Cyber Security: Don’t be a Victim

Cyber Security is a very real and an increasingly omnipotent reality for both the public and private sector; with cyber-attacks becoming more evolved, the immediacy of the problem warrants a level of security previously unseen.

The misconception of Cyber Security being an IT issue is as myopic as it is commercially disastrous; because it involves people, the complexity of an insider threat ranks as the highest risk of data loss. Indeed, personal IT may be more valuable to attack than Corporate IT resources.

Sensitive data may be susceptible to breaches that can cause untold damage to brand & reputation, with exposure of client information, interests, IP, trade secrets and serious business interruption. The end result, direct & indirect financial and economic loss.

In the latter years companies are beginning to address the issues that Cyber Security raises and are taking logical steps toward protecting their systems. The key protocols being to prevent and defend; protecting data whilst mitigating risk is key to managing organisation’s privacy and ensuring the security of confidential client information. By employing prudent measures & fostering the right relationships, organisations can increase their security and minimise risk exposure exponentially.

Increasing Awareness

Sadly & somewhat unsurprisingly the insider threat arises from employees & partners who’ve become compromised.

Whilst most incidents are not maliciously motivated, they nevertheless arise from people’s fallibility and misinformation. A somewhat alarming statistic is that 60% of people will put an erroneous USB drive into their system.

Targeted attacks are a different ball game completely with criminals leading industrialised attack methods, hoodwinking traditional information security. A game changer indeed, with industries in the position of having to raise their game, significantly. The number one cause of supply chin failure is IT/telecom outage, with cyber-attack at number 4.

RISK Assessment

By undertaking this 6-step risk assessment companies will receive a review of their existing capability with a roadmap that will ensure continued safe operation.

Understanding Objectives

Focus on business objectives to appreciate aims and to form the “To-Be” future state Cyber Security strategy

 Business Impact Assessment

Determine the potential business impact in the event of a compromise

Threat Assessment

Assessment of the Cyber Security threat & identify sources that seek to compromise the firm’s sensitive assets

Vulnerability Assessment

Identify document security vulnerabilities in existing technology, people & protocols; create “As-ls” current position

Risk Evaluation

Evaluation of remaining risk factors & the risk rating for each. Output is a prioritised Cyber Risk Register

Strategy & Roadmap

Roadmap of tactical & strategic measures to ensure ongoing defence of systems and assets

Executive Views

  •  Sept (2014) The UK gov announced suppliers bidding for public contracts would have to meet new cyber security standards
  •  May (2015) Aon Risk Solutions highlighted cyber risk had moved into the top 10 global threats for business for the first time
  •  Rory Moloney, Chief Executive, and Aon Global Risk Consulting, said: While new risks such as cyber have moved to the centre stage, established risks such as damage to reputation or brand are taking on new dimensions and complexities. The interconnected nature of these risks reinforces the importance…..”
  •  According to a 2015 global Private Equity survey conducted by EY, entitled ‘Positioning to Win’, a top risk highlighted by CFOs is cyber security
  •   Andrew Coulcher, Director of Customer Solutions, CIPS said: “This is one of the biggest issues of our time as procurement professionals we need the right tools and support to meet these challenges head on.”
  •   Costs of cyber security breach are estimated by CIPS as anywhere between £600k to 1.15m for large businesses or 65k to 115k for small businesses.
  •   The Ponemon Institute estimated that a breach in the financial services sector would cost $217 per record. For example, for Target’s 110 million records breached, the costs would be substantial enough to put a fund out of business.

Cyber Essentials

UK Government ‘Cyber Essentials’ is a set of controls offering Public and Private Sector organisations a sound foundation of basic cyber hygiene measures.

  •  Firms such as AIG are offering incentives to businesses to become certified.
  •   Larger organisations, such as HP, are also beginning to demand accreditation.
  •   The five key controls are: boundary firewalls and internet gateways; secure    configuration; user access control; malware protection; and patch management.
  •   There are two levels of assurance available to satisfy the requirement; ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.
  •   Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber-attack.
  •  Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt
  •  The UK standards are based on the ISO/ESEC 27000 series, providing a basis for checking the IT security of elements in the global supply chain.

Conclusion

The battle against cyber threats is not a finite one, with a one solution fits all approach, nor is it a problem that can be easily circumvented, but rather a multifarious entity that organizations must continuously adapt and evolve to. Even more alarming is the advent of zero-day threats where malware agents exploit unknown vulnerabilities; this is arguably the next generation of security threat.

With cyber criminals employing yet more sophisticated strategies to displace and rupture systems, organizations must adopt a robust appraisal of the current exposure level, seek an expert roadmap to counteract key risks and an on-going system which allows for the amorphous and unpredictable nature of the threat.

 

 

 

IT & Procurement: Getting The Most From Vendors

According to Gartner, IT departments are relying more and more on external vendors, but their commercial management and negotiation skills may not be keeping pace.

How many IT departments have professionally qualified buyers?How many procurement functions have IT experienced buyers?

Not many remains the unfortunate answer.

An often overlooked area is the field of contract negotiations and procurement. Regarding procurement as something of a dusty, back-shelf function, siphoned off between departments is as perilous to business growth as is the lack of a dedicated procurement function.

There is a fundamental skills difference and mindset between technical IT staff and procurement experts with few organisations successfully harmonising the two when buying IT. The end result is that business needs frequently suffer.

