Category Archives: Technology

Ninety Years Ago Today …

The world lost a great physicist by the name of Heike Kamerlingh Onnes. While this is not a name most people know, he was the first person to liquify helium and to discover superconductivity — both of which are critical to the modern technological age. Liquid helium, which has a temperature of 4K (4 degrees above absolute zero on the Kelvin scale, and 73 degrees below the boiling point of liquid nitrogen which can freeze a banana in as little as 3 minutes) is a key ingredient in superconducting magnets and the primary cryogenic refrigerant.

But more importantly, superconductivity is used to make ultra-fast digital circuits, microwave filters for your mobile phones, and, most importantly, superconducting magnets (which are the most powerful electromagnets that are required by MRI machines, mass spectrometers, and particle accelerators).

Have We Reached B2B 3.0 Yet? Part 3: B2B 3.0, A Definition

As per Part I, over seven years ago, Sourcing Innovation published Introducing B2B 3.0 and Simplicity for All, which is available as a free download, to help educate you on the next generation of B2B and prepare you for what comes next. The expectation was that, by now, we would be awash in B2B 3.0 (Business to Business 3.0), which was simply defined as the first generation of technology that actually puts business users on the same footing as consumers, but are we?

In Parts I and II we discussed the history of B2B 1.0 and B2B 2.0 in order to conclude that neither B2B 1.0 nor B2B 2.0 was enough. B2B 1.0 launched the internet era, but proved that connectivity, and even basic functionality, is useless without content (that helps buyers find what they need and sellers provide what buyers need) and community (as the right parties need to come together). B2B 2.0 brought the internet era to the mid-sized business, but ultimately proved that creating private networks and marketplaces didn’t add anything because while redundancy in data centres is good, network redundancy is bad and only increases costs, not value.

That’s why we need B2B 3.0. But what is it? First we need to discuss B2C 3.0.

B2C 3.0, which was kicked off by sites like Froogle (Google Product Search), PriceGrabber, and PriceWatch, allowed consumers to search and browse product listings from multiple sites. TechRepublic, Craigslist, and ComputerShopper provided the community for these consumers to discuss providers and products and find what they wanted at the price they wanted. And C2C 3.0 sites like MySpace, Facebook, and Twitter connect more users than ever before.

B2B 3.0 is the business equivalent. It’s the next generation of B2B that adds content, community, and open connectivity to B2B platforms. More specifically, open connectivity that is free to all to access, open community that allows all buyers and sellers to come together through dynamically created virtual networks on an open, shared, secure, and decryption-supporting API to conduct business as needed, and the depth of content required to support complex direct purchases. It’s what B2B 2.0 should have been, but without the unnecessary redundancy and the necessary cost.

B2B 3.0 is an open platform enabled by:

  • web services
    like Google Maps that allow supply chains to be plotted
  • intelligent agents
    that can automatically place re-orders and identify market data of interest to the buyer or supplier
  • meta-search
    that works over multiple catalogs, on multiple sites, accessed using multiple EDI, (c)XML, or other standard protocols
  • real-time collaboration
    instant messaging, (visual) VOIP, screen sharing, and collaborative document authoring
  • semantic technology
    that can identify news stories and reports of interest
  • mashups
    to normalize data from hundreds (or thousands) of file and data formats into a common taxonomy
  • analytics
    that can process, and make sense of, all of the information streams and present meaningful information and actionable insight
  • workflow
    as a good process is an effective and efficient process

But are we there yet? To be continued …

Data Breach Response Planning Part II


Today’s guest post is from Torey Guingrich, a Project Manager at Source One Management Services, LLC who specializes in helping global companies drive greater value from their IT and Telecommunications investments.

