Tuesday, May 13, 2014

Microsoft SharePoint at a Crossroads — Both Opportunities and Challenges for Users to Advance Productivity

Transcript of a BriefingsDirect podcast on how the rapid adoption of cloud and mobile are driving new challenges for Microsoft SharePoint users.

Sponsor: harmon.ie.

Dana Gardner: Welcome to a panel discussion on how one of the most broadly deployed collaboration platforms, Microsoft SharePoint, is rapidly evolving from its local portal roots into the new cloud and mobile era.

Delivering information as an actionable asset in a widely collaborative and increasingly mobile environment has clearly become a top business priority. Business architects need the agility enabled by such unshackled information sharing and contextual collaboration to keep pace with distributed services and a boundaryless enterprise approach to business.

It's why IT leaders worldwide recognize that they must better manage knowledge, share information more safely -- and yet rapidly and securely enable mobility among workers and their activity.

We’ll now hear from a group of recently selected top SharePoint influencers about where they think Microsoft SharePoint is headed, along with newer services like Office 365, and learn how companies can best exploit and extend the value around such services.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this sponsored journey into how enterprise collaboration and document management are being transformed by new cloud and mobile requirements.

So, please join me in welcoming our panel: Christian Buckley, Director and Chief Evangelist at Metalogix Software in Redmond, Washington; Yaacov Cohen, Co-founder and CEO of harmon.ie; Joel Oleson, Director of Marketing and Technology Evangelism at ViewDo Labs in Salt Lake City, and Laura Rogers, Manager of SharePoint Consultants at Rackspace Hosting. [See more on top SharePoint influencers.]

New role in cloud

Gardner: Laura, SharePoint was designed quite some time ago to play a somewhat different role. Organizations need to start thinking about cloud, or even clouds -- and learn how to manage across them, to do collaboration and safely shared documents. How well suited is SharePoint to take on this new role?

Rogers: It's interesting, because some of the bread-and-butter of SharePoint is being able to collaborate on documents. One of the main things that people have done with SharePoint over the years is in moving from file-shares to SharePoint. So that’s just getting things from file-shares to being able to collaborate with them easier.

Now, a lot of things are moving to the cloud. Everything that people do in their daily lives is based on the cloud. It becomes something that people are used to. People are used to being able to pick up their iPhone and have a FaceTime conversation. They’re used to being able to pick up their phone and check Facebook.

All these different applications are in the cloud, and it's part of people’s daily life. Now, they have this expectation of being able to have all this live information and collaboration going on with what they're doing at work as well.

Microsoft is moving to Office 365 and is doing a lot with the integration between Office 365 and the Office apps, being able to take files, quickly edit them on the phone, and then quickly upload them to SharePoint. In general, people have expectations of being able to collaborate wherever they are.

That’s where the pressure is coming from for enterprises to either physically move their data to the cloud and go to Office 365, or at least upgrade and keep all of their on-premises technology up-to-date, so that the end users have that seamless experience.

But that gets more and more complicated, because of all the different servers you would need to have involved -- like the latest version of SharePoint, the latest version of Exchange, the latest version of Lync. As it gets more and more involved to do those things on-premises, that’s where some companies are saying, “Let's just go do it in the cloud. It might be easier.”

Gardner: Christian, given the fact that we’re seeing increased complexity, it's one thing to move storage to the cloud and share documents across a cloud service. It's something quite more complex to bring a process into the cloud, manage the process, and have it extended across the boundaries of the organization. Are companies yet progressing to that point?

Buckley: You've hit on the complexity of what actually moves across. Look historically at intranets. I started getting involved in the intranet knowledge management space in the mid ’90s, and organizations approached building out those intranets and building the complexity of their work processes into digital form. That’s why automation, whether it's your dashboarding, workflows, and all those capabilities, fit into how SharePoint has been built out.

What's changed is that as all of these consumer-based technologies, which are primarily out in the cloud, have progressed, organizations want to focus less on infrastructure and focus more on actual business systems. End users on the other side of that want their corporate solutions to match more closely to their personal habits, to their personal tools. They're doing everything in the cloud, everything via a mobile phone.

Just want access

As you look at those changes to the traditional intranet model, how you approach and develop those solutions, build and maintain an infrastructure, and all the complexity, the difficulty is that end users are ahead of the curve. They want to have everything in the cloud flexible, dynamic, and real time via their phone or their tablet. They're out on the road. No matter how they're accessing the information, they just want access to it.

The difficulty is that not all of the technology is yet at parity with what you have on-prem, and that’s where SharePoint is at this crossroads. That’s what we’re starting to experience. The consumer is driving what's happening within the corporation, rather than corporate IT driving what end users have access to. That’s a huge change.

Gardner: Joel, it sounds as if we have businesses seeking agility and trying to find any way to improve the speed of doing business, but that there is tension between allowing on-premises systems to catch up, versus leap wholesale out to a cloud. Is that how you see it and how does that portend the future of SharePoint?

Oleson: There's an interesting transition happening right now where there is a big move to the cloud and a lot of companies are looking out at things, asking, "Is this Tinkertoys? Is this something that’s a trend? Is it something bigger? Do we need to invest here?"

In the beginning, it was seen as more of a hosting move where there are companies that are doing this hosting, and now Microsoft wants to do hosting, and there are these various companies that are out there doing hosting. What we’re seeing now is a transition of a technology, where it’s this trend of "cloud first," and where the actual product is being developed and the features are showing up first in the cloud.

This trend of hitting features a year ahead of time and being able to validate and get richer experiences in the cloud that may never have come on-premise, is really making customers look at it quite differently. There are business solutions that enable, in terms of making it easier, and someone else is taking care of upgrades and someone else is taking care of your infrastructure needs. So you really focus on your business value from that perspective.

Also, when you look at it from the perspective of this approach of cloud first, on-premise second, on-premise comes across as the second-class citizen. A lot of these arguments that have held people back are around security, such as not wanting other people managing your data, and that bigger concern around how to best handle the situation. With SharePoint, that trend is going to continue.

Gardner: Yaacov, thinking about the complementary nature of cloud services and mobile devices, we’re seeing not just an interest in going to cloud for cloud's sake, but being able to better deliver services across boundaries and out to mobile devices -- maybe even to bring-your-own device (BYOD). After listening to our panelists, our top influencers, how do you see something like the on-premise world readily adapting to both the needs of the cloud and mobile?

Cohen: Our panelists talk about these very significant transitions. Not only is Microsoft at a crossroads, but the customers and the large SharePoint shops are also at a crossroads. It's about a "cloud first" for Microsoft, and now with the recent announcements, it's also about "mobile first."

Now, we see that Microsoft is very serious about iOS, about the iPad, and also about Android. Your question was well pointed. There are two different types of scenarios when you're accessing the cloud and Office 365 for mobile devices. I know we're talking SharePoint, but in fact, there are two different products now: the OneDrive which earlier used to be SharePoint Online, and the SharePoint On-Premise.

Different scenarios

There are two different business scenarios where a lot of what Microsoft is looking at, including on mobile access, is more of a document-saving, document-storage, document-sharing capacity. It's very consumer centric, very competitive to Dropbox, and may also compete with Box, and be very easily accessible from mobile devices.

Now we have Office on the iPad. That’s really a huge statement from Microsoft’s standpoint. But then, there is a totally different scenario looking at SharePoint as a knowledge center, as a record management center, and as the core of the business processes for the enterprise.

That’s not quite addressed right now by Microsoft with the "cloud first" and "mobile first" approach. With the "mobile first" approach, there's no real attempt by Microsoft to try to continue to support Office 365 or SharePoint Online as a knowledge center. We've also made our data and tags and taxonomy.

The focus is much simpler. They want to be a Microsoft-centric Dropbox, providing very easy access for mobile devices. So we're talking about two very different scenarios. This is a pretty interesting time also for end users. They need to be a lot more accurate in the business requirements they're trying to solve either with OneDrive for document sharing or SharePoint for knowledge management.

Gardner: It seems to me that having the ability to compete with Dropbox and share documents is really table stakes at this point. The larger proposition is enabling a hybrid transition and enabling better management and control over the complexity, even as we expand the extent to which we’re collaborating.

Laura, as users begin to think about how to not just deal with this tactically, but to think about that larger hybrid cloud capacity -- where the control remains internal with the best of cloud access -- how do you think they're viewing SharePoint? Is there a change in the perception of what SharePoint does?

Rogers: The perception of SharePoint is changing a little bit, but it depends on who you are, where you are coming from, and what type of organization you are in.

For some people, especially smaller companies that are a little bit more flexible as to where they can store their data and how fast they can get their data moved, their perception is that if they can't move to Office 365, they want to quickly figure out a way to get hosted SharePoint and get all of their data into the cloud.

So they're analyzing Office 365 and they're figuring out if it will do everything they need it to be able to do. Of course, if you're a smaller or a mid-size company, you're a little bit more flexible, because you might have fewer custom applications and things like that. So they're analyzing that, they're analyzing other methods of putting things in the cloud, and they are comparing them.

When it comes to bigger organizations, and organizations that have more restrictions such as governments and healthcare and things where you have to have HIPAA and different regulations considered, they have a whole different perspective.

Very hesitant

They're thinking how they can keep SharePoint where it is right now in a lot of cases. Then, they're researching to see how other companies that have their same sort of stipulation and are going into the cloud. They're going to be very hesitant.

The perspective is going to be that the cloud to them is a little bit more dangerous and scary, because they don’t want to have anything happen to their very sensitive data. But they're researching and figuring out all the different ways that they can do hybrid environments, so they can still have some of their intranet in the cloud and have it connected to their on-premises solution. So there is going to be a lot of hybrid situations going on as people gradually get weaned over to the cloud.

They're going to have combinations of some information here and some information there. The trick is going to be to make it look seamless to the end user and have them be able to just go to SharePoint, whatever SharePoint happens to be, wherever it happens to be, do a search and have the search come up with everything.

So it's "SharePoint wherever" in all the different locations that it might be, have it just look like a seamless interface to end users, and have everything that they do in that environment be seamless. Because when it comes to the IT people and the decision makers, they have a lot of things to worry about when it comes to where to put the data, how to migrate it, and how to be able to get to it for backups and things like that.

They have to keep remembering that the end user wants to be able to have something simple, that they know where to go, the interface is familiar, and then just be able to do their jobs. As long as those decision makers don’t forget that the end users just want to be able to do their jobs and not have everything be more complicated than it needs to be.

Gardner: Christian, it seems that the opportunity for Microsoft here is to make SharePoint the entry point, the face, if you will, of both hybrid cloud activities and mobile collaboration activities. It's a tremendous opportunity for them.

How do you feel about the perception of people in the field, those users and those managers at enterprises? Are they seeing SharePoint as the potential silver bullet for managing this complexity, or do they see it more as a steppingstone to something else?

Buckley: There are a couple of things. We're talking about perceptions, right? There's some talk within the expert community about SharePoint as the brand, when I talk about going out to my SharePoint system. You're hearing the word SharePoint less and less. It doesn’t mean that the technology is going away. It's more that it's becoming ubiquitous.

When you think about the various Microsoft properties that they’re building on top of, OneDrive, Yammer, and within Office 365, a lot of those various components, where there is content and where there is a process or workflow and other things that are related.

When you're talking about some of the PowerBI, the dashboarding capability, you're talking about SharePoint. That’s where the data is stored behind that. It's the unifying technology underneath the platform.

Current perception

Backing up a bit, the perception is about the control, administration, compliance, auditing, and all those options. The perception is that you have less of an ability to do those things out in the cloud.

Government bodies, highly regulated industries, went to SharePoint and on-prem because they had that level of control and the ability to go in and configure and customize and add on and extend all those things. SharePoint grew so rapidly, because of that ability, but they are very correct in some of those perceptions about not having the same degree of control out in the cloud.

There is not yet parity when you think of it in those terms. The tools need to mature. The application programming interfaces (APIs) need to be expanded. On the flipside, those perceptions of what you can and can't do and control out in the cloud is because many organizations have overbuilt SharePoint. End-user adoption is a serious issue, as it is for every enterprise collaboration solution out there. Any competitor in the space that tells you otherwise is marketing to you.

The reality is that end users want something that is streamlined and that’s simple. They want to click once, twice at the most, get in, and get their jobs done. They don’t care what the brand is. Microsoft needs to extend and add, increase the parity between Office 365, the software-as-a-service (SaaS) solution, the SharePoint Online, version of the on-prem version, get that parity across it.

They need to make it easy to access, easy to invite people in, easy to click once or twice, get to the information that you need through the interface that you’re most comfortable with, whether it's Exchange or Yammer or OneDrive or going into SharePoint, going into your intranet or an extranet, with all of those things. SharePoint underlies all of those things.

Microsoft still has some messaging to improve on to help change some of those perceptions of what SharePoint is, where it's going, and how people can make that transition.

Gardner: Joel, thinking about a more practical approach for the user organization, rather than waiting for Microsoft to simplify SharePoint, maybe reduce some of this overbuilding, making it more appropriate for cloud activity, what can organizations do to take the best of what SharePoint can do, leverage the investments they’ve made and yet still be able to break out across boundaries, into cloud, into mobile?

Is there some basic blocking and tackling advice you can offer for using SharePoint, but in this new environment?

Oleson: Some advice for customers ... They really need to dip their toe in the water. Some customers, when they decide they want to go Office 365, go all in and then they have second thoughts. It's not that people shouldn’t invest in Office 365, but they need to be cautious about understanding some of those limitations around customizations and some concerns that other departments may have: IT, for example.

So there's a cautious approach, and a pilot needs to happen. OneDrive, as an example, is an amazing way to start getting involved with the cloud. Yammer, as well, is a great way to get into the cloud and also to, all of a sudden, be able to support with mobile devices great conversations with fellow employees.

Taking advantage

But part of that approach is getting the right kind of policies and procedures in place that can support the users and the departments that want to, and need to, take advantage of the new technology.

But I don’t think that it's throwing everything out there willy-nilly. There's that approach of going service by service. Another example is people who are going to move their email. It's a no-brainer to move your email out there, but there is some identity work that has to be done, and the budgets have to be right to be able to understand the investments and the time it's going to take.

But that hybrid process of moving things out there is a multi-year approach, and the investment that’s going to be required has to be a conscious decision in having the right engines firing on all cylinders and making that transition. It takes all eyes open as you make that transition.

Gardner: Yaacov, what advice do you have for organizations that are in SharePoint deeply, who want to continue to leverage that investment, recognize that their users are getting a lot of value from it, but also want to start extending their activities using hybrid approach to more application by application transitions, as Joel mentioned?

Cohen: Joel had some good points about the progressive approach, looking service by service. Also, it's about defining your business requirements and, for example, to differentiate between collaboration scenarios, which are more ad hoc, more social, and which say more about project management and not so much about knowledge management. So in this case, Office 365, OneDrive, and Yammer is a great way to go. We're already investing a lot of preparation in taxonomy and the information architecture.

But if you're looking at more enterprise-wide projects to share knowledge across multiple business lines or you're trying to reduce the liabilities with record management, that’s where you probably need to take a more comprehensive approach with more preparation and design. You need to know that the “cloud first”/"mobile first" marketing is very nice, but it's not ready yet to deliver a sole business solution.

Gardner: Laura, tell us about what you’re doing as a SharePoint Consultant Manager and what Rackspace Hosting is doing vis-à-vis collaboration and SharePoint Services?

Rogers: At Rackspace around SharePoint we have a couple of major divisions. We have people that support our hosted SharePoint environments and we also have SharePoint consulting. A lot of our hosted SharePoint customers will make use of the consulting services. But we also provide consulting services to people who aren’t necessarily hosted at Rackspace.

We have different types of hosting that you can get there. We have a per-user environment, which basically means you're buying site collection, and it's similar to Office 365 and there is one big farm that’s managed in a central place. You’re not necessarily in control of your SharePoint environment.

Different levels

There is also one where you can have your own SharePoint server. So there are all different levels of being able to have a hosted environment. As consultants, we can take care of those clients.

But we get a lot of clients that come to us and say they're looking at Rackspace hosting and also looking at Office 365. They ask why they should do one or the other. We go through their requirements and what they want to be able to do in SharePoint. Then, we help them to talk about the pros and cons. We explain "You have this custom app over here and you wouldn’t necessarily be able to do that in Office 365."

They have all this super custom branding, little technical things that they have, and we go through some of the tradeoffs they might have to make, one way or the other.

We have different groups of consultants. I manage the group that deals with business solutions. We have a group of developers. We have a group of branding guys, and then my business-solutions guys have out-of-the-box functionality, business intelligence (BI), user adoption, governance, documentation, and things like that. Business solutions includes things that don’t involve custom code and things that don’t involve branding. I also teach a SharePoint 2013 Power Users class online for a week each month.

Every Wednesday at 11 Central, my team and I get together and we have a free YouTube broadcast, where we just talk about some business-solution topic, do demos, and things like that. That’s the SharePoint at Rackspace YouTube channel: http://www.youtube.com/sharepointrax.

Gardner: Christian at Metalogix, tell us a little bit about what you do there, and what your organization does in the SharePoint community, or eco-community.

Buckley: My role is Chief Evangelist. So I sit across multiple areas. I work very closely with product management and product marketing. I work very closely with our partner and alliance management team. I do a lot of meeting with customers, meeting with partners, and setting up and investigating various technology partnerships.

From a community standpoint, I'm also very involved in helping organize various community efforts and, in that way, spreading goodwill for the brand out there within the community. I've helped launch about a dozen SharePoint Saturday events primarily out in the Western U.S. states.

Then, I travel around the world speaking at conferences, sharing perspective, usually to the IT business decision-maker and executive crowd. I do events where I travel on behalf of our partners and meet with their customers. I try to help fill the pipeline from a sales perspective and help partners on my own sales team close on deals and things that people traditionally expect an evangelist to do.

Metalogix is the largest, fastest growing SharePoint ISV. Two areas that we are really known for are migration and governance and administration solutions. I write a lot of content around those topics, as well as things like storage optimization and replication.

Helping people

We're very much involved in working with Microsoft and with our partners in helping people manage and migrate between SharePoint environments, as well as moving people from on-prem into Office 365.

We're the only ISV that has a solution that migrates Exchange, public folders, file shares, and SharePoint content to Office 365. So I'm doing a lot of promotion and talking about those options out there on a regular basis.

Gardner: Joel, tell us similarly about yourself and ViewDo Labs as well.

Oleson: ViewDo Labs is focused on Yammer analytics. My role has been working with the community around writing, speaking, and blogging.

I've gathered a group of influencers in the enterprise social space. We get together and talk about various topics around enterprise social and take on the biggest challenges. I participate in a lot of conversations, Tweetups, and variety of activities as they relate to enterprise social, moving forward maturity around enterprise social as it relates to Yammer and other technologies in that space.

As an example, Christian talks about his travel. Travel is something that’s been a big passion of mine, connecting with folks around the globe and building communities. Just a week ago I was in Jamaica running a SharePoint Saturday, but also launching a user group. I’ll be speaking at a European SharePoint conference. Following that, I'll be doing some travel in Central Asia and launching a community in Uzbekistan.

A passion of mine is expanding global reach and connecting communities that otherwise would never meet people that are on the top tier speaking circuits. I try to go to those locations where they’re underserved markets, you could say. But the big focus is on enterprise social and working transparently, working like a network, and just getting excited and working with businesses around how that big transformation is happening.

Gardner: Yaacov, tell us a little bit about why you co-founded harmon.ie and what harmon.ie does and how that fits into the SharePoint ecosystem?

Cohen: We founded harmon.ie in 2008. Basically, we wanted to bring a customer-like user experience to the enterprise world. We've built a one-screen user experience across emails, mobile devices, and cloud.

We provide a suite of connected apps on mobile devices like iOS, Android, Windows Phone and BlackBerry. Within Outlook, we provide an Outlook plug-in, delivering the same consistent user experience across on-premise SharePoint, Yammer, and Office 365.

The idea is to help the business users to get a complete view of their network and their colleagues’ network in order to be more efficient at the enterprise level in the ways they manage knowledge management, knowledge centers, record management, and how they can really evolve into more of a social enterprise, which is really collaborating and working like a network. That’s what we try to do.

Social collaboration

Gardner: I’d like to just address one more issue before we sign off, and it's the impact of social collaboration. People are now looking at the walled interface, being used to things like Facebook, and LinkedIn, and Twitter, and then recognizing that that’s a powerful way to get knowledge transferred and allow for people to work together, but now also recognizing that more and more people are using mobile devices.

And so there's this combination, this Reese’s cup of peanut butter and chocolate, when it comes to mobile and social. How do you all think that this is going to be driven into use -- will the technologies keep up with the demand on the user experience and behavior?

First to you, Christian. What do you foresee as the methods that the IT department will have to adopt and the technologies that they will have to exploit in order to start allowing users to do what they want on a mobile device and be more collaborative in a social type of way?

Buckley: It's evolving so rapidly. To say what technologies they need to start considering, I take a very pragmatic, project program management approach to this. That’s a lot of my background. Working with customers, it would be to fully understand what you are trying to accomplish for the business.

If you're recognizing that your end users are requesting more social and mobile capabilities and yet you have certain constraints, compliance and auditing, regulatory requirements, sometimes legal requirements that you need to make sure all systems comply with, you just need to make sure that the solutions that you are building out, the technologies that you go investigate, can comply with those needs.

And certainly, if you go with Office 365 and social through Yammer, whether a standalone Yammer or Office 365, and if you're going to build a hybrid solution, these are questions you need to ask and understand, which may determine how you configure the platform or which options you choose.

We're not at a place where you can plug and play, even in the Microsoft stack, any of those tools and just assume that you're going to meet all of those standards that you need to be held to. You need to ask those questions and then make some decisions, which could mean paring back on your requirements. It may be a phased approach, as you wait for further advances, but it's just something. Ask the questions and go into it with your eyes wide open.

Gardner: Joel, the same question. How do you see organizations being able to manage this risk-and-benefit balance between allowing users to get what they want for functionality and collaboration, but also keeping it inside the organization and limiting them in some other way? How do you balance this best, and how will that balance perhaps change over the next few years?

Oleson: Well, that’s really interesting. This is really a battle between wills. Microsoft is making some major bets, and some of those bets aren’t just with the IT department. It's the business departments that are really going to make and drive some of these decisions. And if the IT department essentially holds back the business, they may find that they are going to go around.

So there are going to be some pros and cons and cost benefits, especially as it relates to licensing, but I think you'll find that some of the businesses are needing these technologies, and so it will essentially be business IT units that will test the waters and may drive ahead of the IT department in some cases.

IT as the enabler

It's not going to be everybody all nodding their heads at the same time. There's going to be some pilot theory happening and it's going to be the proof is in the pudding. Where it's going is that IT is the enabler. Are they going to be helping us make that transition and move, or is it going to be marketing, or is it going to be HR or some of these other business departments that essentially make that first bet in making some of those decisions?

I'm finding that some of the IT environments are actually more conservative and more cautious, where some of the business departments see the benefits and they see that it's going to be easier. It gives them more of that device approach that they need, and they may get out ahead of IT. I expect that to happen in many organizations.

Gardner: And Laura at Rackspace, is it "damn the torpedoes, full speed ahead, adopt the cloud, and let IT figure out how to catch up later?" Or from strictly a cloud perspective, do you think that you can give those users what they want in terms of social and mobile collaboration and keep the risk at a managed level?

Rogers: Joel brought up a great point about the technology and people just going around it if they don’t have what they need. Not necessarily Rackspace, but a lot of companies are coming across financial restrictions, because they might decide that they do need x, y, z technology.

They need to have their own private Yammer network and actually purchase the enterprise versions of that. Or they might need to purchase the enterprise version of SharePoint or Box.net or whatever they happen to be using, and it might be cost restrictive for them.

So this is going to be a case where when you think about all of the people that might go around and use different technologies, like using their personal OneDrive to share things with people outside the company. That’s not very secure. Neither is using other technologies they might come across on random apps on their phone or on the web and start using that with business information.

So when companies are thinking about technologies like this for the enterprise and how cost restrictive they are, how expensive they are, I think it's more something where you have to weigh what could possibly happen with people uploading sensitive information to all these uncontrolled locations and what's the risk there compared to what you benefit from going ahead and purchasing that enterprise level product or whatever it happens to be, and just pay for it, and therefore you will be able to have a lot more control over that data.

Because people are going to go around and they are going to figure out a way to do something with whatever the latest technology is, even if the company doesn’t provide a way to it.

Gardner: Yaacov, it seems that regardless of whether the IT department leads or the business leads and whether they use internal or external services, getting these services visible and usable across any and all needed screens and devices is going to be essential.

So, given that it's still an open question as to how mobile and collaboration and document sharing and social interactions evolve and become delivered, what do you think is an important part of being able to be in front of that and maybe accommodate whatever the outcomes are on the back end?

What's appropriate

Cohen: This is really a good point. When I work with IT, I advise IT to start thinking differently about their job. Rather than being the gatekeepers, they need to become enablers. They need to become like a systems integrator and a service provider within their own organization. And they need to take a look at mobile and cloud and see how they can take these technologies and package them in a way that is appropriate for their business users.

They need to look at the lines of business or the departments as their customers and they need to act and market solutions to these customers. This transforms also our relationship as a vendor with IT. Rather than selling to IT, we are partnering with IT in order to help them package and sell solutions internally, mobile solutions in order to improve the business experience and, as such, to boost the business initiative, collaboration, and mobile.

Gardner: You’ve been listening to a panel discussion on how one of the most broadly deployed collaboration platforms, Microsoft SharePoint, is evolving from its local roots into the cloud and mobile era.

And we’ve heard how a fast-changing SharePoint ecosystem, along with newer services like Yammer and Office 365, can be newly exploited by organizations, but they need to take proper steps and figure out a lot of complexity. It's still really an open question about how to do this. It's still time for innovation.

This sponsored discussion with a group of recently selected top SharePoint influencers comes to you thanks to harmon.ie.

Please join me now in thanking our guests, Christian Buckley, Director and Chief Evangelist at Metalogix Software in Redmond, Washington; Yaacov Cohen, Co-founder and CEO of harmon.ie; Joel Oleson, Director of Marketing and Technology Evangelism at ViewDo Labs in Salt Lake City, and Laura Rogers, Manager of SharePoint Consultants at Rackspace Hosting. [See more on top SharePoint influencers.]

Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this deep exploration of how enterprise collaboration and document management are being transformed by the new cloud and mobile requirement.

Thanks again for listening, and don’t forget to come back next time.


Transcript of a BriefingsDirect podcast on how the rapid adoption of cloud and mobile are driving new challenges for Microsoft SharePoint users. Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.


Monday, May 12, 2014

American Electric Power Leverages Dynamic Discounting to Bring New Efficiency and Innovation to Buying

Transcript of a BriefingsDirect podcast on how both buyers and sellers can benefit from a cloud solution to discounting.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ariba, an SAP company.

Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast series coming to you from the recent 2014 Ariba LIVE Conference in Las Vegas. We’re here the week of March 17 to explore the latest in collaborative commerce and to learn how innovative companies are tapping into the networked economy.

We’ll see how these companies are improving their real-time business productivity and sales, along with building far-reaching relationships with new business partners and customers.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Ariba-sponsored BriefingsDirect discussions.

Our next innovator case study focuses on American Electric Power and how they’ve been improving their financial processes and operations using Ariba Dynamic Discounting. We’ll learn how a real-time business-process approach to billing, ordering and settlement terms between buyers and sellers benefits both American Electric Power and its vendors.

To learn more about agile business services, please join me now in welcoming our guests, Drew Hofler, Manage Cash Solution Marketing Director at Ariba, an SAP company. Welcome, Drew.

Drew Hofler: Thank you, Dana.

Gardner: We’re also here with Rick Gray, Senior Treasury Specialist at American Electric Power in Columbus, Ohio. Welcome, Rick.

Rick Gray: Glad to be here.

Gardner: First to you, Drew. What are the pressures now? We’ve heard a bit about Dynamic Discounting in the last couple of years, but I’m wondering what's the new impetus? What’s changed that makes Dynamic Discounting more relevant than ever?

Hofler: The fundamentals around Dynamic Discounting that drive it are the buyers, their not having a lot of cash on hand. Not getting return on cash hasn't changed a whole lot in the last few years. Companies still have a lot of cash, but the Fed funds rate is still very low.

On the supplier side, one thing that has changed for them a little bit is that the actual credit crisis has thawed a little bit, but not completely. The thing that's really changed for suppliers, and it was more of a gradual change, is that they all see longer payment terms now from their buyers. In the old days, before 2008, net 30 was your base term. Now, net 45, net 60 is standard, and many suppliers are facing longer terms than that.

Dynamic Discounting offers the great relief valve for that. It allows buyers to use their cash and earn some great return on that cash, and it allows suppliers to access early payment and lower their days sales outstanding (DSO) when they want to.

Evolutionary growth

The other thing that has really fundamentally changed, and I’d say it's more of an evolutionary growth that makes Dynamic Discounting more relevant than ever, is that what makes Dynamic Discounting possible is e-invoicing and the ability to get invoices approved very rapidly, so there's an opportunity for that early payment.

E-invoicing has really grown in the accounts-payable world, both in the US as well as abroad. E-invoicing has become more standard. More and more people are coming into it. It's not a leading practice anymore. It’s a best practice, but there is a long way to go.

But as those invoices get approved very quickly and suppliers have visibility into them, it becomes very natural for a supplier to raise their hand and say they would really like to get paid early, maybe to reduce DSO, maybe to increase cash flow, whatever their reasons, but the confluence of e-invoicing and that network visibility is really driving Dynamic Discounting.

Gardner: For any of our new listeners and readers, why don’t you quickly define for us what Dynamic Discounting is, and then also tell us what the benefits are and to whom? Now that this has been in play for a while, are there any unintended consequences about who is getting value from it and why that's increasing the uptake?

Hofler: Dynamic Discounting, at its very root, is an early payment on an invoice that is funded by buyer cash. What makes it dynamic is that it allows suppliers, on an automatic or an ad-hoc invoice-by-invoice basis, to essentially raise their hand on a Dynamic Discounting platform by clicking a button and say they would like to get paid early, and in their control, accelerate their payment.

Dynamic Discounting simply puts the tools in the hands of the paying customer, to use their cash and earn something, and it puts the tools in the supplier hands to accelerate payment.

I like to call it the bringing together of opportunity, visibility, and capability, where you have the opportunity created by e-invoicing and where now you have an early approved invoice.

Visibility is through a network that allows the buyer to see where they have an opportunity to pay early and a supplier to see where they have the opportunity to be paid early. Then, there’s the capability on that network to click a button and make it happen, so that they have money in their account a couple of days later.

Gardner: And the other part, what’s been perhaps an unintended or unexpected consequence that’s benefiting the chain here in such a way that more and more people are doing it? What’s fueling the uptake?

The business network

Hofler: I wouldn’t necessarily say that it was unintended, because I think we intended this to happen and we saw it. But I would say that what's really fueling it again is the rise of the business network.

As I said, it’s the opportunity, visibility, and capability, and it’s that visibility element, where now more suppliers are used to seeing their invoices on the network. They’re used to seeing them approved very early, and then they can take advantage of it.

But one of the surprises that I see is in who offers a discount and who takes the discount on the supplier side. Logically, you would think it would be your smaller suppliers, with not much access to cash or not much access to credit, and in general, they do very much take it up.

But you will also often see very large suppliers with very large invoice discounts -- I mean in the six digits sometimes -- that will do it on occasion, because they have the opportunity and the control to do it when they want to. They will do it for other reasons, such as end of quarter to reduce their DSO or as accounting window dressing to get receivables off their books.

And the beauty of Dynamic Discounting is that you don't have to know what your supplier is going to do or why they’re going to do it. You offer them the opportunity, give them visibility and the capability to do it, let them make the choice, and you will often encounter some surprises like that.

Gardner: Let’s go to Rick at American Electric Power. Tell us a little bit about your organization and how you came to be using Dynamic Discounting?

Gray: American Electric Power is an electric utility, one of the largest investor-owned electric utilities in the country. We’re in 11 states, and we have five million customers. We have gross revenues that were over $15 billion last year. So, we’re pretty well-sized.



We started to look at our expenditure cycle, the whole purchase-to-pay (P2P) process, and had an independent consultant in to look at that and to give us some strategy on how we can improve. Part of it was to do the e-invoicing, the e-purchase order.

So we were looking at different tools and companies to provide that, and Ariba was the one that came out, and we selected them. Part of the justification for that whole project was the increase in early-payment discounts. That’s what got the ball rolling.

Gardner: And to what degree are you using it?

A lot of use

Gray: Quite a bit. When we started looking into it with Managed Services help, we saw that we had over 150 different payment terms. We looked at our days payable outstanding (DPO), which is the number of days it takes to pay our suppliers.

It was shorter than the industry average, which means we were paying sooner than our peers in the industry, which caused us a little concern in that we obviously weren’t being overly prudent with our cash or gave that appearance.

So part of the effort was to look at our payment terms and standardize them, and we decided to extend them a little bit to get along with the industry average.

Gardner: Rick, what about this notion of a business network, transparency, and having more data at your fingertips in order to benefit other processes, other financial issues in your company? Do you see this as an accelerant to the use of network information and transparency and perhaps building less risk into your overall financial situation?

Gray: Absolutely. And because we were looking at our working capital and our liquidity and extending the payment terms and consolidating them, we wanted to provide our suppliers with a tool for them to be able to then give them that relief valve that Drew was talking about. So if they did need the payment sooner, that’s fine. We could give them that opportunity without losing the benefit to ourselves in the process.

It became really important to get the buy-in throughout the company. We realize that some suppliers need the money sooner and that’s fine, and here’s the process to do that. The tool then allows the suppliers an easy way of accessing that and getting their money sooner if they need to, without reaching out to our accounts payable department or our procurement department and calling around. This was a more streamlined process for that.

Gardner: One of the things that’s really interesting to me and why I think this takes off so well is that it benefits both sides. There are more information and terms available. Negotiation positions all work to their mutual benefit. Do you have any metrics of how this has benefited your organization? Do we have some opportunity to look at where the rubber hits the road? What do you get for it?

Gray: There are a couple of things. This past year, we extended our days payable outstanding by two days, which doesn't sound great. On the other hand, with $1.2 billion in average daily accounts payable, that’s two days we didn’t have to borrow $1.2 billion. We even had a holiday where we didn’t have to borrow one day, but gradually that turned out. So we reduced our borrowing for that much.

On the other hand, we also saw increased early payment discounts that matched that business case that we talked about later. So in that regard, we’ve done pretty well.

Gardner: Let’s go back to Drew. What’s coming next? What have we gained from the news here at Ariba LIVE? What are you hearing from the attendees, and what should we look for in terms of next steps in making Dynamic Discounting even more powerful?

Continued buildup

Hofler: What comes next is a continued buildup of the transparency and visibility in a network that allows suppliers to see what's going on and allows buyers to tie that in together.

We’re seeing that companies are looking at these things, not as disparate processes anymore, not just the invoicing, not just Dynamic Discounting, not just procurement, but are looking at the realization that each of those is a link in a value chain and they need to be linked together.

We’re seeing people going from where they’ve started and expanding onto a platform that allows them to grow and link these things together. You’ve got suppliers, for example, that may have just been PO or may have just been a contract.

Now, they move them into the invoice on that. Or, it may have been invoice and just contract. More and more suppliers are finding more and more reasons to come to the same network. That increases the pool of who is there to discount.

The other thing that’s tied to it, and not discount specific, is the idea that it’s early payment when they raise their hand. We’re now seeing this area of what we announced at LIVE in AribaPay -- not only to allow the supplier to raise their hand to receive their payment early, but to be able to be paid in such a manner when they do that, they have full visibility into everything that went into the final dollar that comes into their account, with every invoice, every line item, every PO, so that they can reconcile it easily and quickly identify discrepancies.

So we really see the tying together, not only of the desire to be paid early, but then the actual mechanics around the settling of that payment.

Gardner: And for global companies that are concerned about currencies, jurisdictions, and tax issues, this can be a big deal.

Hofler: Absolutely, it can, and particularly if they have multiple invoices around payment, keeping track of the differences. You get one lump sum and it accounts for 100 invoices that might have 20 line items each. That becomes a big issue to maintain, and the more global you go, the more complex.

Networked economy

Gardner: Of course, a recurring theme at Ariba LIVE was the networked economy -- and also the fact that you are, as part of SAP, using HANA and other analytics capabilities to bring more insight across the activities of the Ariba portfolio.

I was struck when Rick mentioned that he could compare the industry standard for payable terms and therefore adjust accordingly. Are there other metrics, analysis, or even predictive value that, as an aggregator of Dynamic Discounting terms, with all privacy, security, and anonymization brought to bear, more value add when it comes to being smart about how you do this?

Hofler: Absolutely. I couldn’t be more excited about potentially having all of the 15 years now or more of data on the Ariba Network of POs, invoices, and payment terms and early payments. All of this is brought together in such a way that we can do just that. We can take all that big data and turn it into information that’s actionable.

There is so much there, not only from the aggregate standpoint. As you mentioned, we never, ever share which supplier we discount how much, but on an aggregate basis, what are some of the trends, what are some of the indicators that a supplier would be more willing to discount? Just on the data that I’ve tracked outside of HANA, not nearly as powerful as that, you’ll see certain patterns, end of quarters, end of certain seasonal cycles.

Having the ability to see that for a buyer or a treasurer to then make maybe more cash available for that particular time and plan for that, they can make more cash available to handle the spike in volume of discounting. There’s just tremendous potential there.

Gardner: Rick, any advice for other organizations that perhaps haven’t done Dynamic Discounting, but are evaluating it? Is there anything that you can offer with 20/20 hindsight that they would benefit from?

Gray: A couple of things. One, it’s not that bad of an integration. There’s not a whole lot of movement there. It’s not really that complicated. So that's not too bad.

The challenge is getting the suppliers on and getting them engaged. We actually purchased the software right when Ariba was rolling out Managed Services, so we were sort of grandfathered in prior to that and didn’t utilize the Managed Services when we implemented. We saw that our adoption rate was well below our target.

Six months or so afterward, we engaged the Managed Services, and within three or four months, we had reached the original target. So that was a big help and something I would strongly encourage. Listen to and use the partners. It’s not that we’re not smart enough or don’t want to work hard enough to do it. It’s just that we just didn’t really have the time and resources.

Gardner: Would you say, Rick, that this has paved the way for a different type of relationship between you and your suppliers? Has it increased collaboration and communication in any way, maybe a stepping stone towards more transparent and even more mutually beneficial business negotiations and relationships?

Next target

Gray: Yes, and we’re working on that, as far as a long-term contract is going into place. That's our next target right now with the smaller suppliers, with immediate need. Now, we’re looking to make sure that that’s the culture within the company. These are the payment terms and this is the tool to utilize going forward. We’re sticking to our guns, saying that there are no exceptions. Everyone goes through this, and that’s been beneficial.

Gardner: Last word to you Drew. How does this integrate into other things? You’ve already mentioned AribaPay. We’ve talked a little bit about analytics and visibility. The whole greater than the sum of the parts is where a lot of business services and those that avail themselves of cloud models can go. Where does this integrate into next? Where is the bundle? How do we make this a value add?

Hofler: It’s just a natural bundle for anything that has anything to do with P2P, Ariba Collaborative Commerce, and Ariba Collaborative Finance. If you look at it as a process, classic process, everything ends up with an invoice to be paid.

So we bundle it in when the invoice is a part of any type of business process re-engineering that a customer is doing. We point it out to them as a natural next progression when they are going there.

Rick made the point earlier that it really drives the business case too. It’s very helpful for folks who are looking to get some technology to help them drive business process re-engineering and to improve their business processes.

Sometimes, efficiency isn't enough in terms of savings to get that raised to the top of the project pile. Dynamic Discounting is a great way to add significant return on investment (ROI) to that business case, so that they can get their overall project approved. We’ve seen that happen time and time again. So it’s a great part of the bundle.

Gardner: Very good. I’m afraid we will have to leave it there. We have been talking about how American Electric Power improves their financial processes and billing operations using Ariba Dynamic Discounting.

And by examining a user's experience, in this case at American Electric Power, we’ve learned how a real-time business process approach to billing, ordering and settlement terms benefits both the buyer and the seller.

So a big thanks to our guests, Drew Hofler, Manage Cash Solution Marketing Director at Ariba, an SAP company. Thanks, Drew.

Hofler: Thank you, Dana. It’s my pleasure.

Gardner: And also Rick Gray, Senior Treasury Specialist at American Electric Power. Thank you, sir.

Gray: You’re welcome.

Gardner: And thanks to our audience for joining this special podcast coming to you from the recent 2014 Ariba LIVE Conference in Las Vegas.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Ariba-sponsored BriefingsDirect discussions. Thanks again for listening, and come back next time.


Transcript of a BriefingsDirect podcast on how both buyers and sellers can benefit from a cloud solution to discounting. Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.



Wednesday, April 30, 2014

Software Security Pays Off: How Heartland Payment Systems Gains Steep ROI Via Software Assurance Tools and Methods

Transcript of a BriefingsDirect podcast on how HP Fortify has helped one company improve their software security practices.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Podcast Series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing sponsored discussion on IT innovation and how it’s making an impact on people’s lives.

In this first of a two-part series -- Does Software Security Pay? -- we’ll discuss how Heartland Payment Systems in Princeton, New Jersey has leveraged software-assurance practices and HP Fortify to drive value within its IT organization -- and improve their overall business performance.

Join us now, as Ashwin Altekar, Director of Enterprise Risk Management at Heartland, shares his insights and knowledge with Amir Hartman, the Founder and Managing Director at MainStay, a marketing and IT advisory services firm in San Mateo, California.

Amir recently completed a software-assurance return-on-investment (ROI) study. He’ll now share details from that study on how HP Fortify has impacted Heartland’s IT organization and their developments.

We’ll learn how Heartland has improved results in innovative ways across the organization thanks to both security best practices and tools. With that, please join me now in welcoming our moderator, Amir Hartman.

Amir Hartman: Good morning, Dana. Thanks for having us, and I'm really excited about the program today. We have a two-part series, as you indicated, and the research that we did found some very interesting results from the companies that we interviewed.

We found three main benefits to employing and institutionalizing a strong software security-assurance program with supporting tools. One was a saving that organizations are seeing. Second, it’s a risk-management benefit to the organization. Last, we actually saw some revenue protection benefits as well.

So I'm pretty excited to have Ashwin on the call today and have Ashwin share with us his experiences in deploying HP Fortify solutions and these practices within Heartland. Why don’t we start? Ashwin, could you give us a little bit of background, a little bit about yourself, and then segue for us into the software security landscape at Heartland?

Ashwin Altekar: Sure. I’m the Director of Enterprise Risk Management at Heartland. I've been working in information security for over a decade and have spent a large portion of my time performing application penetration tests and managing software-assurance efforts.

At Heartland, we take software security very seriously. We strive to be the trusted transaction provider, the trusted partner of the large number of merchants who depend on our payments and payroll services. With application security being such a large vector for attack, we’re very aware of the multiple controls necessary to keep our customers’ data secure.

We lean quite heavily on Fortify, first to understand, and then improve, our level of software assurance.

Previous scenario

Hartman: Let's take people back a little bit. Could you describe for us what the software-security scenario was like at Heartland before institutionalizing some of these practices and before implementing and rolling out Fortify?

What did things look like before? Then, talk to us about why you went in a new direction.

Altekar: Prior to Fortify, or any automated tools, we relied mostly on manual inspection by developers using common security guidelines like the Open Web Application Security Project (OWASP) or assessments done by third parties.

As our enterprise grew, it became harder and harder to be confident in our application-security posture with just manual inspection by development teams. Software assurance is very important to us, not just finding vulnerabilities, but understanding what percentage still remains. With manual efforts, there was just too much to do and not enough time.

We liked the breadth of programming languages supported by Fortify and we really liked the direct integration to the integrated development environment (IDE) for common IDEs like Visual Studio and Eclipse. So Fortify was just a natural fit for the need at the time.

Hartman: I would imagine that with the space that Heartland plays in, obviously these issues are quite sensitive. And if you look at the marketplace, you’re seeing this explosion of mobile devices and mechanisms by which consumers are transacting. It makes this issue even more front and center.

Altekar: Absolutely. Our primary product or service of facilitating transactions is provided through software. So Fortify is definitely a key product that helps us position ourselves as a secure company. And to do so, we need to understand what security issues we have in our software.

Hartman: Ashwin, talk to us a little bit about the implementation itself, just some interesting facts. Then, if you could, segue into the impact that you’ve seen it have on the organization. What are some of the benefits that you've been able to deliver to the organization and to its customers through institutionalizing these practices and tools?

Altekar: At Heartland, we risk-rank our numerous applications and have various requirements on what each development team has to do to meet internal requirements.

One of our basic requirements is that all software applications be scanned using Fortify. From the information-security perspective, that has allowed us to understand what it is that we’re up against when we talk about software-security assurance. So, a large challenge is trying to figure out what it is we don’t know. Fortify allows us to quantify our level of effort and get the attention software security requires.

Also, we've been able to show the successes of many teams that embrace Fortify. They’ve been able to do more and learn more about software security in much less time.

Similar results

Hartman: In the research that we did, we found similar results. We found quite a number of organizations that were able to reduce the amount of time the developers were spending identifying and remediating. Because of the automated mechanism, they focused their attention on developing new value-add applications.

It's reallocating their time. It’s not that this stuff isn’t important. Obviously it's essential, but if we've got a way to do this faster and then focus the developers’ attention on different areas that are more value add, that was a big win. I don’t know if that’s something similar to what you’re finding as well, as developers are making it part of their DNA.

Altekar: We absolutely do find that. There’s an old expression for spell check that if you see the correct spelling seven times, you would finally get it right on the eighth.

Our developers are a bit quicker in learning about security best practices, but Fortify allows us to do a very similar type of reinforcement when it comes to specific software-security issues. They’re able to see the right way to do secure development through Fortify and then learn from that.

Hartman: Let's shift gears a little bit here, Ashwin. Some of the things we noticed were a little bit unexpected. When we went into the study trying to figure out how companies are benefiting from effective software security practices, we were going in with certain assumptions.

One of the assumptions was that some of these automated tools and practices are going to obviously save time and save money on the developer side. Certainly, if I can address and remediate things early in the development cycle, that’s going to save me a tremendous amount of resources and money, versus down the road in post production.

But there were a couple of areas that we found in terms of benefits that companies were experiencing that were a little bit unexpected, and there were some innovative uses.

Can you share with us a little bit from your perspective, and from Heartland's experience, some of the more innovative uses of these practices and Fortify related to software assurance?

Altekar: We provide broad warnings about software security issues in general at the enterprise level, and Fortify allows us to really target our training efforts on the issues we see at the project level.

We can discuss those specific topics with the development teams when we interact with them and we can even point out the specific remediation tips within Fortify. That’s very helpful.

Secure development

Something else we’re looking to roll out right now is how we can visualize the different development teams and how they compare to each other in terms of software security. So we’re looking to see if we can incentivize secure development even before a line of code has been written.

Through some minor gamification, leveraging Fortify statistics between the various development teams here at Heartland, we hope to better train developers and, in turn, improve the overall development productivity.

There’s another interesting use that we have. At Heartland, from time to time, we acquire various companies or seek to be partners with them. During the evaluation phase, often we’ll use HP Fortify to determine the amount of work that we may need to do to get the acquired software into a production-ready state.

That has been helpful sometimes in negotiating the acquisition price or making sure that we factor that in and do an appropriate level of due diligence ahead of time.

Another common scenario for us is that we’re able to understand the quality of any third-party developers that we contract with and we can force strict standards on what secure development means.

Traditionally we enforce security through a legal contract that says the third party has to follow secure coding guidelines based on best practices, but with the implementation of Fortify we can say that they have to have a clean Fortify scan prior to finalizing a certain amount of work.

