley, a Strategic Advisor and Procurement Executive with 14 years’ experience in leadership roles in strategic sourcing and category management in Europe, Africa and Asia across Finance, IT Outsourcing and Oil & Gas industries who is currently associated with Shortlist.co.

I want to start with a bold statement — in Procurement, the most challenging group to work with is most often Marketing. Almost every other function in the organization easily identifies the value we aim to deliver. When it comes to who’s really leading the RFP, there shouldn’t be a ‘hot potato scenario’ — we guide, as Procurement experts, and collaborate in a mutual partnership. Marketing, by comparison, is still evolving their views on how to collaborate with Procurement. In a late 2014 study conducted by the ANA (Association of National Advertisers), nearly half of all Marketing and Procurement respondents stated that the relationship between them needed to be more collaborative. Nearly 50% of Marketing and Procurement professionals admit that they aren’t collaborating the way they need to in order to deliver maximum value to their brands.

Now, on the flip side, my experience with Marketing colleagues is that they are passionate, energetic and constantly focused on being creative. For Procurement (or Marketing) people reading — I’m guessing you’ve had more than a few debates and I’m sure that debate often centers on how Marketing feels like they’re wearing an RFP straitjacket designed, fitted and sewn by Procurement!

With agencies currently rebelling against RFPs and even some very high profile CMOs like Linda Boff from GE calling for the ‘death of RFPs’1 — organizations can quickly get themselves in a downward spiral, ‘hot potato scenario’. It’s a relatively simple problem at its root: when Marketers don’t fully collaborate and provide the necessary support at the beginning of the RFP process, someone has to jump in and grab the ball (find the agencies, write the brief and RFP questions, and run the process) — that often ends up being Procurement — which doesn’t always lead to the best results for anyone involved: Marketing, Procurement, Agencies … everyone.

Hot Potato Was Fun as Kids — Not Today

To be clear, no one is at fault here. Marketing hates RFPs because they feel they are old and outdated; in stepping in to assist Marketing with their agency selection, Procurement ends up writing more of the RFP than they should, often using out of date questions; then it gets sent to more Agencies (just in case) because Marketing doesn’t have a short list or have time to find a strong and competitive agency panel; and finally, Agencies are overloaded responding to bloated RFPs and remember above – they’re also hoping that RFPs die. In the end, we’ve all played our part in proving exactly why RFPs are so terrible and ‘out of date’ – and the easy answer is just to kill them — and the tremendous value they can provide to everyone involved.

Now is not the time to kill the RFP (nor is that what we are suggesting) — it’s time to enhance our focus on improving communication, collaboration and building great internal and external partnerships. The marketing industry is changing so rapidly, with new channels and divisions, new technology, broader yet flatter reach requiring even more agility and calls for more focus on driving value out of every dollar spent. It’s an exciting time but also daunting and we need to ask ourselves, if the CMO is struggling to keep pace with this change, how are we going to support and bring value?

Time for more focus on what’s working and less ‘tossing blame around’ — Time to give Marketing the tools they want

Ok, I know that there is no perfect world where Marketing loves Procurement, Agencies love Procurement and Procurement loves procurement workloads… But there are things we’re doing really successfully that we can build upon. In Part II, I’ll suggest three areas the tools we’re implementing need to change to give Marketing what they need.

Thanks, Mat.

1 Marketers: It’s Time to Say RIP to the Media RFP