Extreme Outsourcing: A Dangerous Sport?

Posted on : 27-09-2019 | By : kerry.housley | In : Uncategorized


Recently I’ve thought about an event I attended in the early 2000’s, at which there was a speech that really stuck in my mind. The presenter gave a view on a future model of how companies would source their business operations, specifically the ratio of internally managed against that which would be transitioned to external providers (I can’t remember exactly the event, but it was in Paris and the keynote was someone you might remember, named Carly Fiorina…).

What I clearly remember, at the time, was a view that I considered to be a fairly extreme view of the potential end game. He asked the attendees:

Can you tell me what you think is the real value of organisations such as Coca Cola, IBM or Disney?

Answer: The brand.

It’s not the manufacturing process, or operations, or technology systems, or distribution, or marketing channels, or, or… Clearly everything that goes into the intellectual property to build the brand/product (such as the innovation and design) is important, but ultimately, how the product is built, delivered and operated offers no intrinsic value to the organisation. In these areas it’s all about efficiency.

In the future, companies like these would be a fraction of the size in terms of the internal staff operations.

Fast forward to today and perhaps this view is starting to gain some traction…at least to start the journey. For many decades, areas such as technology services have been sourced through external delivery partners. Necessity, fashion and individual preference have all driven CIOs into various sourcing models. Operations leaders have implemented Business Process Outsourcing (BPO) to low cost locations, as have other functions such as the HR and Finance back offices.

But perhaps there are two more fundamental questions that CEOs or organisations should ask as they survey their business operations:

  • 1) What functions that we own actually differentiate us from our competitors?
  • 2) Can other companies run services better than us?

It is something that rarely gets either asked or answered in a way that is totally objective. That is of course a natural part of the culture, DNA and political landscape of organisations, particularly those that have longevity and legacy in developing internal service models. But it isn’t a question that can be kicked into the long grass anymore.

Despite the green shoots of economic recovery, there are no indications that the business environment is going to return to the heady days of large margins and costs being somewhat “consequential”. It’s going to be a very different competitive world, with increased external oversight and challenges/threats to companies, such as through regulation, disruptive business models and innovative new entrants.

We also need to take a step back and ask a third question…

  • 3) If we were building this company today, would we build and run it this way?

Again a difficult, and some would argue, irrelevant question. Companies have legacy operations and “technical debt” and that’s it…we just need to deal with it over time. The problem is, time may not be available.

In our discussions with clients, we are seeing that realisation may have dawned. Whilst many companies in recent years have reported significant reductions in staff numbers and costs, are we still just delaying the “death by a thousand cuts”? Some leaders, particularly in technology, have realised not only that running significant operations is untenable, but also that a more radical approach should be taken to move the bar much closer up the operating chain towards where the real business value lies.

Old sourcing models looked at drawing the line at functions such as Strategy, Architecture, Engineering, Security, Vendor Management, Change Management and the like. These were considered the valuable organisational assets. Now, I’m not saying that is incorrect, but what often has happened is that they have been treated holistically and not broken down into where the real value lies. Indeed, for some organisations we’ve heard of Strategy & Architecture having between 500-1000 staff! (…and, these are not technology companies).

Each of these functions needs to be assessed and the three questions asked. If done objectively, then I’m sure a different model would emerge for many companies with trusted service providers running much of the functions previously thought of as “retained”. It is achievable, sensible and maybe necessary.

On the middle and front office side, the same can be asked. When CEOs look at the revenue generating business front office, whatever the industry, there are key people, processes and IP that make the company successful. However, there are also many areas where it was historically a necessity to run internally but actually adds no business value (although, of course still very key). If that’s the case, then it makes sense to source it from a specialist provider where the economies of scale and challenges in terms of service (such as from “general regulatory requirements”) can be managed without detracting from the core business.

So, if you look at some of the key brands and their staff numbers today in the 10’s/100’s of thousands, it might only be those that focus on key business value and shed the supporting functions, that survive tomorrow.

Why are we still getting caught by the ‘Phisher’men?

Posted on : 26-09-2019 | By : kerry.housley | In : Cyber Security, data security, Finance, Innovation


Phishing attacks have been on the increase and have overtaken malware as the most popular cyber attack method. Attackers are often able to convincingly impersonate users and domains, bait victims with fake cloud storage links, engage in social engineering and craft attachments that look like ones commonly used in the organisation.

Criminal scammers are using increasingly sophisticated methods by employing more complex phishing site infrastructures that can be made to look more legitimate to the target. These include the use of well-known cloud hosting and document sharing services, established brand names which users believe are secure simply due to name recognition. For example, Microsoft, Amazon and Facebook are top of the hackers’ list. Gone are the days when phishing simply involved the scammer sending a rogue email and tricking the user into clicking on a link!

And while we mostly associate phishing with email, attackers are taking advantage of a wide variety of attack methods to trick their victims. Increasingly, employees are being subjected to targeted phishing attacks directly in their browser with highly legitimate looking sites, ads, search results, pop-ups, social media posts, chat apps, instant messages, as well as rogue browser extensions and free web apps.

HTML phishing is a particularly effective means of attack where it can be delivered straight into browsers and apps, bypassing secure email gateways, next-generation antivirus endpoint security systems and advanced endpoint protections. These surreptitious methods are capable of evading URL inspections and domain reputation checking.

To make matters worse, the lifespan of a phishing URL has decreased significantly in recent years. To evade detection, phishing gangs can often gather valuable personal information in around 45 minutes. The bad guys know how current technologies are trying to catch them, so they have devised imaginative new strategies to evade detection. For instance, they can change domains and URLs fast enough so the blacklist-based engines cannot keep up. In other cases, malicious URLs might be hosted on compromised sites that have good domain reputations. Once people click on those sites, the attackers have already collected all the data they need within a few minutes and moved on.

Only the largest firms have automated their detection systems to spot potential cyberattacks. Smaller firms are generally relying on manual processes – or no processes at all. This basic lack of protection is a big reason why phishing for data has become the first choice for the bad actors, who are becoming much more sophisticated. In most cases, employees can’t even spot the fakes, and traditional defences that rely on domain reputation and blacklists are not enough.

By the time the security teams have caught up, those attacks are long gone and hosted somewhere else. Of the tens of thousands of new phishing sites that go live each day, the majority are hosted on compromised but otherwise legitimate domains. These sites would pass a domain reputation test, but they’re still hosting the malicious pages. Due to the fast-paced urgency of this threat, financial institutions should adopt a more modern approach to defend their data. This involves protections that can immediately determine the threat level in real-time and block the phishing hook before it draws out valuable information.

  • Always check the spelling of the URLs in email links before you click or enter sensitive information
  • Watch out for URL redirects, where you’re subtly sent to a different website with identical design
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply
  • Don’t post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media
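
As an added illustration of the URL-checking advice in the list above (not part of the original post), the sketch below inspects each link in an HTML email for a near-miss spelling of a trusted domain, a trusted brand used as a label on someone else's domain, and visible link text that names a different domain from the real destination. The allow-list, the sample email and the 0.85 similarity threshold are assumptions made for the example.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("microsoft.com", "amazon.com", "facebook.com")  # assumed allow-list
SAMPLE = (  # constructed email body, not real traffic
    '<a href="https://login.micros0ft.com/reset">Reset password</a>'
    '<a href="http://amazon.account-verify.example/signin">www.amazon.com</a>'
    '<a href="https://www.facebook.com/help">Help centre</a>'
)

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # hostname, tolerating link text written without a scheme
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
def registered(host):  # naive last two labels; real code needs the Public Suffix List
    return ".".join(host.split(".")[-2:])

def check_link(href, text):  # reasons a link deserves a second look
    host = host_of(href)
    domain, reasons = registered(host), []
    if domain in TRUSTED:
        return reasons
    for good in TRUSTED:
        brand = good.split(".")[0]
        if SequenceMatcher(None, domain, good).ratio() >= 0.85:
            reasons.append(f"lookalike of {good}")
        elif brand in host.split("."):
            reasons.append(f"brand label '{brand}' on foreign domain")
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and registered(shown) != domain:
        reasons.append(f"text shows {registered(shown)} but goes to {domain}")
    return reasons

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

A check like this only sees the address written in the message; it does not follow redirects, and a page hosted on a compromised but legitimate domain will pass it.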

We have started to work with Ironscales, a company which provides protection utilising machine learning to understand the normal behaviour of users’ email interactions. It highlights (and can automatically remove) emails from the user’s inbox before they have time to open them. They cross reference this information with multiple other sources and the actions of their other clients’ SOC analysts. This massively reduces the overhead in dealing with phishing or potential phishing emails and ensures that users are aware of the risks. Some great day to day examples include the ability to identify that an email has come from a slightly different email address or IP source. The product is being further developed to identify changes in grammar and language to highlight where a legitimate email address from a known person may have been compromised. We really like the ease of use of the technology and the time saved on investigation & resolution.

If you would like to try Ironscales out, then please let us know.

Phishing criminals will continue to devise creative new ways of attacking your networks and your employees. Protecting against such attacks means safeguarding those assets with equal amounts of creativity.

Artificial Intelligence – Explaining the Unexplainable

Posted on : 23-09-2019 | By : kerry.housley | In : Finance, FinTech, General News, Innovation


The rise of Artificial Intelligence (AI) is dramatically changing the way businesses operate and provide their services. The acceleration of intelligent automation is enabling companies to operate more efficiently, promote growth, deliver greater customer satisfaction and drive up profits. But what exactly is AI? How does it reach its decisions? How can we be sure it follows all corporate, regulatory and ethical guidelines? Do we need more human control?

Is it time for AI to explain itself? 

The enhancement of human intelligence with AI’s speed and precision means a gigantic leap forward for productivity. The ability to feed data into an algorithm black box and return results in a fraction of the time a human could compute, is no longer sci fi fantasy but now a reality.

However, not everyone talks about AI with such enthusiasm. Critics are concerned that the adoption of AI machines will lead to the decline of the human role rather than freedom and enhancement for workers.

Ian McEwan in his latest novel Machines Like Me writes about a world where machines take over in the face of human decline. He questions machine learning referring to it as

“the triumph of humanism or the angel of death?” 

Whatever your view, we are not staring at the angel of death just yet!  AI has the power to drive a future full of potential and amazing discovery. If we consider carefully all the aspects of AI and its effects, then we can attempt to create a world where AI works for us and not against us. 

Let us move away from the hype and consider in real terms the implications of the shift from humans to machines. What does this really mean? How far does the shift go?  

If we are to operate in a world where we are relying on decisions made by software, we must understand how this decision is calculated in order to have faith in the result.

In the beginning the AI algorithms were relatively simple as humans learned how to define them. As time has moved on, algorithms have evolved and become more complex. Add machine learning to this, and we have a situation where machines can “learn” behaviour patterns, thereby altering the original algorithm. As humans don’t have access to the algorithm’s black box, we are no longer in charge of the process.

The danger is that we do not understand what is going on in the black box and can therefore no longer be confident in the results produced.

If we have no idea how the results are calculated, then we have lost trust in the process. Trust is the key element for any business, and indeed for society at large. There is a growing consensus around the need for AI to be more transparent. Companies need to have a greater understanding of their AI machines. Explainable AI is the idea that an AI algorithm should be able to explain how it reached its conclusion in a way that humans can understand. Often, we can determine the outcome but cannot explain how it got there!  

Where that is the case, how can we trust the result to be true, and how can we trust the result to be unbiased?  The impact of this is not the same in every case, it depends on whether we are talking about low impact or high impact outcomes. For example, an algorithm that decides what time you should eat your breakfast is clearly not as critical as an algorithm which determines what medical treatment you should have.  

As we witness a greater shift from humans to machines, the need for explainability grows.

Consensus for more explainable AI is one thing, achieving it is quite another. Governance is an imperative, but how can we expect regulators to dig deep into these algorithms to check that they comply, when the technologists themselves don’t understand how to do this?

One way forward could be a “by design” approach – i.e., think about the explainable element at the start of the process. It may not be possible to identify each and every step once machine learning is introduced but a good business process map will help the users define the process steps.

The US government have been concerned about this lack of transparency for some time and have introduced the Algorithmic Accountability Act 2019. The Act looks at automated decision making and will require companies to show how their systems have been designed and built. It only applies to the large tech companies with turnover of more than $50M, but it provides a good example that all companies would be wise to follow.

Here in the UK, the Financial Conduct Authority is working very closely with the Alan Turing Institute to ascertain what the role of the regulator should be and how governance can be appropriately introduced.

The question is how explainable and how accurate the explanation needs to be in each case, depending on the risk and the impact.  

With AI moving to ever increasing complexity levels, it’s crucial to understand how we get to the results in order to trust the outcome. Trust really is the basis of any AI operation. Everyone involved in the process needs to have confidence in the result and know that AI is making the right decision, avoiding manipulation and bias, and respecting ethical practices. It is crucial that the AI operates within publicly acceptable boundaries.

Explainable AI is the way forward if we want to follow good practice guidelines, enable regulatory control and most importantly build up trust so that the customer always has confidence in the outcome.   

AI is not about delegating to robots, it is about helping people to achieve more precise outcomes more efficiently and more quickly.  

If we are to ensure that AI operates within boundaries that humans expect then we need human oversight at every step.