Thomas L. Pettibone


The Two Faces of Cybersecurity

In the race to beef up security measures through electronic surveillance, the crucial “human factor” is often overlooked.

The Rewards of Right-Sourcing: Why IT Sourcing Matters to CEOs and...

For 30 years, companies have sought to outsource and offshore IT as a way to reduce costs and/or quickly improve performance. Mega-deals were done in the ’90s and then, after that market was saturated, lesser deals ensued.

The Trouble With Focusing on Time-to-Market

Racing past red flags to introduce a new product or service invariably backfires. Here’s how to get the launch process right.

Making Technology Work: How to Corral Your Runaway IT Projects

Information technology project failures cost companies millions in new technology expenses, manual workarounds, additional customer service and reputational damage. What’s more, failure rates are high. A look at three IT undertakings that went massively wrong offers some insights into what CEOs and companies can do to spot runaway projects early and take steps to get them back on track.

What CEOs Can Learn From the Sony Cyberattack

All companies—not just big, public firms—are vulnerable to security breaches. Fortunately, there are measures CEOs can take to mitigate risk.

What CEOs Should Learn from Target’s CEO Resignation

When Gregg Steinhafel, Target’s CEO since 2008, abruptly resigned in May, the company’s recent weak financial performance clearly factored into the change. However, the massive 2013 holiday-season data breach involving 40 million credit cards and 70 million customer records must also have been a factor.

Certain cyber-security warnings appear to have been ignored. In mid-2013, Target installed FireEye, a sophisticated $1.6 million malware (malicious software) detection tool, with online monitoring by Target employees in India. On November 30, the tool flagged someone downloading malware onto Target computers (possibly Russian hackers). The Indian employees notified the security team in Minneapolis. Then, apparently, nothing happened. No action was taken. Subsequently, for three weeks, the hackers copied credit card and customer data, temporarily staging it on other Target computers until wholesale data transfers could be masked in normal business transactions. Finally, on December 12, the U.S. Department of Justice contacted Target after receiving reports of fraudulent charges. The rest is history.

Brussels-based SWIFT is a member-owned cooperative through which the financial world conducts global business operations. Consisting of 10,000 banking organizations, securities institutions and corporate customers in 212 countries, it exchanges millions of standardized financial messages every day. At a recent conference, CEO Gottfried Leibbrandt described the dire situation facing businesses all over the world:
  • “It’s a bad, scary world out there and it’s getting worse. The cyber threat is very real and persistent. If you are not paranoid yet, you should become so.”
  • “While cyber criminals are getting ever better organized and funded, we now also have state actors, focusing on not just snooping, but disruption.”
  • “We… require networks that are designed to meet the highest standards in terms of confidentiality, integrity and availability.”
  • “Data protection is core to what we do and cyber-security is part of our DNA, not an afterthought.”
  • “We fully support the EU Cyber Security strategy consisting of: networks that operate across borders; standards (such as ISO 27001-2); a robust (European) ecosystem of experts and providers.”
While most CEOs acknowledge information security is a top priority, it is often addressed ad hoc after a data breach occurs (i.e., the car engine has seized). The Target incident changes that paradigm, suggesting a more proactive and methodical approach involving an Information Security Management System (ISMS) built on ISO 27001-2 standards. Companies have standard processes for accounting, procurement and HR; why not have an information security system?

The U.S. Department of Homeland Security urges CEOs to ask the following questions:
  • How is our executive leadership informed about the current level and business impact of cyber risks to our company?
  • What is our plan to address these risks?
  • How does our program apply industry standards and best practices?
  • How many and what types of cyber incidents do we detect in a normal week?
  • What is the threshold for notifying our executive leadership?
  • How comprehensive is our cyber-incident response plan? How often is it tested?
With an ISMS tailored to your company (one size does not fit all), you will be alerted to security breaches with high impact on your company. You get the red-light warning that something bad is about to happen, and you can take proactive action with and through your security team. Properly constructed, the alerts cannot be masked or ignored.

It’s a dangerous world out there. Take the first step. Find out what security framework you have, compare it to your industry best practice and develop a plan for improvement. Your shareholders, partners and employees will be reassured; and most important, you will have taken an important step to protect your company’s assets from security risks.

3 Reasons Why IT Frustrates CEOs and What They Can Do...

While most CEOs realize that computers have produced significant productivity gains, many remain frustrated with their company’s information technology activity due to: 1) poor communication; 2) persistent unresolved difficulties; and 3) surprises.

Corporate Weight-Watchers

Is your company overweight, bloated, and out of shape? Is it burdened by rolls of inventory fat? Just how far from "just-in-time" is your delivery? Are your competitors trimmer and nimbler? If so, your organization needs to go on a corporate diet. But don't worry, implementing an "Efficient Consumer Response" system can help you shed those extra pounds.

ECR focuses on reducing value-chain costs through lower systems costs, inventories, and physical assets. This is particularly important today, because consumers are becoming increasingly sophisticated in their pursuit of top-quality products at the lowest price. Thus, manufacturers, distributors, and retailers must squeeze costs out of the total system and can no longer afford the luxury of carrying "nice-to-have" stock in the supply chain just in case of an unexpected run on ketchup or auto parts.

Until now, most ECR effort and cost has been spent on transaction-based activities such as electronic data interchange and point-of-sale scanning. But other opportunities can be found in category management and the sharing of forecasting information. Integrating your systems with your business partners' enables you, your suppliers, and your customers to react as one to swings in demand. Computer systems can be linked, so orders entered into your systems simultaneously will update both your forecasts and those of your business partners. You might even consider common forecasting systems.

With the exception of companies such as Wal-Mart, J.C. Penney, and Ford, most organizations don't share forecasts with their suppliers. Instead, each forecasts separately, using consumer research and other external data that may or may not reflect their market, and may be days, weeks, or even months old. Companies are unwilling (or unable) to share these data because: they need or want a wide range of suppliers, making it impractical to divide the forecast; they are insecure about their own forecasts and the risks associated with others' use of those data; or they are technically unable to link their systems.

Integrating your systems with those of your suppliers and customers is quite different from simply extending terminal support as was done in systems such as the SABRE travel agent system and the Federal Express customer inquiry system. With terminal support, your partners simply are tapping into your data banks; information integration is done manually, if at all. But it doesn't have to, and shouldn't, only work that way.

In 1993, Philip Morris was asked by its largest wholesale customer, Temple, TX-based McLanes, to provide category management for its tobacco products based on established guidelines, including ROI and space limits. Philip Morris built a suite of systems at McLanes that are linked to its own forecasting and inventory systems in Virginia. Demand fluctuations at McLanes now are reflected almost immediately in the Philip Morris systems. Rapid awareness of variations in demand (by SKU and location) enables McLanes and Philip Morris to react simultaneously, reducing the need for large cushions of perishable inventory.

New York Life has 8,000 sales agents throughout the U.S. In the past, these agents shuffled reams of paper back and forth to the home office to sell and close a policy or product. In 1989, the company implemented a PC-based agent support system hooked into the home-office systems that contained all data necessary to sell and close most deals on the spot, without the paperwork. This slashed the commission payment cycle from an average of 30 days to fewer than 10, and provided agents with the tools to lessen their learning curve on new products. The combined system also cut policy approval time; lowered costs; and increased sales, agent productivity, and consumer satisfaction.

With rapid improvements in technology, personal computer manufacturers historically have been burdened with large quantities of obsolete finished goods. Naturally, they pass these costs on to consumers. In its quest to keep costs down, Dell Computer has slashed finished goods inventory from 55 days to 33 days by abandoning the retail store and using a "make-to-order" consumer sales strategy. Dell's systems are high-quality, preloaded with software, and tested. Plus, Dell promises shipment in seven business days. To accomplish this, Dell tightened its entire supply chain with direct ties to component suppliers. Last year, Dell chose one freight company and developed system-to-system links that cut cost and time.

"No pain, no gain," the fitness gurus claim. But that's not necessarily true. Integrating your systems with those of your business partners is a relatively painless, but effective, way to tighten the corporate belt and become lean and mean. Besides, competitively speaking, you can't afford to carry the extra weight.

  Thomas L. Pettibone is partner and managing director of New Canaan, CT-based Transition Partners Co., an information technology management consulting company.