Showing posts with label collaboration. Show all posts
Showing posts with label collaboration. Show all posts

Tuesday, July 11, 2023

How WFH Accelerated IT and Security Transformation at Global Publisher HBG

Transcript of a discussion on how the rapid shift to remote work accelerated the digital transformation of a New York-based publishing organization to reduce risk while preserving a highly creative and distributed culture. 

Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.

 

Dana Gardner: Welcome to the next edition of the BriefingsDirect podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator.

 

Gardner

Our next security innovations discussion examines how the rapid shift to remote work has accelerated a rethinking of security and IT processes at a New York-based publishing organization.

 

Rearchitecting the security posture of a business means adjusting work patterns and IT in ways that both reduce risk and heighten performance. But the trick is to do so without alienating workers -- wherever they may be -- and maintaining strong productivity.

 

Here to share her story on how to digitally transform a traditional business structure, reduce risk factors, and preserve a highly creative culture is Heidi Holmes, Senior Director of Information Technology Services at Hachette Book Group (HBG) in New York. Welcome, Heidi.

 

Heidi Holmes: Thank you. It’s nice to be here and I’m looking forward to this.

Gardner: Let’s start by having you tell us about HBG and why you needed to significantly adjust your security objectives over the past couple of years.

 

Holmes: HBG is one of the world’s largest publishers. The United States branch is part of a larger global Hachette, and we have some very, very big authors, such as James Patterson and David Baldacci.

 

Holmes

We literally print almost every kind of book you can think of. So, our company is highly creative, and very intelligent. On a personal note, it amuses me because at other IT organizations I’ve been with, I could send out an email and never think twice about it. But here, you send out an email and you’re going to be critiqued from every editor across the board. It’s amazing. Even the CEO, he spots things that aren’t quite in the right order. It’s awesome.

So, Hachette: We’re a pretty amazing company. I’ve been here since 2019. I came into a very different IT organization. The leadership in place was great, but around some of the security practices, we really had to mature, to grow our business, and to grow how we monitor, maintain, and secure everything -- from the PC all the way to the edge.

 

Gardner: It sounds like – being global and dealing with so many authors, editors, and artists – that you were already a fairly distributed organization. And then we all had the move to more remote work in 2020. How did that rapid shift impact your digital transformation journey?

 

Diversity strengthens security strategies

 

Holmes: In such a diverse organization, no two sets of tools are the same. Just in the IT organization, every group is unique. And we’re talking five to 20 people. We are an amalgamation because we’ve acquired many different companies over time.

 

For example, Orbit, which is our science-fiction department. They are amazing, but they operate in one way, whereas Little, Brown Books for Young Readers, which is all of our young readers’ literature, operates completely differently. It’s almost as though it’s IT for a ton of small businesses that operate within a large business structure. It’s pretty interesting.

Once people began working from home, then all their data lived in their laptops. How do you manage and secure that? This is where our new challenges arose. 

So, they were diversified to begin with. But when more people began working from home, supporting them all became even more critical. The traditional IT model was moat and castle. We had to protect ourselves by using the best firewalls. You can protect anything, but once you’re outside the castle, everything is looser.

 

Once people began working from home, then all of their data lived in their laptops. How do you manage and secure that? What do you do to get your arms around that? This is where our new challenges arose. If you’re used to the castle technology, you have to create high-speed connections to and from every office to access all of your data for home workers.

 

Gardner: So, you had constellations of different businesses and cultures – as well as legacies of different IT. To corral that together, you almost have to be a managed service provider (MSP) as an IT organization. Is that fair?

 

Holmes: I do manage the help desk infrastructure. We also serve up all of the data, all the data center services, and the cloud data management, as well as cybersecurity. From my position, we are set up to service different groups on different platforms and support a wide range of tools across the larger IT organization.

 

It’s amazing. We’ve taken those requirements and built the tools to service the overall organization. And some of them are complex. Then we come back in with the security and managing compliance around how users access data inside of the tools and how it’s all unique across each of those separate publishing entities. It’s fascinating.

 

Gardner: In addition to a focus on endpoint security to support a distributed and remote work force, you’ve also had to look at transforming IT.

 

A lot of times, people have architected their IT -- and then they add on security. Did you try to simultaneous engineer for security and IT productivity and digital transformation? Is there a new way of doing security from your vantage point given your responsibilities?

 

Security as speed bump, not roadblock

 

Holmes: Yes, there is a new way of doing security. When I entered, security was a bolt-on, after-the-fact approach. For example, they may have already built a tool. But have they tested it? Or an application. What has been done with them?

 

We were at the ground floor, as new projects were coming up, on security. The teams were coming to us from a cybersecurity standpoint and saying, “What’s the best way for us to secure this? How about outside software-as-a-service (SaaS) providers?” Things like that.

 

We needed to make sure that they filled out the security forms to make sure that their architecture and best practices matched with what we were looking for with security. But we found out early in the game that they weren’t compliant. They didn’t have security as their first thought. 

It’s more about balancing risks and building in security. As I tell everybody here, cybersecurity is about being a speed bump -- and not a roadblock. Everything we do should be about slowing down, so you don’t bottom-out your car. You want to keep going, not come to a full stop. There’s no productivity if we have to come to a complete stop. We need to keep moving. We’re getting there.

