Technological Damnation 92: Data Loss

It is the information age and data is the lifeblood of the company and the supply chain. The financial chain is controlled by data. The physical flow of goods is dictated by data. People communicate electronically through data packets. It’s all data. And losing that data is a damnation. Not just because data is lost, but because:


Lost Intellectual Property data is a loss of competitive advantage

Sometimes the only edge a company has is its intellectual property, which it can use to create a slightly better product, do better in a foreign market, or lower its costs enough to undersell the competition when its products are no better. If that gets stolen, and one or more competitors get their hands on it, the advantage is gone and all of a sudden the product is no better, the edge in the foreign market is lost, and there is no cost advantage to exploit in the end product.


Intrusions that result in lost or stolen data are hard to trace

If your systems or networks get hacked, and your data is stolen, good luck figuring out who got your data, because chances are that not only will you not be able to figure out who hacked you, but you will not even be able to figure out where the hack came from. Right now, there are free hacking toolkits for every major OS on the deep web that can bounce packets off of dozens of anonymous proxy servers, fake TCP/IP headers, and exploit dozens upon dozens of security holes that can be launched successfully against the average system by budding script kiddies — so imagine what real black-hats can do if this is what they give away for free. Do you know how many zero-day exploits are in your systems? They do!


Even if the intrusions are traced, loss is hard to recover

Let’s say you are able to afford, and hire, the best white-hat trackers from the top security firms on the planet and they trace the hack to, let’s say, a rogue hacker in China or Russia. Do you think you’re going to recover anything? Nope. And even if you can trace the hack to your country or a country that you operate in, do you think suing a hacker who got an untraceable payment to a Swiss or Cayman Islands account is going to net you anything? No way!


Data loss prevention requires very powerful, expensive, digital vaults

The only protection your organization has is to install the best systems with the best encryption configured by real security pros. This is not easy to do. Considering that most web sites are full of security holes that are easily uncovered by open source products like PortSwigger’s Burp Scanner, imagine how hard it is to properly secure a database, an ERP, an OS, and the communication lines between them. So not only do you have to buy a top-of-the-line system with embedded security, but then you have to find a real security expert to properly configure and harden the system — who is extremely pricey if you manage to find that person.


And loads of security training, awareness, review, and enforcement.

The majority of data thefts are not the result of hacks, but the result of disgruntled employees with access or social engineering. That’s why you need good policies, training, and enforcement. An admin should not grant carte-blanche access to data in a system to an employee who does not need it just because it’s too hard to set up the role-based security, even if the employee is happy and trustworthy. Chances are that security will never be reviewed and if, in two years, the employee gets disgruntled or falls on hard times, that’s an exploit waiting to happen.

But the biggest risk is the average employee who writes her password on a Post-it note inside her drawer, a receptionist who does a system test when asked over the phone, or an office admin who grants a workman access to the server room because they look like they should be there. The most common way a hacker gets access to your system is by posing as the janitorial staff who gets to go into every cubicle to empty garbage (and check desks for password Post-it notes), as the vendor rep who wants to test the server connection (and has the rep go to a site that looks like the vendor portal admin screen and log in for a speed / reliability test when all it does is capture the authentication data before passing through to a real site), or by dressing up as an IT shop employee there to fix the server — because once you’re on the live system, you can suck all the admin codes you want for remote access later. Poor security practices open holes bigger than the Vredefort crater.

And the average person does not understand this, even after repeated instructions and explanations as to why writing the password down is dangerous. So this damnation will be with us for quite some time.

It’s Not Optimization. It’s Strategic Sourcing.

Last week in my post on how The Trade Extensions Event Was Different. Their View is Different. It’s Time for Different I noted that the reason the event was different is because, unlike most purveyors of perplexing optimization software, they did not focus on the capability, uniqueness, and savings potential of their optimization software, choosing to barely acknowledge the concept, and instead took the viewpoint that it’s not optimization, it’s just sourcing.

And as I indicated in that post, and said again in Monday’s post on how It’s NOT a Suite, It’s JUST Sourcing Part II, SI has a very similar view. SI is now convinced that it’s not optimization, it’s strategic sourcing, as SI believes it has become practically impossible to do true strategic sourcing without optimization.

Why? Because we have not only reached the point where it is impossible to define a sourcing event of any magnitude without hitting at least a few of the nine dimensions of complexity (outlined in “what defines complex sourcing and why does it matter” on Spend Matters) but we have also reached the point where the data collection, manipulation, and analysis requirements are so intensive that only a sourcing solution built on, and backed by, a true optimization engine is going to be able to handle the data, manipulation, and analysis required.

Now, we’re not saying that the right strategy for every event is optimization, but we are saying, as per SI’s already classic paper on Optimization, What Comes Next, that you cannot determine the right strategy without optimization to at least build and solve a baseline cost model given current market prices and expected bidder increases or decreases from the last event. For example, while a 3% savings potential might be enough for a (strategic) sourcing auction or optimization-based multi-round RFX, a 3% drop in expected product cost does not necessarily imply a 3% savings potential. If that drop is from remote suppliers that ship down lanes where costs have risen 10% and shipping is 30% of the overall total cost model, there is no savings potential. The right strategy is a renegotiation with the incumbent for a contract extension or a spot market buy. Similarly a 2% drop in price combined with a 5% drop in logistics costs could equate to a 3.5% savings potential under the right circumstances, which is substantial on a 50M+ category.
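The two cost scenarios in the paragraph above, worked through as an added Python example (not code from the post or from SI). It builds the kind of baseline cost model the post argues for: each cost component has a share of the current landed cost and an expected change since the last event, and the savings potential is the net decrease, floored at zero. The 70/30 product/shipping split for the first scenario and the 50/50 split that produces the 3.5% figure in the second are assumptions chosen to match the numbers in the text.

```python
from typing import Dict

# Constructed example: a landed-cost model with named cost components.
# shares  : fraction of the baseline total cost attributable to each component (sums to 1)
# changes : expected fractional change per component since the last event
#           (-0.03 is a 3% drop, +0.10 is a 10% rise)


def weighted_cost_change(shares: Dict[str, float], changes: Dict[str, float]) -> float:
    """Expected change in total landed cost, as a fraction of the baseline."""
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("component shares must sum to 1")
    missing = set(shares) - set(changes)
    if missing:
        raise ValueError(f"no expected change given for: {sorted(missing)}")
    return sum(shares[c] * changes[c] for c in shares)


def savings_potential(shares: Dict[str, float], changes: Dict[str, float]) -> float:
    """Net cost decrease, floored at zero: a net increase is no savings potential at all."""
    return max(0.0, -weighted_cost_change(shares, changes))


def savings_on_category(shares: Dict[str, float], changes: Dict[str, float],
                        category_spend: float) -> float:
    """Savings potential expressed in currency for a category of the given size."""
    return savings_potential(shares, changes) * category_spend


# Scenario 1 from the text: 3% product price drop, but the shipping lanes those
# remote suppliers use are up 10% and shipping is 30% of the total cost model
# (assumed split: 70% product, 30% shipping).
SCENARIO_1_SHARES = {"product": 0.70, "shipping": 0.30}
SCENARIO_1_CHANGES = {"product": -0.03, "shipping": +0.10}

# Scenario 2 from the text: 2% price drop combined with a 5% logistics drop.
# On the 70/30 split this nets 2.9%; the text's 3.5% "under the right
# circumstances" is reached under the assumed circumstance of a 50/50 split.
SCENARIO_2_CHANGES = {"product": -0.02, "shipping": -0.05}
SCENARIO_2_SHARES_EVEN = {"product": 0.50, "shipping": 0.50}

if __name__ == "__main__":
    cases = [
        ("3% product drop, shipping +10%, 70/30", SCENARIO_1_SHARES, SCENARIO_1_CHANGES),
        ("2% product drop, logistics -5%, 70/30", SCENARIO_1_SHARES, SCENARIO_2_CHANGES),
        ("2% product drop, logistics -5%, 50/50", SCENARIO_2_SHARES_EVEN, SCENARIO_2_CHANGES),
    ]
    for label, shares, changes in cases:
        net = weighted_cost_change(shares, changes)
        pot = savings_potential(shares, changes)
        print(f"{label}: net cost change {net:+.1%}, savings potential {pot:.1%}, "
              f"on a 50M category {savings_on_category(shares, changes, 50_000_000):,.0f}")
```

The point the model makes is the post's own: the headline 3% price drop in the first scenario is a net cost increase once the lane costs are weighted in, so the right strategy is a renegotiation or spot buy, while the smaller 2% drop in the second scenario is worth 1.75M on a 50M category once logistics is included. Only the weights make the difference, and they come from the baseline cost model, not from the bid sheet.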

Plus, with bundled discounts, volume discounts from suppliers and carriers that take effect at different price points, different import and utilization costs for each supplier, and an ever increasing plethora of capacity constraints, mandatory award splits to minimize risk, secondary goals of minimal environmental impact, and so on, it’s often impossible to determine what the lowest cost solution is and, thus, if the cost increase associated with assigning a (greater percentage of the) award to a preferred supplier seen as being more valuable in the long term is actually worth it.

There’s just no way to do a strategic analysis and justify a strategic decision without a basic level of true mathematical optimization capability. Spreadsheets were breaking under the strain of basic sourcing requirements years ago. Now these sheets are just shards of glass — which will eventually cut you if repeatedly handled.

So if you want to source, use what you want. But if you want to strategically source, use an optimization-backed sourcing solution. You won’t need optimization for every event, but since you won’t know when you’ll need it until you have it, you still need it.

Technological Damnation 78: e-Privacy

Privacy is a good thing, and e-Privacy is a better thing, but that doesn’t mean it’s not an eternal damnation to Procurement. Why?

Customers are always demanding more privacy rights.

Including rights that they do not have in the off-line world. While you definitely should not post online that they shop at your location, some consumers don’t even want you to keep records that they do. But in the real world, you can keep your security feeds, which show them, your physical credit card receipts for at least seven years, which show they shopped there, and the associated transaction receipts, which show what they bought. But as soon as you store that data in a system, aggregate it, and use it to build a loyalty program and target appropriate rewards (even if you do so in a private way and don’t share the data with anyone), you’re trying to invade their privacy rights. So you have to be extra careful in Procurement that any systems you source have the highest safeguards and are only going to be used for legal, responsible uses.

Oversight requirements are increasing as regulatory acts are multiplying.

As more and more consumers demand their e-Privacy rights, and as more and more data breaches happen as a result of lax (or nonexistent) security, more and more regulations are being proposed and passed. There are so many provincial and federal acts addressing e-Privacy across finance, health-care, and technology that it’s dizzying. It’s impossible to keep up, and when something is missed, Procurement, who will be made responsible for Procuring the technological systems needed by the organization and the third party services providers to help with proper configuration, will be the organization given the blame.

The technological sophistication required to achieve an acceptable level of security and privacy safeguards is through the roof.

It’s not just buying a new database with built-in 256-bit encryption, it’s getting all of the data into the database, making sure the data is encrypted on the way in, making sure it goes through a secure, encrypted channel from the port of the old database to the new database, and making sure the new database is appropriately configured and locked down to only authorized access through only authorized channels. This configuration is not easy, given the complexity of today’s encryption technology, the complexity of the tools that need to be encrypted, the arsenal of freely available hacking tools on the deep web, and the average security and third party systems knowledge of an average system administrator. Procurement has to first identify true security experts with experience securing the systems and software that need to be secured, source a firm, vet the experts presented, and ensure that the person who shows up is actually the person they are expecting. A tall order for an organization typically tasked with sourcing products to keep production and operations going.

Consumer fear combined with a lack of technological understanding of the underlying security requirements makes this a difficult damnation to tackle, but one that is only going to get more relevant and immediate as time goes on.

It’s NOT a Suite, It’s JUST Sourcing, Part II

In our last post we made the rather bold claim, which is probably going to irk a lot of vendors, that it’s NOT a Suite, It’s JUST Sourcing. SI likes vendors that are trying to build solutions to solve their customers’ pain points, and has chronicled the efforts of many over the years, and isn’t doing this to be irksome. SI is doing this because it’s not 2005 anymore, it’s 2015 and the nature of, and need for, Sourcing has changed. Today, Sourcing absolutely has to be more strategic and Suite Sourcing is NOT Strategic Sourcing. In today’s post, we’re going to begin to clarify why.

Then, also in our last post, we outlined a hypothetical, but realistic, example in the high-tech space, discussing a typical, primary, sourcing event for a company that assembled custom-built high-end workstations for software developers and engineers. We started by discussing the primary factors that the Sourcing analyst was likely to identify as well as two strategies the analyst was likely to take. This led to a perceived event progression and a plan that looked like it was easily executable in your average modular sourcing suite. We did this to make it clear why many companies fall for the fallacy that you can attack sourcing in a step-wise fashion using a modular suite, and, as a result, why some vendors still believe that a modular suite is the way to go. The reality is that, at a quick glance, it does look like this is the right approach and that there is no reason to question it — even though there is a big reason. Namely, this approach is wrong.

The reason is that, in reality, the event is not going to go as planned.

Specifically, it will not be an analysis followed by an RFP followed by a single auction / optimization analysis followed by a push into the contract management system. One or more, with emphasis on the more, of the following will happen:

  • the RFX will come back and some of the requested bid fields will be empty because the supplier is no longer producing the product
  • the RFX will come back and there will be new products that the buyer did not know about with new bids (and new interdependencies to be mapped)
  • the logistics carriers will come back with quotes much higher than expected and/or a logistics carrier or 3PL will withdraw (due to overcommitments) and lanes will vanish
  • stakeholders or key customers will change requirements post RFX issue and you will have to go back and ask for prices on next gen products, which might still be in final design stages
  • the baseline optimization will come back with completely unexpected results and once the analyst uses spend analysis to dive in, will find a number of outliers in the incumbent bid and realize that she has to go back and ask for verified or corrected data
  • the auction will end with three suppliers almost equal on baseline scoring and extensive analysis will be needed to determine which supplier gets 50%, which supplier gets 30%, and which supplier gets 20% in the 50/30/20 split dictated by the shareholders to minimize risk

In these situations, respectively:

  • the analyst will have to identify a larger supply base and send the RFX to more suppliers
  • the analyst will have to research the new products and decide whether to accept them or not and then, possibly, ask the supply base to bid on (comparable) products in a revised RFX
  • the analyst will have to invite more carriers to bid and consider alternate lanes, possibly from secondary (air)ports to secondary (air)ports
  • the analyst will have to create revised specs and go back to the supply base for additional prices and options
  • the analyst will have to backtrack to the spend analysis step on the submitted data, followed by a request for bid verification and a repeat of the optimization on revised data
  • the analyst will have to go back to the analysis step to identify which bid components were strongest for each supplier and then compare that to existing supplier scorecards (to determine likelihood of on-time delivery, quality guarantees, price consistency, etc.)

In other words, the event is not going to go as planned and it’s not going to be a sequential progression from analysis to RFX to auction/optimization to award. Moreover, most events are going to see multiple occurrences of the above hiccups and require an almost random workflow that uses all of the sourcing capabilities of a suite multiple times.

Moreover, the transitions back and forth will need to be seamless. If an analyst has to push data out of the optimization “module” into the “analysis” module for detailed data and outlier analysis, then push the data, with insights, back into the “RFX” module for revised RFX data collection, and then push the revised RFP data back into the “Optimization” module for revised analysis only to find out that the lane cost is coming out higher than expected in the preferred award, indicating that there is still an additional opportunity if logistics costs can be lowered, then this “modular” workflow quickly becomes a nightmare.

Plus, in this situation, the analyst will have to do an in-depth analysis of the logistics cost to determine if costs can be lowered simply by inviting more carriers to bid, analyzing primary and secondary lanes, or doing something progressive like using the organization’s sourcing expertise to help a provider lower their overhead with better insurance rates, communication plans, and office & computer supplies from the organization’s GPO contract. Then, after this analysis has been done, which will likely take the form of multiple what-if optimizations using various cost models, the analyst will have to go back to the RFP, issue the revised RFP with more options to current and new suppliers, push the data back into the optimization module and continue.

In a modern Sourcing project, one cannot separate data collection from cost modeling from analysis from bidding from optimization — it is all one integrated sourcing process that lathers, rinses, and repeats until the solution is found and the event is done. And any provider that thinks you can separate pieces out and take a modular, piecemeal approach and build up to a suite is still living in 2005 and should be approached with caution. It’s not a suite, it’s just Sourcing. And, as indicated in our previous post, and as will be discussed in more detail in a future post, it’s not optimization, it’s strategic sourcing.

One Hundred and Forty Five Years Ago Today

The first federal registration in response to the first federal trademark application was issued to the Averill Chemical Paint Company for a design with an eagle and a ribbon and the words, “Economical, Brilliant”.

This particular trademark may not be in use today, but trademarks can survive a long time. For example, the oldest U.S. trademark still in use was registered on May 27, 1884 — over 131 years ago. That’s a long time for a company to have exclusive rights to a mark, label, name, signature, or logo that exclusively identifies that company’s products and/or services.

And given the importance of brand, societal damnation 39, this is an important legal advantage that cannot be overlooked.