In our last post, we indicated that no industry or company can escape the potential of a data breach, including yours. Given that large retailers, health insurance companies, financial services firms, and the U.S. federal government have had to deal with reporting and responding to large-scale data breaches in the last few years, it’s becoming more and more of a certainty that if your organization is of a significant size and has a fair amount of valuable (or secret) data, at some point it will be desirable enough for a third party to try and obtain it illegally through a hack or systems breach. And bolstering prevention alone might not be enough; any weakness at all in any system used by your organization, or a supplier, could be enough to let a black-hat in. Thus, the best preparation, and prevention, is often that which assumes a breach will occur and has plans, and relationships (as per our last post), to identify, patch, and deal with the breach as fast as possible. A quick response can be the difference between a breach that is only able to capture a few dozen credit card numbers at one point of sale and a breach that continues to infiltrate the system until thousands of credit card numbers across dozens of points of sale are compromised.

In order to ensure a quick identification and response to a data breach, along with choosing partners to work with for a breach, the key to quick action is to have the internal processes and systems in place to respond accordingly. As part of preparation, companies are beginning to define data breach response teams to develop response plans and define clear roles for the key departments that would need to spring into action. Typical roles/areas that companies would need to include are:

  • IT
    Companies look to their IT departments to immediately identify and rectify the point of entry for any breach. IT will need to work with forensic IT partners to get as much information as possible in terms of scope and scale of the breach, as well as ensure systems are up and running to keep regular operations functional.
  • Communications
    The Communications team needs to take a lead role in responding to a breach and developing key materials (e.g. call centre scripts, press releases) within a data breach response plan. Appoint a role or individual as the spokesperson for the company and ensure that all employees, and even BOD members, know to refer back to this person when contacted regarding a breach.
  • Operations
    The call centres are one of the first areas that are overloaded when a breach occurs. Work with Communications to prepare scripts and materials to provide to the call centre (both in-house and outsourced) to ensure a consistent message and avoid unwanted confusion. Your Operations team also needs to ensure that internal operations are adjusted as necessary and continue to run given that a breach has occurred.
  • Legal
    Your Legal department (and likely outside counsel) will need to look at the compliance and regulatory implications of a breach. Depending on what industry your company is in, data breaches can carry hefty fines. To report a breach accurately, key individuals will need to work with IT to understand scope and scale and report to the necessary governing bodies. As this landscape evolves, ensure that the Legal department is aware of any new regulation that your industry may become subject to, e.g., proposed cybersecurity regulations for banks and insurers. The Legal team will likely need to engage with law enforcement, either local or federal, and manage the company’s duties along with direction received from law enforcement.
  • Suppliers
    A supplier may in fact be the point of entry for a breach in your system, as has been the case with many of the breaches in recent years. It is important to understand that your customers will still be looking to your company to respond and correct that breach. Because you will need to work with your suppliers to correct and adjust operations as necessary, Procurement should consider including language in contracts or RFXs that obligates suppliers to comply with your response plan in the event of a breach.
  • CEO/C-Suite
    Within each of these groups, it is vital to have individuals within the response team that can make decisions. Typical delegation and “chain of command” decision making will only delay the process and response that your company is able to provide. Executives and team members also need to understand that they may need to make decisions with incomplete information; this can be difficult for organizations who are accustomed to making decisions only when all variables are identified. Due to the scrutiny and reputational risk at stake, it should be made clear to customers that decisions are being made given the information available at the time.
  • Procurement
    Procurement will need to support supplier selection, contracting, engagement, and performance management of all necessary outsourced response services. Procurement will be managing different priorities and requirements from various stakeholders involved in a breach, i.e. all of the departments above, and will be expected to act as a cornerstone in ensuring that different requirements are met and balanced when and where they need to be.

As indicated at the start of this post, in today’s atmosphere, the possibility of a breach cannot be ignored and relying too heavily on breach prevention without a focus on response preparation can be a costly mistake. To avoid this, make sure your organization has a validated response plan and key materials primed in advance of a breach to be able to promptly respond to customers and return to normal operations as quickly as possible. Given the department’s experience in supporting process improvement and collaboration, Procurement is in a unique position to champion a proactive approach to response planning by bringing together stakeholders and identifying strategic partners that can enable the entire organization to respond to the dreaded data breach.

Thanks, Torey.

Data Breach Response Planning Part I


Today’s guest post is from Torey Guingrich, a Project Manager at Source One Management Services, LLC who specializes in helping global companies drive greater value from their IT and Telecommunications investments.

It seems as if no industry or company can escape the potential of a data breach. Over the past few years, we have seen large retailers, health insurance companies, financial services firms, and the U.S. federal government deal with reporting and responding to large-scale data breaches. The first reaction to the threat of a breach is to bolster prevention. While there are clear ways that companies can mitigate the risk of a breach, there will always be someone looking to exploit weaknesses in security systems and protocol. While preventing a breach would be ideal, prevention should work hand-in-hand with preparation for a breach, including having the necessary partners identified or in place to respond to, cease, and mitigate damage. Procurement plays a key role in preparation by working with IT and various stakeholders to determine which types of services are needed for a data breach, as well as supporting the selection and management of the specific suppliers.

There are a few key supplier partners that Procurement should look to establish relationships with in preparation for, or in the event of, a breach:

  • Forensic IT
    While your IT department is very familiar with the systems in place and is able to manage them, they may not have the expertise needed to identify the source of a breach. Forensic IT firms can help identify the source and extent of a breach so that your IT team can focus on securing against the breach and ensuring operations can return to working condition. Procurement should work with IT to evaluate potential suppliers for forensic services based on the organization’s architecture, network, and potential entry points and vulnerabilities. Procurement can look to leverage sourcing activities or existing relationships for IT managed services to identify potential suppliers for forensic IT services.
  • Outside Counsel
    Unless your internal legal team is well versed and qualified to respond to a breach, you will likely need to bring in additional resources with specific expertise to direct your company on compliance and regulatory implications. When evaluating potential legal firms, Procurement should look for those who have expertise in notification requirements in all fifty states of the U.S. as well as in other countries, as appropriate for the company’s operations, and in your company’s specific vertical (e.g. healthcare, banking, insurance). Because these requirements are evolving, be sure to identify firms that are keeping pace with the most recent rulings and regulations.
  • Credit Monitoring/Identity Theft Repair
    With the increase of cyber threats and attacks over the past few years, firms that used to be seen primarily as credit monitoring tools are leveraging their experience and insight to offer response services that include customer notifications and call centre support, along with credit monitoring and identity theft repair services for affected customers. Procurement should ensure the chosen supplier is able to meet the expertise and capacity needs of the organization and can offer value-add services to bolster your response plan. Some suppliers offer services such as data breach simulations that can help identify holes or potential gaps in the designed response plan.

Procurement will need to consider the best-fit way to contract these services in order to utilize them in an efficient way. These services can be contracted in advance of a breach; this approach guarantees capacity, provides a faster response, but comes with both a monthly or annual retainer and variable costs that correspond with the breach.

You can also look to purchase these services when a breach occurs; this would eliminate the retainer portion of costs, but would not guarantee capacity, may put you in a less favourable position in terms of negotiating variable rates, and will have a longer lead time. If you choose not to retain services, it would be prudent to establish beforehand a short-list of potential suppliers to approach for the necessary services when a breach occurs.

Another option to obtain these services is through a data breach insurance plan; this is certainly an option for many organizations, but do consider your company’s ability to fully develop a response plan, ability to control the response, and reputation risk when working within the confines of an insurance policy. Deciding which services are used, and how they are purchased, will likely depend on your organization’s aptitude for risk and budget that can be allocated to these services. Procurement will need to explore the different purchasing methods against the risks associated with a data breach to determine the appropriate approach for securing these services for the organization.

Whatever supplier partners you decide to work with (whether proactively or reactively) Procurement should identify what they will need to begin working on your behalf and mobilize as quickly as possible. The development of your data breach response plan should also identify the types of data at risk (i.e. beyond customer data) and how a breach of that data will affect your business. This practice will allow you to identify business areas that may need to be involved in the creation and execution of the response plan in order to properly prompt internal action as you engage suppliers.

Now that you have your response partnership (plan)s in place, in our next post we will discuss the next key to a successful data breach response.

Thanks, Torey.

How Do You Value Cloud Services?

The clouds are here to stay. Whether they are dark nimbostratus storm clouds filled with hail or fluffy white cumulus clouds that dot the clear blue skies, they’re here. (That’s why the doctor recently co-authored a series over on Spend Matters Plus with the prophet on Supply Chains in the cloud.) Regardless of the doctor’s opinion on whether your supply chain should be in the cloud, the clouds are sweeping supply chains up and the situation has to be addressed. (Thus, one has to do one’s best to ensure that one’s supply chain is in the way of the right cloud.)

And while you should be well aware by now of how to cost a cloud-based platform, and compare it to a hosted ASP solution and an on-premise solution (as the referenced series and a number of posts here on SI have addressed this issue in detail in the past and even provided you with spreadsheet templates), you might not be aware of how to value a cloud-based solution.

When it comes to the cloud, valuation is a very difficult concept. There’s the hardware infrastructure and the reliability that comes from multiple locations that can store your data and run your applications. There’s the cloud-OS layer that handles real-time on-site and off-site data replication and back-up, automatic start-up of new processes and machines when a process or machine fails or becomes unavailable, automatic allocation of more processors and memory and storage when usage spikes, and so on. There’s the application layer that not only enables your processes but that is accessible anywhere with a data signal on any device your people happen to be carrying, that supports real-time data sharing and collaboration with your supply chain partners, and that supports innovative new capabilities not possible in on-premise apps.

There is a lot of value in each of these layers. Access to more hardware than you need, or can even afford, is valuable. Real-time off-site backup and failover is valuable too – compared to having to manually bring up an off-site location. And a better application with more capability and innovation is valuable too, but just how valuable?

In the traditional hardware world, the cost of filling a data centre is the cost of hardware plus the cost of a network engineer setting it up. Hardware is the cost of production plus a fair margin – there are enough essentially equivalent providers that costs are kept in check.

In the traditional software world, the cost of software is generally computed as the overhead cost of the company that produces it plus the margin that the company can get away with, based upon the perceived value differential between its product and the competition’s.

But the cloud is not set in the traditional world. In fact, the real-time off-site backup and failover in a virtual OS layer didn’t even exist before the cloud. How much more valuable is having access to as many machines as is needed to power your application at full capacity at all times? While this power is known, failure — be it machine failure, power failure, or communication line failure — cannot be predicted and sometimes the entire application infrastructure must be ported in real time to a different part of the cloud.

And how much more valuable is having software that is maintained and regularly updated by the provider as compared to having software that must be manually updated and kept up by in-house development staff? Especially when that software might be capable of offering more real-time collaboration, real-time product tracking, market intelligence, and analytics than an on-premise platform. This is a much harder question to answer.

But one that should be asked. Just because a cloud solution is the cheapest alternative, that doesn’t mean that you are getting the full value you could be from your money. There are multiple providers, and they won’t all charge the same. Plus, if the technology is relatively simple, if it’s implemented as a true multi-tenant cloud-based platform, and it doesn’t need to be updated very often to meet your needs, then the platform likely doesn’t cost the provider very much and may not have the value the provider claims if another provider offers essentially the same platform for three quarters of the cost.

There are no good answers here, but the questions should be asked and good answers should be expected before you commit to a solution, even if you are a non-profit that was donated a certain amount of cloud services — because you might not be getting what you think and may get hit with a big bill at the end of the year if your acceptance entails an agreement to pay for any usage above the donated amount of services.

Since there are no standards, providers are more or less free to “value” services any way they want, make extravagant claims as to support costs, and value a service at 5X its cost, or more. So be careful.