 

Gardner: Of course, if you have a security breach, that’s one way of coming to a full stop. You need to have a balance between reducing risk, but also maintaining productivity and creativity.

 

What have you learned the past couple years about those balances? Has it changed with the remote work? How does digital transformation give you the tools to have the insights to reach that balance better?

 

Holmes: One of the tools we use, and why I’m here, is Bitdefender. We’re looking at their dashboards all the time. We can see what’s commonly going on. The [endpoint detection and response (EDR)] tools are great for our digital transformation because they’re on every one of our computers, on all of our servers, monitoring and automatically blocking risks.

 

If Bitdefender sees lateral movements on the network, it will block and halt those or delete certain files. It’s really given us an advantage. It gives us the capability to look at what’s going on. Because if we see a large increase, then we can look into our other tools that complement Bitdefender and say, “What are we seeing on our firewalls? What are we seeing in our security information management (SIM) tool? What are we seeing on our email filtering? Do we see a coordinated attack or is this just a run-of-the-mill type of attack?”

If Bitdefender sees lateral movements on the network, it will block and halt those or delete certain files. It's really given us an advantage. ... Bitdefender helps us be proactive on what's going on. For us, it's been great.

Bitdefender helps us be proactive on what’s going on. For us, it’s been great.

 

Gardner: And being proactive means you want to react swiftly. Is there a way that you’ve adjusted to the remote workforce -- all of those laptops and home desktops -- rather than being  inside the moat? Is there a way for you to take the information you’re getting from your Bitdefender dashboards and be more actionable with it?

 

Holmes: Absolutely. If we see a large number of attacks, even if they’ve stopped, we can open up a help desk security ticket and reach out to the user. If the incursion seems to be trying to install something or to attack others in the environment, we can remotely deactivate that device. We just have them ship their laptop to us so we can take a closer look, and we ship them out a new one.

 

We don’t play games with anything in our environment. It’s better to stop it at the source and move on. But, yes, the tools give us the capability to get out ahead of it all. And we’ve developed a team that is constantly monitoring, seven days a week. Our dashboards look for any correlation, anything ahead, and then work with us to automate or alert us if something needs to be acted on more quickly.

 

Gardner: And, Heidi, how does your background as a network engineer help in your digital transformation and with security concerns? Have you been able to bring more of an architect’s perspective to how you’re modernizing your IT and security?

 

Architecting for change

 

Holmes: Yes, I have. For the past 20-plus years, I’ve worked as an architect, network engineer, and network security engineer. The biggest thing I’ve learned is to go back to the business risk. We understand what the business risk is, and how to mitigate or isolate that risk. But that also means understanding the business you’re working with.

 

Part of an architecture isn’t designing the fanciest, most secure tooling -- because that’s how you get the balance versus the speed bumps. You have to learn the business, learn about the people, know where their risks are, and then architect around that to say, “Okay, stage one is where we see in our transformation the need to move certain things to the cloud.”

Or, “Our most vulnerable systems need to be isolated because some of them might be near end-of-life and we can’t do certain things with them anymore. We’re going to move them over to something such as a different layer or to firewall them with intrusion prevention and monitor it that way. Maybe some of our websites are older and we need to do something with that.”

We might put some sort of a web application firewall (WAF) in front of it. But you have to lay it all out in stages. And the easiest way to architect and build is to know what the business needs. And then you start designing to have the least productivity impact while giving the most security. So, the biggest bang for your buck: “Let’s start there, let’s hit the quick wins while we’re still planning out the other things.”

 

And part of architecture is understanding that when you build a process and a project that it changes. It’s a constant re-evaluation. What are the latest tools? The tools from 2019 are not the same tools that I’m working in at this point. Because every year, every six months, every month, something else is out there offering a better way to do things.

 

For example, a zero-trust architecture was at first a little bit nebulous. Trust nobody and everybody’s like, “Why can’t we trust people?” That’s like, “Well, not everyone’s your friend and even the computer next to you isn’t your friend necessarily either.”

 

Gardner: Well, that’s a perfect transition to my next question. In an organization like Hachette Book Group, the goal is for people to communicate, collaborate, be creative, and be open.

 

When you come to them with a security mentality of, “You need to be very suspicious and zero trust-oriented,” that creates potentially a cultural conflict. How have you been able to get people’s buy-in on what you need? Behavior is such an important part of security. At the same time, you want to allow them to be as open as possible and share ideas as they are used to.

 

Make wide, yet light, security footprints

 

Holmes: The right mentality is to have the least visible footprint in the things that you’re communicating on, on any given computer. But you also have to trust the communication tools. The things that you use such as Zoom or Teams or something like that. Those are commonly known ports and IP addresses.

 

We don’t have to overthink it like 15 or 20 years ago, when I needed to know every port that the teams used and qualify that. Our security tools will automatically understand, and part of the artificial intelligence (AI) built into them, knows that these are okay communication methods and it’s fine for us to continue to communicate that way.

 

So, there’s an openness with video communication and collaboration with a level of security and staying away from custom-built tools to communicate. That will protect you because inherently, custom-built tools usually need extra updating and the people who develop them don’t always keep them up to date. That also will protect you in a zero-trust environment.

