http://www.sourcingfocus.com/index.php/site/newsanalysis en paul@sourcingfocus.com Copyright 2012 2012-05-14T16:24:43+00:00 http://www.sourcingfocus.com/index.php/site/newsanalysisitem/a_new_outsourcing_reality/ http://www.sourcingfocus.com/index.php/site/newsanalysisitem/a_new_outsourcing_reality/#When:15:24:43Z In mid-April the TPI Global Quarterly Index for Q1 2012, which provides a snapshot of the sourcing industry, showed that the value of overseas outsourcing contracts fell compared to both this time last year and compared to the previous quarter. Looking at different disciplines, IT outsourcing contact values showed a decline of 30% on the same period of the previous year. Other research, for example from the Hackett Group, as well as narrative evidence backs up the TPI findings. It seems that the offshoring boom of the past three years is over and we are facing a new outsourcing reality. Recession and related fears created that spike in demand. Now, I believe, ongoing economic uncertainty and a return to recession in the UK, coupled with some of the consequences of offshoring are leading to a new turn in the market. A considerable proportion of the off-shoring of recent years was to cut costs. With many functions like IT services and development already stripped out, in many companies there is little left to offshore. Budgets remain tight, hence there is nothing new to outsource. At the same time, for some companies, the honeymoon period with their off-shore partner might be over and 1 or 2 year contracts may not be renewed. As outsourcing costs have continued to rise in countries that experienced little or no recession, costs in the UK have fallen helping to make on-shoring much more competitive. The National Outsourcing Association echoes this view. In a recent article its chairman, Martyn Hart, explains the issue very succinctly:  “nowadays, with rising inflation in popular offshore destinations like India and China, the cost of doing business abroad has skyrocketed. Not only that: the costs of supplier management are escalating too.” Organisations’ understanding and use of outsourcing is maturing and price is no longer the biggest driver. Changing requirements are pushing organisations towards different sourcing models. For example in the field of software development, companies are increasingly outsourcing to take advantage of skills they do not have, and to learn new skills. This means they are looking for outsource partners that are also expert consultants. Unfortunately, many traditional software development companies are unable to offer this. In addition, there is a growing trend in software development towards much closer integration of teams, between the IT specialist and the business which seems to point away from long-distance outsourcing. Further, the UK economy is not recovering as rapidly as many expected. This is resulting in both social and political pressure to keep jobs on-shore: off-shoring is an easy target for finger-pointing. Additionally, public perception of offshoring hasn’t changed much, despite improvements in service.  Companies are not immune to these pressures and those that choose to do their development/ manufacturing/ customer service etc., onshore are able to turn this into a notable selling-point. So how can companies use these changes in the outsourcing market to their advantage? The obvious place to start is a re-visit to your sourcing strategy. Is it delivering the objectives you want it to? Have your objectives or drivers changed?  It is also worth reviewing the off-shore/ near-shore/on-shore options available to ensure you are still making the best decision.  If, as I believe, on-shore is in the ascendancy then is certainly is worth exploiting its strengths. While some functions like business process outsourcing are less time and distance-reliant, others like agile or scrum-based software development are proven to work much better when done on location. As previously noted, closer integration of teams on both sides of sourcing is gaining in popularity. With shifting costs and evolving priorities, if you reconsider whether the work that you outsource, as well as the employees in charge of it, would benefit from being done geographically closer to your company, your organisation may find that the cost-benefit balance has shifted slightly. The UK is particularly good at highly-skilled activities like specific software development or electronics.  What’s more, its professionals hold a lot of specific industry knowledge which is unobtainable anywhere else.  You are also able to find mid-tier companies that provide a mix of consultancy and ‘doing’ at a very reasonable price. Additionally the UK remains a paragon of upholding intellectual property law and is still a top 10 destination in the Brown-Wilson rankings of secure outsourcing destinations. For high-skill areas of outsourcing, this respect for IP is important, as many organisations that have had to fight intellectual property cases in courts abroad will tell you. For a whole range of reasons the overseas outsourcing industry is changing and, I believe, becoming less attractive. For many companies this should signal a re-assessment of their sourcing strategy.  The question is can businesses turn the changes to their advantage, and what does that mean for UK onshore outsourcers. Sectors, Topics, Offshoring 2012-05-14T15:24:43+00:00 http://www.sourcingfocus.com/index.php/site/newsanalysisitem/how_can_we_solve_outsourcing_and_insourcing_not_working_in_the/ http://www.sourcingfocus.com/index.php/site/newsanalysisitem/how_can_we_solve_outsourcing_and_insourcing_not_working_in_the/#When:12:10:45Z Insourcing and outsourcing within the service supply chain are still not working, so how can the eternal problem be solved? As official GDP figures show, the UK is once again in recession,  businesses are looking to strip waste wherever possible to remain buoyant and profitable. The insource versus outsource debate has long been discussed across all industries, but neither has become the defacto as both have continued to encounter problems. As a solution to this, a new proposition being brought to the market; leansource. Mike Heslop, founder of Centrex Services and creator of the new concept, argues that combining sourcing principles and applying lean methodology provides the key to successful supply chain management. Lean on me When Toyota first brought lean principles to the manufacturing world they created a revolution in the way waste and value were approached.  Essentially focussing resource only on goals which create value for the end customer, lean principles strip processes and expenditure which don’t work to achieve that value. In all businesses, the stripping of waste is key to maximising profit margins and outsourcing has been a key bone of contention in the waste debate for many years. Outsourcing often seems like the logical option for business but the decision to outsource is too often based on short-term benefits such as cost reduction, with no assessment of the long-term impact of the decision. The same principles apply to insourcing, which may seem like a quick fix in the short term, but ultimately ties up valuable staff resource which could be focused on other core business critical tasks, and is not scalable. It is vital that a business considers the impact of decisions such as outsourcing on its customers and the business’s effectiveness.  