In our introduction to this series, we talked about how securing the software supply chain is like other supply chain transformation initiatives and our intention to learn from initiatives like “green” supply chain and RFID rollouts. This post highlights the sixth of Seven Habits of Highly Successful Supply Chain Transformations, drawing analogies and translating into application security.
One of the simplest and most effective lessons I learned in a course on negotiation in business school was the concept of WIIFM. That’s “What’s in it for me,” and the part that’s really effective, and can be transformational, about a good negotiation is that it acknowledges the WIIFM on both sides of the table. The same is true for good market positioning, where a prospect’s explicit or implicit needs are mapped to capabilities and use cases of a product.
The same lesson can be the making - or breaking - factor for a successful supply chain exercise. Asking a supplier to get on board with a supply chain transformation program requires the enterprise to make it clear what’s in it for the supplier. This is absolutely true in securing the application supply chain, and we can draw lessons from other supply chain transformation exercises to understand why.
Some supply chains are designed with supplier WIIFM at their heart. For instance, Dell’s best practices include consigned inventory supply hubs that allow it to hold almost no inventory while deferring paying suppliers until it is paid by its customers. There’s certainly risk to the supplier in this model, but this is balanced by clear, trusted demand signals from Dell that help suppliers plan their inventory, along with demand shaping - where only products in inventory are promoted and offered in its web store, ensuring that suppliers’ inventory doesn’t sit idle. (See a longer discussion about this in MIT professor Larry Lapide’s “Four Habits of Highly Effective Supply Chains” in HBR’s Supply Chain Strategy.)
In the case of a supply chain transformation, where compliance with a standard is the issue, it’s even more important that the benefit to the supplier is considered. In some cases, the importance of the enterprise customer to the supplier, and the risk of losing the customer’s business over noncompliance, may be enough to drive compliance in the supplier. However, not every business wields the market strength of a Wal-Mart, so it is recommended that a priority of the first days of the supply chain transformation effort is to build a clear case study, based on real data, that shows the supplier that compliance is worthwhile.
Wal-Mart itself has practiced a phased rollout of supply chain transformation aimed at achieving and documenting clear supplier value. As documented in the Harvard case study “Half a Century of Supply Chain Management with Wal-Mart,” its vendor managed inventory (VMI) program, which required vendors to manage inventory at Wal-Mart’s distribution centers based on agreed-on service levels, began with a single product family - diapers - from a single vendor, Procter & Gamble. Half a decade later, the entire supply chain was standardized on this approach.
With the rollout of RFID, Gaukler and Seifert (in “Applications of RFID in Supply Chains”, Trends in Supply Chain Design and Management Technologies and Methodologies) point out that a clear ROI is even more important, since viewed in isolation - through the lens of pure value to the supplier - the ROI on the RFID item-tagging initiative may not be clear. The ROI case has to be made considering value to the retailer and the customer, and then those value increases must be played forward to see the benefit they give the supplier—and all of those have to be spelled out clearly.
Likewise, the HBS case “RFID at the Metro Group” describes a phased rollout, where controlled experiments established that various RFID tagging initiatives would lead to reduced inventory theft, increased availability and reduced out-of-stocks, incremental improvements in sales, and reduced labor, yielding clear benefits for suppliers and Metro alike. The rollout then went to Metro’s top 100 vendors.
What lessons, then, for driving application security into the software supply chain? One important lesson is to deliver clear benefit to the supplier. In the recent webinar by Boeing program manager John Martin on their third-party program, one important point he raised was the economic affordability of static binary scanning to a small software supplier, compared to manual penetration testing. As part of the program, software suppliers move from simple, ad-hoc security testing at the request of their customers to full-blown secure development processes centered around binary static analysis. The improvements made by the supplier as a result of Boeing’s testing program then benefit all its customers.
Veracode’s recommendation is to build success story cases with suppliers early in a vendor application security testing program. Documenting specific benefits that arise as a result of the enterprise’s program is an important first step to bringing suppliers on board.
The Seven Habits of Highly Effective Third-Party Software Security Programs
- Choose the right suppliers
- Put your efforts where they do the most good
- Use suppliers as force multipliers
- Collaborate to innovate
- The elephant in the room is compliance
- Drive compliance via “WIIFM”
- Align benefits for enterprise and supplier - or pay