 

But honestly, it’s gotten so much easier with zero trust … because Bitdefender is fantastic for that. It’s always monitoring. The AI is telling us as it’s looking at patterns instead of always at a specific port where you can lock people down and isolate them. So, it can see a lot of the lateral movements, you can see different firewall rules that are not industry-standard and as attacks try to pass through. It’s the only real way to go.

Gardner: You’re describing what people have come to think of as what a security operations center (SOC) as a service could be. Is that how you’re starting to view something like Bitdefender? Or is that a place you’d like to see it go, of where you have a SOC as a service benefit all the time and everywhere?

 

Holmes: Well, that would be fantastic. And we have spoken to Bitdefender about this. From my past experience, I’ve worked with SOCs, did a little bit of management of SOCs, and brought that into a new organization.

 

What you see a lot of times is they give you a lot of data. And traditionally, any SOC will overwhelm you with 3,000 alerts and events in a day. And you have a team of three and you’re hiring a SOC to help you. But instead, your team of three needs to remediate all of these things, otherwise they’ll keep showing up, and the SOC’s going to keep reporting and then it becomes completely useless to you.

Bitdefender is using more AI to filter out the things that are less meaningful. It's no longer every single thing that comes across your dashboard. That helps you dive in quicker when there's a problem. 

The modern SOCs, and a lot of what I understood from the Bitdefender side is, they’re using more AI to filter out the things that are less meaningful. It’s no longer every single thing that comes across your dashboard. That helps you dive in quicker when there’s a bigger problem. A SOC can become a benefit instead of a hindrance to a small team because the teams are always already trying to remediate their problems. They only need to know about the things that are brand new major holes because patching everything else should take care of the rest.

 

Another thing I wanted to mention on SOCs: Back to our transformation, when I mentioned the SIM tools, and having the different dashboards, it takes a while to bring a security team up to speed on what they should be watching for. That’s about identifying what’s meaningful to you. And then to fix the problems they’re finding from doing the scans. The last few years, we’ve been training security staff to do just that. When a SOC comes into play now is when the team is already expert at security and then everything is meaningful. Sometimes you can take the jump to a SOC too fast.

 

Gardner: A lot of what we hear in the marketplace now is that people are resisting tool sprawl. Too many security tools are not a good thing. They also want tools that will integrate, that play well together.

 

How are you looking at that balance between having the right number of tools, but also tools that are integrated well in advance?

 

Just say ‘no’ to tool sprawl

 

Holmes: I literally just said “no” this week to a couple of security tools because it was just more sprawl. We need to use our tools right. Tools should be useful. They should give you information you don’t already know, or they should coordinate multiple things into one tool so that you can easily discern where a problem is.

 

So, if a tool doesn’t have multiple uses and it’s not cost-effective, then we don’t want it. There has to be a very specific reason to look at it. Also, every tool needs to be easy to use because we can’t send somebody to three weeks of training. We can’t train a second person for when the first person goes on vacation.

 

And it has to be automated, it has to be able to page us if it hits certain thresholds. All of that needs to be set up very quickly. Because when we take holidays, there are always less eyes on dashboards. And we still need to know if something’s going on. We need to get paged, woken up, and brought back to the dashboard.

So that’s what we’re looking for. The tool sprawl: Everybody has a tool that they want to sell you -- everybody. It needs to work for on-premises, and it also needs to work in the cloud. It needs to give us all of the information we need. It needs to work in your home to tell me what’s going on in your laptop there. That’s what we need from our security tools.

 

Gardner: Whenever you ask folks to qualify and quantify how their security is working, the number one response is, “Well we’re not getting hacked, so that’s good.” But because you’re involved with not just security but IT and digital transformation, there’s probably more ways that you can measure the effectiveness of your security approach in terms of productivity, team collaboration, and how your IT support group is able to please your end-users.

 

Do you have specific ways of looking back and saying, “We made good choices, and we can prove it by blank?” How do you measure your success in digital transformation and security?

 

Holmes: As far as the users go with collaboration, the easiest way for us to tell is the number of help desk tickets we get. If the users aren’t calling us because they can’t work on their computer -- either because they’ve had an attack or because they just can’t use it because it’s still in lock down -- that’s a good measure.

 

And if we’re not seeing a proliferation of viruses and malware in our environment then those metrics are great for us, too. We’re constantly watching them, we’re updating them, and we’re reporting all those metrics to our senior leadership in the company. So, it’s been amazing.

 

Gardner: Let’s briefly look at costs. We’re also seeing many organizations that need to do more with less. Is there a way for you to balance the economic side of the equation with these metrics of success?

 

Holmes: With the metrics for success, if we purchase tools that help us get ahead of a problem and we don’t have any downtime or a loss of productivity, that is our number one way of evaluating that. So, know your risk, your way of knowledge, and the tools. Tools must do multiple things, be easy to use, and be cost effective.

 

That’s huge for us because I don’t have to hire extra people, which is cost. I don’t have to have extremely skilled people. I can weigh the cost and the amount that we’re spending in our security and IT budgets and say, “We are doing the right things for our people with the right level of protection and our downtime is in individual users -- not systems.”

