Enterprise Risk Management at Microsoft

This is a brief writeup from an Enterprise Risk Management class that I took back in 2013. The case describes Microsoft from the mid to late 90’s and its efforts to implement an Enterprise Risk Management group. The case mentions former head of treasury Brent Callinicos, who went on to become a regional CFO at Microsoft and the CFO for Uber.

For those who are interested in the case details, check out “Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management” by Thomas L. Barton, William G. Shenkir & Paul L. Walker.

Introduction

Historically, the technology sector has always been subjected to swift, rapid changes. Microsoft has always tried to anticipate new threats and technology advances (i.e. dealing with both existing risks and unanticipated risks). Back in the late 1990’s, technological changes due to the rise of the internet provided Microsoft a different landscape from the historical era of the unconnected, standalone PC. In Microsoft’s 1999 annual report, the first item discussed under “issues and uncertainties” is “rapid technological change and competition”[1].

Additionally, as the mid-90’s era Microsoft launched new products, it also ventured into new business models. The launch of Expedia in 1996 positioned Microsoft as a player in the travel agency business and its Home Advisor product made the company a licensed mortgage broker. These novel business models exposed the organization to a new set of risks, which in turn exposed the risk management group to new challenges.

Moving to an Enterprise-wide Risk Management Approach

Microsoft has always competed in a very competitive landscape replete with technologically savvy competitors and condensing product life cycles. As a result, an enterprise wide commitment to risk management was a necessary and prudent choice to remain competitive in the company’s markets.

The momentum that triggered a more enterprise wide view of risks at the company was the establishment of the risk management group in 1997. Prior to 1997, there was no such group to start the process of implementing an ERM framework. Within the treasury group, the risk management group head Brent Callinicos (also notably the eventual CFO of Uber) set out to develop a consolidated risk identification, measurement and management approach.

The treasury group started with finance risk management changes by increasing the complexity and effectiveness of VAR analyses. Furthermore, treasury presented a paper to the finance committee of the board of directors that analyzed the derivative losses of several major companies. This report precipitated a more integrated approach to the various financial risks handled within treasury. The creation of Gibraltar (a treasury information system) allowed the company to view all of its risks “holistically rather than on a silo basis” [1].

From a business risk perspective, the risk management group worked closely with business unit managers in order to develop risk-financing plans and to aid business units with appropriate quantitative risk modeling. This evangelist approach was an effective method for gaining buy-in regarding the risk management group’s aims.

Microsoft’s Enterprise Risk Management Structure

Microsoft’s risk management group is nestled within the treasury function of the organization. The leader of the risk management group is the corporate treasurer who reports directly to the CFO. Treasury manages somewhere in the neighborhood of $80 billion for the software company [2]. Business risk is divided into worldwide products, worldwide sales & support and worldwide operations. The company does not have a CRO as it decided that a CRO would not be practical.

In my opinion, I believe that Microsoft housed their risk management under the treasury function because they viewed a standalone risk organization under a CRO as duplicative. Treasurers concentrate primarily on managing financial risks but by nature must also be generalists with respect to many types of risk. In a multinational technology company such as Microsoft, various market currency risks exist that require appropriate anticipation and response.

Microsoft is inherently technologically driven. The company has very smart, knowledgeable people naturally embedded into its lines of business. These smart people understand the risks of their technological products and desire to see these products succeed. To the benefit of the organization, the embedded personnel have an inherently risk minded mentality. Therefore the job of the risk management group is to partner with and support the lines of business and various operations groups by adding “incremental value”; i.e. information that the business units may not have considered.

“Microsoft is first run by the product group, then maybe by sales, and finance and risk management will come after that. The risk management group or treasury group will not run the company”[1].

Microsoft previously looked at risk in separate silos. In order to look at risk holistically, the risk management group had to step back and take a strategic assessment, which is a much more challenging endeavor. With this holistic approach, the grouping or correlation of risks is considered as opposed to dealing with one specific risk at a time. For example, Microsoft considered property insurance as the legacy best way to manage the risk of building damage in an earthquake. With a new scenario analysis approach employed by the risk management group, additional risks must be considered that are correlated to property damage. This new correlation mentality required partnering with multiple areas of the company to incorporate additional risks for an appropriate risk assessment.

Use of Scenario Analysis

Scenario analysis is used to understand the risks with respect to situations where it is very hard to quantify or measure the precise impact to the organization. Sequences of events regarding severe earthquake damage or severe shocks to the stock market are risks that are difficult to quantitatively measure and thus scenario-based tactics are applicable to try and gauge the fallout. Additionally, Microsoft uses scenario analysis to conduct stress testing which considers hard to measure impacts of political and geographic circumstances. An order of magnitude approach is used in scenario analysis as opposed to an exact measurement approach. Microsoft uses qualitative language such as “…the quantification of business risks is not exact…” and “Does this feel about right for this risk” in their scenario analyses.

Once the risk management group has identified the risks associated with each scenario, it then partners with other business units to understand impacts. The risk group will also investigate other external organizations that have experienced similar events in order to learn how these organizations weathered their experiences.

The Main Benefits of Enterprise Risk Management

One substantial benefit for Microsoft in moving to an ERM approach is that the company can view and assess its risks holistically as opposed to assessing risks in an independent/uncorrelated fashion. This is evident in initiatives such as the company’s Gibraltar treasury system which provides an aggregated view of market risks.

Another benefit is that the risk management group works across the organizational footprint and can provide input to various groups so that each group can “stay current on what is happening in the business” [1]. The risk management group can diffuse information across the organization by working closely with business unit managers. Face time with product and operations managers allows the risk group to understand risks across the enterprise which contributes to a holistic understanding.

This approach is mutually beneficial for both groups as the risk group gains understanding of new risks (continuous cataloging of risks) and the business units gain insight into risks they may not have previously considered.

“By having the business units educate us on the intricate details of their business, the risk management group can be aware of perhaps 90 percent of the risks facing Microsoft”[1].

Closing Thoughts

At Microsoft, the risk management group doesn’t necessarily have to possess the all-encompassing best risk solution for every line of business. Risk management considers the product managers and the respective lines of business as the most knowledgeable sources of risk within their own domains. The risk group is on hand to provide additional insight for incremental improvement and to enhance or build upon the risk knowledge already contained within the lines of business.

This approach makes sense for a technology company that is teeming with very risk aware and knowledgeable personnel at the operational levels who are designing or working with complex products.

In my work experience at a traditional bank, the risk group was assumed to have the best procedures, templates and analyses with respect to handling credit, market and operating risks.  From Microsoft I have learned that highly efficient and capable risk management can also be a synthesis of understandings from risk management proper and the lines of business.

References:

[1] Barton, T., Shenkir, W., Walker, P. (2002). Making Enterprise Risk Management Pay Off.

[2] Groenfeldt, T.  (Nov, 2013). Microsoft Treasury Wins Best Risk Management Award. Forbes. http://www.forbes.com/sites/tomgroenfeldt/2013/11/19/microsoft-treasury-wins-best-risk-management-award/#4fcade2124ed

B.I. Basics: Create an SSIS Data Profiling Task In SQL Server

Data Profiling is necessary when trying to gain an understanding of a given data set. A data profiling assessment should begin before any reporting or application development work begins. My video will demonstrate how to create a basic SSIS Data Profiling Task using SQL Server Data Tools.

According to the DAMA Guide to the Data Management Body of Knowledge:

“Before making any improvements to data, one must be able to distinguish between good and bad data…. A data analyst may not necessarily be able to pinpoint all instances of flawed data. However, the ability to document situations where data values look like they do not belong provides a means to communicate these instances with subject matter experts, whose business knowledge can confirm the existences of data problems.”

Here is additional information direct from Bill Gates’s former startup outfit regarding the types of data profiling tasks available in SSIS: https://msdn.microsoft.com/en-us/library/bb895263.aspx

More Than You Want to Know About Wal-Mart’s Technology Strategy Part 3

This article is the final piece and a continuation of my earlier analyses (Part 1, Part 2) where I waded into Wal-Mart’s strategy for information risk & security, stakeholder requirements and project ROI. Whether you love or hate Wal-Mart, no one can argue that historically the organization has been highly innovative, effective and efficient. In this third part of my three part series I will broach the company’s strategy for data acquisition, social media, and project execution.

Wal-Mart: Strategy for Data Acquisition and Impact on Business Processes:

Wal-Mart has always been on the forefront of how an organization acquires, handles and shares data with internal and external parties. The company’s information technology spans across their 11,500 stores operating under 63 banners in 28 countries and e-Commerce websites in 11 countries (Wal-Mart Stores, Inc, 2015). This diverse assortment of digital and traditional brick and mortar assets services 260 million customers. The company’s sprawling POS system must remain highly operable and robust enough to harvest daily sales data across its global footprint. In order to accommodate data from a substantial customer base of millions of shoppers, the company must have the requisite back end storage infrastructure. As of 2015, Wal-Mart is embarking on a plan to build a massive private cloud which is expected to make 40 petabytes of data available every day (Buvat et al., 2015). From a strategic standpoint the in-house cloud build-out makes sense, as employing Amazon Web Services would be making the company reliant on a key competitor’s technology offering to house sensitive data.

The data acquired from its POS systems allows the company to better allocate its product mix in real time. For example, on “Black Friday”, which is typically the busiest shopping day of the year, the company’s buyers mine the day’s sales data as early as 6am on the East Coast in order to optimize the company’s product offerings for the day (Sullivan, 2004).

From a data acquisition perspective, Wal-Mart pioneered the use of bar code scanners. The usage of scanners and Universal Product Codes was not just to register the price and make the cashier’s job of processing customers faster (as its early competitors had used the technology); Wal-Mart realized that bar codes enabled the company to determine where and how sales were made. In order to link POS, inventory and supply chain management data together with headquarters, the company invested in its own personal satellite system in 1984 (Sherman, 2013). This investment impacted in-store business processes as analytics could be run against purchase data to determine customer market basket mix and product to product correlations. Being on the forefront of purchasing data analytics allowed the company to more effectively place products in stores that customers demanded.

This information linkage enabled by Wal-Mart’s satellite investment also led to profound business practice impacts with respect to its supply chain management process. As mentioned earlier in this analysis, with the development of Retail Link, Wal-Mart led the industry by providing first P&G and then the rest of its supplier network with direct visibility to real time store-shelf data. This was a highly innovative move as suppliers and internal buyers could work together on “forecasting, planning, producing, and shipping products as needed” (Sherman, 2013). Enabled by its new technology system, the data sharing of information between supplier partners allowed those suppliers to manage inventory at Wal-Mart stores with a more comprehensive understanding of product demand, while Wal-Mart benefited from lower inventory storage costs.

Wal-Mart: Strategy for Social Media/Web Presence:

Wal-Mart operates e-commerce web presences across 11 different countries. Although it is by far the biggest brick and mortar retailer in the world, it has struggled to compete with online “e-tail” competitors such as Amazon and Target. Updating its digital know-how and refreshing its digital properties will be a requirement in order to keep pace in a shifting industry dynamic. To this end, Wal-Mart has embarked upon a number of strategies to keep itself relevant and enhance its digital capabilities. The company is leveraging its web properties to not only analyze purchasing behavior but also review customer search histories and customer social media interactions. The latter activities are aimed at boosting its online sales and predicting customer demand for its brick and mortar locations.

“Teams at WalmartLabs use visualization techniques to analyze social activity to capture insights that may indicate changes in product demand. Walmart can then use these insights to stock extra inventory at locations where it expects higher demand and reduce it from locations with lower demand” (Buvat et al., 2015).

Wal-Mart has also embarked upon a strategy of purchasing startup companies with the intention of adding to the retailer’s knowledge in the mobile, analytics and social media realm. The retailer purchased a company called Kosmix, whose founders had sold a digital company to Amazon in the late 1990’s. Kosmix is a social media data aggregator which analyzes data from Twitter and other social networks with the aim of helping the company understand the relationship between customers and products. Shortly after the Kosmix acquisition, a small team at @WalmartLabs prototyped a new search capability code-named “Polaris”. Polaris helps to determine customer intent when embedded within Walmart.com. “As a result, if a user types in the word ‘denim’, it returns results on ‘jeans’ while ‘chlorine tablets’ returns results related to pool equipment” (Ribeiro, 2012). Within 9 months the prototype was production ready as it replaced an Oracle based product (Endeca) whose search functionality was simply keyword based. The company claims that it sees a 10% – 15% boost in shoppers completing a purchase using the Polaris search algorithm.

One recent splashy acquisition in the e-tail space involved Wal-Mart’s purchase of Jet.com for 3 billion in cash. Wal-Mart realizes that customer preferences have shifted to the online retailer space while Wal-Mart has a substantial legacy footprint in brick and mortar locations. According to the Wall Street Journal, “The retailer gains access to a larger group of young, wealthy, urban shoppers through Jet” (Nassau, 2016). The company also gains access to a startup minded employee talent base, startup executive experience and Jet.com’s proprietary pricing software and customer data.

Additional social project activities employed by Wal-Mart include adding a ratings review capability to its products on Walmart.com and a partnership with Facebook to offer individual pages for each of the retailer’s 3,500 stores. The company has also used the hashtag #lovedata to appeal to potential technology hires.

From an employee social engagement perspective, Wal-Mart developed an internal web site called mywalmart.com with the aim of developing an employee social media community where employees are allowed to blog and answer questions related to the company. Roughly 75% of the company’s 1.4 million U.S. based associates log on to the site (Tuttle, 2010). This effort required integrating multiple disparate websites running on different web platforms (for example payroll and benefits sites).

It should be noted that although the company is taking positive steps in the social media space, its initial attempts in the early 2000’s were clumsily executed. “Its Walmarting Across America blog in 2006, about two Wal-Mart enthusiasts traveling around the U.S. in an RV, was revealed to be less than authentic when it was learned that Wal-Mart paid for the flights, the RV and the gas of the two protagonists. ‘The Hub,’ a MySpace-like clone, closed in October 2006, just 10 weeks after it launched, while a Wal-Mart sponsored Facebook group reportedly had lackluster results” (Edelson & Karr, 2011).

Wal-Mart: Strategy for Organizational Change Management, Project Strategy and Complexity:

Best practice project management principles for handling complexity include implementing risk management practices and analyzing project risk/rewards. This series has already addressed Wal-Mart’s heavy reliance on ROI as a measure of project success. But Wal-Mart also has the advantage of running a common information systems platform for its global operations. This has allowed the company to offset the higher costs of developing in-house systems by building a system once and then rolling it out along with the respective business processes enterprise wide.

The company also lowers IT project complexity by closely examining the current process that the system is supposed to improve. This activity has been described by former CIO Kevin Turner as “eliminate before we automate”.

“Eliminate steps, processes, reports, keystrokes; eliminate any activity that you possibly can for two reasons: One, you’ll end up building a whole lot better system that’s easier to support, and two, invariably you will have a better solution that’s more [user] friendly” (Lundberg, 2002).

Once the system is built, then a piloting phase occurs amongst the stores, distribution centers and customers that will present the most challenges. If the challenges are caught and addressed by pilot builds in the most trying situations, then installing at less challenging locations should experience minimal interruptions.

From an Enterprise Risk Management standpoint Wal-Mart uses a 5 step process that allows its ERM group to work with the business to mitigate many of the risks that the company faces. “The five-step ERM process involves: 1. risk identification, 2. risk mitigation, 3. action planning, 4. performance metrics, and 5. shareholder value” (Atkinson, 2003).

An additional project strategy is to funnel all IT projects through the central IT office with a single enterprise-wide portfolio overseen directly by the CIO. King (2014) asserts that objectively ranking projects by using an automated spreadsheet tool helps to eliminate politically-driven decisions. Resources are assigned to projects based upon criticality and available funds. When available employees and funds are exhausted for the quarter, remaining projects on the list do not make the cut. Technology resources are asked to remain flexible as they rotate to different jobs within the company to gain additional skills. The flexibility of IT resources is a boon to change management plans as resources can be swapped out with minimal interruption to the overall project plan.

In case you missed something, make sure to revisit Part 1 & Part 2 of the series.

References:

Atkinson, W. (December, 1, 2003). Enterprise Risk Management at Wal-Mart. Risk Management. Retrieved from Factiva.

Buvat, J., Khadikar, A., KVJ, S. (2015). Walmart: Where Digital Meets Physical. Capgemini Consulting. Retrieved from https://www.capgemini-consulting.com/walmart-where-digital-meets-physical

Edelson, S., & Karr, A. (April, 19, 2011). Wal-Mart to Buy Kosmix. Retrieved from Factiva.

King, R. (October 2014). Wal-Mart Becomes Agile But Finds Some Limits. Dow Jones Institutional News. Retrieved from Factiva

Lundberg, A. (July 1, 2002). Wal-Mart: IT Inside the World’s Biggest Company. CIO magazine. Retrieved from http://www.cio.com/article/2440726/it-organization/wal-mart–it-inside-the-world-s-biggest-company.html?page=2

Nassau, Sarah (2016). Wal-Mart to Acquire Jet.com for $3.3 Billion in Cash, Stock. Wall Street Journal http://www.wsj.com/articles/wal-mart-to-acquire-jet-com-for-3-3-billion-in-cash-stock-1470659763

Sherman, Richard J. (2013). Supply chain transformation: practical roadmap to best practice results. [Books24x7 version] Available from http://common.books24x7.com.libezproxy2.syr.edu/toc.aspx?bookid=49746.

Ribeiro, J. (August 31, 2012). Walmart rolls out semantic search engine, sees business boost. Retrieved from http://www.computerworld.com/article/2491897/internet/walmart-rolls-out-semantic-search-engine–sees-business-boost.html

Sullivan, L. (September 24, 2004). Wal-Mart’s Way: Heavyweight retailer looks inward to stay innovative in business technology. Retrieved 6/17/16 from http://www.informationweek.com/wal-marts-way/d/d-id/1027448?

Tuttle, D. (February, 17, 2010). Wal-Mart’s social media community earns accolades. Retrieved 6/17/16 from Factiva

WAL-MART STORES, INC. (January 31, 2016). FORM 10-K. Retrieved from https://www.sec.gov/Archives/edgar/data/104169/000010416915000011/wmtform10-kx13115.htm

Anthony Smoak Final Project: Data Visualization and Communication with Tableau

I recently earned a verified course certificate from Coursera in the “Data Visualization and Communication with Tableau” class. This class is the 3rd offered in the “Excel to MySQL: Analytic Techniques for Business” Coursera Specialization. I’m looking forward to taking a couple more MOOCs dealing with Tableau and visualization to supplement and reinforce existing knowledge. I would recommend the class to anyone looking to frame an analysis and learn a good bit about using Tableau.

The Data Quality Face-Off: Who Owns Data Quality, the Business or IT?

This article is also posted on LinkedIn.

Data is the lifeblood of organizations. By now you’ve probably heard the comparative slogans “data is the new oil” or “data is the new water” or “data is the new currency”. A quick type of “data is the new” into the Google search bar and the first result delivered is “data is the new bacon”. I’m not sure how apt this slogan is except to say that both can be highly fulfilling.

With the exception of a well-known Seattle based retailer, most enterprises experience substantial data quality issues as data quality work is typically an exercise in “pass the buck”. An Information Week article shrewdly commented on the risks associated with the lack of data quality:

“There are two core risks: making decisions based on ‘information fantasy,’ and compliance. If you’re not representing the real world, you can be fined and your CFO can be imprisoned. It all comes down to that one point: If your systems don’t represent the real world, then how can you make accurate decisions?” [3]

The Handbook of Data Quality: Research and Practice has reported that 60% of enterprises suffer from data quality issues, 70% of manufacturing orders contained poor quality data and that poor data quality management costs companies roughly $1.4 billion every year [4].

Organizational Hamilton/Burr style face-offs occur in which IT and the business are at loggerheads over the state of data quality and ownership. The business typically believes that since data is co-mingled with the systems that IT already manages, IT should own any data issues. With the high costs of poor data quality I just cited, and the risks of nimble disrupters utilizing data more efficiently to attack incumbents’ market share, both IT and the business need to be on the same team with regard to data quality for the organization’s sake.

“The relationship between IT and the business is a source of tension in many organizations, especially in relation to data management. This tension often manifests itself in the definition of data quality, as well as the question of who is responsible for data quality.” [5]

Anecdotally, IT units do not have the desire to be held responsible for “mysterious” data and/or systems that they had no hand in standing up. In my opinion, the enterprise IT mindset is to make sure the data arrives into the consolidated Enterprise Data Warehouse or other centralized data repository; and if downstream users don’t raise concerns about data quality issues, all the better for IT. Garbage-In, Garbage-Out. If the checksums or record counts from source to target match, then it’s time to call it a day.

The developer or analyst related mindset is to immediately dive in and start building applications or reports with the potential to deliver sub-optimal results because the data was misunderstood or misinterpreted as the “golden copy”. Up-front data profiling isn’t in the equation.

Gartner has suggested that the rise of the Chief Data Officer (particularly in banking, government and insurance industries) has been beneficial towards helping both IT and the business with managing data [2]. The strategic usage of a CDO has the potential to free up the CIO and the enterprise IT organization so they can carry on with managing infrastructure and maintaining systems.

However, most experts will agree that the business needs to define what constitutes high-quality acceptable data and that the business should “own the data”. IT, for its part, is typically the “owner” of the systems that house such data. Thus, a mutually beneficial organizational relationship would involve IT having a better understanding of data content so as to ensure a higher level of data quality [5].

From a working together perspective, I find this matrix from Allen & Cervo (2015) helpful in depicting the risks arising from one sided data profiling activities without business context and vice versa. It illustrates how both “business understanding and data profiling are necessary to minimize any risk of incorrect assumptions about the data’s fitness for use or about how the data serves the business” [1]. Although originally offered in a Master Data Management context, I find the example fitting in illustrating how business and IT expertise should work together.

From: Allen, M. & Cervo, D (2015) Multi-Domain Master Data Management: Advanced MDM and Data Governance in Practice. Morgan Kaufmann Publishers. Chapter 8 – Data Integration.

  • From the bottom left quadrant, low business knowledge and inadequate data profiling activities leave the enterprise in a less than optimal position. This is not the quadrant an organization needs to languish within.
  • The top left quadrant illustrates that business context is high but “knowledge” is unsubstantiated because of the lack of understanding of data quality via profiling exercises. Cue quality guru W. Edwards Deming stating, “Without data, you’re just a person with an opinion.”
  • The bottom right quadrant illustrates the opposite problem where data profiling without business knowledge doesn’t yield enough context for meaningful analyses. Cue a “bizarro” W. Edwards Deming stating, “Without an opinion, you’re just a person with data.”
  • The “Goldilocks” quadrant in the upper right yields appropriate understanding of data quality and the necessary context in which to conduct meaningful analyses.

The more engaged that the business and IT are in finding common ground with respect to understanding existing data and solving data quality issues, the better positioned the organization is to avoid regulatory fines, departmental strife, threats from upstart firms and overall bad decision making. Refuse to become complacent in the data space and give data the attention it deserves; your organization’s survival just may depend upon it.

References:

[1] Allen, M. & Cervo, D (2015) Multi-Domain Master Data Management: Advanced MDM and Data Governance in Practice. Morgan Kaufmann Publishers. Chapter 8 – Data Integration.

[2] Gartner, (January 30, 2014). By 2015, 25 Percent of Large Global Organizations Will Have Appointed Chief Data Officers
http://www.gartner.com/newsroom/id/2659215

[3] Morgan, Lisa. (October 14, 2015). 8 Ways To Ensure Data Quality. Information Week.
http://www.informationweek.com/big-data/big-data-analytics/8-ways-to-ensure-data-quality/d/d-id/1322239

[4] Sadiq, Shazia (Ed.) (2013). Handbook of Data Quality: Research and Practice: Cost and Value Management for Data Quality.

[5] Sebastian-Coleman, L. (2013). Measuring Data Quality for Ongoing Improvement: A Data Quality Assessment Framework. Morgan Kaufmann Publishers. Chapter 2 – Data, People, and Systems.

More Than You Want to Know About Wal-Mart’s Technology Strategy Part 2

This article is a continuation of my earlier analysis (Part 1 here, continued here at Part 3) where I waded into Wal-Mart’s strategy for technology infrastructure and strategy for IT capability & staffing. Whether you love or hate Wal-Mart, no one can argue that historically the organization has been highly innovative, effective and efficient. In this second part of my three part series I will broach the company’s strategy for information risk and security, stakeholder requirements and project return on investment.

Wal-Mart: Strategy for Information Risk & Security:

Wal-Mart operates a massive information system infrastructure that has been called the largest private computer system in the country. As such, the company must be strategic in implementing the proper information security protocols and vigilant in order to react to attempted compromises to its confidential information. Any compromise of sensitive customer information could lead to a significant expense in compensating affected parties and lead to updating systems, processes and procedures to restore customer confidence. This scenario is especially relevant as Wal-Mart’s extensive point of sale system, from a black hat hacker’s perspective, registers a veritable treasure trove of customer debit, credit and gift card information.

In order to mitigate the aforementioned risks, Wal-Mart has complied with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS offers, “compliance guidelines and standards with regard to our (Wal-Mart’s) security surrounding the physical and electronic storage, processing and transmission of individual cardholder data” (Wal-Mart Stores Inc., 2016). Some operational system components of PCI DSS include maintaining a secure network via use of firewalls to protect sensitive data, encrypting cardholder data that is transmitted across public networks, regularly updating anti-virus software, and tracking and monitoring all access to network resources and cardholder data (PCI Security Standards Council, 2016). Former CIO Turner has stated, “Necessity is the mother of invention, and we’ve invested a lot of knowledge and capital in intrusion detection and playing as much offense as we can to make sure that we’re protecting our company. Personally, every day I spend time on security” (Lundberg, 2002).

From a disaster recovery perspective, Wal-Mart maintains redundant primary and secondary information systems to mitigate the risks of operational downtime and/or significant loss of information. The organization keeps primary and secondary information systems physically separated. In 2005, the company was lauded for its disaster recovery and business continuity efforts in the wake of Hurricane Katrina. The company stood up satellite links for its retail centers, enabling those centers to correspond with headquarters despite the loss of phone lines and internet connectivity (Worthen, 2005). Wal-Mart also maintains an Emergency Operations Center (EOC) established in the wake of the September 11, 2001 terror attacks. The organization has a central EOC located at headquarters in Arkansas which works in concert with decentralized EOCs at a division level. During Hurricane Sandy, the organization was successful in moving generators across state lines in order to reopen stores and provide systems operability in a timely manner (PricewaterhouseCoopers, 2005).

Wal-Mart: Strategy for Stakeholder Requirements, Testing & Training/Support:

Wal-Mart’s immense size allows it considerable influence over its supplier stakeholders. Typically, suppliers reside in an inferior position (Wal-Mart can end the supplier relationship or demand sub-optimal concessions from the supplier) which enables the retailing behemoth to dictate industry wide changes in how suppliers and merchants interact. This unbalanced power relationship allows the company to micromanage its supply chain partners from a business process and respective information technology project perspective. When the power balance is more on an equal footing, Wal-Mart is willing to work collectively with a supplier.

Case in point is the lauded cooperation between Procter & Gamble and Wal-Mart in the late 1980’s to implement Retail-Link. Retail-Link was a joint business process and related technology systems project between the two organizations for mutually beneficial gains. Wal-Mart’s in-store point of sale data acted as a pull to automatically trigger manufacturing orders to P&G when stocks were low (Wailgum, 2007). When this concept proved successful, Wal-Mart dictated to 2,000 supplier stakeholders that they must all update their information systems to integrate with Retail-Link. The integration and information sharing with Retail-Link was a boon to Wal-Mart’s suppliers as it provided predictable volumes and constantly humming factories, but the takeaway is that Wal-Mart mandated the terms to stakeholders based upon its asymmetrically favorable power position.

In some cases, Wal-Mart’s technical project mandates to suppliers did not yield mutually beneficial Return on Investment (ROI). An example of this scenario is embodied in the much publicized initiative to have its suppliers adopt RFID in the mid 2000’s. Wal-Mart was seeking to increase its inventory visibility at the warehouse and in its stores. In this case, Wal-Mart did not adequately consider stakeholder technology implementation concerns before issuing its RFID mandate. A supplier is on record stating that the consumer packaged goods industry was not the best early adopter for RFID and that the small margins and project complexities didn’t offer compelling ROI (Wailgum, 2007). The ROI that could be established from a supplier standpoint was to continue doing business with Wal-Mart while only investing the bare minimum in upgrades required to implement RFID. A Gartner analyst has estimated that the implementation costs of RFID for smaller companies would be between $100,000 and $300,000, while larger manufacturers could experience investment costs of up to $20 million (Network World, 2008).

Once a critical mass of important supplier stakeholders decided that their operating costs were being negatively impacted, Wal-Mart decided to back down from its mandate. Only when the favorable power dynamic shifted from Wal-Mart to the supplier network did the company walk back its mandate.

From a development standpoint, Wal-Mart traditionally used the more structured Systems Development Lifecycle (SDLC) methodology. All systems within the company require testing & validation. According to former CIO Turner, “In any development effort, our [IS] people are expected to get out and do the function before they do the system specification, design or change analysis. The key there is to do the function, not just observe it. So we actually insert them into the business roles. As a result, they come back with a lot more empathy and a whole lot better understanding and vision of where we need to go and how we need to proceed” (Lundberg, 2002). Turner also eschews testing systems in low volume stores or with the easiest customers.

Recently, in its more cutting edge Silicon Valley based development division (@WalmartLabs), the company has moved to adopt an Agile development methodology. Agile methodology allows the group to react faster to changing market conditions than the much slower SDLC methodology does. This approach is necessary in a cut-throat marketplace where competitors such as Amazon have been using Scrum for over a decade (King, 2014).

Wal-Mart: Project ROI and Key Success Measures:

Despite the less than successful analysis and grasp of intended project benefits related to its RFID initiative, Wal-Mart relies heavily on ROI as a measure of project success. Cost is a major driver of IT related expenses thus a reliance on ROI is a sensible approach. Former CIO Turner has stated that 33% of Wal-Mart development projects are canceled before they are completed and that 56% of completed projects are subjected to budget overruns of 189%. “One of the problems is that a lot of companies don’t require an ROI except for major purchases. ‘At Wal-Mart, everything has to pay its way, even infrastructure [investments]. A lot of people say you can’t cost-justify infrastructure, but you can. There is a way. You have to make ROI the center of what you’re about, to begin to pay your way’” (Power, 1998). At Wal-Mart all technology implementations are assigned a payback analysis and the savings from the analysis must be incorporated into the business plan. A quarterly report on each project is shared at the executive level to ensure that business unit profit and loss statements reflect the investment value that was initially calculated. The mentality at Wal-Mart is a focus on turning information technology from a traditional cost center to a profit center.

Additionally, the centralized information technology group at Wal-Mart does not saddle its divisions with a chargeback funding method. The company takes a holistic, enterprise-wide view when determining which projects make sense for the company. Wal-Mart can be said to employ the corporate budget funding method where IT managers have considerable control over the entire IT budget. When it’s time to implement a project, the divisions with the largest budgets are treated the same as divisions where resources are more scarce. As of 2004, the organization lacked an IT steering committee, and the absence of one helped speed up the project selection process (Sullivan, 2004). The drawback to this funding method approach is that IT competes with all other budgeted items for funds (Pearlson, Galletta & Saunders, 2016).

Project completion dates in the organization’s nomenclature are referred to as “end dates”. All projects are tracked against the end dates and problem projects are scrutinized when they fall behind schedule. When new systems are deployed it is not uncommon for high level management to solicit feedback from line employees involved in using the system. When necessary, personnel are replaced on project teams in order to increase project effectiveness (Lundberg, 2002).

To be continued in Part 3 where I address these three areas:

  • Strategy for Data Acquisition and Impact on Business Processes
  • Strategy for Social Media/Web Presence
  • Strategy for Organizational Change Management, Project Strategy and Complexity

References:

King, R. (October 2014). Wal-Mart Becomes Agile But Finds Some Limits. Dow Jones Institutional News. Retrieved from Factiva

Lundberg. A. (July 1, 2002). Wal-Mart: IT Inside the World’s Biggest Company. CIO magazine. Retrieved from http://www.cio.com/article/2440726/it-organization/wal-mart–it-inside-the-world-s-biggest-company.html?page=2

Network World. (September, 2008). “Wal-Mart’s RFID revolution a tough sell; Even for the world’s biggest retailer, championing an unproven technology with no clear ROI has been difficult” Retrieved from Factiva on June 13/16

PCI Security Standards Council. (2016). Maintaining Payment Security. Retrieved from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

PricewaterhouseCoopers. (September, 2013). Interview with Mark Cooper. Walmart takes collaborative approach to disaster recovery. Retrieved from http://www.pwc.com/gx/en/industries/capital-projects-infrastructure/disaster-resilience/walmart-disaster-response-strategy.html

Power, D. (June, 1998). WAL-MART: TECHNOLOGY PAYBACK IS IMPERATIVE. Supermarket News. Retrieved from Factiva

Pearlson, K., Galletta, D., & Saunders, C. (January, 2016). Managing and Using Information Systems: A Strategic Approach, Binder Ready Version, 6th Edition

Sullivan, L. (September 24, 2004). Wal-Mart’s Way: Heavyweight retailer looks inward to stay innovative in business technology. Retrieved 6/17/16 from http://www.informationweek.com/wal-marts-way/d/d-id/1027448?

Wailgum, T. (October 2007). How Wal-Mart Lost Its Technology Edge. Retrieved from http://www.cio.com/article/2437953/strategy/how-wal-mart-lost-its-technology-edge.html

WAL-MART STORES, INC. (January 31, 2016). FORM 10-K. Retrieved from https://www.sec.gov/Archives/edgar/data/104169/000010416915000011/wmtform10-kx13115.htm

Worthen, B. (November 1, 2005). How Wal-Mart Beat Feds to New Orleans. CIO Magazine. Retrieved from http://www.cio.com/article/2448237/supply-chain-management/how-wal-mart-beat-feds-to-new-orleans.html

The IT Department Needs To Market Its Value or Suffer the Consequences

This article is also published on LinkedIn.

By now it’s an all too common cliché that the IT department does not garner the respect it deserves from its counterpart areas of the business. This perceived respect deficiency can manifest itself in the lack of upfront involvement in business strategy (we’ll call you when it breaks), unreasonable timelines (do it yesterday), rampant budget cuts and layoffs (do more with less) and/or limited technical promotional tracks (promotions are for business areas only).

IT pros tend to believe that if they’re adding value, delivering difficult solutions within reasonable timeframes and providing it all in a cost efficient manner, the recognition and gratitude will follow. Typical IT and knowledge worker responsibilities fall under the high level categories of “keep things running” (you’re doing a great job so we don’t notice) or “attend to our technical emergency” (drop what you’re doing).

It’s fair to say that there is a perception gap between the true value and the perceived value of what IT brings to the table. Anecdotally, there certainly seems to be a disconnect between the perceived lack of difficulty in business asks and the actual difficulty in delivering solutions. This perception gap can occur not only between IT and the “business” but also between the non-technical IT manager and the technical rank and file.

In this era of automation, outsourcing and job instability, there is an element of danger in one’s contributions going unnoticed, underappreciated and/or misunderstood. Within IT, leaders and the rank and file need to overcome their stereotypical introverted nature and do a better job of internally marketing their value to the organization. IT rank and file need to better market their value to their managers, and in turn the IT department collectively needs to better market its value to other areas of the business.

Perception matters, but IT must deliver the goods as well. If the business misperceives the actual work that the IT department provides and equates it to commoditized functions such as “fix the printers” or “print the reports”, then morale dips and the IT department can expect to compete with external third parties (vendors, consulting firms, outsourcing outfits) who do a much better job of finding the ear of influential higher-ups and convincing these decision-makers of their value.

I once worked on an extremely complex report automation initiative that required assistance from ETL developers, architects, report developers and business unit team members. The purpose was to gather information from disparate source systems, perform complex ETL on the data and then store it in a data-mart for downstream reporting. Ultimately the project successfully met its objective of automating several reports, which in turn saved the business a week’s worth of manual Excel report creations. After phase 1 completion, the thanks I received was genuine gratitude from the business analyst whose job I made easier. The other thanks I received was “where’s phase 2, this shouldn’t be that hard” from the business manager whose technology knowledge was limited to cutting and pasting into Excel.

Ideally my team should have better marketed the value and helped the business partner understand the appropriate timeliness (given the extreme complexity) of this win, instead of just being glad to move forward after solving a difficult problem for the business.

I believe Dan Roberts accurately paraphrases the knowledge worker’s stance in his book Marketing IT’s Value.

“‘What does marketing have to do with IT? Why do I need to change my image? I’m already a good developer!’ Because marketing is simply not in IT’s comfort zone, they revert to what is more natural for them, which is doing their technical job and leaving the job of marketing to someone else, which reinforces the image that ‘IT is just a bunch of techies.’”

The IT department needs to promote better awareness of its value before the department is shut out of strategic planning meetings, the department budget gets cut, project timelines start to shrink and morale starts to dip. IT workers need to promote the value they bring to the table by touting their wins and remaining up to date in education, training and certifications as necessary. At-will employment works both ways: if the technical staff feels stagnant, undervalued and underappreciated, there is always a better situation around the corner, especially considering the technical skills shortage in today’s marketplace.

“It’s not about hype and empty promises; it’s about creating an awareness of IT’s value. It’s about changing client perceptions by presenting a clear, consistent message about the value of IT. After all, if you don’t market yourself, someone else will, and you might not like the image you end up with [1]”

References:

[1] Colisto, Nicholas R. (2012). The CIO Playbook: Strategies and Best Practices for IT Leaders to Deliver Value.

[2] Roberts, Dan. (2014). Unleashing the Power of IT: Bringing People, Business, and Technology Together, second edition.

 

More Than You Want to Know About Wal-Mart’s Technology Strategy Part 1

Wal-Mart has long been associated with innovations in its home-grown information technology systems, which in turn have exerted tremendous influence on its business strategy of everyday low prices. The company was a pioneer in bar code scanning and analyzing point of sale information which was housed in its massive data warehouses. Wal-Mart launched its own satellite network in the mid 1980’s which led to profound business practice impacts with respect to its supply chain management process. Strategic systems such as Retail-Link, spearheaded by industry luminary Kevin Turner, enabled data integration and sharing between Wal-Mart and its suppliers. These systems also enabled the concept of vendor managed inventory. However, not every technology project in which the company invests significant resources turns to gold as Wal-Mart encountered missteps with its RFID technology initiative. Despite the less than stellar ROI and supplier adoption rate of RFID, that effort demonstrated the willingness of its technology to push the envelope in exerting tremendous changes on business processes not only within Wal-Mart but throughout the industry.

Storm clouds are on the horizon as consumer preferences change from “big-box” brick and mortar stores to online retail platforms such as Amazon. To counter Amazon’s online dominance, the company must continue to invest in its digital know-how. Adding new capabilities to its online presences and refreshing its digital properties will be a requirement in order to keep pace in a shifting industry dynamic.

Wal-Mart: Strategy for Technology Infrastructure:

Wal-Mart’s architectural philosophy can be classified by the twin sentiments of “build rather than buy” (the organization has historically held the belief that their information systems provide a competitive advantage over other industry players) and one of innovation. Recently, as consumer preferences have shifted away from “big-box” brick and mortar stores to the convenience of online “e-tail”, competitors such as Amazon and Target have begun to erode Wal-Mart’s retail dominance. In order to react, Wal-Mart has been allocating resources to invest in digital capabilities that will allow the organization to effectively compete and become better aligned with consumer shopping preferences.

Historically, Wal-Mart’s information technology strategy has long favored an internal “build rather than buy” approach which has spawned innovative business strategies. Wal-Mart prefers to build in house strategic systems that allow the company to gain competitive advantages. Retailers are known to prefer home-grown systems and Wal-Mart’s immense size has traditionally been a hindrance in running off the shelf packages (Wailgum, 2007). Globally, the company runs a heavily modified version of IBM’s elderly point of sale (POS) supermarket application at all of its checkouts with the exception of Japan (Zetter, 2009). The in-house systems approach has been a source of competitive advantage for Wal-Mart. “Wal-Mart was a pioneer in applying information and communications technology to support decision making and promote efficiency and customer responsiveness within each of its business functions and between functions” (Ustundag, 2013).