It is well documented that companies without procurement expertise are often exploited by software vendors; cue the ‘supplier-centric’ contract that is as onerous to the buyer as it is commercially disastrous.

These disaster deals are not restricted to upfront purchase price or even maintenance costs, but can manifest themselves in a number of different ways during the build phase or post go live.

This is why the ‘buyer awareness’ should be a valued commodity.

But We Already Buy Well

In terms of our buying expertise, we buy houses, cars and groceries without too much difficulty. So without thinking about it much, we tend to assume we can buy software too, perhaps leaving the legal technicalities to the lawyers and/or just taking the vendors ‘standard’ contract. Again, this can lead to commercial suicide, if not properly negotiated from the outset

We may do this as there is no procurement function to take the reigns, or a poor relationship with procurement. Worst of all a belief that procurement is glorified secretarial work / boring administration. Sadly it’s this myopia which ultimately causes  delays and cost overruns. End result: frustration, preventable cost and false economy.

So where do IT PM’s / IT departments go wrong?

  1. Viewing contractual negotiations as a price battleground to begin with, after which it’s boring detail which burns valuable time.
  2. In a market of smart vendors good at selling, with inevitable time pressure to go live, the contracts are viewed as important in the beginning but as negotiations drag on, lawyers get involved, attention spans suffer and the  end result?

 

  • Missed negotiation points on key service credits
  • Lack of exit strategy
  • Auto-renewals
  • Onerous T & Cs which are at best supplier centric

 

  1. IT staff that naturally focus on the technical offerings, often led by the vendor, leaving the many other areas of contract negotiation untouched “Use the lawyers once we’ve got the kit list and price sorted”
  2. You may be lucky and have a legal team that understand IT detail and negotiating, but this is not their core skill area.   It is essential for contracts to be fully legally compliant of course, but contracts also consist of many commercial IT points which can directly impact the delivery quality and timescales of your project, points which are not within the skill set of most lawyers.
  3.  When IT staff, who are uncomfortable & poorly versed at arguing with a voluble and strident sales team of a well established vendor, end up with a poor deal
  4. The Mexican stand-off: vendors are good at exploiting any gaps between an IT department and a procurement function. IT may perceive procurement as not understanding the complexities or the dynamic of business requirements or what the technical ramifications may be.

The Procurement Edge

Whilst professional buyers do obviously endeavour to get best commercial leverage, they also tend to have a wider perspective, being trained to negotiate on a wide range of commercial factors. Some of these factors have less immediacy but no less importance to the benefits of a ‘go live’ than pure license price.

Factors such as forcing regular review sessions, liquidated damages and penalties, contractualising clear roles & responsibilities, baking timescales in, forcing people to think about requirements, stopping scope creep.

They also have the semi-legal contractual experience, which can reduce the amount of lawyer-time required. Anyone who has been through a painfully slow process with their in-house legal team, and/or with the software vendors lawyers will know & understand the value of this. We’ll come back to this point.

So there are two different skill sets here – IT skills themselves are mosaic and complex, whilst the skills for good buying are entirely different but no less commercially critical; the two should not be regarded as mutually exclusive.

Within the procurement industry itself, ‘transactional’ buying of office equipment, travel, stationery etc is more straightforward than strategic buying of say a CRM system.

This overlap is the key area where many procurement departments fail & the division is problematic; in the worst case, vendors take advantage wherever they find it, and press home a more favourable deal for themselves.  This may be in terms of hard price, or in terms of risk exposure.

The end result is that you end up paying more, either when delays occur and your business case benefits are postponed, or in the worst situation where you pay more upfront than you should have.

What’s the solution?

IT itself has become steadily recognised as a key enabler and competitive differentiator for businesses. Deploying the right solutions quickly and on-cost naturally follows, regardless of the size of the organisation doing the deploying.

What’s the End Game?

Essentially this requires a change in general psychology and approach to merging the two departments. IT either need to learn procurement skills which is a tall order in itself or hire a specialist firm to provide IT procurement skills on demand. Ultimately IT would be well-served to develop a better relationship with in-house procurement function. This is been a proven reality time over.

Is There Any Real Benefit?

Whilst these may sound like they are straight out of the ‘Project Success Bible’, they are real

  1.  Cost savings – the obvious one which your CFO will love. It will be argued that ‘we are tough guys, we would have got this anyway’ but at the expense of what else? This is what procurement people specialise in ultimately
  2. Better delivery- through a harmonised commercial process, where requirements, acceptance criteria, rates and penalties are all part of the mix it does enhance the quality of the vendors delivery.

Whether it’s on a software project, where clear contractuals help the project planning, and the plan may actually be baked into the contract itself. If the contractual structure is complex, e.g. you have a systems integrator and say two software houses, it can easily dissolve into a blame game. Constructs such as tri-partite agreements with Memoranda of Understanding, clear roles & responsibilities are an example of the tools of the proc prof.
Conclusion

 If Gartner are to be believed, there is already an inexorable move within the IT industry away from large in-house departments full of programmers, toward a more commercial footing where external vendors are used.

Their established responsibilities are around delivering projects on time, departmental structure, commoditisation of technology and technical skill sets, customer centricity.

It’s your choice whether to develop this area and address the buying – sales dynamic next time your organisation goes to spend some money.

One thing is for sure, all your vendors have.