Thursday, April 20, 2017

Inside Story of Building a Global Security Operations Center for Cyber Defense

Transcript of a discussion on the planning and execution of building a state-of-the-art global Security Operations Center.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Dana Gardner: Hello, and welcome to the next edition of the BriefingsDirect Voice of the Customer podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing discussion on IT innovation and how it’s making an impact on people’s lives.

Our next inside story examination of security best practices focuses on the building of a security operations center (SOC) for cyber defense. We’ll learn now how Zayo Group in Boulder, Colorado built a state-of-the-art SOC as it expanded its international managed security service provider practice.

Vamvakaris
Join us now as we hear directly from Mike Vamvakaris, Vice President of Managed Cyber Security at Zayo Group, on the build-out, best practices, and end-results from this impressive project.

With that, please join me now in welcoming our moderator, Serge Bertini, Vice President of Sales and General Manager of the Canada Security Division at Hewlett Packard Enterprise (HPE). I hand it over to you, Serge, to delve into this use-case.

Serge Bertini: Thanks, Dana. Good morning, Mike, how are you today?

Mike Vamvakaris: Good morning, Serge. Great. Thanks for asking.

Bertini
Bertini: Mike, this has been a continuous discussion, on a weekly basis, and lately when we meet at the airport. You and I have talked many times about the importance of managed security service providers (MSSPs), global SOCs, but for our listeners, I want to take them back on the journey that you and I went through to get into the SOC business, and what it took from you to build this up.

So if you could, please describe Zayo’s business and what made you decide to jump into the MSSP field.

Vamvakaris: Thanks for the opportunity. I love our chats and I look forward to letting you know how we got started.

Zayo Group is a global communications and infrastructure provider. We serve more than 365 markets. We have 61 international data centers on-net, off-net, and more than 3,000 employees.

Zayo Canada required a SOC to serve a large government client that required really strict compliance, encryption, and correlational analysis.

Upon further expansion, the SOC we built in Canada became a global SOC, and now it can serve international customers as well. Inside the SOC, you will find things such as US Federal Information Processing Standard (FIPS) 140-2 security standards compliance. We do threat hunting, threat intelligence. We are also doing machine learning, all in a protected facility via five-zone SOC.

This facility was not easy to build; it was a journey, as we have talked about many times in person, Serge.

Holistic Security

Bertini: What you guys have built is a state-of-the-art facility. I am seeing how it helps you attract more customers, because not only do you have critical infrastructure in your MSSP, but also you can attract customers whose stringent security and privacy concerns can be met.

Vamvakaris: Zayo is in a unique position now. We have grown the brand aggressively through organic and inorganic activities, and we are able to offer holistic and end-to-end security services to our customers, both via connectivity and non-connectivity.

For example, within our facility, we will have multiple firewalling and distributed denial-of-service (DDoS) technologies -- now all being protected and correlated by our state-of-the-art SOC, as you described. So this is a really exciting and new opportunity that began more than two years ago with what you at HPE have done for us. Now we have the opportunity to turn and pivot what we built here and take that out globally.

Bertini: What made you decide on HPE ArcSight, and what did you see in ArcSight that was able to meet your long-term vision and requirements?

Turnkey Solutions


Vamvakaris: That’s a good question. It wasn’t an easy decision. We have talked about this openly and candidly. We did a lot of benchmarking exercises, and obviously selected HPE ArcSight in the end. We looked at everyone, without going into detail. Your listeners will know who they are.

But we needed something that supported multi-tenancy, so the single pane of window view. We are serving multiple customers all over the world, and ArcSight allowed us to scale without applying tremendous amount of capital expenditure (CAPEX) investment and ongoing operational expenditure (OPEX) to support infrastructure and the resources inside the SOC. It was key for me on the business side that the business-case was well supported.

We had a very strict industry regulation in working with a large government customer, to be FIPS-compliant. So out of the box, a lot of the vendors that we were looking at didn’t even meet those requirements.

Another thing I really liked about ArcSight, when we did our benchmarking, is the event log filtration. There really wasn’t anyone else that could actually do the filtration at the throughput and the capacity we needed. So that really lent itself very well. Just making sure that you are getting the salient events and kind of filtering out the noncritical alerts that we still need to be looking at was key for us.

Something that you and I have talked about is the strategic information and operations center (SIOC) service. As a company that knew we needed to build around SOC, to protect our own backbone, and offer those services to our extended connectivity customers, we enlisted SIOC services very early to help us with everything from instant response management, building up the Wiki, even hiring and helping us retain critical skill sets in the SOC.

From an end-to-end perspective, this is why we went with ArcSight and HPE. They offered us a turnkey solution, to really get us something that was running.

The Trifecta: People, Process, Technology

Bertini: In this market, what a lot of our customers see is that their biggest challenge is people. There are a lot of people when it comes to setting up MSSPs. The investment that you made is the big differentiator, because it’s not just the technology, it’s the people and process. When I look at the market and the need in this market, there is a lack of talented people.

How did you build your process and the people? What did you have to do yourself to build the strength of your bench? Later on we can talk a little bit more about Zayo and how HPE can help put all of this together.

Vamvakaris: We were the single tenant, if you will. Ultimately we needed to go international very quickly. So we went from humble beginnings to an international capability. It’s a great story.

For us, you nailed it on the head. SOC, the technology obviously is pertinent, you have to understand your use cases, your policies that you are trying to use and protect your customers with those. We needed something very modular and ArcSight worked for that.

But within the SOC, our customers require things like customized reporting and even customized instant-response plans that are tailored to meet their unique audits or industry regulations. It’s people, process and tools or technology, as they say. I mean, that is the lifeline of your SOC.

One of the things we realized early on, you have to focus on everything from your triage, to instant response, to your kill-chain processes. This is something we have invested significantly in, and this is where we believe we actually add a lot of value to our customers.

Bertini: So it’s not just a logging capability, you guys went way beyond providing just the eyes on the glass to the red team and the tiger team and everything else in between.

Vamvakaris: Let me give you an example. Within the SOC, we have SOC Level 1, all the way to Level 3, and then we have threat hunting. So inside we do threat intelligence. We are now using machine-learning technologies. We have threat hunting, predictive analytics, and we are moving into user behavior analysis.

Remember the way I talked about SOC Level 1, Level 2, Level 3, this is a 24x7, 365-day facility. This is a five-zone SOC for enhanced access control, mantraps inside to factor biometric access control. It’s a facility that we are very proud of and that we love showcasing.  

Bertini: You are a very modest person, but in the span of two years you have done a lot. You started with probably one of the largest mammoth customers, but one thing that you didn’t really talk about is, you are also drinking your own champagne.

Tell us a little bit more about, Zayo. It’s a large corporation, diverse and global. Tell us about the integration of Zayo into your own SOC, too.

Drinking your own Champagne

Vamvakaris: Customers always ask us about this. We have all kinds of fiber or Ethernet, large super highway customers I call them, massive data connectivity, and Zayo is well-known in the industry for that; obviously one of the leaders.
The interesting part is that we are able to turn and pivot, not only to our customers, but we are also now securing our own assets -- not just the enterprise, but on the backbone.

So you are right, we sip our own champagne. We protect our customers from threats and unauthorized data exfiltration, and we also do that for ourselves. So we are talking about a global multinational backbone environment.

Bertini: That’s pretty neat. What sort of threats are you starting to see in the market and how are you preventing those attacks, or at least how can you be aware in advance of what is coming down the pipe?

Vamvakaris: It’s a perpetual problem. We are invested in what’s called an ethical hacking team, which is the whole white hat/black hat piece.

In practice, we’re trying to -- I won’t say break into networks, but certainly testing the policies, the cyber frameworks that companies think they have, and we go out of our way to make sure that that is actually the case, and we will go back and do an analysis for them.
If you don’t know who is knocking at the door, how are you going to protect yourself, right?

So where do I see the market going? Well, we see a lot of ransomware; we see a lot of targeted spear phishing. Things are just getting worse, and I always talk about how this is no longer an IT issue, but it’s a business problem.
 

People now are using very crafty organizational and behavior-style tactics of acquiring identities and mapping them back to individuals in a company. They can have targeted data exfiltration by fooling or tricking users into giving up passwords or access and sign all types of waivers. You hear about this everyday somewhere that someone accidentally clicked on something, and the next thing you know they have wired money across the world to someone.

So we actually see things like that. Obviously we’re very private in terms of where we see them and how we see them, but we protect against those types of scenarios.

Gone are the days where companies are just worried about their customer provided equipment or even cloud firewalls. The analogy I say, Serge, is if you don’t know who is knocking at the door, how are you going to protect yourself, right?

You need to be able to understand who is out there, what they are trying to do, to be able to mitigate that. That’s why I talk about threat hunting and threat intelligence.

Partners in Avoiding Crime

Bertini: I couldn’t agree more with you. To me, what I see is the partnership that we built between Zayo and HPE and that’s a testament of how the business needs to evolve. What we have done is pretty unique in this market, and we truly act as a partner, it’s not a vendor-relationship type of situation.

Can you describe how our SIOC was able to help you get to the next level, because it’s about time-to-market, at the end of the day. Talk about best practices that you have learned, and what you have implemented.

Vamvakaris: We grew out to be an international SOC, and that practice began with one large request for proposal (RFP) customer. So we had a time-to-market issue compressed. We needed to be up and running, and that’s fully turnkey, everything.

When we began this journey, we knew we couldn’t do it ourselves. We selected the technology, we benchmarked that, and we went for the Gartner Magic Quadrant. We were always impressed at HPE ArcSight, over the years, if not a decade, that it’s been in that magic quadrant. That was very impressive for us.

But what really stood out is the HPE SIOC.

We enlisted the SIOC services, essentially the consulting arm of HPE, to help us build out our world-class multizone SOC. That really did help us get to market. In this case, we would have been paying penalties if we weren’t up and running. That did not happen.

The SIOC came in and assessed everything that we talked about earlier, they stress-tested our triage model and instant response plan. They helped us on the kill chain; they helped us with the Wiki. What was really nice and refreshing was that they helped us find talent where our SOC is located. That for me was critical. Frankly, that was a differentiator. No one else was offering those types of services.

Bertini: How is all of this benefitting you at the end of the day? And where do you see the growth in your business coming for the next few years?

Ahead in the Cloud

Vamvakaris: We could not have done this on our own. We are fortunate enough that we have learned so much now in-house.

But we are living in an interconnected world. Like it or not, we are about to automate that world with the Internet of things (IoT), and always-on mobile technologies, and everyone talks about pushing things to the cloud.

The opportunity for us is exciting. I believe in a complete, free, open digital world, which means we are going to need -- for a long time -- to protect the companies as they move their assets to the cloud, and as they continue to do mobile workforce strategies -- and we are excited about that. We get to be a partner in this ecosystem of a new digital era. I think we are just getting started.

The timing then is perfect, it’s exciting, and I think that we are going to see a lot of explosive growth. We have already started to see that, and now I think it’s just going to get even more-and-more exciting as we go on.
It’s not just about having the human capabilities, but it's also augmenting them with the right technologies and tools so they can respond faster, they can get to the issues.

Bertini: You have talked about automation, artificial intelligence (AI), and machine learning. How are those helping you to optimize your operations and then ultimately benefitting you financially?

Vamvakaris: As anyone out there who has built a SOC knows, you’re only as good as your people, processes, and tools. So we have our tools, we have our processes -- but the people, that cyber security talent is not cheap. The SOC analysts have a tough job. So the more we can automate, and the more we can give them help, the better. A big push now is for AI, which really is machine learning, and automating and creating a baseline of things from which you can create a pattern, if you will, of repeatable incidents, and then understanding that all ahead of time.

We are working with that technology. Obviously HPE ArcSight is the engine to the SOC, for correlational analysis, experience-sampling methods specifically, but outside there are peripherals that tie into that.

It’s not just about having the human capabilities, but it's also augmenting them with the right technologies and tools so they can respond faster, they can get to the issues; they can do a kill chain process quickly. From an OPEX perspective, we can free up the Level 1 and Level 2 talent and move them into the forensic space. That’s really the vision of Zayo.

We are working with technologies including HPE ArcSight to plug into that engine that actually helps us free up the incident-response and move that into forensics. The proactive threat hunting and threat intelligence -- that’s where I see the future for us, and that’s where we’re going.

Bertini: Amazing. Mike, with what you have learned over the last few years, if you had to do this all over again, what would you do differently?

Practice makes perfect

Vamvakaris: I would beg for more time, but I can’t do that. It was tough, it was tough. There were days when we didn’t think we were going to make it. We are very proud and we love showcasing what we built -- it’s an amazing, world-class facility.

But what would I do differently? We probably spent too much time second-guessing ourselves, trying to get everything perfect. Yet it’s never going to be perfect. A SOC is a living, breathing thing -- it's all about the people inside and the processes they use. The technologies work, and getting the right technology, and understanding your use cases and what you are trying to achieve, is key. Not trying to make it perfect and just getting it out there and then being more flexible in making corrections, [that would have been better].

In our case, because it was a large government customer, the regulations that we had to meet, we built that capability the first time, we built this from the ground up properly -- as painful as that was, we can now learn from that.

In hindsight, did we have to have everything perfect? Probably not. Looking back at the compressed schedule, being audited every quarter, that capability has nonetheless put us in a better place for the future.

Bertini: Mike, kudos to you and your team. I have worked with your team for the last two to three years, and what you have done has showed us a miracle. What you built is a top-class MSSP, with some of the most stringent requirements from the government, and it shows.

Now, when you guys talk, when you present to a customer, and when we do joint-calls with the customers -- we are an extension of each other. We at HPE are just feeding you the technology, but how you have implemented it and built it together with your people, process, and technology -- it’s fantastic.

So with that, I really thank you. I'm looking forward to the next few years together, to being successful, and bringing all our customers under your roof.

Vamvakaris: This is the partnership that we talked about. I think that’s probably the most important thing. If you do endeavor to do this, you really do need to bring a partner to the table. HPE helped us scale globally, with cost savings and an accelerated launch. That actually can happen with a world-class partnership. So I also look forward to working with you, and serving both of our customer bases, and bringing this great capability out into the market.

Bertini: Thank you, Mike, hope you have a great day and talk to you very soon together.

Vamvakaris: You bet. Thank you, Serge.

Gardner: I’m afraid we’ll have to leave it there. You have been listening to an inside story examination of security best practices focused on building a SOC for international cyber defense. We have learned how Zayo Group in Boulder, Colorado has built a state-of-the-art global SOC as it expanded its managed security service provider practice.

So please join me now in thanking our moderator, Serge Bertini, Vice President of Sales and General Manager of the Canada Security Division at HPE. And also thanks to our special guest, Mike Vamvakaris, Vice President of Managed Cyber Security at Zayo Group.

And a big thank you as well to our audience for joining this BriefingsDirect Voice of the Customer digital business transformation discussion. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HPE-sponsored discussions. Thanks again for listening, and do come back next time.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Transcript of a discussion on the planning and execution of building a state-of-the-art global Security Operations Center. Copyright Interarbor Solutions, LLC, 2005-2017. All rights reserved.

You may also be interested in:

Friday, April 14, 2017

Diversity Spend: When Doing Good Leads to Doing Well

Transcript of a discussion on how companies are improving supplier diversity and the new tools that make attaining inclusive supply chains easier than ever.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: SAP Ariba.


Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast, coming to you from the 2017 SAP Ariba LIVE conference in Las Vegas.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host the week of March 20 as we explore the latest in collaborative commerce, and learn how innovative companies are leveraging the network economy.

Our next digital business insights panel discussion focuses on the latest path to gaining improved diversity across inclusive supply chains. We’ll examine why companies are seeking to improve supplier diversity, the business and societal benefits, and the new tools and technologies that are making attaining inclusive suppliers easier than ever.

To learn more about the increasingly data-driven path to identifying and achieving the workforce that meets all requirements, please join me in welcoming our guests, Rod Robinson, Founder and CEO of ConnXus. Welcome, Rod.

Rod Robinson: Thank you, Dana. Great to be here.

Gardner: We’re also here with Jon Stevens, Global Senior Vice President of B2B Commerce and Payments at SAP Ariba. Welcome, Jon.

Jon Stevens: Thank you, I look forward to it.

Gardner: And we’re here with Quentin McCorvey, Sr., President of M and R Distribution Services. Welcome, Quentin.

Quentin McCorvey, Sr.: Thank you, Dana.

Gardner: Jon, why is it important to seek diversity in procurement and across supply chains? What are the reasons for doing this?

Stevens: It’s a very good question. It's for few reasons. Number one, there is a global war for talent, and when you can get a diverse point of view, when you can include multiple different perspectives, that usually helps drive several other benefits, one of which could even be innovation.

We often see companies investing deeply inside their supply chain, working with a diverse set of suppliers, and they are gaining huge rewards from an innovation standpoint. When you look at the leading companies that leverage their suppliers to help drive new product innovation, it usually comes from these areas.

We also see companies more focused on longer-term relationships with their suppliers. Having a diverse perspective -- and having a set of diverse suppliers -- helps with those longer-term relationships, as both companies continue to grow in the process.

Gardner: Rod, what are you seeing in the marketplace as the major trends and drivers that have more businesses seeking more inclusivity and diversity in their suppliers?

Diversity benefits business

Robinson: As a former chief procurement officer (CPO), the one thing that I can definitely say that I have witnessed is that more diverse and inclusive supply chains are more innovative and deliver high value.

I recently wrote a blog where I highlighted some statistics that I think every procurement professional should know: One is that 99.9% of all US firms are in a small business category. Women- and minority-owned businesses represent more than 50% of the total, which is responsible for employing around 140 million people.
Robinson


This represents a significant portion of the workforce. As we all know, small businesses really are the economic engine of the economy – small businesses are responsible for 65% of net new jobs.

At the end of the day, women and minorities represent more than 50% of all businesses, but they only represent about 6% of the total revenue generated.

The only thing that I would add is that diversity is vitally important as an economic driver for our economy.

Gardner: Rod points out a rich new wellspring of skills, talent and energy coming up organically from the small to medium-sized businesses. On the other hand, major national and international brands are demanding more inclusivity and diversity from their suppliers. If you are in the middle of that supply chain, is this something that should interest you?

Targeting talent worldwide

Stevens: You are spot-on. We definitely see our leading customers looking across that landscape, whether they are a large- or medium-sized company. The war for talent is only going to increase. Companies will need to seek even more diverse sources of talent. They are really going to have to stretch themselves to look outside the walls of their country to find talent, whereas other companies may not be doing so. So you're going to see rising diversity programs.

Stevens
We have several customers in emerging parts of the world; let's take South Africa for example. I spend a lot of time in South Africa, and one of our customers there, Nedbank, invests a lot of time and a lot of money in the growth and development of the small businesses. In South Africa, the statistics that Rod talked about are even greater as far as the portion of small companies. So we are seeing that trend grow even faster outside of the US, and it's definitely going to continue.

Gardner: Rod, you mentioned that there are statistics, studies and research out there that indicate that this isn't just a requirement, it's really good business. I think McKinsey came out with a study, too, that found the top quarter of those companies seeking and gaining gender, racial and ethnic diversity were more likely to have a better financial return. So this isn't just the right thing to do, but it's also apparently demonstrated as being good business, too. Do you have any other insights into why the business case for this is so strong? 

Diversity delivers innovation

Robinson: Speaking from first-hand experience, having been responsible for procurement and supplier diversity within a large company, there were many drivers. We had federal contracts that required us to commit to a certain level of engagement (and spending) with diverse suppliers.  We had to report on those stats and report our progress on a monthly and/or quarterly basis. It was interesting that while we were required by these contractual mandates -- not only from the government but also customers like Procter and Gamble, Macy's, and others -- we started to realize that this is really creating more competition within categories that we were taking to market. It was bringing value to the organizations.

We had situations where we were subcontracting to diverse suppliers that were providing us with access to markets that we didn't even realize that we were missing. So again, to Jon's point, it's more than just checking a box. We began to realize that this is really a market-imperative. This is something that is creating value for the organization.

We began to realize that this is really a market-imperative. This is something that is creating value for the organization.
The whole concept of supplier diversity started with the US government back in the late ’60s and early ’70s. That was the catalyst, but companies realized that it was delivering significant value to the organization, and it's helped to introduce new, innovative companies across the supply chain.

At ConnXus, our big break came when McDonald's gave us an opportunity five years ago. They took a chance on us when we were a start-up company of four.  We are now a company of 25. Obviously, revenues have grown significantly and we've been able to attract partners like SAP Ariba. That's the way it should work. You always want to look for opportunities to identify new, innovative suppliers to introduce into a supply chain; otherwise we get stagnant.

Small but mighty

Stevens: I'll add to what Rod said. This is just the sort of feedback we hear from our customers, the fact that a lot of the companies that are in this inclusive space are small -- and we think that's a big advantage.

Speed, quickness and flexibility are something you often see from diverse suppliers, or certainly smaller businesses, so a company that can have that in its portfolio has better responsiveness to their customer needs, versus a supply chain with very large processes or large organizations where it takes a while to respond to market needs. The quick in today's world will be far more successful, and having a diverse set of suppliers allows you to respond incredibly quickly. There is obviously a financial benefit in doing so.

Gardner: A big item of conversation here at SAP Ariba LIVE is how to reduce risk across your supply chain. Just like any economic activity, if you have a diversified portfolio, with different sizes of companies, different geographic locations, and different workforce components -- that can be a real advantage.

Now that we've established that there is a strong business case and rationale for seeking diversity, why do procurement professionals have trouble finding that diversity? Let's go to Quentin. What's holding back procurement professionals from finding the companies that they want?

McCorvey
McCorvey: Probably the biggest challenge is that the whole trend of supply chain optimization, of driving cost out of the supply chain, seems to be at odds with being inclusive, responsive, and in bringing in your own diverse suppliers. A company may have had 20 to 30 suppliers of a product, and then they look to drive that down with to just one or two suppliers. They negotiate contract prices for three-year contracts. That tends to weed out some of the smaller, more diverse organizations for several reasons.

For example, Rod talked about McDonald’s taking a chance on him. Well, they took a chance on him being a four-person organization; if he had to [grow first] he never would have had the opportunity.

For a company that requires a product in the market for every location nationally -- as opposed to regionally -- at a certain price, that tends to challenge a lot of the inclusion or the diversity in the supply chain.

Gardner: Right. Some companies have rules in place that don't provide the flexibility to attract a richer supplier environment. What is being done from your perspective at SAP Ariba, Jon, to go after such a calcification of rules that leads to somewhat limited thinking in terms of where they can find choices?

Power through partnerships

Stevens: That short-term thinking that Quentin talked about is absolutely one of the big barriers, and that generally comes down to metrics. What are they trying to measure? What are they trying to accomplish?

The more thought-leading companies are able to look past something in the first year or two, and focus on not just driving cost out, as Quentin talked about, but discovering what else their suppliers can help with, whether it’s something from a regulatory standpoint or something from a product and innovation perspective.

Certainly, one challenge is that short-term thinking, the other is access to information. We see far too many procurement organizations that just aren't thinking on a broader scale, whether it's a diverse scale or a global scale. What SAP Ariba is now bringing to the table with our solutions is being able to include information about where to find diverse suppliers, where to search and locate suppliers, and we do that through many partnerships.

We have a solution in South Africa called Tradeworld, which addresses this very topic for that market. We have a solution called SAP Ariba Spot Buy, which allows us to bring diverse suppliers automatically into a catalog for procurement organizations to leverage. And at SAP Ariba LIVE 2017 we announced that we are partnering with Rod and his firm, ConnXus, to expand the diversity marketplace by linking the ConnXus database and the SAP Ariba Network, which opens the door to more opportunities for all of our customers.

Robinson: If I could add to Jon’s point, one thing I also look forward to as a part of our partnership with SAP Ariba is thought leadership. There are opportunities for us to share best practices. We know companies who are doing it really well, we know the companies that maybe struggling with it, but within our joint customer portfolios, we will be able to share some of those best practices.

For example, there may be situations where a company is doing a big maintenance, repair and operations (MRO) bid and you have some large players involved, such as W.W. Grainger. There may be opportunities to introduce Grainger to smaller suppliers that maybe provide fewer stock keeping units (SKUs) that they can leverage strategically across their accounts. I have been involved in a number of initiatives like that. Those are the types of insights that we will be able to bring to the table, and that really excites me about this partnership.

Gardner: Those insights, that data, and the ability to leverage a business network to automate and facilitate that all at scale is key. From what we are hearing here at SAP Ariba LIVE, leveraging that business network is essential. Rod, tell us aboutConnXus? What’s being announced here?

Seek and ye shall find in the connected cloud

Robinson: ConnXus is a next-generation procurement platform that specializes in making corporate supply chains more inclusive, transparent, and compliant. As I mentioned, we serve several global companies, many of which we share relationships with SAP Ariba.  Our cloud-based platform makes it easy for companies to track, monitor, and report against their supplier diversity objectives.

One of the major features is our supplier database, which provides real-time searchable access to nearly two million vetted women-, minority- and veteran-owned businesses across hundreds of categories. We integrate with the SAP Ariba Network. That makes it simple for companies to identify vetted, diverse suppliers. They can also search on various criteria including certifications, category, and geography. We have local, national and global capabilities.  SAP Ariba already is in a number of markets that we are looking to penetrate.

Gardner: I was really impressed when I looked at the ConnXus database, how rich and detailed it is, and not just ownership of companies but also the composition of those companies, where those people are located. So you would actually know where your inclusive supply chain is going to be, where the rubber hits the road on that, so to speak.


Stevens: The SAP Ariba Network has a community of over 2.5 million companies, and it’s companies like M and R Distribution Services that we have been able to help grow and foster over time, using some of the solutions I talked about and Ariba Discovery.

Adding to the information that Rod just talked about, we are greatly expanding that. We have the world’s largest, most global business network and now we have the world’s most diverse business network, due to the partnership with ConnXus being able to provide that information through various processes.
The partnership with ConnXus will allow us to provide a lot more education, a lot more awareness.

Fortune 2000 companies are looking all the time through requests for proposal (RFPs), through sourcing events, and analyzing supplier performance on the SAP Ariba Network. The partnership with ConnXus will allow us to provide a lot more education, a lot more awareness to them.

For the suppliers that are on our network and those who will be joining us as a part of being in ConnXus, we expect to drive a lot more business.

Gardner: If I am a purchasing agent or a procurement officer and I want to improve my supplier inclusion program, how would something like, say, SAP Ariba Spot Buy using the ConnXus database, benefit me?

Stevens: As you decide to search for a category, we will return to you several things, one of which is now the diverse supplier list that ConnXus has. One of the things we are going to be doing with SAP Ariba Spot Buy is to have a section that highlights the diversity category so that it’s front and center for a purchasing agent to use and to take advantage of.

Gardner: Clearly there is strong value and benefit here if you are a procurement officer to get involved with the ConnXus database and Ariba Network. Quentin, at M and R Distribution Services, tell us from the perspective of a small supplier like yourself, what you're hearing about Ariba and ConnXus that interests you?

Be fruitful and multiply business opportunities 

McCorvey: You referenced a marriage between SAP Ariba and ConnXus, and part of a marriage is to be fruitful and multiply. So I want them to be fruitful so I can multiply my business opportunities. What that does for a company like ours is, we are looking for opportunities. It’s tougher for me to compete as a small business against a Grainger, or against a Fastenal, or against other larger companies like that.

So when I am going after opportunities like that, it’s going to be tough for me to win those large-scale RFPs. But if there is a target spot opportunity that I am looking for or within a region, it’s something that I can begin to do if a company is looking for someone like me.

We’ve talked a lot about corporations and the benefit of corporations, but there is also a consumer benefit, too, because we are in an age where the consumer is socially responsible and really wants to have a company that they are either investing in or they’re buying products from and they look for inclusion in their supply chains.

Folks are looking at that when they are make their investment and consumer decisions. Every company has an extremely diverse consumer base, so why should they not have a diverse supplier base? When companies look at that business ethic and corporate social responsibility as a driving tool for their organization, I want them to be able to find me among the Fortune top 20 companies. The relationship that ConnXus and SAP Ariba are driving really catalyzes these opportunities for me.

Gardner: Rod, if a company like M and R Distribution Services is not yet in your database and they want to be, how might they get going on that process and become vetted and be available to a global environment like the Ariba Network?

Robinson: It’s really simple. One of the things that we have striven to provide is a fantastic, simple user experience. It takes about six minutes to complete the initial supplier profile. Any supplier can complete a profile at no cost.

Many suppliers actually get into our database because of the services that we already provide to large enterprise customers. So if you are a McDonald's supplier, for example, you are already going to be in our database because we scrub their vendor data on an annual basis. I think Quentin is already in because he happens to be a vendor of one of our customers, or of multiple customers.