 

That’s how we measure it. Productivity; not lost time. The ability to shift if there is a problem. And that gets back to the training. For example, we recently had a security incident. It turned out to be something from something very old, more than 10 years old, that was transferred to our environment, and we found it with our tools. We shut down a portion of the network and -- because of the training – we only lost about two hours while we investigated it.

A couple years ago, we would have had vice presidents down our throats saying, “Why can’t we do this?” But because we’ve trained our team so well, it was literally, “Okay, let us know when it’s available again. We want to support you. We’ll work on something else.” It was great.

 

So, it’s all about having the tools, the costs managed, and being able to measure all of our training and practices around the knowledge and people that are behind us. They want a secure environment, and they’re willing to pause if they need to for a little bit while we look at things.

 

Gardner: You had a speed bump, not a car crash. So that’s a really good indicator.

 

Holmes: Yes, it was great.

 

Gardner: Before we end, let’s look to the future. I’ve heard a few words from you, Heidi, like “automation,” “AI,” and “SOC as a service.” What new challenges do you foresee, and what are the best tools or approaches for you to meet them proactively?

 

Detection advances to patterns

 

Holmes: The problem is, we don’t know what we don’t know or what the next security problem will be. You need to be prepared for everything. You need to stay ahead as a leader in this field and just listen, watch the articles, and be prepared to pivot when things happen.

 

The AI and the new tools are great because they are looking for patterns. It’s not like the old days where I would just look for a signature. So, somebody would do something that applies a specific signature, and it could only catch that. It’s now looking for the pattern and then correlating the pattern. As a result, we’re getting many less false positives because it doesn’t look for just one minor anomaly. It looks for a pattern of anomalies, and then it might immediately block it.

 

There may still be some false positives because of the old applications out there.

We love the tools we use, such as the Bitdefender console. It delves into so many things. I personally look at the executive dashboard on a regular timeframe because out of all of our tools, it is one of the best and easiest to drill into. 

We love the tools that we use, such as the Bitdefender console. It delves into so many things. I personally look at the executive dashboard on a regular timeframe because out of all of our tools, it is one of the best and the easiest to drill into. I can say, “Wait, there’s a spike in viruses.” I click on it even though they’re blocked. It shows right there on the line if any of them got through. Then we can raise the flag, even though it’s already been blocked. But who is affected and where? I can click, and it shows me the actual machines, and it shows me what it was trying to do.

 

That’s the best way to stay ahead. That is part of the automation; it is automatically blocking. So, our firewalls automatically block, or quarantine, or do whatever needs to be done. We get automated alerts that ring our cellphones, that send us messages depending on what it is, and we have bridges. We also have automated [processes] where we can automate traditional patching or fight zero days [attacks] or anything that comes up. We have that all scheduled to go. So, that’s not a manual process anymore.

 

Gardner: Heidi, before we sign off, for those who are also going on a journey where they want to change the way they’ve done security, where it becomes simultaneous to and maybe even in advance of IT decision-making or IT architecting, what advice do you have for them now that you’ve gone through this? What words of advice do you have for people who can make security part-and-parcel with their digital transformation activities?

 

Start where you are, then dig deeper

 

Holmes: Get to know your business. Learn. Learn what your business is doing. Then, while you’re learning, start with the fundamentals. What are you doing well in your business right now or in your security?

 

Do you have good malware protection? Firewalls on your laptops? Things like that. Start with your servers, with your laptops, every device in your environment. That’s an easy place to start. Make sure your patching is up to date.

 

And then you can start looking a little bit deeper. Vendors -- understand what your vendors are doing. Just because it’s in the cloud doesn’t mean it’s secure. It is not the same thing. You need to understand where you’re putting your data, and what your people are doing. And that goes back to learning the business. 

Lastly, shadow IT. Because everything can go to the cloud, every business is going to try, and every department is going to try, to find their own tool in the cloud. But they won’t necessarily vet it the way your IT security organization will.

 

So, get to know the business, gain their trust, and help them by giving them speed bumps and not roadblocks. That’s my advice.

 

Gardner: Well, I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how the rapid shift to remote work accelerated a rethinking of security and IT processes at a New York-based publishing organization.

 

And we’ve learned how Hachette Book Group digitally transformed a traditional business structure successfully, reduced risk factors, and preserved a highly creative culture.

 

So, please join me now in thanking our guest, Heidi Holmes, Senior Director of Information Technology Services at Hachette Book Group. Thanks again. 

Holmes: Thank you. It’s been great talking with you.

 

Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing series of BriefingsDirect discussions. A big thank you to our sponsor, Bitdefender, for supporting these presentations.

 

Also, a big thank you to our audience for joining us. Please pass this on to your IT and security communities, and do come back next time.

 

Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.

 

Transcript of a discussion on how the rapid shift to remote work accelerated the digital transformation of a New York-based publishing organization to reduce risk while preserving a highly creative and distributed culture. Copyright Interarbor Solutions, LLC, 2005-2023. All rights reserved.

 

You may also be interested in:

Monday, January 14, 2013

The Networked Economy Newly Forges Innovation Forces for Collaboration in Business and Commerce, Says Author Zach Tumin

Advanced business networks are driving innovation and social interactions as new technologies and heightened user expectations converge.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ariba.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on how new levels of collaboration have emerged from an increasingly networked world, and what that now means for business and society.

Gardner
We'll hear from a Harvard Kennedy School researcher and author on how deeper levels of collaboration -- more than ever -- can positively impact how organizations operate. And we'll learn from a global business-commerce network provider how these digital communities are redefining and extending new types of business and collaboration

To learn more about how new trends in collaboration and business networking are driving innovation and social interactions, please join me now in welcoming Zach Tumin, Senior Researcher at the Science, Technology, and Public Policy Program at the Harvard Kennedy School. Welcome, Zach.

Zach Tumin: Good morning, Dana.

Gardner: Zach, you're also the co-author with William Bratton of this year’s Collaborate or Perish: Reaching Across Boundaries in a Networked World, published by Random House. We welcome you to the show.

Tumin: Thank you.

Gardner: We're also joined today by Tim Minahan, Senior Vice-President of Global Network Strategy and Chief Marketing Officer at Ariba, an SAP company. Welcome back, Tim.

Tim Minahan: Thanks, Dana. Good to be here. [Disclosure: Ariba is a sponsor of BriefingsDirect podcasts.]

Gardner: Gentlemen, let's set the stage here, because we have a really big topic. Zach, in your book "Collaborate or Perish," you're exploring collaboration and you show what it can do when it's fully leveraged. It's very interesting. And Tim, at Ariba you've been showing how a more networked economy is producing efficiencies for business and even extending the balance of what we would consider commerce to be.

I’d like to start with looking at how these come together. First, we have new types of collaboration and then we have the means to execute on them through these new business networks. What should we expect when these come together? Let's go to you first, Zach.

Tumin: Thanks, Dana. The opportunities for collaboration are expanding even as we speak. The networks around the world are volatile. They're moving fast. The speed of change is coming at managers and executives at a terrific pace. There is an incredible variety of choice, and people are empowered with these great digital devices that we all have in our pockets.
Tumin

That creates a new world, where the possibilities are tremendous for joining forces, whether politically, economically, or socially. Yet it's also a difficult world, where we don't have authority, if we have to go outside of our organizations -- but where we don't have all the power that we need, if we stay within the boundaries of our charters.

So, we're always reaching across boundaries to find people who we can partner with. The key is how we do that. How do we move people to act with us, where we don't have the authority over them? How do we make it pay for people to collaborate?

A lot of change

Gardner: Tim, we've seen lots of change in last 20 years, and a lot of times, we'll see behavioral shifts. Then, at other times, we'll see technology shifts. Today, we seem to be having both come together. Based on what Zach has described in this unprecedented level of change in adaptation, where do you see the big payoffs for business in terms of leveraging collaboration in the context of a vast network?

Minahan: Collaboration certainly is the new business imperative. Companies have leaned out their operations over the past couple of years and they spent the previous 30 years focusing on their internal operations and efficiencies and driving greater performance, and getting greater insights.

Minahan
When they look outside their enterprise today, it's still a mess. Most of the transactions still occur offline or through semi-automated processes. They lack transparency into those processes and efficiency in executing them. As a result, that means lots of paper and lots of people and lots of missed opportunities, whether it's in capitalizing on getting a new product to market or achieving new sales with new potential customers.

What business networks and this new level of collaboration bring is four things. It brings the transparency that’s currently lacking into the process. So you know where your opportunities are. You know where your orders are. You know where your invoices are and what your exposure to payables are.

It brings new levels of efficiencies executing against those processes, much faster than you ever could before through mostly automated process.
It brings new levels of efficiencies executing against those processes, much faster than you ever could before through mostly automated process. It brings new types of collaboration which I am sure we will get into later in this segment.

The last part, which I think is most intriguing, is that it brings new levels of insights. We're no longer making decisions blindly. We no longer need to double order, because we don’t know if that shipment is coming in and we need to stockpile, because we can't let the refinery go down. So it brings new levels of insight to make more informed decisions in real time.

Gardner: One of the things I sense, as people grapple with these issues, is a difficulty in deciding where to let creative chaos rein and where to exercise control and where to lock down and exercise traditional IT imperatives around governance, command and control, and systems of records.

Zach, in your book with William Bratton, are there any examples that you can point to that show how some organizations have allowed that creativity of people to extend their habits and behaviors in new ways unfettered and then at the same time retain that all-important IT control?

Tumin: It's a critical question that you’ve raised. We have young people coming into the workforce who are newly empowered. They understand how to do all the things that they need do without waiting online and without waiting for authority. Yet, they're coming into organizations that have strong cultures that have strong command-and-control hierarchies.

There's a clash that’s happening here, and the strong companies are the ones that find the path to embracing the creativity of networked folks within the organization and across their boundaries, while maintaining focus on set of core deliverables that everyone needs to do.

Wells Fargo

There are plenty of terrific examples. I will give you one. At Wells Fargo, for the development of the online capability for the wholesale shop, Steve Ellis was Executive Vice President. He had to take his group offline to develop the capability, but he had two responsibilities. One was to the bank, which had a history of security and trust. That was its brand. That was its reputation. But he was also looking to the online world, to variability, to choice, and to developing exactly the things that customers want.

Steve Ellis found a way of working with his core group of developers to engage customers in the code design of Wells Fargo's online presence for the wholesale side. As a result, they were able to develop systems that were so integrated into the customers over time that they can move very, very quickly, adapt as new developments required, and yet they gave full head to the creativity of the designers, as well as to the customers in coming to these new ways of doing business.