Lastly, our secure software development lifecycle (SDLC) process, which includes Fortify, signals to our partners -- especially our partners that value security -- that we’re very serious about software security and that we take a lot of the right steps, if not all the right steps, doing whatever we can to understand our vulnerabilities in software and to eliminate them.

Hartman: I love those examples. The healthy competition between the developers is a great idea. Perhaps it's a little bit melodramatic, but we hear a lot of this. When you start articulating and dictating to developers things that they should do, the reaction isn’t always positive.

These are folks who think they’re developing great code and they’re quite independent. So, thrusting upon them new ways of doing things sometimes can be met with some resistance. But that notion of healthy competition and gamification between groups is a great idea.

And your point about leveraging these capabilities and these tools in the acquisition process is something that we’ve heard. When we did this study three years ago, that was something that one or two companies were leveraging. Your example is great.

Leveraging practices

It's not necessarily acquiring companies. It could be the acquisitions of certain technology and software assets, websites for example. Those things are ripe for leveraging these kinds of practices and tools. So that’s a great example.

Let's move on to more insight on how this has differentiated, or been used to differentiate, Heartland. Obviously, in the space that you play in, security is at a premium, as is being able to ensure your customers that you've got a terrific approach. Can you talk to us about that in terms of whether this capability helps you differentiate in the marketplace?

Altekar: As I'm sure you know, security is more important than ever in our customers’ minds. When it comes to transactional security, we've heard of a few high-profile reports about payment security and breaches lately. That has really raised awareness and that’s great, especially since many of Heartland’s products and services focus on security.

Confidence in the quality and security of our software product is absolutely a differentiator. It allows our customers to focus on their business without having to worry about technical security issues in their day-to-day operations.

Having trust in a brand, having trust in a company and its products and services, is very important for our customers, and our secure SDLC allows us to articulate why it is they should have that confidence in us.

We can tell them that we have secure development training, we have a static source code analyzer, we use dynamic tools, we have manual inspection, we have third-party assessments. These are all things that especially our larger customers appreciate. They understand that this is what you need to do in today’s day and age to have secured products.

We’re able to elaborate on the multitude of things that we do, and many of our partners are very thrilled to partner with us because of that.

Hartman: That’s well said, Ashwin. Think a little bit for me around what it took to institutionalize some of these practices. You mentioned a little bit earlier about the use of gamification and healthy competition among development groups, but institutionalizing effective software-assurance practices is easier said than done.

Can you help us understand what were some of those key factors throughout this journey, and it is a journey? It's not just one quick little implementation and then you are off and running. It's definitely a journey from the customers we've talked to. What are some of those key success factors in institutionalizing such tools and practices across an organization?       

Changing variables

Altekar: Journey is a great word for it. There have been so many times when I thought that we were finally at a place where we need to be, and then, one of the variables changed.

The first thing that you can do is be very clear about what development teams need to do for internal compliance when it comes to software assurance. That could mean setting specific metrics or making sure that they have well defined processes. But whatever is right for your organization, you have to repeat that message often.

I used to think that I was just constantly talking about security, and everyone was tired of it, but one of the key lessons I learned was that it's impossible for you to repeat that message too often. So be very clear about what it is you want them to do and say it often to anyone who will listen.

The second is to make it easy. Make it very simple for various development teams that integrate into your software assurance processes. So understand the challenges that individual teams face in implementing security during the development life cycle. One team’s problem, if they are doing an agile development process versus waterfall, could be very different depending on those scenarios.

Make sure you understand their challenges, whether it's process, time, or the right tools, and make sure that you’re able to solve for those. Thankfully, for us, Fortify has been very easy to integrate into the IDE. We've been able to automate with it, so it's been flexible in a number of different scenarios for us.

Finally, quantifying, measuring progress over time. It's very easy to sit back and say, “These guys implement Fortify” or “We have manual tests for them” or “They take all the required training,” but it's great to quantify each, so that you provide feedback to senior management and talk about many of the success stories.

If you can provide quantitative information and share those success stories everywhere throughout the organization, you’re able to reward everyone’s efforts. In summary, the key success factors are just to be clear about the message, make it easy for people to integrate, and then measure how well everyone is doing.

Hartman: That’s a great summary, and last one, especially to your point, sounds easy. It's not that trivial of an activity. It's being able to communicate to leadership as well as to the troops.

Leadership, especially in a set of measures or metrics that resonate with them, is not an easy task. There are a lot of activities that get done as far as software security and software assurance practices go, but translating that into a language that a senior business leader is going to understand is not an easy task. That’s a very good point.

A couple of last questions for you. If you could take a look back for us with this journey and when it started and the success you've had, is there anything you would do a little differently?

Be repetitive

Altekar: One of the things I already mentioned was to be repetitive about the importance of software security and what needs to be done. There is always someone who hasn’t heard that message, and it's important for them to hear it as well.

The other thing is that it's okay to be a bit more realistic in what an organization can do. Just because there's lots of security work ahead of you, it doesn’t mean that the organization is able to get it all done immediately.

So it's important to create realistic goals and time frames that the organization can meet, versus trying to get everything done all at once. It changes from organization to organization on what that means, but I've learned to have realistic goals, rather than ideal goals.

Hartman: The goal-setting and the expectations and constant communication of reinforcing of those goals is definitely critical.

Going forward then, what's next for Heartland and specifically in this space? Can you paint us a picture for what's next in the horizon from an SSA standpoint, let's say, the next 12 months or so?

Altekar: I'm really excited for the next year at Heartland. We’re at a place where we have many of the right tools. We have many of the right controls at the right time during the software development lifecycle. 

My next goal is to combine all our different tools and get even more value out of them running in sync with each other -- trying to add one and one to get three, versus just the two that we have today.

Going forward, I’d really like to continue to automate and leverage the individual tools and get them working together so that we get, one, richer information about our security posture, but two, to get more actionable and precise information on what various development teams need to do, or what the security team needs to do to better support software assurance efforts.

Hartman: Ashwin, I really appreciate your sharing this with us. You have a lot of great insights. Obviously, as you pointed out, this is very much a journey. It's not something that’s a week, month, or multi month effort. It's constantly changing and morphing. Again, your insights were very, very valuable and I appreciate them. So, back to you, Dana, on this one.

Gardner: Thanks, Amir. You've been listening to the first in a two-part sponsored series -- Does Software Security Pay? -- examining how Heartland Payment Systems has leveraged software assurance best practices and HP Fortify tools to drive value inside the organization and improve their overall business performance.

And we've seen how a recent software assurance return on investment study from MainStay demonstrates how HP Fortify has measurably positively impacted Heartland’s IT organization and their developers.

Please join me now in thanking our moderator, Amir Hartman, Founder and Managing Director at MainStay. Thank you so much, Amir.

Hartman: You got it, Dana. I appreciate being here.

Gardner: And also, a big thank you to our special guest, Ashwin Altekar, Director of Enterprise Risk Management at Heartland Payment Systems. Thank you so much, Ashwin.

Altekar: Thank you.

Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing sponsored discussion of IT Innovation and how it's making an impact on people’s lives. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast on how HP Fortify has helped one company improve their software security practices. Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.