In my view, any change in the supply chain that doesn’t add value to the customer is a waste.  Much like the traditional lean principles, the leansource methodology questions what, where, when and why sourcing decisions are made from this very simple but effective standpoint. Changing times Traditionally within the service supply chain, the two options available to businesses have been either to outsource to a third party or in-source to a standalone team. However, the rapidly changing world of technology has surpassed the traditional supply chain model, which is not designed to keep up with these rapid changes. Equally management structures and practices, and even the boardroom are often not equipped to react to these increasingly complex supply chains.  The answer to this is an approach which takes the core principles of lean manufacturing and applies them to service supply chain solutions, to eliminate waste and improve service, simplifying the whole process. Over a number of years, I have come to the firm conclusion that we should not outsource or insource – but leansource. It’s a methodology within the supply chain that delivers remarkable cost and service advantages, through a single touch supply chain solution. The issue with the traditional outsource supply chain model is that with multiple suppliers come multiple opportunities for disconnects within that supplier infrastructure. For example if one outsourced supplier is waiting on parts delivery with which to repair an item, and the delivery is delayed, they will not only fail to meet their service level agreement (SLA), but the end customer’s business will also be impacted by equipment down-time. The logical solution to this problem is to implement a simple end-to-end supply chain solution which incorporates initial call handling, stock management, field service, logistics, repair and close.  By closely coordinating these elements of any service supply chain, (as this doesn’t only apply to the IT sector), not only is the potential for delays and disconnects removed, but the ‘blame culture’ which can often form part and parcel of these supplier infrastructures is eliminated. This is what we term as connected process thinking, essentially the antithesis of supply chain silos. Lean mean machine The sheer labyrinthine size of the traditional supply chain model has left the industry fragmented and confused with little or no accountability. By implementing a complete end-to-end solution which incorporates a single point of contact for service, repair and disposal, the time-span for this process is also reduced.  As there is no multiple party liaison required between out-sourced providers there are no delays related to communication breakdown, or jobs being passed back and forth between those providers. Perhaps most importantly of all from a business perspective, the leansource approach reduces costs associated with the service, maintenance and disposal of parts within the service supply chain. The multiple outsourced supplier model results in costs growing exponentially in parallel with the number of suppliers, and by reducing the number of suppliers the costs are in turn reduced. The leansource approach increases the level of responsibility the supplier has for a client company and as they are responsible for all aspects of the service supply chain will provide the best solutions available rather than the cheapest or quickest. Advocation of replacement rather than repair when repair is an option so a complex or unprofitable job can be passed to another supplier, is also eradicated with leansource. Leansource eliminates waste and improves service. It radically changes the mentality that is applied in the typical supply chain and allows manufacturers to reach customers in a different way. By identifying the inefficiencies in supply chain silos, leansource challenges each process, culminating in a chain that is valuable, capable, available, adequate and flexible. The leansource supply chain exceeds service level agreement and removes inefficiencies, placing the customer at the heart of the service. Using leansource enables companies to easily manage service supply chains by simplifying the complexities of hardware maintenance and add value to their service supply chains, enabling them to rise above the competition.  Sectors, Manufacturing & Construction 2012-05-04T12:10:45+00:00 http://www.sourcingfocus.com/index.php/site/newsanalysisitem/dont_let_your_business_lose_out_during_the_london_2012_olympics-cloud_/ http://www.sourcingfocus.com/index.php/site/newsanalysisitem/dont_let_your_business_lose_out_during_the_london_2012_olympics-cloud_/#When:10:00:14Z The 100 day countdown to the London 2012 Olympics Games has started. With 10.8 million tickets on sale and an estimated population influx of up to three million people in London travelling at peak times – transport disruptions, public disorder, road closures or staff absences are likely to impact businesses this summer.  New research of 1200 organisations in the public and private sector by recruitment firm Badenoch & Clark highlighted that UK companies can expect high employee absences. One in six employees admitted they plan to take a ‘sickie’ to watch the Olympics and yet in spite of this, 30% of companies including FTSE 100 firms, public sector organisations and SMEs haven’t made any preparations to avoid the potential disruption. This is particularly surprising considering the fact two-thirds of organisations are expecting an increase in business during this three month period. Currently, Transport for London (TfL) is campaigning to persuade individuals and businesses to change their commuting and working habits. TfL needs to reduce normal traffic by 50 – 60% at key hotspots such as London Bridge to accommodate the influx of spectators. Even then, there could be delays of up to half an hour. On peak days, there will be an extra 3 million people travelling on public transport in London. However, it seems that TfL’s campaign is having little impact on businesses – just 11% of companies have said they will allow staff to work from home. It seems that UK businesses are underestimating the threat of Olympics’ disruption. However, there is still time for them to address these issues and put in place reliable contingency plans to safeguard business. One way of ensuring ‘business as usual’ is by adopting Cloud Computing. Cloud has become a buzz word which represents many things; however, virtual hosted desktops in the cloud enable seamless remote working. Using Desktop as a Service (DaaS) technology, employees are able to access their company’s IT systems including emails, files and their own desktop securely from any location with an internet access. They don’t need to be in the office and they are not reliant on their organisation’s servers and technology to work.  They can carry on as normal wherever they are based; they are not losing hours spent unproductively in transport delays and won’t have to battle in to the office on overcrowded trains. From a corporate perspective, there are many additional benefits – including significant financial ones. Adopting cloud computing technology reduces the need for capital investment in IT and, all administration issues including software provisioning and updates, security, disaster/recovery are taken care of by the cloud computing provider. There is no longer any need for ‘energy draining’ servers in an office as everything is managed remotely. Until now, one of the biggest barriers to cloud computing adoption has been fears about security. Understandably, companies have felt nervous about outsourcing their data and information to a third party supplier. However, serious DaaS providers will typically improve any company’s securities setting when compared to their existing situation. If organisations want to move into the cloud, security considerations should of course be prioritised. For companies to have confidence in the security of their data, they should work with a trusted cloud computing provider that can manage and store their data in a secure UK data centre behind firewalls to ensure security is watertight. Adopting DaaS is not only a good contingency plan for to minimise business disruption during the Olympics, it can help companies realise long term, strategic business benefits and cost savings. The cloud has the potential to enable companies to become efficient, responsive and innovative and gain a much needed competitive advantage in a difficult business climate. Topics, Cloud Computing 2012-05-02T10:00:14+00:00 http://www.sourcingfocus.com/index.php/site/newsanalysisitem/avoiding_the_hullabaloo_surrounding_cloud_strategy/ http://www.sourcingfocus.com/index.php/site/newsanalysisitem/avoiding_the_hullabaloo_surrounding_cloud_strategy/#When:09:33:03Z With all the hullabaloo about cloud floating around in the content management world, here’s a handy tool to help you evaluate your ECM vendor’s cloud strategy, to see if it fits what you are looking for.  So, without further adieu, here are the results of our extensive (web surfing) research: The Check-The-Cloud-Box Strategy:  This strategy is simply virtualization by another name.  The thinking behind this strategy goes like this:  oh fiddlesticks! We need a cloud strategy, because Gartner said so.  Let’s see if we can make this thing work on EC2.  No way?  Ok, how about a virtualized server or 16.  Yes?  Great… we’ll put it in a hosting center - heck, we’ll even host it ourselves for customers if they want us to.  Shazam!  Write the press release, Martha - We are in the cloud! The DropBox-for-the-Enterprise Strategy:  At first blush, this strategy seems rather useful and indeed generous.  ECM vendor develops a tool - such as a desktop sync tool - that makes it super simple for people to get content into the on-premise ECM system.  It turns your big ECM system into a corporate DropBox, because DropBox is evil and insecure and way too easy to use and must be banned.  We can’t have that type of productivity around here!  So here’s the rub:  with open standards, you could do that like 7 years ago (WebDAV & CIFS).  Another name for this strategy is:  replace useful user tools that everyone uses and finds easy with “corporate approved” tools that keeps everyone locked-in to the ECM system.  Now let me ask you - do you really want everyone’s My Documents and My Photos and My Music folders copied into your corporate document management system?  How much is that going to cost you next year? The Red-Pill-or-Blue-Pill Strategy:  Think of this as the market segmentation approach.  Here’s how the vendor thinks:  so, we’ve been selling on-premise ECM to big enterprises for years, and we’re not growing as fast as we want (or at all, or shrinking, actually).  So, let’s put a lightweight solution in the cloud, and sell it to SMBs!  We’ll position on-premise as the secure, safe choice, and we’ll position cloud as the lightweight, SMB choice.  We’ll get to market fast by buying someone or building completely new cloud technology, that has very little to do with the on-premise tech.  And, for the over-achiever customers who want to use both cloud and on-premise together, we’ll wave our hands and shuffle forward a few partners who can develop connectors and migrators and syncher-magigs, but we secretly bet you won’t actually try this. The Ignore-It-and-Hope-it-Goes-Away Strategy:  Not much to say here. If your goal is to embrace the status quo with reckless abandon, then you should definitely find an ECM vendor with this strategy and have some high-level meetings in big leather chairs. The Cloud-Extensions Strategy:  Okay, I can’t make too much fun of this one, because it makes good sense.  In this strategy, ECM vendor provides complementary cloud services that make owning their ECM platform better.  Cloud back-up and archiving maybe?  Cloud indexing?  Cloud transformations?  Some or all of these might make good sense.  The problem is, nobody is actually doing this.  This is the trick answer in this multiple choice quiz. Here’s what you don’t see out there:  choice and flexibility.  The common theme here is:  give the people a “cloud strategy”, so that we can buy time and continue to protect our on-premise power base.  Now, to be fair, all companies want to attract and keep customers, and most of these strategies are born out of good intentions - but legacy technology and proprietary lock-in creates frankenstein-style innovation.  If you want play a little game, check out Gartner’s 2011 ECM Magic Quadrant, and see if you can match the cloud strategy with the vendor. There is a better ECM cloud strategy.  At Alfresco, we have actually put our ECM platform in the cloud, so companies can have a choice about where they use it:  on premise, in the cloud or both.  For the 80% of content you want to keep behind your firewall, Alfresco’s enterprise platform fits the bill.  For content you would like to use to collaborate with your business partners or agencies, Alfresco in the cloud is the perfect choice.  And with Alfresco’s upcoming enterprise-to-cloud sync, you can push and pull content from the cloud into your enterprise based on policies you set up.  Legacy, proprietary vendors either can’t (or won’t) deliver flexibility like that, because either their technology isn’t built for the cloud, or their business model is too threatened. Here’s the bottom line:  Don’t settle for Frankenstein innovation or a reactionary cloud strategy, when you can have choice & flexibility.  Look for modern ECM platforms that work in the cloud or on premise, with business models that deliver consistent value to your organization. Sectors, Topics, Cloud Computing 2012-05-02T09:33:03+00:00 http://www.sourcingfocus.com/index.php/site/newsanalysisitem/no_red_tape_please_we/ http://www.sourcingfocus.com/index.php/site/newsanalysisitem/no_red_tape_please_we/#When:14:46:48Z So an election pledge becomes policy!  From 1st April, unless there is a “strong business case” or a “matter of National Security”, all Central Government IT contracts will be capped at £100m. Not quite Big Society but certainly less big IT. Whitehall, claim that the £100m limit can be complied with by: • encouraging the reuse of existing assets; • making changes to procurement such as the application of lean methodology to buying; • greater competition among suppliers including through the increased use of SMEs; and • creating contracts differently, for example, by reducing their length or separating out commodity hardware from a new project and purchasing it through an existing contract, or separating out telecoms needs and buying them through the PSN frameworks. Nice words but will any of these really enable central government to deliver.  Will the £100m cap create a level playing field on which SMEs can compete? Let’s get the ‘reuse of existing assets’ myth out the way first.  Technology moves apace so quickly, that hardware and software once bought as a limited shelf life.  Standard accounting practice depreciates its value from 100-0% over three years.  Consider also the level to which previous government procurement exercises have created bespoke solutions tailored for specific purposes.  Simple reuse, other than for standard bought desktops, seems highly unlikely - when buying new generally costs less than reconfiguring old. Making changes to procurement including lean methodology to buying.  Ask any procure operating or supplier bidding under the OJEU regulations and they’ll say it does little more than add voluminous red tape, expense, delay and, ultimately, no better result.  The UK, it seems, stands alone in the EU in observing these regulations to the letter – think of instances such as that of Bombardier trains, British jobs being lost.  Whilst the intent of open and transparent procurement processes is entirely right – the application of scalpel (or preferably fire-axe) to the current EU regulations would minimize cost for buyer and supplier alike and would encourage more suppliers to pitch for such contracts. Ironically, doing away with these regulations could create more competition. If the UK is to challenge any rule of the EU, it should challenge this first.  Let’s see if this is Whitehall’s intention? Greater competition among suppliers including through the increased use of SMEs.  A cornerstone of Coalition policy is to help British business through enabling them to compete for both Central Government (as per this policy) and local government (the Localism Act) contracts.  SMEs, small to medium enterprises, are normally considered to be companies with fewer than 250 employees and turnover not exceeding €50m, per annum. If one of the aims of this policy is to provide SMEs with the opportunity to compete – then the limit of £100m per contract invalidates the policies efficacy as no SME could realistically compete at this level.  Even with a leaned out process of procurement, the cost for suppliers to go through such an exercise is prohibitive.  Larger corporate organizations are able to absorb this by spreading the cost of failed procurement exercises across those they are able to secure.  It will simply not be possible for SMEs to absorb this. And, finally, creating contracts differently through making them shorter or separating out services.  More contracts, means more procurement exercises, more bidders and more service providers.  Even with ‘leaned out’ processes, the cost of procurement will rise through the increase in sheer volume of ‘moving parts’ in the system. So, where are we?  Reuse, unlikely. Lean processes, desirable but will the UK take Europe on? More competition, and the encouragement of SMEs, the £100m limit makes this policy totally ineffectual. Breaking contracts in to smaller, shorter or more discrete parts just adds volume and therefore increases the cost of procurement,  Again,  as the target is £100m per contract –  this won’t help SMEs. So, from a procurement perspective, this policy has some very real practical challenges. There is also a massive oversight here.  A failure to see the bigger picture.  Even if these measures did reduce cost and increase SME engagement, in terms of the cost of procurement – the Government have considered the life and management of those contracts, post procurement. One of the benefits of buying (properly) from big suppliers is that you can pass the management of the delivery of a number of services to the supplier.  They can do this due to scale and infrastructure.  Engage a larger number of smaller suppliers and who is going to take responsibility for and absorb the cost of ensuring that each of the procured services fit together?  All in all, whilst lean procurement and the challenge to Europe of the procurement rules is desirable, this doesn’t look like a piece of policy that has been that thoroughly thought out. Stephen Allen FRSA, advises public and private sector organizations on creating efficient legal functions.  He writes a daily blog http://www.lexfuturus.com which challenges the legal services market to innovate. 2012-04-18T14:46:48+00:00 http://www.sourcingfocus.com/index.php/site/newsanalysisitem/shared_services_/ http://www.sourcingfocus.com/index.php/site/newsanalysisitem/shared_services_/#When:10:29:41Z Outsourced services from dynamic, dedicated private sector providers still set the industry benchmark, argues Leading Services’ Sheila Bryant On the face of it, cost sharing groups (CSGs) that provide shared services exempt of VAT look a good thing. Dig beneath the surface a little, however, and the question of whether real value is being offered arises. In order to qualify for VAT exemption, a CSG has to be non-profit making by providing services at cost to the organisations within the group – all of which jointly own the CSG. The types of organisation most likely to be attracted to the idea of CSGs are charities, non-government organisations (NGOs) and public sector bodies. It follows then, that members are unlikely to benefit from the level of commercialism and competition that exists across the private sector. If the CSG is owned on an equal basis by all its members, there would be no clear leader in the group and probably, no real incentive to drive change and seek ongoing service improvements. And, as we’ve seen before, the merging of back office services in the public sector is invariably bedevilled by bureaucracy and characterised by a wholly different culture to that in commercial organisations. It is very difficult to change this and create the environment in which the imperative to drive quality up exists hand-in-hand with the need to keep costs down. The private sector, on the other hand, has a great deal of experience in demanding market conditions where efficiencies have been achieved through outsourcing, co-sourcing, process change and policy enhancement. Nowhere are these skills more finely honed than at specialist private sector consultancies. That’s why I believe that, by introducing a private sector driver, a client will enjoy more efficiencies than are currently available within the public or third sectors. However, if the private sector created its own consortium along the lines of the VAT exempt CSGs, Its clients would not benefit from the VAT exemption applicable to CSGs. This means that members would be paying 20% over cost, yet would have no mechanism for claiming that money back. This in turn restricts opportunity for those private sector oursourcing providers who owe their very existence to their skills, knowledge, experience and expertise in services that make a huge contribution to the success of many businesses and charities. Quite simply those who are arguably best placed to drive most value for money are disadvantaged to the tune of 20% when compared to CSGs. Dynamic outsourcing consultancies such as Leading Services can facilitate the setting up of amalgams by bringing together customers that would be eligible to benefit from the VAT exemption. However, under the current proposals, they would be actively discouraged from doing this. In this scenario, their best bet would be to join a CSG, where they become subordinate to the consortium members and lose their ability to drive and shape a successful and efficient operation. For this reason many organisations without the resources of large commercial businesses – such as those in the third sector – find themselves with a dilemma: go down the CSG route or outsource to private organisations? To win these clients over and show that their needs are fully understood, private sector providers need to demonstrate their commitment to a wide range of ethical and practical principles. High among these are sustainability and transparency: third sector clients demand that providers share their environmental values and that they are open and operate with the utmost integrity. Similarly, the provider should show clarity in everything it does and work within clear management consultancy codes and guidelines. Governance structures should be sufficiently robust to assure the client of its adherence to corporate responsibilities. Clients are also increasingly looking for assurance that outsource providers understand - and can adapt to - their unique organisational culture and that they have the client portfolio and range of services that engender complete confidence. Sheila Bryant is an experienced Chartered Accountant and CEO of Leading Services where she provides strategic professional and outsourced finance director services to the company’s clients. http://www.leadingservices.co.uk Sectors 2012-04-13T10:29:41+00:00 http://www.sourcingfocus.com/index.php/site/newsanalysisitem/we_know_where_what_you/ http://www.sourcingfocus.com/index.php/site/newsanalysisitem/we_know_where_what_you/#When:14:10:58Z This week, the Government caused a stir when it announced plans to introduce legislation to allow authorities to monitor the online activity of everyone in the UK. It has been no surprise to see intensive lobbying from MPs, civil rights agencies and individuals whose rights would be affected by such ‘Big Brother’ proposals – but what do these developments tell us about the Government, its reactions to developments in technology, the way in which technology is used by society and the domestic legal system in general? When the proposed legislation was first announced, nobody had seen the detailed rights which the government was seeking to introduce - which in itself, led to a negative reaction. It appeared from initial reports that law enforcement agencies would have the unfettered right to review content held by social media sites, but following clarification from government officials, it seems that this would include, or constitute, the tracking of relationships between individuals by monitoring the flow, timing and location from which messages are sent and received through social media channels. This means that given the geo-location capability of smart phones and tablets, it could be determined where you are, when you’re there, who you are talking to and potentially (as this aspect is still unclear) what you’re saying. While the Government’s hastily presented clarifications are helpful in understanding the potential scope of the proposed rights, in practice, individuals and civil liberties groups, in particular, will remain concerned about the ability of law enforcement agencies to track this type of information which has the potential to be extremely intrusive and prejudicial to the rights of individuals. This is compounded by the lack of clarity as to whether or not the proposed rights would be subject to obtaining a warrant - this has important implications as the warrant requirement provides a further safeguard to the rights of individuals.  Again, this lack of clarity has further fuelled the growing and almost unanimous negative response to the Government’s proposals. Similarly, the timing of such proposals in wake of the public outcry from the UK’s phone-hacking scandal (where private communications between individuals were intercepted and utilised by third parties) is regrettable. For all of these reasons, it’s essential that the Government provides detailed proposals on the rights which it is seeking to enshrine into English law, as this will have a knock-on effect in terms of evaluating the adequacy of existing legislation which provides similar powers – such as the Regulation of Investigatory Powers Act – as well as those laws that are in place to protect individuals – for example, the Data Protection Act and the Human Rights Act. Before any new legislation can be successfully implemented, relevant bodies, such as the Information Commissioners’ Office (ICO), would need to assess the potential impact of it on individuals and their statutory rights regarding the use of their personal data by third parties.  Similarly, those directly affected by the proposals will need to consider the implications of the proposals for their business and the commercial and technological challenges which they may present.  Many of those businesses affected will be social media sites that do not charge for use of their services, but may be required to introduce new systems, processes and personnel in order to deal with these types of requests for information - adding further overheads to their business. Despite the issues that the proposed legislation has raised, it does provide a good working example of how the checks and balances which are built into the Parliamentary system continue to work in the modern age. While the Government will be left frustrated at not being able to push through the proposals in the name of national security, it is right and proper that proposals which may have far-reaching implications for the rights of individuals, are clearly articulated and subject to scrutiny by all interested parties before they become law. Generally, however, this debate highlights the way in which the Government and legislators are struggling to keep pace not only with digital developments, but also with the way in which people now use technology as part of their everyday lives and how laws should be developed to deal with such developments. What is clear from this episode is that attempts to rush through legislation in the name of national security will not go unnoticed or unopposed, particularly where the rights of individuals may be eroded as a result. During the riots last year, much was made of the way in which social-media enabled the rioters to rapidly share information on both a local and national scale, and the Government’s proposals seem, in part, to be a reaction to this event. Whilst not necessarily the most appropriate course of action, had the Government introduced the proposals in the immediate aftermath of the riots, they may have gained more immediate positive reactions from the public, or at least a slightly more sympathetic response. However, as we stand, it is likely that these proposals will take several years of drafting, reviews and consultation before they are enshrined into law – by which time, we will probably be looking at new uses of technology, in respect of which the current proposals may no longer be adequate. 2012-04-04T14:10:58+00:00 http://www.sourcingfocus.com/index.php/site/newsanalysisitem/it_security_lessons_that_australia_can_teach_us/ http://www.sourcingfocus.com/index.php/site/newsanalysisitem/it_security_lessons_that_australia_can_teach_us/#When:08:16:20Z The Australian economy - under the respected guidance of its 27th Prime Minister Julia Gillard and her federal team - is carving out a name for itself in the IT security arena. Whilst this may sound surprising, it comes against the background of Australia’s (as a country) relative youth and the fact that the country has around 22 million citizens: big enough to make its weight felt in international terms, but small enough to be flexible in the modern world of IT matters. A key example of this is the country’s Defence Signals Directorate (DSD) - Australia’s equivalent to the US Department of Homeland Security - which has analysed some of the attack techniques used by cybercriminals and come up with four main methods of blocking them. And the Australian government - moving swiftly in response - has started rolling out these techniques across its government IT infrastructre, reportedly to great effect. The 3rd and 4th techniques centre on the idea of whitelisting, that is, forcing public sector computer users to install only approved (whitelisted) applications and only allowing similarly approved - and risk analysed - emails to be viewed. This means that, on their office computers, government employees can only access their corporate email and browse a limited number of Web sites, which, in turn – means they have a far less chance of infecting their PCs than `civilian’ Internet users. Alongside its controlled software and Internet usage approach to IT, the Australian government has also been highly pro-active in quickly patching high-risk security vulnerabilities in both the operating systems and software that its many computers run. Based on an analysis of its Internet usage during 2010, in fact, the Australian DSD concluded that at least 85 per cent of the targeted cyber intrusions that it responded to during the year could have been prevented by following these four main mitigation strategies. These four strategies are just part of a 35-point strategy report - Strategies to Mitigate Targeted Cyber Intrusions (http://bit.ly/lvZn7K) - which found that, although resistance to the idea of patching operating systems and software was low, the costs involved on the financial and staff training side of things were still quite high. That’s not to say that staff response to the report’s recommendations - which included the control over both portable and data devices - was entirely positive. The report’s authors found there was a high degree of staff resistance to the idea that their access to USB sticks and other forms of low-cost data storage were to be restricted. Despite this, there are signs that staff are now realising that these data security requirements are a normal part of doing business in the public sector and will therefore be the normal IT methodology - both now and in the future. If we contrast this IT security methodology to that seen in the government and public sector here in the UK - where the emphasis is very much on cost saving, rather than taking a draconian approach to effective security - it can be seen that there is considerable scope for security problems with many UK government departments being encouraged to go down the open source (freeware) route. There is, of course, nothing wrong with using open software over commercial applications, but most experts agree that at least some of the cost savings accrued from going down the open source route should be re-invested in other aspects of computing security, not least in ensuring those applications are secure enough for general usage. Unfortunately for computer users in the UK, there are signs that the audit requirements laid down by current governance rules can still be counter-productive in the longer term, as employees are still free to source – and use - just about any software application they wish. Put simply, where Australian public sector workers are effectively told what operating system and software they will be using in the workplace – and IT governance/security staff can plan and accommodate accordingly – their UK counterparts are allowed carte blanche (within reason) to decide the software they wish to use. IT purists might argue that this makes for a more efficient IT user base in the UK public sector when compared to their Australian colleagues, but there are real reasons behind the Australian mandate on what operating system and software you can - and cannot - use. A clear example of this lies in the use of SCADA - Supervisory Control And Data Acquisition - computer control systems seen at the heart of many industrial automation and control systems. First developed in the 1960s - and really coming into their own with the arrival of the first PCs in the 1980s - SCADA-driven systems are typically found in industrial systems such as energy power plants, electricity supply grids, chemical plans and many other industrial systems that require a high degree of computerised control - but also require total, 100 per cent, systems availability. This is Mission Critical with a capital M and C. Many businesses claim their IT processes are mission critical, but SCADA control systems are often critical to national infrastructures. If the national electrical grid goes down, for example, it can cost industry many tens of millions of pounds per hour and - in the case of hospitals, air traffic control systems and the like - can actually place people’s lives in jeopardy. Despite the fact that a growing number of PC users in the private and public sector are migrating – or have migrated onto – the Windows 7 platform, most SCADA-based systems use a robust and ruggedised version of Windows 98, a 16-bit version of Windows dating back to the late 1980s. The reason for this apparent luddite approach is quite simple: by using a stable and unchanged operating system which has been fully updated and completed its lifecycle, SCADA-based systems can have their operating system loaded into firmware. This means that, although there is no equivalent of Microsoft’s `Patch Tuesday’ update programme for Windows 98, cybercriminals cannot easily subvert the code of SCADA-based system, since the firmware-based operating system is fixed - and cannot be updated. This fully-embedded firmware approach is fairly unique to SCADA-based operating systems, but helps one to understand that a highly controlled operating system and software environment – as mandated under the Australian DSD’s diktat - has a far lower risk of subversion than the free-for-all software approach see in the cost-cutting UK public sector. Here at Avecto, whilst we understand the impetus behind moving to open source software that a growing number of UK government departments and allied public sector agencies are moving towards as part of their cost-cutting strategy, this does not mean that the Australian ideas enshrined in the DSD report cannot also be applied here in the UK. This is because the principle on which our security offerings are built is Windows privilege management - namely the control over who has access to specific applications running on the corporate IT platform, as well as the underlying data. This means, for example, that if the admin team only run their control and security software from within the network perimeter on known PCs, then access to those applications can be locked down to specific on-network computers. Then, even if a set of admin account credentials are compromised by hackers, they cannot use those credentials from the Internet – they would still have to gain physical access to the terminals used by the admin staff. This is a similar belt-and-braces approach being adopted by a growing number of banks for online account access. Not only must users present the right credentials, but they must also authenticate themselves using the appropriate hardware token. Back in the land of securing Windows-based computers, meanwhile, and it is interesting to note that a second report from Australia’s DSD - Implementing the DSD’s Top Four for Windows environments (http://bit.ly/tfouuM ) - the conclusion is quite unequivocal: “Minimising administrative privileges is an exercise in the principle of least privilege. In a properly designed, administered and maintained environment there is no requirement for any user to have administrative privileges on their day-to-day account. In addition there should be no account which has both administrative privileges and access to networks outside of the organisation, such as Internet or email services,” it says. “When properly planned and executed, minimising administrative privileges can have significant flow on benefits to the stability and consistency of the computing environment, simplifying administration and support of that environment,” it adds. Does this sound vaguely familiar? It should – it’s effectively a summary of the reasoning and principles surrounding the use of SCADA-based computer systems that run our critical infrastructures. And whilst I’m clearly not advocating the use of the inflexible embedded operating system approach seen on SCADA-based platforms, I think there is considerable scope for the Australian DSD’s report recommendations to be deployed in UK corporate IT departments. As well as reducing the risk profile of company IT systems, they would also greatly assist in the number of support calls need in a typical major corporate - which is something that will make the bean counters happy. And that’s no bad thing when you think about it… Topics, ITO, BPO 2012-03-21T08:16:20+00:00 http://www.sourcingfocus.com/index.php/site/newsanalysisitem/eu_data_protection_proposals_outsourcing_and_employee_data_issues/ http://www.sourcingfocus.com/index.php/site/newsanalysisitem/eu_data_protection_proposals_outsourcing_and_employee_data_issues/#When:16:19:23Z Outsourcing arrangements often require the transfer of employees’ personal data from the customer to the supplier or vice versa.  For example, an outsourcing of payroll functions will involve the transfer of employee data.  Particular issues arise if the data is to be transferred outside of the EU.  In addition, notwithstanding that most data protection legislation within the EU derives from the EU Data Protection Directive, there are important differences between countries on how personal data can be processed.  The UK rules are currently contained in the Data Protection Act 1998.  In January 2012, the European Commission published its proposal for a new General Data Protection Regulation.  The extensive proposals would overhaul this area of law and significantly increase data protection across Europe.  The key proposals are: • Harmonisation: A single set of rules will apply across Europe.  • Scope extends beyond Europe: The new rules will apply to EU businesses and businesses based outside the EU that process European citizens’ personal data for the sale of goods or services or the monitoring of behaviour. • Fines: Penalties for non-compliance will be significant, with businesses facing proposed fines of up to €1 million or up to 2% of their annual worldwide turnover (depending on whether the organisation is an ‘enterprise’). • Explicit consent: The new definition of “consent” will include a requirement that individuals’ consent must be explicitly obtained; it cannot be assumed.  • Notification requirements: Organisations will be required to notify their supervisory authority of a security breach without undue delay, meaning within 24 hours if that is feasible.  If not, the notification must be accompanied by a reasoned justification.  • Right to be forgotten: Individuals will be able to ask to be forgotten and have their data deleted unless there is a legitimate ground for keeping it. • Data protection officers: Organisations with over 250 employees will be required to have a designated data protection officer who will have specific duties in relation to monitoring and advising the organisation. These changes are probably long overdue – the current law was drafted when recent technological advances could not have been contemplated.  However, preparing for the changes and ensuring compliance will place a large administrative and financial burden on businesses with a European presence, including businesses involved in outsourcing. The next step is for the proposed Regulation to be considered by the European Parliament and Council.  It is expected there will be widespread debate on the proposals, and that the Regulation will be amended.  Once the Regulation is approved, it is likely to be a further two years before it comes into force. If the current drafting of the Regulation is approved, there will be a significant change in data protection obligations for both customers and suppliers.  Under the current law, only data controllers – organisations that control the purposes and manner for which personal data is processed – are subject to the obligations and restrictions on personal data.  Most suppliers are data processors as they process personal data on behalf of the customer (the data controllers).  However, the proposal is to impose restrictions and obligations directly on data processors (i.e. suppliers) for the first time. Currently, it is important for all parties to establish who the data controller is and for the data controller to impose contractual obligations on the other party to ensure compliance with data protection legislation.  It is also key to ensure that, if personal data will be moved outside of the EU, this is done in compliance with the strict restrictions on exporting data.  Arguably, by extending the scope of data protection legislation to cover data processors and organisations based outside the EU which process EU citizens’ data, these considerations will become less significant for EU-based data controllers (i.e. customers).  However, the effect on data processors and international organisations will be much more significant.  The more stringent rules will place a tougher administrative burden on suppliers, which could lead to an increase in the overall cost of outsourcing. Organisations that are about to enter into new outsourcing arrangements should be aware that their data protection obligations may change during the course of the arrangements.  Contractual provisions should be drafted accordingly, for example to make data protection provisions subject to amendment to comply with legislative changes. The key message for customers and suppliers is: watch this space.  It will be some time before the measures are implemented, but the scope and effect of data protection legislation is likely to change significantly.   2012-02-16T16:19:23+00:00 http://www.sourcingfocus.com/index.php/site/newsanalysisitem/offshoring_v_onshoring_-_which_way_is_the_pendulum_swinging/ http://www.sourcingfocus.com/index.php/site/newsanalysisitem/offshoring_v_onshoring_-_which_way_is_the_pendulum_swinging/#When:16:02:46Z   In recent years, we have seen UK businesses moving away from the tendency to outsource business functions overseas and once again seeking delivery of these services within their borders. However, have national pride and political sentiment now become the drivers of the onshoring vs offshoring debate? Or do cost-consideration and expertise still determine where a business locates its services? Adrian Guttridge, EMEA Head of BPO, HP Enterprise Services investigates the importance of these factors and the role of vendors in this decision process. Since late 2007, most of Western Europe has been in the shadow of economic uncertainty. Large numbers of reputable business institutions have struggled to survive and for some, the impact of the debt crisis has been overwhelming. The UK banking sector witnessed the nationalisation of Northern Rock and saw both the Royal Bank of Scotland and Lloyds TSB receive an injection of public funds to shore them up. One might think that such developments would, if anything, strengthen the allure of offshore cost-savings. However, cost was no longer the only consideration. Alongside a renewed cost-cutting imperative, the economic downturn also ushered in the politics of protectionism. Sending business abroad to create jobs, infrastructure, and skills overseas when these are needed so desperately at home has a negative impact on companies and political goodwill, another valuable asset, already in extremely limited supply. The past 12 months have also been characterised by social and political unrest, particularly in many developing markets. This has demonstrated the geopolitical risk of locating business services abroad and alerted corporate decision-makers to the fact that while offshoring delivered benefits to the balance sheet, it also brought with it the very real possibility of denial of service and the business challenges that come with this. Such cost-savings, it suddenly seemed, could have a significant cost in themselves. These factors have indisputably shifted the context of a CFO’s thinking when grappling with the offshoring vs onshoring debate. In HP’s experience, what will ultimately remain the most pressing consideration, and the easiest sell internally, is cost. While the events of 2011 have demonstrated that the analysis cannot stop here, the essential savings to be made from offshoring through, for example, labour arbitrage, have not lost their allure. As such, businesses have had to find the middle ground. At HP, we are finding that organisations are increasingly seeking to get the best of both worlds by adopting a hybrid model with the core business at home and selected services strategically outsourced overseas. HP’s Best Shore delivery strategy caters to this dual requirement by giving the customer the advantage of a global infrastructure and balanced global footprint. This enables the business to react quickly to any uncertainly, but capitalising on the cost benefits of offshoring. Individual customers may have specific reasons for wishing to keep certain services onshore – such as data-protection and security – but it is more than likely that for other services, location choices will depend largely on the vendor’s judgment that conditions are suitable. Moreover, what will ultimately determine a market’s viability as a centre for, for example, the provision of BPO services is the expertise, the people, the processes, the tools and the infrastructure available. This is what a vendor will look for when deciding where to establish itself. HP’s approach is to develop centres of excellence for specific services in broad based key global hubs supported by regional language centres. What delivers value to customers is our investment in people, technology and modern facilities; it means they get more time to spend on managing their core business and don’t need to worry about their location strategy. As ever, advancing technology will continuously shift the goalposts of this debate. Connectivity has created a global village in which individuals and communities everywhere can contribute in the outsourcing market. As this trend moves towards its logical conclusion, the particular resources or characteristics of a specific market will lose their significance and a location-based outsourcing proposal will become less relevant. For now, the pendulum on the “onshore vs offshore” debate will continue to swing back and forth, impelled by transitory political, social and economic exigencies. Cost is still what the CFO will have front of mind when tackling this dilemma, but the growing sophistication of technology may make it a headache of the past. 2012-02-01T16:02:46+00:00