So here's an example of a pretty staid organization, 150 years old with a reputation for trust and security, making its way into the roiling water of the networked world and finding a path through engagement that helped to prevail in the marketplace over a decade.

Gardner: Tim Minahan, for the benefit of our audience, help us better understand how Ariba is helping to fuel this issue of allowing creativity and new types of collaboration, but at the same time maintaining that the important principles of good business.

Minahan: Absolutely, Dana. The problem we solve at Ariba is quite basic, yet one of the biggest impediments to business productivity and performance that still exists. That's around inter-enterprise collaboration or collaboration between businesses.

We talked about the deficits there earlier. Through our cloud-based applications and business network, we eliminate all of the hassles, the papers, the phone calls, and other manual or disjointed activities that companies do each day to do things like find new suppliers, find new business opportunities as a seller, to place or manage orders, to collaborate with customers suppliers and other partners, or to just get paid.

They can connect with known trading partners much more efficiently and then automate the processes and the information flows between each other.
Nearly a million business today are digitally connected through the Ariba Network. They're empowered to discover one another in new ways, getting qualifying information from the community, so that they know who that party is even if they haven’t met them before. It's similar to what you see on eBay. When you want to sell your golf clubs, you know that that buyer has a performance history of doing business with other buyers.

They can connect with known trading partners much more efficiently and then automate the processes and the information flows between each other. Then, they can collaborate in new ways, not only to find one another, but also to get access to preferred financing or new insights into market trends that are going on around particular commodities.

That’s the power of bringing a business network to bear in today’s world. It's this convergence of cloud applications, the ability to access and automate a process. Those that share that process share the underlying infrastructure and a digitally connected community of relevant parties, whether that’s customers, suppliers, potential trading partners, banking partners, or other participants involved in the commerce process.

Gardner: Zach, in your book and in your earlier comments, you're basically describing almost a new workforce and some companies and organizations are recognizing that and embracing it. What’s driving this? What has happened that is basically redefining a workforce and how it relates to itself and to the customer or, in many cases, for businesses across the ecosystem of the suppliers and then the channels and distribution? What’s behind this fairly massive shift in what workforces are?

It's the demographics

Tumin: It’s in the demographics, Dana. Young people are accustomed to doing things today that were not possible 10 years ago. The digital power in everyone’s pocket or pocket book, the digital wallet in markets, are ready, willing, and able to deal with them and to welcome them. That means that there’s pressure on organizations to integrate and take advantage of the power that individuals have in the marketplace and that come in to their workforce.

Everyone can see what's going on around the world. We're moving to a situation where young people are feeling pretty powerful. They're able to search, find, discover, and become experts all on their own through the use of technologies that 10 years ago weren’t available.

So a lot of the traditional ways of thinking about power, status, and prestige in the workforce are changing as a result, and the organizations that can adapt and adopt these kinds of technologies and turn them to their advantage are the ones that are going to prevail.

Gardner: Tim, with that said, there's this demographic shift, the shift in the mentality of self-started discovery of recognizing that the information you want is out there, and it’s simply a matter of applying your need to the right data and then executing on some action as a result. Your network seems ready-made for that. I know that you guys have been at this for some time. It seems like the events, these trends, have coalesced in a way that that really suits your strength.

Tell me why you think that’s the case that this vision you had at Ariba a decade or more ago has come about. Is there something fundamental about the Internet or were you guys just in the right place at the right time?


The reality of the community is that it is organic. It takes time to grow.
Minahan: The reality of the community is that it is organic. It takes time to grow. At Ariba we have more than 15 years of transactional history, relationship history, and community generated content that we've amassed. In fact, over the past 12 months those, nearly a million connected companies have executed more than $400 billion in purchase, sales, invoice, and payment transactions over the Ariba network.

Aggregate that over 15 years, and you have some great insights beyond just trading efficiencies for those companies participating there. You can deliver insights to them so that they can make more informed decisions, whether that’s in selecting a new trading partner or determining when or how to pay.

Should I take an early-payment discount in order to accelerate or reduce my cost basis? From a sales standpoint, or seller’s standpoint, should I offer an early payment discount in order to accelerate my cash flow? There are actually a host of examples where companies are taking advantage of this today and it’s not just for the large companies. Let me give you two examples.

From the buyer side, there was a company called Plaid Enterprises. Plaid is a company that, if you have daughters like I do who are interested in hobbies and creating crafts, you are very familiar with. They're one of the leading providers for the do-it-yourself crafts that you would get at your craft store.

Like many other manufacturers, they were a mid sized company, but they decided a couple of years ago to offshore their supplies. So they went to the low cost region of China. A few years into it, they realized that labor wages were rising, their quality was declining, and worse than that, it was sometimes taking them five months to get their shipment.

New sources of supply

So they went to the Ariba Network to find new sources of supply. Like many other manufacturers, they thought, "Let’s look in other low cost regions like Vietnam." They certainly found suppliers there, but what they also found were suppliers here in North America.