There is a vetting process where we integrate with other third-parties to pull in data, and then you become discoverable by all of the buyers on our platform.

Gardner: Before we close out, let’s look to the future. Jon, when we think about getting this rich data, putting it in the hands of the people who can use it, we also are putting it in the hands of the machines that can use it, right?

So when we think about bots and artificial intelligence (AI) trends, what are some of your predictions for how the future will come about when it comes to procurement and inclusive supply chains?

The future is now

Stevens: You talked about trends. One is certainly around transparency and visibility; another one is around predictive analytics and intelligence. We believe that a third is around partnerships like this to drive more collaboration.

But predictive analytics, that’s not a future thing, that's something we do today and some of the leading procurement companies are figuring out how to take advantage of it. So, for example, when a machine breaks down, you are not waiting for it. Instead, the machine is telling our systems, “Hey, wait a minute, I've got a problem.”

Not only that, but they are producing for the buyer the intelligence that they need to order something. We already know who the suppliers are, we already know what potentially should be done, and we are providing these decisions to procurement organizations.

The future, it’s here, you see it in our personal lives, on our phones, when you get recommendations in the morning, on the news, and everything else. It’s here today through some of our solutions.
We began to realize that this is really a market-imperative. This is something that is creating value for the organization.

And this trend around diversity, it’s also here. You mentioned SAP Ariba Spot Buy and we also have some of these other solutions like SAP Ariba Discovery where a procurement person is starting to create a sourcing event. We have the ability in our solutions to automatically recommend suppliers and based off of the goals that that procurement organization has, we can pre-populate and recommend the diverse MRO suppliers that you might want to consider for your program.

You’re seeing that today through the Ariba Network and through things like Guided Buying, where we are helping facilitate many of those steps for procurement organizations. So it's really fun and the future in many respects is here right now.

Value-driven supply chains

Robinson: I envision a future in procurement of being able to make informed decisions on supplier selection. Procurement professionals are in a great position to change the world, and the CPO of the future; they are going to be Millennials. They want more control, and they want more transparency, and, to Quentin’s point, they want to buy from organizations that share their same values.

Our partnership with SAP Ariba will create this environment where we can move closer to fulfilling this vision of whenever you have a specification that you’ve put into the system, you’ll be pushed supplier options, and you can actually configure your criteria such that you create this optimal supplier mix – whether diversity is important to you, green/environmental issues are important you, if ethical practices are important to you. All of this can be built-in and weighted within your selection. You will create an optimal supplier portfolio that balances all of the things that are important to you and your organization.

McCorvey: Why I am excited? This conversation has come full circle for me. I started off taking about supply optimizations and some of the challenges that they pose for businesses like me. We know that people do business most often with people they know, like and appreciate. What I want to do is turn a digital connection into a digital handshake and use predictive analytics and the connections between Jon and Rod that propose an opportunity for folks to know me, for me to grow as a new organization, and for me to be in the forefront of their minds. That is a challenge that this kind of supply chain optimization helps to overcome.

I’m really happy for where this is going to go in the future. In the end, there are going to be a lot of organizations both large and small that are going to benefit from this partnership. I look forward to the great things that are going to come from it, for not only both organizations -- but for people like me across the country.

Gardner: I’m afraid we will have to leave it there. We have been talking about the latest path to gaining improved diversity across inclusive supply chains. And we’ve learned how improved supplier diversity along with business and societal benefits can be achieved easier than ever thanks to new tools and technologies.

So a big thanks to our guests, Rod Robinson, Founder and CEO of ConnXus;
Jon Stevens, Global Senior Vice President of B2B Commerce and Payments at SAP Ariba, and Quentin McCorvey, Sr., President of M and R Distribution Services.

A big thank you as well to our audience for joining this latest BriefingsDirect discussion coming to you from the 2017 SAP Ariba Live conference in Las Vegas. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of SAP Ariba-sponsored BriefingsDirect digital business insights discussions. Thanks again for listening, and do come back next time.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: SAP Ariba.

Transcript of a discussion on how companies are improving supplier diversity and the new tools that make attaining inclusive supply chains easier than ever. Copyright Interarbor Solutions, LLC, 2005-2017. All rights reserved.

You may also be interested in: