So unless you’ve been on another planet the past few months, you’ll no doubt have been chewing over the probability that your supermarket value beef burger contained horsemeat. For most, the bigger shock was the revelation that these cheap and unappetising burgers contained any beef at all. Therein lies a critical lesson; not quite “buy cheap, buy twice” but rather “buy cheap and prepare yourself for some nasty surprises down the line”.
At the centre of the horsemeat scandal have been the complicated cross-EU supply chains, which have aptly demonstrated that no one, from the government, to food regulators, to manufacturers like Findus, actually seemed to know where their meat originally came from.
With commercial software underpinning the IT infrastructure that businesses and governments rely upon for their most vital operations, enterprise customers need to be concerned about understanding their developers and their supply chain.
But while many of the criteria for the selection of product suppliers and system developers are the same, there are key differences. Product development, for instance, is usually completed before the acquirer assesses the product and its supplier, so that assessment can only look backwards. For bespoke system development, by contrast, you as the customer can and should be actively monitoring both the contractor and the product supply chain risks while development is under way.
Remember, a software supply chain can affect all aspects of your system: not just delivery and costs but system assurance, security and ongoing performance. To help you better manage your strategy, here are the top 5 things to consider from the experts at Synetec:
1. You get what you pay for
As market demand for more competitive costs has increased, a distributed approach to software development has evolved, with platforms like oDesk giving access to developers around the globe. But while paying $3 an hour for a developer abroad may appear to save you money, you have to consider not just the financial risk but also the hidden cost. Consider whether you have the time to write an extra-detailed brief, or the capacity and expertise to manage the project on a daily basis, and what the cost/benefit analysis of playing project manager will be.
Think also about what you lose out on; be it an understanding of general business practices or the lack of added value, you have to accept that this approach is not buying you a relationship with a developer who is interested in your business; it is buying you a line of code.
2. Manage your integrated solutions
Commercial software from a reputable developer should almost always be built at a central, controlled location. Engaging with specialised developers like Synetec means you are buying into an established, credible and traceable business relationship, not just a product. This is doubly important because software systems often require different areas of expertise, and distributing development activities more widely around the globe creates additional risks to product security and to your commercial brand.
Managing this risk requires you to identify not just your developers but their suppliers and any related parties they are using, including: software from original equipment manufacturers; software built to specification that they themselves outsource to further external contractors; and software sourced from repositories of Open Source Software (OSS).
3. Do your due diligence
Effective integrity controls mean that your developer closely manages the internal processes for accessing software components during the development, integration, testing and release of your software. When doing your due diligence, remember to consider: are the facilities where code is being developed secure? Is the developer’s data centre where code is stored secure, and are communications between distributed teams monitored and controlled? Whilst postcode isn’t everything, it is a strong indication of the stability and credibility of the business. Take a look at our check-list of things to look out for when hiring a developer <link>.
4. Check staffing policies
People are central to your software development success as well as one of the greatest sources of risk. Risks related to staff with malicious intent are not confined to virtual employees in far-flung locations, so as part of your due diligence, be sure to review your supplier’s new-starter and leaver policies. Different business functions are usually performed by different people, and they require different levels of access to key assets, be that working on supplier sourcing, new product development and testing, or product delivery. Remember also that, as nice as an NDA is, it’s probably not going to count for much, especially if your developer is in a foreign jurisdiction.
5. Ensure rigorous testing
Experienced developers manage internal and external supply chains effectively, including how they procure code from their suppliers, how they screen and test code, and how code is integrated and tracked throughout the development, testing and delivery processes. This matters both for security and for the quality of the code. Through a series of controls, developers assure that the software components they use are authentic and properly tracked along the supply chain. These controls can include online product registration, certificates of authenticity and tamper-proof product packaging.
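The component inventory from point 2 and the authenticity tracking from point 5 come together in a simple practice: record every sourced component with its origin and the digest agreed with the supplier, then check delivered artifacts against that record at integration time. The following is an added example, not Synetec’s code or any product’s own mechanism; the component names, origins, artifact contents and digests are all constructed for illustration.

```python
"""Added example: checking delivered components against a supplier manifest.

Each entry records where a component came from (vendor, subcontractor, OSS)
and the SHA-256 digest agreed with that supplier. The artifacts and digests
below are constructed, not taken from any real delivery.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ComponentRecord:
    name: str
    origin: str            # e.g. "vendor", "subcontractor", "oss:<repo>" (hypothetical labels)
    expected_sha256: str   # digest agreed with the supplier when the component was sourced


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the binaries or source bundles actually delivered.
ARTIFACTS = {
    "auth-lib": b"authentic auth library build 1.2.0",
    "report-engine": b"report engine build 3.1.4",   # newer than what was agreed
    "ui-widgets": b"ui widgets bundle 0.9",            # never recorded in the manifest
}

# Constructed manifest: what the customer agreed with each supplier.
MANIFEST = [
    ComponentRecord("auth-lib", "vendor",
                    sha256_hex(b"authentic auth library build 1.2.0")),
    ComponentRecord("report-engine", "subcontractor",
                    sha256_hex(b"report engine build 3.1.3")),   # stale digest on purpose
    ComponentRecord("logging-shim", "oss:example-repo",
                    sha256_hex(b"logging shim 2.0")),            # listed but not delivered
]


def verify_manifest(manifest, artifacts):
    """Compare delivered artifacts with the manifest.

    Returns a sorted list of (finding, component, origin) tuples:
      digest-mismatch  - delivered bytes differ from the agreed digest
      missing          - listed in the manifest but not delivered
      unlisted         - delivered but never recorded with an origin
    An empty list means every delivered component is accounted for.
    """
    findings = []
    listed = {rec.name: rec for rec in manifest}
    for rec in manifest:
        data = artifacts.get(rec.name)
        if data is None:
            findings.append(("missing", rec.name, rec.origin))
            continue
        if sha256_hex(data) != rec.expected_sha256:
            findings.append(("digest-mismatch", rec.name, rec.origin))
    for name in artifacts:
        if name not in listed:
            findings.append(("unlisted", name, "unknown"))
    return sorted(findings)


if __name__ == "__main__":
    for finding, component, origin in verify_manifest(MANIFEST, ARTIFACTS):
        print(f"{finding:16} {component:15} origin={origin}")
```

Run against the constructed data, the check reports three problems: the subcontractor build no longer matches its agreed digest, the OSS shim was listed but never delivered, and the UI bundle arrived with no recorded origin at all. The last case is the one the article’s second point is really about: a component you cannot trace to a supplier cannot be assessed, whatever its digest.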
…
Every business has a budget, and it is only fit and proper that you look for the most cost-effective software solutions; but be aware of the hidden dangers. While most people have brushed off the prospect of having eaten horsemeat in their burgers as unfortunate or even amusing, the fallout from this supply chain meltdown will have no long-term impact on the end consumer. If, however, your business-critical software system fails you, the implications may be harder to swallow.