They went through a bidding process with the suppliers they found there, with the qualifying information on who was doing business with whom and how they performed in the past, and they wound up selecting a supplier that was 30 miles down the road. They wound up getting a 40 percent cost reduction from what they had previously paid in China and their lead times were cut from more than 120 days down to 30.

That’s from the buy side. From the sell side, the inverse is true. I'll use an example of a company called Mediafly. It's a fast growing company that provides mobile marketing services to some of the largest companies in the world, large entertainment companies, large consumer products companies.

They were asked to join the Ariba Network to automate their invoicing and they have gotten some great efficiencies from that. They've gotten transparencies to know when their invoice is paid, but one other thing was really interesting.

Once they were in the networked environment and once they had automated those processes, they were now able to do what we call dynamic discounting. That meant when they want their cash, they can make offers to their customers that they're connected to on the Ariba Network and be able to accelerate their cash.
You have extraordinary volatility on your network and that can rumble all the way through.

So they were able not only to shrink their quote-to-settle cycle by 84 percent, but they gained access to new financing and capital through the Ariba network. So they could go out and hire that new developer to take on that new project and they were even able to defer a next round of funding, because they have greater control over their cash flow.

Gardner: Zach, in listening to Tim, particularly that discovery process, we're really going back to some principles that define being human -- collaboration, word of mouth, sharing information about what you know. It just seems that we have a much greater scale that we can deploy this. As Tim was saying, you can look to supply chains in China, Vietnam, or in your own neighborhood that you might not have known, but you will discover.

Help me understand why the scale here is important? We can scale up and scale down. How is that fundamentally changing how people are relating in business and society?

Tumin: The scaling means that things can get big in a hurry and they can get fast in a hurry. So you get a lot of volume, things go viral, and you have a velocity of change here. New technologies are introducing themselves to the market. You have extraordinary volatility on your network and that can rumble all the way through, so that you feel it seconds after something halfway around the world has put a glitch in your supply chain. You have enormous variability. You're dealing with many different languages, both computer languages and human languages.

That means that the potential for collaboration really requires coming together in ways that helps people see very quickly why it is that they should work together, rather than go it alone. They may not have a choice, but people are still status quo animals. We're comfortable in the way that we have always done business, and it takes a lot to move us out.

It comes down to people

When crisis hits, it’s not exactly a great time to build those relationships. Speaker of the House Tip O'Neill here in United States once said "Make friends before you need them." That’s a good advice. We have great technology and we have great networks, but at the end of day, it’s people that make them work.

People rely on trust, and trust relies on relationships. Technology here is a great enabler but it’s no super bullet. It takes leadership to get people together across these networks and to then be able to scale and take advantage of what all these networks have to offer.

Gardner: Tim, another big trend today of course, is the ability to use all of this data that Zach has been describing, and you are alluding to, about what’s going on within these networks. Now, of course, with this explosive scale, the amount of that data has likewise exploded.

As we bring more of these coalescent trends together, we have the ability to deal with that scale at a lower cost than ever, and therefore start to create this dynamic of viral or virtual benefit type of effect. What I'm alluding to is more data, the more insight into what’s going on in the network, the more the people then avail themselves of that network, the more data they create, and therefore the better the analysis and the more pertinent their efforts are to their goals.

So, am I off in la-la land here or is there really something that we can point to about a virtuous adoption pattern, vis-a-vis, the ability to manage this data even as we explode the scale of commerce?
One of the reasons we're so excited about getting access to SAP HANA is the ability to offer this information up in real time.

Minahan: We've only begun to scratch surface on this. When you look at the data that goes on in a business commerce network, it’s really three levels. One is the transactional data, the actual transactions that are going on, knowing what commodities are being purchased and so on. Then, there's relationship data, knowing the relationship between a given buyer and seller.

Finally, there's what I would call community data, or community generated data, and that can take the form of performance ratings, so buyers rating suppliers and suppliers rating buyers. Others in the community can use that to help determine who to do business with or to help to detect some risk in their supply chain.

There are also community generated content, like request for proposal (RFP) templates. A lot of our communities members use a "give a template, take a template" type approach in which they are offering RFP templates to other members of the community that work well for them. These can be templates on how to source temp labor or how to source corrugated packaging.

We have dozens and dozens of those. When you aggregate all of this, the last part of the community data is the benchmarking data. It's understanding not just process benchmarking but also spend benchmarking.

One of the reasons we're so excited about getting access to SAP HANA is the ability to offer this information up in real time, at the point of either purchase or sale decision, so that folks can make more informed decisions about who to engage with or what terms to take or how to approach a particular category. That is particularly powerful and something you can’t get in a non-networked model.

Sharing data

Gardner: To that same point, Zach, are there some instances in your book, where you can point to this ability to share the data across community, whether it’s through some sort of a cloud apparatus or even a regulatory environment, where people are compelled to open up and share that is creating a new or very substantial benefits?

I am just trying to get at the network effect here, when it comes to exposing the data. I think that we're at a period now where that can happen in ways that just weren’t possible even five years ago.

Tumin: One of the things that we're seeing around the world is that innovation is taking place at the level of individual apps and individual developers. There's a great example in London. London Transport had a data set and a website that people would use to find out where their trains were, what the schedule was, and what was happening on a day-to-day basis.

