ADVISORY SERVICE DIRECTOR, CIO CONNECT
CIO CONNECT INTERVIEW WITH MARCELO DE SANTIS
Digital Transformation is a hot topic lately; it seems to be all the rage right now, especially for any business not ‘born digital’, which is basically every large organization out there, except those like Google and Facebook. But what is Digital Transformation? In a nutshell, it is a business ‘going digital’, moving from its traditional market. It could be moving from print to online delivery, or bricks and mortar to e-commerce, or simply putting up an online presence for a traditional business, like a bank or other financial institution. There is a key difference, however, between a traditional organization going digital and a company born digital and that is in the back end – born digital companies are digital end-to-end. Their systems are integrated and ‘talk’ to each other natively. The business was created that way and it is just natural that information will flow from front-end to back-end digitally. Traditional businesses are usually not built that way. Even if you have fully electronic records and systems, like CRM, ERP, accounting, HR, for example, chances are they do not talk to each other easily. Therefore, Digital Transformation is not just about putting up an outward facing digital footprint, but it is about reengineering the entire back end.
Now that we know what we have to do, it’s not that hard, or is it? Modern corporate systems are quite advanced: they have Application Programming Interfaces (APIs), some even have Software Development Kits (SDKs), or in the case of Software as a Service (SaaS) offerings, they are often set up as a platform for developers and partners alike to develop solutions on top (take Salesforce AppExchange as an example). It should be a simple matter of coding some connections between the systems and enabling a fully digital experience for our customers. So why is it so hard for organisations to transform in this manner? The more successful an organization becomes, the greater the forces of stability become. Successful businesses can become inherently hostile to change, a phenomenon known as the ‘Paradox of Success’. As firms grow in size and profitability they become increasingly reluctant to change. This paradox adds significant complexity to any transformation and the problem cannot be solved by technology alone.
Wrong way ‘round
Most organisations start a Digital Transformation from the wrong end – they start with the technology. Yes, the technology is imperative to a successful transformation, but most organisations ignore all the other forces in the organisation and assume that the technology will ‘fix’ the problem. It is often said, ‘You simply have to train the people to use the new technology and all will be fine.’ So why do new systems get implemented and then sit unused? The problem is culture – the way we do things around here. The resistance in the organisation has been put in place over years of rigor and enforced not only by rules, but by the social norms of the organisation. Ignore culture and this engrained behavior at your peril!
The New Normal
Digital Transformation is the ‘new normal’. Organisations must change or they will be left behind. Disruption lurks around every corner and not just from the start-ups or born digital organisations. A successful move into the modern digital world is the only way for large established organisations to remain competitive, but there are many pitfalls to watch out for on the journey.
Others have done it
Since other organisations have made the digital transformation, can we just use their playbook? There are positive and negative lessons we can take from organisations that have tried in the past. Beware, though, of thinking you can outsource the whole process. There are no experts in this field, no matter what they might tell you. The important thing to remember is that every transformation is unique to the organisation in question. As can be seen from some examples, it is important to form your transformation around those things that are important to your organisation and especially your customers. Do not trust this journey entirely to outsiders, but do not forget much can be gained from some external insights. Seek help on your journey, but do not hand over the keys.
Some organisations have undertaken successful transformations to digital and we can learn from their experiences. Take Hive from British Gas as an example. An organisation doesn’t get much more established and set in its ways than a two-hundred-year-old utility. Hive provides a fully digital experience for the consumer with the ability to track and control their home heating and hot water from anywhere via smartphone, tablet, or laptop. How did they do it? They utilized lean thinking and agile development but kept a form of ‘docking’ with the main IT department and broader organisation, from which they sought ‘air cover’ and the freedom to proceed without getting rejected by the traditional business. Leveraging the trusted brand, they created a frictionless customer journey – thinking of the customer, not the technology. They also iterated with conviction alongside feedback – user experience over design. https://www.hivehome.com/
Travelex set out on a transformation journey with some key principles and avoided trying to ‘boil the ocean’. They emphasized the long game while racking up quick wins. They communicated relentlessly and integrated the changes throughout the organisation – avoiding the ‘cool kids in the corner’ syndrome. In short, they had a three-phase approach; build out capabilities, build new products, then launch transformation initiatives. These are important lessons to be learned from these two successful transformation initiatives.
There is much more to a successful Digital Transformation and while the road is littered with the carcasses of unsuccessful transformation initiatives, there are many successful examples from which to take ideas and learn lessons. A few points to remember:
- Centre your transformation around your target customers – don’t transform just for technology’s sake, make sure you are improving the customer journey. Customer first.
- Develop, prototype, test, and adjust quickly – remember to keep a connection back to the core business and IT department along the way. Learn fast.
- Transform in phases – get the core capabilities in place, assemble those capabilities into offerings, then launch longer-term transformation initiatives. Deliver fast.
Daryl Dunbar is a master of business rescue and development combining entrepreneurial creativity and pragmatic discipline. He works with organizations ranging from start-ups to large multinational and not-for-profit corporations, particularly in the areas of strategy, innovation, technology, operations, business design, corporate development, and venture capital. He is the Strategy Lecturer for IME in Singapore and a regular guest lecturer at MIT on innovation in large organisations.
As published on Enterprise Innovation, on August 22, 2017
We have all seen the headlines and read the stories about how organizations fail to apply basic security practices-- and ‘somehow’ expose sensitive data, or suffer interrupted business causing chaos and a loss of confidence in their brand.
The industry reacts and in some cases fans the flames of these fears, consulting firms jump on the chance to rabble rouse and tech companies tweak the blinky boxes (technology focused solutions) to block the latest adversary tactics.
During my long career in this industry I have found that typically organizations will make correct cyber security investments if presented with a solid business case that carefully weighs benefits and costs. Information and Communications Technology (ICT) ecosystems are complex and there are many ‘right’ decisions. It is important to identify the right decision for your organization. This is doubly true for large multi-national enterprises or nation-states featuring tech driven societies such as Singapore, Malaysia, Thailand, and Indonesia. To address this challenge, we must change our poor-cyber-habits which lead us down a path of reactionary measures and adopt future proof approaches.
This article will lay out a few guiding principles that leading organizations use to inform their plans, guide their architectures, enable risk management decisions and invest their limited budgets.
Our experience is rooted in the US Intelligence and Defence communities. We have seen at first hand the tools, tactics and tradecraft of well resourced ‘nation state’ level hackers and the mercenaries they train and employ. We have developed cyber strategies, plans and programs for global companies, governments and critical infrastructure providers. We have seen what works and what fails.
One commonality that we see is that effective cyber security leadership starts with a well-informed board of directors and their management team who can quickly understand the risks, consequences, and cascade effects of a cyber threat.
These 8 guiding principles will inform leaders of organizations that operate critical infrastructures how to enhance their strategies, architectures, and culture to reduce potential impacts of undesired cyber events. This is not a full house view or a prescribed list of fixes. The adversaries we face, coupled with increasing connectivity and complexity of our ICT, demand a more holistic and dynamic approach to cyber security.
Eight Guiding Principles for establishing an enduring Cyber Security Program:
1. Culture is crucial
Creating an environment that encourages others to follow is particularly challenging given how IT provides more conveniences in our daily lives. We are used to having instant access to information when and where we want it. As a result, we must trade security for convenience and develop a plan to carefully balance the risks with the benefits that expanded connectivity and easy access to company resources provides. Creating a culture of safety and security takes a leadership team committed to empowering their staff to make decisions and realize the consequences that can have. To assist in developing the right security culture, the workforce must be reminded of the advanced threats that the organization faces and have transparency for when something does go wrong and how it was corrected. Having a strong disciplinary and reward process is also important. Testing staff regularly through drills, or even simulated phishing or malware campaigns, is important to keep folks sharp and vigilant. Finally, it is important for leaders to ‘practice what they preach’ and not exempt themselves from restrictive rules (e.g. 2-factor authentication or remote access policy that is waived for execs). Your staff is the front line in the daily battle to safeguard your data and business operations, so it’s good to invest in raising their knowledge and establishing a collaborative culture for cyber security throughout your organization.
2. Be resilient, not secure
In the past we have focused on castle wall strategies that layer on defensive capabilities to keep the bad guys out. This is a failing plan, because we simply cannot afford to protect everything. Our networks are more complex than ever and the adversary can easily develop an attack, while defence can cost more than 10 times that amount. Look within your organization and first map your ecosystem to understand how your data and ICT support your most essential functions to keep the organisation running, and know where your information is at all times. We must shift our strategies to Cyber ‘Resilience’ and Cyber ‘Survivability’ to ensure that our most essential business functions can continue in a trusted way. This means having an effective “plan B” and/or battle hardening critical systems and applying a costly resilience engineering approach, designing essential systems to “fail gracefully” while under attack but continuing to support essential functions in a degraded mode.
3. Trust but verify
Recognizing that serious cyber issues can start with misplaced trust placed in others is an important first step in closing a significant gap we often find in large enterprises. Trust is a broad term, but in this context we are focusing on Insider Threats and 3rd Party Risk. Insider Threats could range from a bad apple (employee gone rogue) to a contractor with little loyalty to your brand. Addressing insider threats takes teamwork from the folks who interface with your staff, typically Human Resources, Physical Security, and the IT Department. These agents coordinate their approach on monitoring employee behaviour [e.g. is that employee logging in constantly while on vacation, in Brussels? Why?] and creating the policy and legal frameworks to act on suspicion. Finally, 3rd Party Risk is a growing concern as the notion of traditional business operations is replaced with outsourcing by cloud computing, managed services that carry your data and secrets along with it far from your doorstep. Shadow IT is a particular threat because there is little to no technical oversight of the risks and countermeasures and you are often in the dark when something happens. Plan with an understanding of the threats and consequences from inside and outside your organization, and ensure that you have the right legal frameworks and technology monitoring in place to practice a trust but verify approach to mitigating these risks.
4. Focus on your information
Fundamentally what are we trying to protect? What information do we hold onto and what is the worst-case scenario for when it is exposed, corrupted, or manipulated? Before all the buzzwords took over, it was about information security. Organizations should understand that data and information impact their organization's business operations and reputation (see note earlier on resilience); therefore, they must put in necessary policies on data retention, destruction, and most importantly classification. If we treat data all the same we will end up with something unmanageable as the complexity of these information systems will continue to grow, especially factoring in 3rd party processing of data. Information and data is categorized and mapped. Draw a line around what you are willing to protect based on budget constraints and carefully balance your program against consequences and regulatory requirements. Publishing a guideline on information and how it should be secured will help inform the architects of your ICT environment as well as incident responders who must reconstitute business operations during a cyber crisis.
5. Win the war for cyber talent
Recruiting and retaining talent is about culture. Yes, money is important, but opportunity, career mobility, and creating a culture to succeed is what is needed. There is an overall shortage of cyber security professionals. In Cybrary's Cyber Security Job Trends Survey for 2016, 68 percent of the 435 senior-level technology professionals surveyed said that there is a global shortage of skilled cybersecurity professionals and that there are currently a million jobs for cyber security positions around the world. To attract top talent you need to engage with the cyber security community by keeping an active social presence and demonstrating you are leaning forward and open to new ideas and approaches in cyber security. Offering generous training programs, flexible work schedules, and telework options for security professionals fits the typical lifestyle. Think outside of the box -- create social events and perhaps work-exchange programs with their industry partners to give them opportunities and exposure to broaden their experience and ensure that they have the tools to do their job. They’re geeks, with a passion for security. Leverage that. Don't sacrifice investments in your staff for the bottom line; recognize that recruiting and retaining cyber security professionals is not easy.
6. Leapfrog your adversary
Innovate!, Innovate!, Innovate! This sounds like a battle cry, but there is something satisfying in out-manoeuvring your adversary. In an age where a cyber breach, data destruction, or worse, manipulation, can be a mortal threat to a company, (or its board of executives), it is important to lean forward in your approaches to mitigate risks. Technically speaking, the internet using the TCP/IP protocol has operated fundamentally the same since it was invented in the 1960’s. We have bolted security on top. There are many who believe a complete internet overhaul is in order-- but others who come up with new ways to squeeze functionality and trust over this age-old resource. Either way, to survive in these cyber times, run towards change and embrace innovation by investing heavily in research and development and trying new tools, tactics, and techniques to secure your data. Choose nimble start-ups and consultants with brave new approaches to inform your strategies, plans and programs towards a more trusted end state. By the time there is a commonly available solution, the bad guys have moved on to the next thing.
7. Measure twice cut once
… but keep the glue can within reach. Metrics help us check the pulse of the organization and predict if there will be a breakdown in technology, a process failure, or environmental effects that could lead to a ‘black-swan’ event or as others have called it, an unknown-unknown. Establishing key risk indicators for cyber along with your enterprise risk management program is an important element in determining how risk is understood and reported. Cyber should be treated differently than other risk management key indicators because cyber is often cross-cutting other disciplines so it will take a whole-of-team approach to collect the necessary metrics and report on progress. We recommend that organizations create a ‘mission effectiveness’ metrics approach to understanding how investments in solutions buy-down the risk but also increase the cost required for an adversary to attack your networks. Because securing an enterprise against well-resourced next generation adversaries can be expensive, it all comes down to justifying the business case and having a robust metrics program linked to business efficiencies that help demonstrate the benefits of the program over time. By measuring investments in cyber risk mitigation capabilities against business performance an executive can begin to measure the effectiveness of their cyber security programs. Understanding how investments in cyber security capabilities apply to business performance enables a more meaningful dialog with the Chief Information Security Officer on their program budget.
8. Listen to Sun Tzu
The Art of War by Sun Tzu was written over 2,500 years ago. If you have never read this, I highly recommend reading the complete 13 chapters which capture wisdom that has stood the test of time. One such passage is about knowledge and insight into one's own capabilities as well as the enemy’s strengths and weaknesses. It states: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” This statement seems simple, but applying these lessons to cyber security is quite complex. It is much like warfare and the stakes are high. Organizations that operate on today’s internet fight for resources in this highly contested environment-- knowing your adversary's motivation and how you appear to them is a critical step in planning your defensive strategies. This approach ensures that your cyber operations team has the knowledge not only to recover from an unanticipated cyber event, but to recover in a way that deceives the adversary, protecting you from a follow up attack. Sun Tzu has many relevant things to say about how we can enhance our cybersecurity practices and approaches, and we encourage you to read The Art of War.
By adopting these eight guiding principles you will enhance your plans, architectures, and enable risk management decisions. Please contact us through CIO Connect. Our team is ready to answer any follow up questions that you have.
To recap, organizations can start right away to enact these eight principles:
- Security is led by the executives of the organisation. They embody the culture.
- Map your ecosystem to understand how your data and Information and Communications Technologies support your most essential functions and consider what is important to keep the mission running
- Address insider threats proactively; organizations can’t afford to wait until a malicious insider deals a mortal blow to the organization, and this will be very costly.
- Think outside the box on your recruitment and retention strategies for Cyber Security Professionals - flexible work hours, empowerment from mentoring by industry leaders and education opportunities. Give the cyber team the tools that they need to do their job and access to information. Be sure to give them the right authorities. Be careful not to create an elitist group within the company, but don’t be held back by stringent human resources methodologies of the past.
- Implement an effective governance program that connects enterprise risk with cyber risk, and plan ahead to measure the organization’s investments against their effectiveness in protecting the business mission (not security for IT’s sake).
- Finally, lean forward in innovation. Invest in research and development into new capabilities. Partner with your peers in industry (sometimes even sharing cyber information with your competitor is critical in combating a sophisticated adversary). The next generation adversaries will attack you all the same; it’s easier to join forces in this digital battleground.
About the Author: Mr. Anthony Bargar, is the Managing Director of the Cyber Security Consulting Group (CSCG) with offices in Thailand, Singapore and Washington DC. Through their partner CIO Connect, they educate Boards of Directors, CIOs, other C level executives and senior leaders on Cyber Security, the ever-increasing risks and methods for thwarting them. CIO Connect provides advice to technology and business leaders on the opportunities and challenges that digital technology developments create.
If you would like to talk to us to understand more, please contact Emma Burrows email@example.com.
Can we keep the bad guys out of our networks? – “NO”, says the former Senior Policy & Strategy Advisor for the US Department of Defense, Mr. Anthony Bargar
Instead we must shift our strategies to Cyber ‘Resilience’ and Cyber ‘Survivability’, to ensure that our most essential business functions can continue in a trusted way despite operating in a hostile information and communications technologies (ICT) battle zone some call “the internet”.
Anthony Bargar has spent a better part of his career in Washington DC, in the US Intelligence Community, and Department of Defense where he started out as a white-hat hacker hacking into military intelligence command and control (C2) systems to demonstrate weaknesses and design more secure architectures, and has since worked on sensitive counter-espionage cases to gather digital evidence to identify and prosecute spies. He quickly moved up the ladder eventually landing at the US Office of the Secretary of Defense (OSD) where he supported the Department’s Chief Information Officer (CIO), and was assigned to National Security Council where he helped the White House re-write the US Cyber Strategy. Mr. Bargar left government service in 2010 and went to Wall Street, where he was the chief consultant to the NASDAQ OMX and helped safeguard the high speed trading networks from Nation state level hackers, he and his team were instrumental in assessing and enhancing NASDAQ’s security program.
Asked about keeping the bad guys out, Anthony said, “We can’t afford to protect everything, our networks are getting more complex and the adversary has to spend very little in developing an attack, while the cost of defense can be a factor of 10 if not more”. He went on to tell us, “The industry has led us to acquire ‘blinky box’ syndrome, that is throwing too much technology at the problem – organizations need to look within and first think more strategically about what is important to keep the mission running, and about where their information is at all times”. Adversaries are now shifting their tactics to attack trust, and take our data hostage—as evident in the global ransomware attacks -- this is an escalation and the more dependent we become as digital societies, this will give rise to increased attacks on our data networks, and information that we depend on for our daily lives -- the stakes will just get higher and higher as time goes on.
Mr. Bargar leads a consulting group comprised of similarly experienced experts working with the private sector and governments worldwide on resilient architectures, effective strategies, and leap ahead technologies to reduce risk and create business opportunity. Anthony is currently focused in SE Asia enhancing cyber maturity to counter for next generation adversaries. He launched CSCG’s SE Asia HQ in Singapore and has recently inked a collaboration with CIO Connect Pte Ltd to educate Boards of Directors, CIOs, other C level executives and senior leaders on Cyber Security, the ever increasing risks and how they can be thwarted.
CIO Connect is a boutique advisory firm that brings pragmatic tangible advice from tenured advisors with extensive experience of working in IT and the business. We provide advice to technology and business leaders on the opportunities and challenges that digital technology developments create.
“Effective Cyber Security Leadership, starts of course with a well informed board of directors, and their management team who can quickly understand the risks, consequences, and cascade effects of a cyber threat and the decisions they make”—said Anthony Bargar.
“We have been searching for the right senior level cyber security expert who can discuss Cyber strategies with C suite members and the technical implications for IT people. There are many people positioning themselves as experts who aren’t.” – said Barb Dossetter
Working with CIO Connect, the Cyber Security Consulting Group will offer a series of Master Classes on the following subjects:
Data Breaches and Cyber Resilience– Strategies, tactics and countermeasures to today’s ransomware and other sophisticated cyber threats.
Controlling Cyber Risks from 3rd Parties and Outsourcing ICT Operations – Recognizing risks to your organization resulting from the growing trends of cloud computing, outsourcing ICT operations, and increasing dependence on 3rd parties.
Executive Management of Cyber Security – Build a plan to manage board communications, ask the right questions as leaders, evaluate the effectiveness of your programs (Cyber Maturity Analysis), and implement a governance program that is flexible and adaptable to the cyber threats tailored to your organization.
If you would like to talk to us to understand more, please contact Emma Burrows emma.burrows@cio-connect.com or you can find out more by visiting our website at www.cio-connect.sg
As IT, you deliver every day - day in and day out. However, it seems that the only time your business colleagues seem to take an interest is when something goes wrong. This is a common ‘brand issue’ with most IT departments. The effect on the organisation as a whole, is that the organisation has not leveraged the investment in technology. While that might have been ok 20 years ago, now this means that the organisation is not leveraging the huge investment (between 1 and 6% of revenue) in technology. By taking control of your brand, you can reposition IT in the corporate mind.
This can start with a masterclass as a catalyst for change. As a result, clients have repositioned themselves as partners to their business colleagues with measurable improvements to the bottom line.
On this masterclass we cover:
- The Power of the brand
- Managing stakeholders
- Communicating for success
Email me at firstname.lastname@example.org to find out more.
Options for a CIO in Resolving Contractual Problems
Organizations increasingly rely on a complex and fast moving network of third parties including ‘as a service’ or cloud providers to implement and support critical IT services. And so they should - out-tasking removes many technological risks from businesses not best equipped to deal with them. CIOs are also rightly encouraged to embrace disruption and ‘start-up’ vendors to maximize opportunities from innovative ways of working.
At the same time we must recognize that these positive trends introduce a significant level of commercial risk that cannot be left unmanaged. In a dynamic multi sourced network there is a greatly increased risk of vendors failing to deliver the required level of integrated services. The three most common areas that give rise to problems are vendors:
- Not adopting collaborative behaviours when working with competitors to deliver an integrated service
- Being resistant to proposing innovation and change to the benefit of the client
- Not adopting constructive approaches to resolving disputes which can arise even in the best managed relationships
The increasingly volatile nature of the vendor market and the lower capital strength of new vendors in the market also present increased risks to service continuity from failure to stay in business or from being absorbed into stronger – potentially less attractive - competitors.
There is much good advice, especially from CIO Connect, around how to manage vendors to mitigate these risks. I do not intend to repeat that in this article, but rather to explore what options exist for a CIO and team when prevention has not worked.
Managing the Conflict
Technology failures and human errors cannot be avoided completely even in Tier 1 providers. In a complex outsourced service model these invariably lead to disputes over who is responsible and who should pay. The contract may appear to be clear on this but very often day to day service delivery depends on important intangibles not covered by the legal allocation of responsibilities and liabilities. From my own experience as a CIO I am clear that naïvely hoping that disputes don’t happen doesn’t work. We need to accept that a constructive approach to managing conflict is essential to maximizing value from key and long term vendor relationships.
My current role as an arbitrator has taught me that positive dispute management should be based on very clear processes for escalation of a problem within the party organizations. In many cases the problem will be resolved eventually by an agreement between individuals and it is essential that good communication lines are kept open throughout the dispute.
However it is naive to assume that parties to a dispute will be able to take an entirely objective view of the problem unaffected by their own corporate pressures and interests. Inter-party negotiations should be supported by early recourse to a professional third party able to provide an independent view before parties become too entrenched. It is important to ensure during contract negotiations that such recourse is incorporated in a valid arbitration clause.
There are two main approaches to independent involvement in a dispute. In the first category the parties to a dispute may commission an independent analysis of the causes of a dispute and a report containing an objective assessment of the dispute and a proposed framework for resolving the dispute. This is known as early neutral evaluation or ENE, and is often the forerunner to the appointment of an independent mediator between the parties who will endeavour to facilitate an agreed settlement between the parties.
However if an agreed settlement is not possible through ENE or mediation, the parties may agree to the appointment of an independent arbitrator. An arbitrator will conduct a formal resolution process and the parties must agree in advance to accept the outcome of the resolution. Arbitrations for contracts concluded under English Law will be conducted within the Arbitration Act 1996 but other jurisdictions have similar legislation and sets of arbitral rules governing the conduct of the dispute.
An arbitration is not a court case and need not involve legal representation. However it still provides an effective resolution as it is a legally binding process, rules of evidence apply and an arbitrator’s awards are usually legally enforceable.
Managed correctly, arbitration should always be more cost effective than litigation. With the agreement of the parties it is possible for the arbitrator to fix in advance how much the case will cost and how long it will take.
In addition the parties are able to select an arbitrator who is qualified to understand the professional and technical context of their dispute. In many cases the arbitrator can deal with the case without a hearing but even if one is required the arbitrator will seek to minimise the adversarial nature of a court case and concentrate on establishing the merits of each case using the facts rather than points of law.
The arbitrator is also legally bound to conduct the resolution with strict impartiality and also ensure confidentiality unlike a court case which of course is in the public domain.
In short taking a dispute to arbitration means that it can be resolved in a legally binding way but as it is conducted confidentially, impartially, and relatively swiftly at a known cost the matter can very often be resolved without undisputed areas of the contract being affected.
Prevention is always better than cure and, to ensure effective management of the risks arising from reliance on external sources for key business services, CIOs should have good vendor management processes and a clear understanding of vendor risks in place.
However CIOs also need to be aware that problems will arise even in the best managed contracts and having a constructive approach to managing disputes in place is essential. Early recourse to an independent mediator or arbitrator is part of a constructive approach and this will often be crucial in ensuring that vendors deliver the business value that was anticipated during the procurement and sales process.
About the Author:
Stephen Hand is a Fellow of the Chartered Institute of Arbitrators and a member of the Institute’s Business Arbitration panel. He is the former CIO of a global marine organisation with many years senior IT management experience.