
An Absolutely Fabulous Article by Cory Doctorow on the (Gen) AI Bubble …

and how it’s going to pop like every other tech bubble since the first dot com bust!

What Kind of Bubble is AI?
  by Cory Doctorow

Cory doesn’t say it, but he makes it pretty clear that when the bubble pops, like every tech bubble that has come before, there may not be much left to salvage when it does (especially since no one is thinking about what happens when it does pop).

So I’ll clarify:

A lot of people are going to lose a lot of money

(and while stupid investors hyping this bandwagon heading for a cliff probably deserve to lose every penny, all of the pensioners in the pension funds they scammed don’t; so if you run a pension fund, please pull out of ridiculously overvalued Gen AI NOW!)

A lot of people are going to lose their jobs

(and it’s going to be more devastating to the tech sector than the Silicon Valley Bank failure this year combined with the recession forecast that resulted in over 250K IT jobs being slashed in the USA alone)

A lot of hardware is going to suddenly go idle

and smaller cloud providers are going to go under when the big name cloud providers all of a sudden drop their prices to the floor just to keep the revenue coming in (resulting in the monopolies of Amazon, Google, and Microsoft controlling most of the servers outside of China and Russia)

The problem is, as Cory clearly lays out, when you take one step back and look at the ridiculous hype from a business/revenue lens, all of the big, exciting use cases for AI are either

a) low dollar [and low-stakes and fault-tolerant] (helping us cheat on our [home]work or generating stock-art for bottom feeders [who won’t pay an artist and don’t mind ripping off the IP from thousands of artists]) or

b) high-dollar but high-stakes and fault-intolerant (self driving cars, radiological cancer detection, worker screening and hiring, etc.)

and when you consider the data center costs of these super-sized models (as these data centers consume MORE energy than a small town), low-dollar AI applications won’t pay the bills and high-dollar AI applications cost MORE to deploy than to just do it the traditional way with an educated and capable human!

E.g. self-driving cars don’t work (and “Cruise” needs to employ 1.5 times as many supervisors as a taxi service would employ drivers to keep their cars, which still hit and critically injure people, relatively safe)

E.g. radiological cancer detection requires a human expert to spend the usual amount of time in diagnosis before consulting the AI, and then, if the AI doesn’t agree, spend that much time again

Not that we’re stopping you from jumping on the (Gen-)AI bandwagon or selling that silicon snake oil that Open AI and Microsoft AI are selling. We’re just not joining you on the (Gen-)AI bandwagon, as the steering algorithm is defective and it’s heading straight for a very high cliff at a very high speed …

Merry Christmas!

Good Questions to Ask If Procuring Tools With AI, Especially If You’ve Answered the First Question Wrong!

Continuing on with our statement that sometimes you have to listen to a lawyer, a recent article over on Bloomberg Law noted that Companies Should Ask These Risk Questions When Procuring AI Tools and gave us four questions in particular that were good:

Do I Understand the Data

The article gets it right when it says that AI tools are only as robust as the data they’re trained on, as well as the need to know what data is collected, how, and if all rights are respected when doing so. But what they didn’t get is that the data determines what models and techniques can be used, and what models won’t be that effective or reliable. A vendor sales rep will tell you that whatever technique it’s using is just right for your problem, but the reality is that the sales rep likely doesn’t have anywhere close to the mathematical knowledge to know if it’s appropriate or not, especially since that sales person may have barely passed remedial junior math (as not all US states require remedial senior math to graduate High School). Furthermore, there’s no guarantee that even the tech teams know if the model is appropriate or not. If the company just hired a bunch of developers with maybe a year of university math, gave them access to a bunch of libraries, and all they did was test out various machine learning models until one appeared to work to a sufficient degree of accuracy on the test suites they compiled, it doesn’t mean they understand the model, why it worked, or even the characteristics of the data set that allowed the model to work — it just means that they can say for data sets that look like this, it should work. (But what does “look like this” mean?) You need to understand the data, and find someone who understands which models it is appropriate for.

Have I considered Regulatory Scrutiny?

Not only do you have to take note that the Department of Justice, Federal Trade Commission, and other regulators are focused on whether technology companies and their tools create anti-competitive environments or put consumers at a disadvantage, but many jurisdictions are considering or implementing laws against the use of black-box technology where the output — which determines whether or not a person can get a loan, be insured, or even apply for a job or government program — and the logic behind the decisions, and the rules that were applied, cannot be explained. You could also be in trouble if the process is fully automated and there isn’t a human in the loop to validate the decision, if the system uses (third party) data that it has no right to use, or if the output data is not sufficiently protected when it was generated from input data that must be protected and the output can be reverse engineered.

Have I Mitigated Security Risks?

It’s not just traditional cyber attacks on the system; it’s well calculated queries that can slightly perturb the system over time until the outputs after the 10th, 100th, or 1000th slight, imperceptible, perturbation result in an output the system never should have given in the first place, such as approving a ten million dollar loan to a high-risk foreigner who will take the money and run, or denying insurance to all people with a genetic defect likely to result in a specific condition down the road that can only be treated by a single drug owned by a single pharmaceutical company that will drive people into bankruptcy for a pill that costs $5 to make.

Did I include Best Practices in the Contract?

More specifically, did you include the best practices you want followed in the contract? Don’t leave best practices up to the vendor to define however they want to define them. Make sure you cover all necessary security measures, compliance with all government and regulatory guidelines on AI in the regions you intend to use it (and open standards if there are none, guidelines from the UN, the Responsible AI Institute, or something similar), and so on.

And these are great questions, but the first question you should always ask is:

Do I Really Need AI?

And only when you choose the wrong answer, and say yes, do you need to ask the questions above. The reality is that you don’t ever need AI. AI means that you, or the vendor, were just unwilling to take the time to understand the problem and design an appropriate solution. Remember that when you try to jump on the AI bandwagon heading off the cliff (for the sixth decade in a row).

Source-to-Pay+ Part 9: Cyber

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. In Part 3 we moved onto an overview of Corporate Risk, in Part 4 we took on Third Party Risk (in Part 4A and Part 4B), in Part 5 we laid the foundation for Supply Chain Risk (Generic), in Part 6 we addressed the first major supply chain risk: in-transport, followed by the second major supply chain risk: lack of multi-tier visibility in Part 7. In our last article, Part 8, we discussed the baseline Analytics that should be part of all of the different risk systems we covered in Parts 3 through 7, as well as a control centre.

Today, in Part 9, we move onto Cyber Risks. In today’s hyperconnected SaaS world, nearly half of an organization’s data breaches originate in the cloud (see this recent article by Illumio on Cyber Magazine, for example). So cyber security is important, but not just for your organization — for your entire supply chain.

Note that we are not going to dive deep, there are plenty of security firms that will do that for you. We’re just going to highlight key points of risk that must be covered in your cyber security plan.

Internal Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

Risk: E-mail

Plenty of risks come in through e-mail. The biggest one you are likely aware of is fraudulent requests for payment from fraudsters posing as fake suppliers / service providers / consultants or new employees in a remote office asking you to approve an emergency payment. However, since fraudsters blast these far and wide (as it takes less work to create them), the most common fraudulent emails are usually phishing/ransom attempts where you have to click an email and enter your system login information to retain access to your email account (or another system you use). (Then they use those credentials you freely gave them to log in to your systems, lock you out of them, and demand payment to unlock your account.)

Your email system needs to do more than identify an external sender. It, or the security plug-in, needs

  1. to verify the originating domain of the email (since most fraudsters can’t mask the domain they send from),
  2. to identify the domain and location of the first intermediate server the message hits (since that can’t be masked unless they’ve hacked that) as well as whether it matches the locale of the domain the email purports to come from, and
  3. to identify the domain of each embedded link and the company it belongs to (as fraudsters are great at registering domains just ONE letter off an actual domain and cloning the contents of the real site; e.g. chaEse.com vs chase.com … one is your bank, the other will soon be scooped up by a fraudster who will skim account logins for a day during a “maintenance window”, then drain all the accounts dry (or at least to the transfer limits) the next day and wire the money to a foreign account in a jurisdiction with no extradition or banking treaties with the US, then empty the account the day after that, and then disappear never to be seen again …).

Risk: Hacking

Hackers will constantly be trying to penetrate your firewalls, the web servers and underlying operating systems of machines in the DMZ, the applications you are running, and the underlying security systems you use for monitoring and detection (but these are likely the most secure, especially if you are having them maintained and monitored by a professional, big name, IT security firm). You need to be monitoring for unusual activity, (D)DoS attacks, repeated login failures or access abandonments at particular ports or in particular application logs, and so on. You also need a few attractive honeypots that emulate the systems the hackers would want to access most; if you don’t understand this, or why, talk to your security guru.

Risk: Ransomware

Hackers want to access your systems for two reasons: to steal money and IP, or to lock you out of them (if they can’t access any IP worth stealing or you don’t use any finance systems capable of [authorizing] payments) so you will pay them to get back in. You need to be very careful to detect not only hacking attempts, but also the installation of new software that is unrecognized / not authorized by security. Otherwise you could be totally screwed and have no choice but to pay the ransom even if you do complete, incremental, daily backups across all systems, because smart hackers will install the ransomware, let it sit for a few weeks or so, and then activate it when you can’t roll back to a backup without losing weeks or months of data (as you’d have to roll back to just before the ransomware was installed, because the majority of backup systems would not be able to identify the actual file changes and there’s no way you could do a restore and not restore the ransomware once it was discreetly installed).

Risk: Infected Websites

Your users love to surf, surf, surf the web and go where the hidden links take them. You can’t expect they will all keep their browsers up to date, keep the underlying OS up to date, and, simply put, not be careless. You need to enforce security software on their machine, and check for it and that it is up to date, before that machine accesses your network, because if they visit the right infected website (from a fraudster’s point of view), it can be an instant hack and/or backdoor for the automatic installation of ransomware on their machine and/or your network.
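The three e-mail checks listed above (originating domain, first intermediate server, and the domains behind embedded links, including one-letter-off lookalikes) can be approximated with a short header-and-link triage. The following is an added example written for this page; it is not code from the article or from any mail security product. It assumes two constructed messages (the bank name is the one the article uses, all other hosts are documentation domains), an assumed list of trusted domains, a crude two-label approximation of the registrable domain (a real tool would use a public suffix list), and a Levenshtein threshold of two edits for “lookalike”.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims to be the
# bank, but the envelope sender and the first relay sit in another domain and
# the login link points at a one-letter-off lookalike of chase.com.
SUSPICIOUS_EMAIL = """\
Return-Path: <alerts@mail-notify.example>
Received: from mx2.corp.example (mx2.corp.example [203.0.113.5])
\tby inbound.corp.example with ESMTP; Mon, 18 Dec 2023 09:15:02 +0000
Received: from relay.mail-notify.example (relay.mail-notify.example [198.51.100.7])
\tby mx2.corp.example with ESMTP; Mon, 18 Dec 2023 09:15:00 +0000
From: Chase Security <security@chaese.com>
To: ap@corp.example
Subject: Action required: verify your account during maintenance window
Content-Type: text/plain; charset=utf-8

Please confirm your login at https://secure.chaese.com/login before 5pm.
Your statements remain available at https://www.chase.com/statements.
"""

# Constructed clean counterpart: every domain agrees with the sender.
CLEAN_EMAIL = """\
Return-Path: <statements@chase.com>
Received: from mx2.corp.example (mx2.corp.example [203.0.113.5])
\tby inbound.corp.example with ESMTP; Mon, 18 Dec 2023 10:00:02 +0000
Received: from mail.chase.com (mail.chase.com [192.0.2.10])
\tby mx2.corp.example with ESMTP; Mon, 18 Dec 2023 10:00:00 +0000
From: Chase <statements@chase.com>
To: ap@corp.example
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

View it at https://www.chase.com/statements.
"""

# Assumed trust list; a deployment would maintain its own brand/partner list.
TRUSTED_DOMAINS = ["chase.com", "corp.example"]


def edit_distance(a, b):
    """Levenshtein distance; one edit separates chaese.com from chase.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain approximation (assumption): last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(value):
    """Domain part of an address header such as From or Return-Path."""
    match = re.search(r"@([\w.-]+)", str(value or ""))
    return match.group(1).lower() if match else None


def first_hop(msg):
    """Host named in the earliest Received header (relays prepend, so it is last)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"from\s+([\w.-]+)", str(received[-1]))
    return match.group(1).lower() if match else None


def link_hosts(msg):
    """Hostnames of every http(s) link in the message body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    urls = re.findall(r"https?://[^\s\"'<>]+", text)
    return sorted({urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname})


def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means no header/link anomaly."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = header_domain(msg["From"])
    return_dom = header_domain(msg["Return-Path"])
    # Check 1: envelope sender domain vs. the visible From domain.
    if from_dom and return_dom and registrable(from_dom) != registrable(return_dom):
        findings.append(f"from/return-path mismatch: {from_dom} vs {return_dom}")
    # Check 2: first relay vs. the domain the mail purports to come from.
    hop = first_hop(msg)
    if hop and from_dom and registrable(hop) != registrable(from_dom):
        findings.append(f"first hop {hop} is outside sender domain {from_dom}")
    # Check 3: sender and link domains within two edits of a trusted domain.
    candidates = {registrable(h) for h in [from_dom, *link_hosts(msg)] if h}
    for domain in sorted(candidates):
        for known in trusted:
            distance = edit_distance(domain, known)
            if 0 < distance <= 2:
                findings.append(f"lookalike domain {domain} resembles {known} (edit distance {distance})")
                break
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyze(raw) or ["no findings"])
```

The suspicious message trips all three checks (envelope/From mismatch, a first hop outside the claimed sender domain, and a link domain one edit away from the bank’s), while the clean one yields nothing; in practice the Received-header check would also be paired with SPF/DKIM/DMARC results and the lookalike check with a homoglyph table, since the edit-distance heuristic alone cannot see visually identical Unicode substitutions.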

External Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

Risk: Compromised Supplier Site

If a supplier site or system is compromised, and you engage with that system in any way, then your system could be compromised. You need a system that monitors for supplier system/site/cloud risks as well as (known) supplier breaches.

Risk: Compromised Data

All of your systems run off of data. Compromised data is the easiest way to compromise a system. If an email gets intercepted and altered in transit by a man-in-the-middle and the hacker changes bank account information, you’re paying a fraudster and not the supplier. If the third party risk metrics are adjusted, your system can be tricked into diverting all business to a single, new, supplier which, while a legal entity, was set up by the founder to take your money and run. And so on.

Risk: Compromised Identities

Identity theft is on the rise, and it’s often the easiest way for a fraudster to get funds from a business. You need to track all known cases of identity theft associated with all individuals associated with all businesses associated with your business, as you will need to do extra verifications on requests from those individuals.

Risk: Web-Based Vulnerabilities

You need to be aware of where the biggest web-based vulnerabilities are in your suppliers and partners, make sure your suppliers and partners monitor and address those, and make sure you lock down your security to the max when you have to interact with their systems that are classified as high risk for vulnerability.

And more. There’s a lot of risk in cyberspace thanks to the fact that the information and financial worlds have merged, and your organization needs to be on top of it. Identify appropriate providers, or you will need very good luck to not fall victim to a significant cyber-based threat.

SaaS is everywhere. Are you SaaSy?

Back in our 39 Part Series to Help You Figure Out Where to Start with Source-to-Pay in part 13 we gave you some vendors to shop around to the rest of your organization if you thought you can’t touch the sacred cows of Legal, Marketing, and, new-to-the-sacred-cow-list, the SaaS used in other organizational departments.

While the management of SaaS spend was not that important in the early days, and even only moderately important near the end of the last decade, it’s become critical since COVID (when everyone had to go on-line) as software spending has now become the third largest expense for many organizations after employees and office costs (that many organizations, who realized that employees don’t have to be in an office everyday to do office tasks and who don’t feel the need to force people to go back to buff the egos of the micromanagers who have no useful skillset and feel they need to micromanage to add value, are now trying to minimize, even to the tune of paying huge penalties to reduce office space).

A recent article in the FinTech Times really puts this into perspective. Summarizing the EagleEye SaaS Spend Report (2023), which analyzed over 400M worth of SaaS transactions, recently released by CloudEagle, the article noted that companies spend an average of $1,000 to $3,500 per employee on SaaS, while smaller companies, with fewer than 100 employees, spend (up to) 1M annually (on 50 to 70 apps) and mid-size organizations, of up to 5,000 employees, spend up to 100M annually on 300 to 400 apps! OUCH!

The article also noted that the highest departmental spenders were Engineering (45%), Marketing (19%), Sales (17%), Finance (7%), Customer Success (7%), and HR (5%). (Note there is no Procurement in this list, and that any apps are obviously classified as finance or Engineering [which includes cloud providers], which is sad.) Engineering/IT makes sense, it supports the entire organization, but that’s a pretty high percentage for Marketing and Sales. However, it makes more sense when it notes that, in terms of the number of applications used, marketing leads with 76 and sales is third with 42. Why? (The answer: because there is no central management or strategy, there are multiple tools doing almost the same thing, and it’s just total chaos in those departments.)

Obviously, it is becoming vital for organizations to scrutinise how their software budgets are allocated and ensure every dollar spent returns significant value, and the article gets it right when it notes this, and while it should be on the radar of every CFO and CIO to get this spending under control, the article really misses the mark when it doesn’t mention the CPO — who is probably best positioned to help the organization come up with a sound spending strategy, as Procurement not only puts every purchase it makes under the microscope, but gets put under the microscope for every purchase it makes (as most organizations still see it as a cost center despite the enormous value it brings by containing costs under the chaotic cadences of the markets it has to buy in).

Furthermore, the first step is to get a true understanding of SaaS spend across the organization, which is likely buried on P-Cards to hide just how much rampant, off-contract, off-protocol spend there is. To this end, we do recommend engaging an expert SaaS Analytics firm which has pricing benchmarks on the most commonly used SaaS applications across the major areas (IT/Engineering, Marketing, Sales, Finance, and HR) to help identify all the SaaS spending and the best opportunities for cost reduction through termination of under/un-utilized licenses, consolidation to one provider for a specific function, and re-negotiation. Most mid-size or larger organizations that do this the first time will identify almost 30% of cost savings opportunity, which can typically be fully materialized within two years (given typical contract lengths and how long it takes to make all the migrations).

And while the doctor can’t say which firm is likely the best for you without a consultation, he can say that many of the firms on that list can do a good job and you should quickly be able to zoom in on the top two or three for you with an RFP and a few phone calls. Basically, you’re looking for a company that’s in your region, has analyzed the SaaS spend of a number of companies in your industry, has good spend analytics technology, and has benchmarks on the major players that you feel comfortable working with. (And has really good spend analysis. Yes, we said it twice. Because it is important.) Since you don’t have to enter into a subscription for an initial project, you can easily get started, because if the company is not the best for you, you’ll still get value and can redo the project with a different company in a year or two. There’s no reason not to do it and you’re guaranteed to identify savings. So why not Get SaaSy, now, get SaaSy!

“Ooh, the way that you spend it
Makes me go crazy, show me you can end it
You could be saving more
Ooh, the way that you buy
Makes me go crazy, show you I can end it
You could be saving more

Much more
Much more
Much more

Get SaaSy, now, get SaaSy
Get SaaSy, now, get SaaSy
Get SaaSy, now, get SaaSy

Savings
Now (much more) …”

A Good Negotiation is Key in Technology Acquisition

But whatever you do, please don’t mistake cost savings for value generation. But, as usual, let’s back up.

A recent article over on The Financial Express on the importance of a technology procurement negotiator noted that the art of negotiation has taken on a whole new level of complexity, especially in technology procurement, and that discovering the most equitable prices is a strategic imperative at a time when maximizing returns on investments is paramount.

And this is certainly true, as are most of the other messages in their article. Specifically, such a negotiator must:

  • understand the digital disruption
  • have high intelligence, which must go beyond technical expertise
  • understand the high stakes of technology investments
  • have the personality, worldview, and knowledge to navigate the negotiation beyond the technical aspects
  • be able to reflect on the bigger picture
  • be able to sync with the project

… but the criticality of ensuring that the technology procured provides exceptional value for the money spent cannot be over-emphasized. One cannot understate the importance of understanding the product’s role, functionality, and how it aligns with organisational goals. It doesn’t matter how much you save if the product isn’t the right fit. It’s critically important to not only have the technology experts identify the products that could serve your needs, but the right configurations, the associated services that will be required, and the right partners for the organization.

Additional savings are worthless if they come at the expense of the vendor removing a key module from the reduced offer, not including necessary implementation or integration services, limiting computing or storage, and so on. If you end up paying significantly more after implementation as a result of change orders, you not only haven’t saved, but you’ve cost the organization more. This is what often gets missed when negotiators lead. While the eventual owners shouldn’t lead, as they’ll always go with their top ranked provider (even if three systems can do the job equally well, and it’s just a preference as to which system is easiest to use), if they’re not kept in lockstep, it’s easy to miss key details or requirements or stray away from what is truly needed for value generation and ROI in the search for the ultimate deal. This is especially true if the negotiator brings a new vendor in at the last minute for price pressure, believing the new vendor, if not perfect, meets all the key requirements, when in reality the vendor’s platform doesn’t.

This is especially important to remember in SaaS negotiations, where it’s common knowledge that most organizations that buy without using a skilled negotiator are overpaying by an average of 30% or more. This is because an average negotiator’s inclination is to drive for massive discounts to prevent overspend, which might result in not only choosing the less optimal vendor, but the less optimal agreement. At the end of the day, price matters, but ROI matters more, especially in Procurement where the right solution will generate a 5X ROI or more and the wrong solution will barely pay for itself.