Sunday, 28 April 2013

5 Lessons from Findus on Managing Your Software Supply Chain

So unless you’ve been on another planet the past few months, you’ll no doubt have been chewing over the probability that your supermarket value beef burger may have contained horsemeat. For most, the bigger shock was the revelation that these cheap and unappetising burgers contained any beef at all. Therein lies a critical lesson: not quite “buy cheap, buy twice” but rather “buy cheap and prepare yourself for some nasty surprises down the line”.

At the centre of the horsemeat scandal have been the complicated cross-EU supply chains, which have aptly demonstrated that no one, from the government to food regulators to manufacturers like Findus, actually seems to know where their meat originally came from.

With commercial software underpinning the IT infrastructure that businesses and governments rely upon for their most vital operations, enterprise customers need to be concerned about understanding their developers and their supply chain.

But while many of the criteria for selecting product suppliers and system developers are the same, there are key differences. Product development, for instance, is usually completed before an acquirer's product and supplier assessment, whereas for bespoke system development you, as the customer, can and should actively monitor both the contractor and product supply chain risks during development.

Remember, a software supply chain can affect all aspects of your system, not just delivery and costs but system assurance, security and ongoing performance. To help you better manage your strategy, here are the top 5 things to consider from the experts at Synetec:

1. You get what you pay for
As market demand for more competitive costs has increased, a distributed approach to software development has evolved, with platforms like oDesk giving access to developers around the globe. But while paying $3 an hour for a developer abroad may appear to save you money, you have to consider not just the financial risk but also the hidden cost. Consider whether you have the time to write an extra-detailed brief, or the capacity and expertise to manage the project on a daily basis, and what the cost/benefit analysis of playing project manager will be.

Think also about what you lose out on, be it an understanding of general business practices or the added value: you have to accept that this approach is not buying you a relationship with a developer who is interested in your business, it is buying you a line of code.

2. Manage your integrated solutions
Commercial software from a reputable developer should almost always be built at a central, controlled location. Engaging with specialised developers like Synetec means you are buying into an established, credible and traceable business relationship, not just a product. This is doubly important because software systems often require different areas of expertise, and increasing the global distribution of development activities creates additional risks to product security and your commercial brand.

Managing this risk requires you to identify not just your developers but their suppliers and any related parties they are using, including: software from original equipment manufacturers; software built to specification that they themselves outsource to further external contractors; and software sourced from repositories of Open Source Software (OSS).

3. Do your due diligence
Effective integrity controls mean that your developer closely manages the internal processes for accessing software components during the development, integration, testing and release of your software. When doing your due diligence, remember to consider: are the facilities where code is being developed secure? Is the developer’s data centre where code is stored secure, and are communications between distributed teams monitored and controlled? Whilst a postcode isn’t everything, it is a strong indication of the stability and credibility of the business. Take a look at our check-list of things to look out for when hiring a developer <link>.

4. Check staffing policies
People are central to your software development success as well as one of the greatest sources of risk. Risks related to staff with malicious intent are not confined to virtual employees in far-flung locations, so as part of your due diligence be sure to review your suppliers' new-starter and leaver policies. Different business functions are usually performed by different people, and they require different levels of access to key assets, be that working on supplier sourcing, new product development and testing, or product delivery. Remember also that, as nice as an NDA is, it’s probably not going to count for much, especially if your developer is in a foreign jurisdiction.

5. Ensure rigorous testing
Experienced developers manage internal and external supply chains effectively, including how they procure code from their suppliers; how they screen and test code; and how code is integrated and tracked throughout the development, testing and delivery processes. This is important both for security reasons and for the quality of the code. Through a series of controls, developers assure that the software components they use are authentic and properly tracked along the supply chain. This can be through systems including online product registration, certificates of authenticity and tamper-proof product packaging.

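As an added illustration of the integrity controls described above (this is example code, not Synetec's or the original post's): a small Python component manifest that records each component's declared origin and the SHA-256 of the supplier's trusted copy, then checks a delivered build against it, flagging altered, missing and untracked components. All component names, bytes and origin labels are constructed.

```python
import hashlib

# Constructed sample: the bytes of three components as the supplier published
# them (real use would read the trusted release artefacts from disk).
TRUSTED_COMPONENTS = {
    "pricing-lib.jar": b"pricing library v1.4.2",
    "report-engine.dll": b"report engine v2.0",
    "oss-json-parser.jar": b"json parser v3.1 from an OSS repository",
}
# Constructed origin labels: who supplied each component.
ORIGINS = {
    "pricing-lib.jar": "developer-internal",
    "report-engine.dll": "oem-vendor",
    "oss-json-parser.jar": "public-oss-repo",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(components: dict, origins: dict) -> dict:
    """Record, per component, its declared origin and the hash of the trusted copy."""
    return {name: {"origin": origins[name], "sha256": sha256_hex(data)}
            for name, data in components.items()}

def verify_delivery(manifest: dict, received: dict) -> dict:
    """Compare a delivered build against the manifest, one status per name:
    ok (hash matches), tampered (declared but bytes differ), missing (declared
    but not delivered), undeclared (delivered but never tracked)."""
    statuses = {}
    for name, entry in manifest.items():
        if name not in received:
            statuses[name] = "missing"
        elif sha256_hex(received[name]) == entry["sha256"]:
            statuses[name] = "ok"
        else:
            statuses[name] = "tampered"
    for name in received:
        if name not in manifest:
            statuses[name] = "undeclared"
    return statuses

def demo() -> dict:
    """Constructed delivery: one component altered, one dropped, one slipped in."""
    manifest = build_manifest(TRUSTED_COMPONENTS, ORIGINS)
    received = dict(TRUSTED_COMPONENTS)
    received["report-engine.dll"] = b"report engine v2.0 (rebuilt elsewhere)"
    del received["oss-json-parser.jar"]
    received["helper.so"] = b"unlisted native helper"
    return verify_delivery(manifest, received)
```

Anything other than "ok" across the board is a question for the supplier before the build goes anywhere near production.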
Every business has a budget and it is only fit and proper that you look for the most cost-effective software solutions; but be aware of the hidden dangers. While most people have brushed off the prospect of having eaten horsemeat in their burgers as unfortunate or even amusing, the lasting damage of this supply chain meltdown will have no long-term impact on the end consumer. If, however, your business-critical software system fails you, the implications may be harder to swallow.


George Toursoulopoulos is a financial technology specialist and Director at Synetec, one of the UK’s leading providers of bespoke financial services software solutions. George started his career with US software giant EDS, becoming the youngest manager in the company’s history, and has since gone on to lead Synetec, where he has continued to deliver world-class solutions for a number of the UK’s most prestigious Hedge Funds and Family Offices. George is a regular conference speaker on the implementation of technology within the financial services industry, with a particular focus on delivering ROI and improving key business drivers. George has lectured on Microsoft development and has served as a director on numerous company boards.