The advantage of an in-house strategic system is that it offers tight alignment between the company’s business strategy and the finished solution. Another advantage of in-house strategic systems as opposed to running off the shelf packages from third parties is the ability to keep proprietary business process and systems knowledge out of the hands of competitors. A third party developer would have no problem advertising a system that was in use at Wal-Mart and then selling that system to competitors. The advantages of the in-house development approach must be weighed against the downsides, namely the higher cost of development and the internal staffing required for new innovative development and on-going maintenance.

Recently, as Wal-Mart tries to use its geographic reach and existing retail infrastructure to compete with Amazon, it is making a move to ramp up its cloud based technology assets. In keeping with its “build rather than buy” approach, the company built its own data centers and developed supporting cloud based commerce applications using open source tools. “‘We took back control of the technology and largely built it ourselves,’ explained Jeremy King, chief technology officer for global e-commerce at Walmart” (Lohr, 2015). Additionally, as of 2015, the company is in the middle of an IT systems overhaul called Pangaea that “includes a hybrid cloud platform and search technology” (Nash, 2015). King, in keeping with the Wal-Mart approach, has stated, “Most people don’t replace entire systems in one shot, especially with from-scratch development…but given how rapidly this place is changing, we didn’t have time to screw around” (Nash, 2015).

Wal-Mart: Strategy for IT Capability & Staffing:

Wal-Mart is not a technology company, but it is a company in which technology is a key enabler of business strategies. Since technology has been a crucial component of the organization’s competitive advantage, its IT governance archetype can be characterized as an IT duopoly. The IT duopoly arrangement allows technology executives and business unit leaders to collaborate on technology projects and decisions. Kevin Turner, who was a Wal-Mart vice president for application development, a former CIO and current CEO of Citadel Securities, has stated that technology payback figures for Wal-Mart initiatives are put into writing, “which in turn requires the affected business units to acknowledge savings and work them into their business plan — or dispute the savings and work with the IT department toward a resolution” (Power, 1998). “‘Do the [business units] always agree with us? No. Will they work with us? Yes. If they don’t, we won’t do anything more for them in the future. And I’ll tell you, that works,’ said Turner” (Power, 1998).

Traditionally, Wal-Mart’s IT staff have a background in other non-technology areas of the business. The company looks to promote its staff out of the IT department, which allows a technological “cross-pollination” of knowledge to occur across the organization. When Wal-Mart is looking to develop new systems it dispatches its top engineers to perform “regular” operations jobs so they can gain first-hand working knowledge of the challenges that line employees face (Boyer, 2003).

As Wal-Mart has looked to withstand new online retail challenges from chief competitors Amazon and Target, its technology staffing mix and organizational structure have had to adapt in order to remain competitive. Former CEO Mike Duke was looking to combine the organization’s stores, information technology assets and logistics expertise into one channel in order to drive growth (Buvat, Khadikar, & KVJ, 2015). Wal-Mart was cognizant that it could not realistically expect the technical staff that it required in order to compete with Amazon to relocate to Bentonville, Arkansas. Therefore, in 2010 Wal-Mart re-organized and consolidated its worldwide e-commerce staff into a new Global division located in Silicon Valley, California. Historically, the company has favored a centralized Information Systems structure coupled with an in-house development approach. Former Wal-Mart CIO Turner has stated, “What we’ve come up with is a model of decentralized decisions but centralized systems and controls. We will have a common system and a common platform, but we have to allow a great deal of flexibility in our systems so that the people in those local markets can do their job in the best, most effective way” (Lundberg, 2002).

The new Global E-Commerce initiative is in keeping with that philosophy as the new division’s key responsibilities include, “running Walmart’s ten websites worldwide, building and testing cutting-edge technology at @WalmartLabs, and building Walmart’s eCommerce capabilities” (Buvat et al., 2015). Additionally, in order to bolster its e-commerce staff, Wal-Mart has purchased 14 companies primarily for the purpose of gaining access to engineering personnel. As a result of Wal-Mart’s emphasis on ramping up e-commerce talent, its e-commerce sales grew from 4.9 billion to 12.2 billion dollars between 2011 and 2014; an increase of nearly 150% (Buvat et al., 2015).

To be continued in Part 2 and Part 3 where I address additional areas such as:

  • Strategy for Information Risk & Security
  • Strategy for Stakeholder Requirements, Testing & Training/Support
  • Project ROI and Key Success Measures
  • Strategy for Data Acquisition and Impact on Business Processes
  • Strategy for Social Media/Web Presence
  • Strategy for Organizational Change Management, Project Strategy and Complexity

References:

Boyer, J. (February, 2003). Technology Helps Stores Order Only As Much As They’ll Sell. Albany Times Union. Retrieved from Factiva

Buvat, J., Khadikar, A., KVJ, S. (2015). Walmart: Where Digital Meets Physical. Capgemini Consulting. Retrieved from https://www.capgemini-consulting.com/walmart-where-digital-meets-physical

Lohr, S. (October 2015). Walmart Takes Aim at ‘Cloud Lock-in’ Retrieved from http://bits.blogs.nytimes.com/2015/10/14/walmart-takes-aim-at-cloud-lock-in/

Lundberg. A. (July 1, 2002). Wal-Mart: IT Inside the World’s Biggest Company. CIO magazine. Retrieved from http://www.cio.com/article/2440726/it-organization/wal-mart–it-inside-the-world-s-biggest-company.html?page=2

Nash, K. (October, 2015). “Wal-Mart to Pour $2 Billion into E-Commerce Over Next Two Years.”, Dow Jones & Company, Inc. Retrieved from Factiva

Power, D. (June, 1998). WAL-MART: TECHNOLOGY PAYBACK IS IMPERATIVE. Supermarket News. Retrieved from Factiva

Ustundag, Alp (Ed.). (2013). The Value of RFID: Benefits vs. Costs. [Books24x7 version] Available from http://common.books24x7.com.libezproxy2.syr.edu/toc.aspx?bookid=49466.

Wailgum, T. (October 2007). How Wal-Mart Lost Its Technology Edge. Retrieved from http://www.cio.com/article/2437953/strategy/how-wal-mart-lost-its-technology-edge.html

Zetter, K. (October 13, 2009). BIG-BOX BREACH: THE INSIDE STORY OF WAL-MART’S HACKER ATTACK. Wired. Retrieved from https://www.wired.com/2009/10/walmart-hack/

Consumer Financial Protection Bureau Infographic: Complaints Analysis

Background

As a data and visualization endeavor, I put together an infographic that highlights some product complaints analyses I performed using publicly available Consumer Financial Protection Bureau data.

In case you are unfamiliar with the CFPB, it is an organization that was created in 2010 as a result of the financial calamity that gripped the nation during the Great Recession. The CFPB’s mission is to write and enforce rules for financial institutions, examine both bank and non-bank financial institutions, monitor and report on markets, as well as collect and track consumer complaints.

On the bureau’s website they host a consumer complaint database that houses a number of complaints that consumers file against financial institutions.

“Each week we send thousands of consumers’ complaints about financial products and services to companies for response. Those complaints are published here after the company responds or after 15 days, whichever comes first. By adding their voice, consumers help improve the financial marketplace.”

Process

I downloaded the complaint database from the CFPB’s website and then decided to concentrate on selected bank complaints from the many financial institutions that are present in the database. I settled on a self-defined “National” category and a “Regional” category and then analyzed the percentage of complaints across three product spaces (Mortgages, Bank Accounts & Credit Cards).

I felt a percentage approach would be more useful than just merely listing a total count of complaints. The national banks category consists of the four nationally known firms: JP Morgan Chase, Wells Fargo, Bank of America and Citibank. The regional banks category consists of ten fairly large regional banks that have product offerings similar to the national banks.

It’s fairly obvious that the behemoth national banks are going to have more mortgage complaints than the much smaller regional banks on a total count basis. The more interesting analysis is to look at the rate of mortgage complaints for the national banks as compared to the regional banks (e.g. divide a specific product complaints total like mortgage by the total complaints for all products; calculate this percentage for national and regional categories across all three products).

I carried out this analysis using the ggplot package in R to generate the base graphics for the infographic. Adobe Illustrator was then used to further refine the graphics into what you see below:

[Image: IST 719 Final Project infographic]

I have an additional unrefined chart that is a straight output from the ggplot package in R. I didn’t have enough space on the infographic to include it there. However, this analysis is the same as is represented in the bottom quadrant of the infographic, except that it solely applies to regional banks.

The analysis consists of totaling all of the specific PRODUCT complaints filed against a particular bank and then dividing that number by the total number of ALL complaints filed against the individual bank (e.g. Total mortgage complaints filed against a bank/total complaints filed against a bank). I call the resulting number the Complaint Ratio.

In the ggplot graph output below we can see that Regions’s “Bank Account or service” product represents about 67% of all complaints filed against Regions. If I were to break out the numbers on a total count basis, we’d see that Regions’s overall complaints total is relatively small compared to other banks. However, the bulk of its complaints are distributed in the “Bank Account or service” product area.

[Image: Regional Data by Product chart]

May your next bank be your best bank.

Additional Reading:

An Interesting Comparison of Bank of America to JPMorgan Chase

The National Shortage of Cyber Security Professionals

The sophistication of techniques and tactics employed by cyber criminals has ascended to a point where U.S. government and private industry must participate in a cyber “arms race” in order to protect their assets from malefactors. This arms race requires the talents of thousands of cyber security professionals to keep national information assets safe. Unfortunately, there is a dearth of talent available in the marketplace to meet this demand. As a result of this shortage, national cyber-defense capabilities are not growing to keep pace with both the number and the sophistication of these attacks on the United States’ strategic information assets. In addition, current security professionals are feeling stressed by staff shortages, which can also lead to a drop in security effectiveness.

The Center for Strategic and International Studies (CSIS) is a bipartisan think tank headquartered in Washington D.C. that focuses on defense and security policies. In their report titled “A Human Capital Crisis in Cyber Security”, they highlight a “desperate shortage” of people with the skills to “design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts” (Evans & Reader, 2013, pg. 4). Furthermore, according to the CIA’s Clandestine Information Technology Office, there are currently one thousand security specialists in the United States who have the specialized skills to operate effectively in cyberspace; however, the United States needs about ten to thirty thousand such individuals (Evans & Reader, 2013).

Competent cyber security specialists are needed on two fronts. The first front deals with operating and maintaining the defense systems and tools that are already in place. The second front pertains to a need for creators and designers who establish new solutions that prevent, detect and mitigate attacks. With respect to those cyber professionals who can contribute on either of these two fronts, organizations wrestle with the questions of “Where do we recruit these individuals and how do we retain them?” Right now the Executive Branch has formulated a “Comprehensive National Cybersecurity Initiative”, where one of its aims is to expand cyber education. The initiative states, “we must develop a technologically-skilled and cyber-savvy workforce and an effective pipeline of future employees. It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950’s, to meet this challenge” (National Security Council, 2013, pg. 4).

CSIS also offers four elements of a strategy that aims to fill the cyber talent pipeline. These elements are paraphrased and listed below as offered by Evans & Reeder (2013, pg. 3):

  • Promote and fund the development of more rigorous curricula in our schools:
    • Several U.S. colleges, funded under the Scholarship for Service program, have been graduating security experts with advanced technical skills. The Scholarship for Service program is offered by the National Science Foundation and provides scholarships to students in cyber security under the condition that they work for the government for a period equal to the duration of the scholarship. Unfortunately, the total number of new graduates with very deep technical skills is around 200 per year.
  • Support the development and adoption of technically rigorous professional certifications that include a tough educational component and a monitored practical component:
    • Emphasize hard technical skills. Do not rely solely on written examinations as an indicator of competence.
  • Use a combination of the hiring process, the acquisition process, and training resources to raise the level of technical competence of those who build, operate, and defend governmental systems:
    • Ensure that those who are hired have the necessary skill sets to be effective. Help those that are currently employed in the security field obtain the necessary knowledge and credentials.
  • Assure there is a career path as with other disciplines, like engineering or medicine, and reward and retain those with high-level technical skills, both in the civilian workforce and in the uniformed services.

Recruiting cyber professionals with highly in-demand skills and certifications also requires special considerations and presents challenges. Competition for this talent creates a bidding war that may prove costly to companies. The bureaucracy and resistance-to-change mentality of typical corporations need to be adjusted to account for the higher-than-average compensation that in-demand cyber security professionals expect. The same organizational bureaucracy presents a challenge when trying to on-board candidates quickly. Federal agencies are known to have long hiring processes as individuals wait to pass security clearances. Individuals in high demand can oftentimes take a position at another, more efficient organization during a protracted wait.

In addition, true superstars may have limited credentialing to demonstrate their expertise as self-taught hackers. Other “reformed” players from cyber security’s “dark side” may be the best prospects (Barr, J., 2012 b, pg. 3).

References:

Barr, J. G. (a) (November 2012). Recruiting Cyber Security Professionals. Faulkner Information Services.

Evans, K., & Reeder, F. (2013). A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters. A Report of the CSIS Commission on Cybersecurity for the 44th Presidency. Retrieved April 15, 2013 from http://csis.org/files/publication/101111_Evans_HumanCapital_Web.pdf

National Security Council. (2013). The Comprehensive National Cybersecurity Initiative. Retrieved April 15, 2013 from http://www.whitehouse.gov/sites/default/files/cybersecurity.pdf

Image courtesy of cjgphotography / 123RF Stock Photo