As we all know, passengers on mass transit like to know what's happening on a minute-to-minute basis. London Transport decided they would open up their data, and the open data movement is very, very important in that respect. They opened the data and let developers develop some apps for folks. A number of apps developers did and put these things out on the system. The demand was so high that they crashed London Transport, initially.

London Transport took their data and put it into the cloud, where they could handle the scale much more effectively. Within a few days, they had gone from those thousand hits on the website per day to 2.3 million in the cloud.
You need governance and support people, and people to make it work and to trust each other and share information.

The ability to scale is terribly important. The ability to innovate and turn these open datasets over to communities of developers, to make this data available to people the way they want use it, is terribly important. And these kinds of industry-government relations that makes this possible are critical as well.

So across all those dimensions, technology, people, politics, and the platform, the data has to line up. You need governance and support people, and people to make it work and to trust each other and share information. These are the keys to collaboration today.

Gardner: We're coming up on our time limit, but I wanted to put myself in the place of a listener, who might be really jazzed by the potential here, but is still concerned about losing control. How do you take advantage of the mobile extended networks of social media and networks, but without losing your basic principles of good business practice and governance?

Is there something that you're seeing Tim, through your network and the way you're approaching this, that is a balancing act? How can you give some advice to someone who can start to enter these waters, but not drown or get lost?

Minahan: First, I want to talk about the dynamics going on that are fueling B2B collaboration. There is certainly the need for more productivity. So that's a constant in business, particularly as we're in tight environments. Many times companies are finding they are tapped out within the enterprise.

Becoming more dependent

The second is the leaning out of the enterprise itself with outsourcing more processes, more supply, and more activities to third parties. Companies are becoming more and more dependent on getting insights and collaborating with folks outside their enterprise.

The third is what Zach mentioned before, the changing demographics in the workforce, the millennials. They're collapsing the hierarchal command and control. They don't stand for sequestering of information with only a given few. They believe in sharing and in the knowledge of crowds. They want more collaboration with their peers, their bosses, and their business partners.

When you take that within a business context and how you put controls on it, obviously there needs to be some change. There is some change going on. There is change going on towards this wave of collaboration. Zach said before that it needs a good leader. There is change management involved. Let's not fool ourselves that technology is the only answer.

So policies need to be put down. Just like many businesses put policies down on their social media, there needs to be policies put down on how we share information and with whom, but the great thing about technology is that it can enforce those controls. It can help to put in checks and balances and give you a full transparency and audit trail, so you know that these policies are being enforced. You know that there are certain parameters around security of data.

You don't have those controls in the offline world. When paper leaves the building, you don't know. But when a transaction is shared or when information is shared over a network, you, as a company, have greater control. You have a greater insight, and the ability to track and trace.
When a transaction is shared or when information is shared over a network, you, as a company, have greater control.

So there is this balancing act going on between opening the kimono, as we talked about in '80s, being able to share more information with your trading partners, but now being able to do it in a controlled environment that is digitized and process-oriented. You have the controls you need to ensure you're protecting your business, while also growing your business.

Gardner: Zach, last word to you. What do we get? What's the payoff, if we can balance this correctly? If we can allow these new wheels of innovation to spin, to scale up, but also apply the right balance, as Tim was describing, for audit trails and access and privilege controls? If we do this right, what's in the offing? Even though it's early in the game as you pointed out, what's the potential here? When can we expect this payoff?

Tumin: I think you can expect four things, Dana. First is that you can expect innovations faster with ideas that work right away for partners. The partners who collaborate deeply and right from the start get their products right without too much error built-in and they can get them to market faster.

Second is that you're going to rinse out the cost of rework, whether it's from carrying needless inventory or handling paper that you don’t have to touch where there is cost involved. You're going to be able to rinse that out.

Third is that you're going to be able to build revenues by dealing with risk. You're going to take advantage of customer insight. You're going to make life better and that's going to be good news for you and the marketplace.

Constant learning

The fourth is that you have an opportunity for constant learning, so that insight moves to practice faster. That’s really important, because the world is changing so fast, you have the volatility, a velocity, a volume, variability, being able to learn and adapt is critical. That means embracing change, setting out the values that you want to lead by, helping people understand them.

Great leaders are great teachers. The opportunity of the networked world is to share that insight and loop it across the network, so that people understand how to improve every day and every way the core business processes that they're responsible for.

Gardner: Well, great. I am afraid we'll have to leave it there. I'd like to thank our audience for joining us. We've been discussing new levels of collaboration and how they have emerged within an increasingly networked world and how that's all coming together to impact both business and society.

I’d also like to thank our guests for joining us. Zach Tumin, Senior Researcher at the Science, Technology, and Public Policy Program at Harvard Kennedy School. He is also the co-author with William Bratton of this year's Collaborate or Perish.: Reaching Across Boundaries in a Networked World, and that’s published by Random House. Thanks so much Zach.

Tumin: Thank you, Dana.

Gardner: And, of course, Tim Minahan, Senior Vice-President of Global Network Strategy and Chief Marketing Officer at Ariba, an SAP company. Thanks so much, Tim.

Minahan: Thanks, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions and you’ve been listening to a sponsored BriefingsDirect broadcast. Thanks again for listening and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ariba.

Advanced business networks are driving innovation and social interactions as new technologies and heightened user expectations converge. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

You may also be interested in: