A big challenge for sourcing specialists is needing to rely on security domain experts internally to judge provider quality. The internal team, already working on their day jobs, often doesn’t have as much time to devote to the selection and negotiation process as sourcing leaders want. It’s important for sourcing teams to get smarter about security themselves to lessen their dependence on domain experts for preliminary RFP screening and downselecting.
In our upcoming security services Blueprint, we asked the client references (themselves security experts) what advice they’d give non-technical teams on buying security services. Some of them are general sourcing best practices, and some are very specific to security. But they’re all important to ensuring the success of your security services engagement. Here are some of their key recommendations:
Make a map of your security landscape. You need to cover your bases regarding what kinds of security technology you’re using – endpoint, antivirus, etc. – so you can ask the provider about its expertise in each one. Ask in-depth questions about what kind of expertise it has with those tools, and look for specific clients and places where it can demonstrate the details of its experience. Have the provider pull it all together into a diagram and one vision so you can see it and make sure it matches your expectations.
Communicate. A lot. How you interact with the provider will have as much bearing on the engagement’s success as the technical security. Make sure you’re not so focused on technical questions that you ignore challenges in communication. Remember the provider’s on its best behavior during the RFP process and it’s unlikely that communication problems get better after signing the contract. As one client reference said, “if the communication is good, you’ll get it right 90% of the time.”
Ask references about mundane details. Beyond the technology expertise, talk to references about what their daily experiences are like. Ask about little things like how quickly the provider answers emails and responds to questions that aren’t part of a service issue. Talk to people who have direct experience with the processes and skills you’re buying to make sure what the provider wrote in the RFP response is actually borne out in client engagements. For example, one client we spoke with mentioned a situation where its incumbent provider proposed expanding scope based on its process for innovation – yet the process described in the proposal looked nothing like the process the client experienced every day with the provider. So even tactical steps within a proposed process need to be explored.
Weight flexibility and potential highly when grading. One client reference expressed sympathy for his sourcing counterparts: “It’s hard to know what questions to ask and know how to evaluate the answers,” he said. But he then explained that evaluating a provider’s flexibility is critical to engagement success. He points out that flexibility matters because even if you ask the right question, your questions will change over the course of the work. So flexibility and potential capability are better than specific current capability that may not be relevant in another year.
Pick a supplier that can meet you in the middle. It’s been a truism of outsourcing to hire for areas where you’re weak. But this often leads to provider teams that can’t effectively work with client teams because they have no common skill sets. One client pointed out that she relies on her provider’s ability to speak “business language” when discussing security. Can the provider talk about security from a business perspective or are they expecting you to translate their technical discussions for your stakeholders? What you really want is a provider that can go deep in the technology but still have a business discussion, while you’ll match those skills with your internal security experts and stakeholders.
Bottom line: Don’t be intimidated by the lack of deep technical security knowledge. It’s important to bring in domain experts as much as possible, but sourcing teams can dramatically improve their own efforts by making sure they focus on the business side of security.
We’ve seen a number of consulting and outsourcing firms making investments in design thinking over the last couple of years. The most visible approach recently has been the run of acquisitions of design-thinking boutiques. A few representative ones that are being covered in our current research for the Design Thinking in the As-a-Service Economy Blueprint include:
Capgemini – Fahrenheit 212 (2016)
Cognizant – Idea Couture (2016)
Tech Mahindra – BIO Agency (2016)
Wipro – Designit (2015)
Accenture – Chaotic Moon (2015), Fjord (2013)
And while other outsourcing companies are not making acquisitions, they are partnering with design thinking firms (e.g., Sutherland with UXAlliance, Genpact with Elixir Design) and academic institutions that offer design-thinking curriculum (e.g., Infosys with Stanford d.school). Do their clients feel like it really makes a difference? From what I’m hearing in my interviews with operations executives, product managers, and finance transformation leaders to name a few… Yes, it does.
Here’s how:
From designing to doing: Design thinking offers an approach for a diverse group of people to work together to identify and articulate a common problem, brainstorm ideas for addressing it, quickly prototype/wireframe/storyboard and test it, and continue to iterate on the idea as it takes shape into a proposed solution. While designers often operate within a “non-constrained world,” consultants bring a healthy dose of a reality check into the process, shared one interviewee. For example, a market-based and analytical approach adds context to the process of testing the ideas and prototypes for how well they could work in the business and how relevant they are to the market. Another executive described it as an “innovation agency” partnering with a “solution provider.”
Industrialization of methods and tools: Consulting and outsourcing firms have a rich history of standardizing what they have seen work in multiple instances. Many of them have been known to go to the extreme of “this way or the highway.” Most design thinking firms take a more creative, empathetic, and flexible approach, but are typically not as strong in analyzing, identifying, and setting standards. There are design-thinking agencies that are known for strictly adhering to standardized approaches and toolsets – IDEO comes to mind – but it is not the norm in the industry. Likewise, there are pockets of creativity in consulting and outsourcing, but, again, not typical. These two groups are starting to find complements in one another. Clients are appreciating this emerging combination of creative, engaging, and simple (thanks, designers) and standardized, contextualized (thanks, consultants) approach.
Research depth: Design thinking can be a richer experience through thoughtful diversity – bringing together people at different levels (hierarchy) in a company, from different business units and functions, and from different professional backgrounds (e.g., ethnographers, CPAs, and programmers). Design thinking firms are rich in creative professionals; and consulting and outsourcing firms can tap into industry subject matter experts, technology gurus, and change management leaders, as well, because of the breadth and depth of their organizations. They can help address needs from market sizing to industry experts to rapid prototype development with new, emerging technologies because of internal experts or their own ecosystems.
Recalibration underway
A key theme we hear over and over in the outsourcing industry is the drive toward “recalibration.” Outsourcing firms that have been in business for years were built on the premise of providing lower-cost, more efficient processes using best practices: Lean Six Sigma, and ERP or now, increasingly, cloud-based/SaaS platforms. But to keep doing something basically the same way and expecting different results is insanity (a refrain often attributed to Einstein) – design thinking offers an approach to finding those new results.
Bottom line: A design thinking led approach moves the focus of the operations executive and service provider partner off the process itself, off the internal, “what’s wrong inside of what we do” to “what do we actually want to achieve” (the business outcome), and what do we want people to feel and do naturally that will lead to further engagement and new—and different—results.
After seeing the impact of the human-centered, flexible, creative, fast approach within “innovation centers,” “labs,” or “digital” business units, consulting and outsourcing firms are realizing that design thinking can help a company and its clients reimagine something that desperately needs a new way of working. Outsourcing and service delivery is an industry suffering from hitting thresholds on cost reduction, failing to meet expectations of innovation, and wondering how to use digital technology and overcome barriers in communication set up within and between clients and service providers. At the same time, though, there are key aspects of rigor, process orientation, and service inherent in the services industry that fit well into enabling design thinking to move into solutions and results such as increased customer and employee loyalty and new revenue streams.
About 18 months ago, we thought – wow, what an interesting idea, using design thinking in the services industry. And we launched the first Design Thinking in the As-a-Service Economy Blueprint to explore whether or not it was feasible – if there were any examples of how design thinking was changing the way consulting and outsourcing firms work, internally with or for their clients. There were a few. As we go through the current refresh, we are finding that design thinking is actually changing the way many clients and service providers work, that there is a real complement between designers, consultants, engineers, and service delivery; and we will continue to share examples over the next few months.
Every CHRO focus group or survey these days identifies “enhancing analytics capabilities” or “crafting a people analytics roadmap” as a top initiative. This, of course, includes analytics of a predictive nature, as these generally have the highest impact. It’s now time-critical for both HR execs and HCM solution providers to think about what type of technology capabilities are needed to support these initiatives, which, if successful, clearly help make the case for HR having that proverbial seat.
So we’ve decided to put a stake in the ground and evaluate what most enterprise software vendors are describing as their “early” capabilities and customer experiences in this area.
Many HRMS (employee life cycle) vendors cut their predictive analytics teeth around the retention risk area. Some of those providers have progressed to predicting potential to succeed in different roles or factors that impact employee engagement and productivity. A few now forecast labor and skill set gaps and use that intelligence to optimize work schedules. One or two HCM solutions now even highlight potential compliance risks and recommend training to mitigate those risks or offer other examples of prescriptive guidance.
Is this the bulk of what HR leaders are looking for? Hardly, as any HR Tech vendor will tell you: “They are just getting started!”
One HR tech vendor exec we spoke with for this research said, “the ultimate vision here is to predict all employee-related outcomes that materially impact business performance, understand why the outcome is likely, communicate why this insight matters, and determine and pursue the key actions needed.” As a destination point, it’s probably better than most.
2 key indications the time is now for getting this research out there:
A few of the larger HCM solution vendors weren’t in such a hurry to discuss their predictive capabilities. Yes, this can happen with emerging technology areas; plus getting a read on “customer and market readiness” perhaps requires soothsayers as much as product managers.
HR buyers’ interests seem to be out in front of what a large swath of the HR tech vendor community is delivering when it comes to these capabilities. This is not a dynamic observed very often. Vendors have historically done a lot of the pulling in this relationship.
Finding the “homeostasis point” where HR tech customers and vendors can both see and derive business benefit from moving the ball forward on HCM predictive capabilities keeps us moving forward with this research, underlining its sense of purpose — and urgency!
Bottom Line: The value of predictive capabilities in major HR tech platforms, and understanding how providers’ plans are meshing (or not) with customer needs, will be covered in this first-of-its-kind research to be published in mid-February. We at HfS look forward to generating some lively discussions.
A company’s security posture changes often. The change can be company-created, for example, by opening an office in a new geography or entering a business with different regulatory requirements for data protection. Security posture also changes as new threats like previously unknown malware emerge, and more sophisticated techniques for hacking evolve.
When engaging a managed security services provider, it’s tempting to believe that keeping up with changing security posture is “being handled” by the provider. But is it?
Providers Often Forgo Innovation For Operating Efficiency
A very common complaint among outsourcing and managed services clients is that the providers rarely suggest changes unless the client brings it up – unless, of course, that change benefits the provider’s ability to run the process. In security environments, this heads-down approach goes beyond ineffective – it can cause significant damage to clients as threats and mitigation options change quickly.
Yes, providers generally do a security posture assessment before beginning the engagement. However, in our current blueprint research we found little evidence that providers re-assess security posture formally during the ongoing engagements.
Recently, in fact, we even heard of one provider that regularly discovered threats in a client environment but didn’t report them to the client because the particular threat types were out of scope of the engagement. The client found out only months later, and by accident, about the omissions.
Even setting aside such egregious scenarios of intentionally not alerting the client, many providers miss threats. They miss them because they’re not looking for them and their analytics engines aren’t detecting new patterns.
Be Proactive With Incident Monitoring And Reporting
There are many ways you can work with your managed security services provider to ensure that changes to your security posture are being addressed. From most quickly implemented to longest, here are some actions you can take:
First and foremost, monitor news and trends in security and threat intelligence. Don’t wait for your provider to flag new threat types to you.
Be proactive in asking questions about changes and new threats. Sometimes even a quick email asking the provider about a new ransomware technique that you read about will spur discussion about making changes to the service scope.
Include security market changes and news as part of monthly meetings. Make it an agenda item to discuss what’s happening in the market. And build into the provider’s mindset not to wait for the regular meetings to bring up new events.
Expand the scope of your engagement to include regular security posture re-assessments. This can depend on your industry and other factors, but it might be quarterly, semi-annual, or annual.
Include a new engagement metric on the provider’s ability to find and address new threats. The provider’s ability to keep your data and organization protected from threats even as those threats change needs to be part of the provider’s success metrics if it isn’t already.
Bottom Line: Don’t let inertia set in on your security managed services engagement—make sure your engagement includes specific, proactive approaches to staying current with your security posture.
We hear a lot about how retailers are trying hard to bridge the online and in-store experience for customers, but have you thought about how this concept can help patients in healthcare? VCU Health, for example, is a forward thinking hospital that is looking outside the hospital walls for how to create a better experience and outcome for stroke patients before they even reach the ER. Partnering with the ambulance authority and technology providers, VCU Health is testing remote assessment of the patient during their ambulance journey to shorten their time to treatment. Led by neurologist Dr. Sherita Chapman Smith, this hospital’s story involves a passion for modern and mobile patient care, a lot of collaboration, and some real outside the box thinking in order to fine-tune and bring the idea to life.
At the heart of the effort is empathy – making an effort to “get inside” the experience of each person involved, understand their needs, and how to address those needs both simply and effectively.
The group that Dr. Chapman Smith gathered to the table included individuals from the local ambulance authority, the VCU Health Telemedicine Center, and technology provider swyMed, to determine what was needed to have a secure and stable system that would work and work well for all users. To get a patient perspective, the hospital reached out to specialty actors who have been trained to act in patient scenarios with medical students and residents, to give feedback on how they should interact with patients. The team trained these patient “stand-ins” on how to act out symptoms for a stroke.
These “patients” were picked up in an ambulance and connected via teleconference to the vascular neurologist in the hospital, who conducted a remote assessment; and when they got to the hospital, the scenario had them quickly advanced to the next stage of treatment. Afterwards, each one shared feedback via survey and interview, such as, did they feel safe, did they feel connected with the neurologist, were they comfortable, what did they think of the audio/visual quality? Participants ranged in age and ability to take into consideration comfort with technology and levels of hearing. The hospital also compared the responses with bedside evaluations. The feedback, combined with the experience from the physicians and EMT has led to proposals for changes to protocol and to the solution.
As the project moves along, they keep zeroing in on what will make the patient comfortable, and whether that works for the physician and EMT in the ambulance.
What makes it work?
Internal and External Network of Active Participation: “It’s a small group of vascular neurologists at VCU,” said Dr. Chapman Smith, “so I just asked my colleagues – can we give this a try?” She talked to her department chair, who connected her to the Chief of Emergency Services Operations and Medical Director of a local EMS agency, and then reached out to the communication office, and then to the ambulatory authority, bringing in representation from groups that all have a stake in how it would work, and how easily, and how smoothly. A small community banded together to test—what will work for the hospital, the patient and the EMT, and provide feedback. They have roles in working through implications to protocol, simulations, and dry runs.
Steady Visual Connection: “We wondered if the patient really needs to see the physician or EMT from within the ambulance,” said Dr. Chapman Smith, “but a main comment from the patient simulators was that it put them at ease to see a face versus just hear a voice… just a voice can add to the anxiety.” So the ambulance clearly needs a steady and secure connection with high enough bandwidth as it makes its way to the hospital. A modem, antennae, and single carrier connection did not do the trick; in test runs, the ambulance encountered multiple dead zones. “We want to be sure wherever we go, we can do the assessment/exam without a drop.” So, as part of the solution under development, swyMed software monitors for connections and can switch cell towers and antennas to get the best quality signal at the lowest bandwidth. It’s part of a portable solution the team developed to keep a live-video connection to a doctor all the way to the medical center.
Ease of Use and Access: During the assessment, the neurologist wants to be able to see the patient, but not have to click arrow keys to move around a camera. Taking this into consideration, the team designed a set of predefined commands such that a command would move the camera to a certain spot to look at an arm or a hand with as few arrow clicks and mouse moves as possible. Also, the physicians and EMTs want a mobile solution: physicians don’t want to be limited by being at a desktop computer; and the EMTs want something that is portable between vehicles, something not every ambulance has to have, since they are not all in service all the time. These insights all came from interviews, observations and dry runs.
There are a number of healthcare providers working inside the walls to create a better and more effective experience for health and care, but what happens before and after that care can have significant impact on outcomes as well. The work that VCU Health is doing is an example of human-centered, not hospital-centered or technology/telehealth-centered, care. The hospital is on a journey—still to finalize the protocols and roll out the remote assessment with real patients—but it’s a worthy example of forward thinking that shows how healthcare providers can step outside the storefront and provide real remote services that can really impact the quality of care.
A memorable exchange I once had with a former HR colleague went like this:
Me: “When Workforce Planning accounts for cascading gaps because you filled some jobs from within, that’s commonly viewed as HR best practice.”
Colleague: “Oh really? Well, I think best practice is simply the practice that works best!”
Borrowing a line from the classic movie Cool Hand Luke … his statement “helped get my mind right.”
So one suggestion coming out of my initiation into the world of practical HR thinking: Whenever you hear someone say: It’s “HR best practice”, perhaps you should ask if they’re following a blueprint crafted specifically for their organization and business context. And if they’re not, odds are that particular practice will come under some scrutiny soon, and perhaps shortly thereafter, the individual that architected the practice.
Many of us were a bit taken aback when we heard highly regarded Zappos was generously paying new hires to quit if they were dissatisfied, and not just because it was likely deemed more cost-effective in the long run. It was mostly because the company’s brand is totally about “best customer experience imaginable” and this is so much more than a tag line. One of countless examples is that their customer service reps never use scripts. Genius, common sense, or both. You decide, but also think about whether this would work for a phone company. Fat chance as they say.
As With New Employees, Best is Mostly About Fit
Elsewhere, a number of well-known large companies including LinkedIn, Virgin America, Best Buy and Netflix have started experimenting with unlimited paid time off. The rationale: time away from the job helped with employee productivity; e.g., by avoiding burn-out. Beyond that benefit, trusting employees not to take advantage of the company can make them feel – and therefore act — like part owners of the business. This practice worked for these employers, particularly when employees and managers discussed adequate coverage for key duties in their absence, but clearly it’s not a universally great fit. Consider the impact on an impending re-start of a nuclear power plant if even one senior-level nuclear or safety engineer was in urgent need of some downtime. “Adequate coverage” is in the eye of the beholder.
Outside the realm of potential life and death consequences, however, innovative crowd-funding company Kickstarter abandoned its unlimited vacation policy when they thought it was sending some type of message (subliminal?) to employees to take less time off. So a creative HR practice designed to minimize burn-out was actually burning people out!
As in the aforementioned exchange with that colleague, best practice does indeed come down to what works in a particular business context; and when you’re talking about a new HR practice under consideration, desired corporate culture might be the #1 element to focus on. In high-tech startups, a very informal, “we’re one family” culture and typically doling out some equity are used to attract top talent. Arguably it’s also to compensate for a lower salary initially. By way of contrast, when was the last time you saw someone’s canine companion taking a stroll inside a blue-chip investment advisory firm?
Bottom Line: HR practices are “best” when they support both a company’s culture and its workforce strategies designed to create a great customer experience.
Let’s not be wedded to any particular best practice within the HR / HCM domain, as best practices are really tools to effectively manage an ever-changing operating landscape.
Since we published our first report on blockchain, we continue to talk to players in the industry about how this fast-moving market is changing and growing. Compared to last year, there’s more discussion about security and privacy (evolving from the “blockchain is unhackable” talking point that was popular last summer), there’s more talk about non-financial examples like using blockchain to help with supply chain compliance issues, and a hunger to get beyond POCs into valuable operational execution.
Recently we spoke to Santosh Kumar, Rob Ellis, and Mani Nagasundaram from HCL about blockchain trends. HCL shares many characteristics with the players we included in the report, such as:
Basing its blockchain expertise within its financial services practice
Building expertise in some key industry hot buttons like international money transfer, asset tracking, and trade operations
Creating POCs with global banks like one HCL did on cross-border money transfers across subsidiaries
Exploring partnerships with several key blockchain technology vendors like Ethereum and ERIS Industries
Regarding trends, HCL sees a lot happening in security and privacy, as well as regulatory agencies stepping up to help businesses form some governance policies around blockchain. We’ve seen in the past few months that while maybe the blocks in the chain aren’t hackable per se, there have been identity thefts, fraudulence, and further concerns about public blockchain networks.
The HCL team notes that transactions are well executed in blockchain, but identity validation and asset validation are less mature. And valuation of assets still needs to happen in the real world, so they caution against over-optimism in moving quickly to broad blockchain adoption.
Also, adoption may be slowed down until we can answer the key question, “who owns the network?” HCL’s current thinking is that there’s likely to be one or two per industry and that moving or crossing networks will be difficult (HfS agrees that network interoperability is a big problem. See my prior blog on network interoperability issues here.)
They also believe that maturity in blockchain comes in three phases and that blockchain mirrors the Internet itself in this maturity curve:
Operating business processes better with blockchain
Changing operations using blockchain
Using blockchain to create new business models, processes, and activities
When you get to the discussion of new business models, HCL has a few scenarios that they share (see Exhibit 1 for an example). We like HCL’s ability to not just explain the technology ins and outs, but also blockchain’s impact on business. In the blueprint guide on blockchain, we scored providers highly on innovation when they have strong business stories and the ability to demonstrate blockchain’s potential to prospective clients.
Bottom Line: 2017 will be an important validation year for blockchain
As HfS continues to research HCL and its competitors, we’re looking for the following in 2017:
Movement beyond POCs into live implementations
An example of inter-company blockchain work (remember, most POCs right now are intra-company, which is why the network question didn’t come up much this year)
Some hardening lines in the partnership area as the winners and losers on the technology side become clearer and providers get pickier about which vendors they bring into client engagements
Maximizing team performance and improving employee engagement are both winners in their own right as HCM themes to focus on. Solutions that focus on either are correlated with better business results. ADP and its clients can now play in this arena with the strategic acquisition of The Marcus Buckingham Company.
By many accounts, including mine, ADP’s past acquisitions of companies like Workscape, Virtual Edge and The Right Thing, while accretive to revenue (not necessarily a game-changer on a base of over $10 billion) and enabling a more diversified solution and customer portfolio, didn’t fully detach the company from its long-time transactional HR / Payroll branding. Yes, Workscape did bring cool technology around total rewards and portals, but ADP also talked a lot about their new benefits admin outsourcing capability after that acquisition.
The bold move of adding The Marcus Buckingham Company could pay off nicely for ADP, and in “multiplier effect” ways that, by definition, are much more consequential than incremental revenue or adding some new strategic customers.
Just as SuccessFactors was a clear catalyst in SAP’s embracing of the cloud, TMBC could do the same for ADP; not in terms of the cloud as ADP operates there already. The story here is adding a disruptive HCM solution, one that weaves together technology and services elements to help customers solve issues many HR tech products will never tackle.
Among other things, TMBC’s flagship technology StandOut distils the complexity of a team leader’s job into two fundamental questions: “what are my team members’ priorities, and how can I help them?”. As this will entail a new way of approaching the job for many team leaders, the transition is helped along by targeted and expert coaching, TMBC’s other strength that ADP plans to tap into.
TMBC’s technology and complementary coaching bring self-awareness to the performance management and career development process
Self-awareness/self-discovery is often the missing link in feedback and performance management models and systems. You could say that one exception is when an employee is told their self-ratings are very different than how others see/rate them; however that is “being told” rather than learning it through a guided process. Coaching is also advocated by more and more companies, but most aren’t consistently adept at it enterprise-wide. ADP customers can now benefit from Marcus Buckingham’s proven approach, one centered around individuals fully leveraging their strengths (motivating and energizing) vs. addressing their performance gaps (often de-motivating). The model also clearly fits organizations wanting to pursue a “learning organization” strategy and corporate culture.
While a talent management solution offering the type of capabilities TMBC brings can be ahead of many smaller companies’ adoption or strategic interests for some time, this acquisition should allow ADP to finally break free of its transactional HR/Payroll branding constraints.
The Bottom Line:
The Marcus Buckingham Company found its mother ship to reach the next stage in its journey to greater revenue and broader market influence/impact; and ADP likely jumped on an acquisition that will put it on the broader HCM brand trajectory it’s been longing for. The pairing should bring even more value to ADP and TMBC customers, and broaden ADP’s strategic HCM footprint in those customers, over 600,000 strong worldwide.
“It is a truth universally acknowledged” that the healthcare experience needs to change – for consumers and clinicians. Part of this change is to make access to data, services, and transactions easier – more “at the fingertips,” if you will—and more relevant to their healthcare experience. In a word, mobility. Mobile is about the platform; mobility is about the journey, the movement of the person, and the experience while in motion. There are a number of mobile platforms on the market today, but who is using them to bring mobility to healthcare?
“…mobility is about understanding where I am, where I am going and what I want to accomplish, and helping to make that journey exponentially better,” said David Sable, CEO of communications firm Y&R in a Huffington Post blog.
Well said. There are a number of mobile platforms on the market today to help make this happen, from well-established technology providers like IBM, PegaSystems, and SAP as well as up-and-comers like Kinvey, Kony, and MobileSmith. And I recently had an opportunity to get to know one offering suite a little better – Skava, which was acquired by Infosys in 2015.
How can mobile platform technology providers bring mobility to healthcare?
Skava is well established as a mobile development platform in retail, powering mobile apps, kiosks, and mobile devices for Gap, Staples, Toys R Us, and others. Now Infosys is bringing this consumer engagement and e-commerce enablement platform to healthcare. It is developing a set of independent, modular, discrete functional units packaged as “Build Your Own Digital Platform” for healthcare providers and payers (see Exhibit 1). Imagine consumers, patients, caregivers, pharmacists, and clinicians – among others in the healthcare community – being able to enroll, complete transactions like paying bills, scheduling, care management plans and alerts, etc. Then imagine having it integrated into the core healthcare management systems already in place.
Exhibit 1: The “Build Your Own Digital Platform” Play for Mobility in Healthcare
Infosys isn’t the only one with this capability, so if you are looking at walking down this path, take a look around for what best fits your needs. What I found with Infosys is that even though this solution set is not well established in healthcare, it does have a strong client base and proof points from retail, an industry that is heavily dependent on engaging consumers in transaction-oriented interactions. The platform supported $1.5 billion in e-commerce revenues in 2015. Infosys also has depth in IT services across industries, including healthcare, so it has the capability to work with clients to integrate and customize apps and services as needed. The Skava platform does plug into current IT infrastructure. And the service provider is also better integrating its business services and IT capability so that if you want ongoing support that includes data management and analysis, you can tap into extended services and have a single provider.
One “miss” in the story line so far, though, is my earlier point about mobility and creating an experience versus offering a mobile platform. Infosys as a company is investing heavily in design thinking capability – an innovative approach to identifying and solving problems. Yet, when we engage in briefings and look at the materials associated with this solution set, there is no mention of starting first with – what problem are you trying to solve? What opportunity are you looking to address? How are you defining and testing out the proposed solution prototypes with the stakeholders – consumers and business? And that’s a critical first step to ensure that the use of the IT-based solution is truly to address the consumer experience and how that impacts the business outcomes.
Bottom line: If you want people to do something, make it as easy as possible for them to do it. Healthcare providers and payers need to make healthcare services easier for consumers to access, use, and pay for, and mobility plays an inevitable role.
Infosys can tap into its design thinking approach and IT services, and leverage the Skava platform in a flexible way to help clients get there. There are already a number of healthcare management apps and mobile capabilities on the market, so it isn’t new. It is something you’ll have to incorporate into your business if you want to truly be a healthcare consumer-oriented organization, and partnering with a service provider with IT, business process, and analytics skills is a viable option.
This week the Internet blew up based on news that intel officials briefed President Obama and Donald Trump on the possibility that Russia had information on Donald Trump that was damaging to him personally and might even have implications for the entire US government. (And while one never expects a hashtag like #goldenshowers to trend on Twitter, the feed was hilarious.)
Politics aside, this story is a textbook case of problems with being proactive with threats. Notice: I wrote “threats” not “events” or “incidents” because the incident hasn’t happened yet, there’s just a high potential for it to be true and for it to happen.
You get lots of finger pointing in hindsight. The common question is “what did you know, and when did you know it?” Because, after something bad happens, anyone who knew of the potential for the event comes under fire for not saying something sooner, not being more forceful if in fact they HAD said something, and for not doing something to stop it from happening. The fact is something happened and someone has to somehow get blamed.
And in the Trump intel story, you see the opposite of that, with everyone retreating to respective political corners, defending or dismissing the intel reports based on emotion and personal perspective. And now that everyone’s already picking sides, it will be that much harder to make the right decision on how to treat the threat risk. So, how do you ask the right questions and take action in time to avoid the impending threat?
Here are the questions predictive security and risk management bring:
When do you flag a threat to executives? It’s important to have a policy in advance so there isn’t confusion later. It could be anything from “a risk has been increasing steadily for the past 3 months” to “a risk increased very quickly in a short period” or a similar idea. When you raise the flag may have a drastic impact on which actions you take to address the threat, since risks are often time sensitive.
How much do you tell them? Even if you’ve decided to tell executives, you must decide how much information to give. Too much detail and you may panic them unnecessarily, too little and they may not appreciate the implications of the threat. This question is usually harder to answer than the first one.
What do executives need to DO because of the rising risk? Another tricky area: what do you propose be done about the threat? Wait it out and seek more confirmation? Deal with it proactively, even if there’s potential for the threat to not happen? Take interim steps? This is the most important question to be answered when talking about predictive security management.
Focus Predictive Security On Remediation Not Reporting
We don’t know what advice the intel team gave to the government leaders, but we do know there are a few general ways you can deal with a threat or risk:
Accept the risk and go on with what you were doing. Sometimes there’s not much that can be done – or worth doing. For example, there could be a heightened risk of a terrorist attack, but you don’t want to be seen as weak and encourage the attackers further, so you choose to ignore it, safe in the knowledge that airport security is already prepared for such a threat.
Try to remove or reduce the risk. In a political context, it might involve finding the people who are informants and stopping their ability to keep helping the other government. In a corporate setting, it might involve cutting a contract with a supplier you think has illegal dealings, for example.
Make a strategic bet to increase the risk. In a political context like yesterday’s story, increasing a risk strategically could involve cutting diplomatic ties, mobilizing troops or invoking sanctions, among others (these increase risk because they may cause the original threat actor to escalate further or move more quickly with the original threat). In a corporate context, an example would be to work with a startup vendor even though you know it’s a highly risky supplier because that vendor has some amazing new technology that you want to use.
Unfortunately, if you didn’t have a remediation plan in place BEFORE the risk became likely, you’re facing much more confusion about what to do and even whether to do anything at all. This puts your company at risk and, in fact, negates the value of having predictive security capabilities.
Bottom Line: Security professionals need predictive security management and prescriptive treatment plans to protect their firms from looming threats.
Security teams need clear treatment plans that address potential risks and how to mitigate them. As a simple example, if there is a threat of insiders giving information to third parties, then the remediation plan would involve something like “when someone downloads more than one file they don’t normally access, that person’s manager must ask why the person needed those files within 4 hours of the download.” Without this proactive treatment planning, companies likely do nothing and then get harmed even by risks they could have addressed.
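The insider-threat treatment plan above can be written down as a detection rule with a deadline attached. The following is an added example, not part of the original post: the log format, user names, file paths and the per-user baseline that stands in for "files they normally access" are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REVIEW_SLA = timedelta(hours=4)  # plan: manager must ask within 4 hours
UNUSUAL_THRESHOLD = 1            # plan: "more than one" unfamiliar file

# Constructed baseline (assumption): files each user accessed in a prior period.
BASELINE = {"alice": {"/finance/q3.xlsx", "/finance/q4.xlsx"},
            "bob": {"/eng/design.md"}}
MANAGERS = {"alice": "carol", "bob": "dave"}  # constructed org chart

# Constructed download log, one event per line: "timestamp user path".
LOG = """\
2017-01-12T09:00:00 alice /finance/q4.xlsx
2017-01-12T09:05:00 alice /hr/salaries.csv
2017-01-12T09:07:00 bob /eng/design.md
2017-01-12T09:20:00 alice /legal/merger-draft.docx
2017-01-12T10:00:00 bob /sales/pipeline.xlsx
2017-01-12T10:30:00 alice /hr/salaries.csv
"""

def parse(log):
    for line in log.splitlines():
        ts, user, path = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), user, path

def review_tasks(log, baseline, managers):
    """One manager task per user, opened when the threshold is first exceeded."""
    unusual = defaultdict(dict)  # user -> {path: time of first download}
    tasks = {}
    for ts, user, path in sorted(parse(log)):
        if path in baseline.get(user, set()):
            continue  # normal access is not counted
        unusual[user].setdefault(path, ts)  # repeat downloads count once
        if len(unusual[user]) > UNUSUAL_THRESHOLD and user not in tasks:
            tasks[user] = {
                "manager": managers.get(user, "security-team"),  # assumed fallback
                "due": ts + REVIEW_SLA,  # clock starts at the triggering download
            }
    for user, task in tasks.items():
        task["files"] = sorted(unusual[user])
    return tasks

def overdue(tasks, answered, now):
    """Users whose manager has not recorded an answer by the deadline."""
    return sorted(u for u, t in tasks.items()
                  if u not in answered and now > t["due"])
```

The `overdue` check is what turns the rule from reporting into remediation: a task with no recorded answer after four hours becomes its own escalation.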