Monday, May 12, 2014

American Electric Power Leverages Dynamic Discounting to Bring New Efficiency and Innovation to Buying

Transcript of a BriefingsDirect podcast on how both buyers and sellers can benefit from a cloud solution to discounting.

Sponsor: Ariba, an SAP company.

Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast series coming to you from the recent 2014 Ariba LIVE Conference in Las Vegas. We’re here the week of March 17 to explore the latest in collaborative commerce and to learn how innovative companies are tapping into the networked economy.

We’ll see how these companies are improving their real-time business productivity and sales, along with building far-reaching relationships with new business partners and customers.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Ariba-sponsored BriefingsDirect discussions.

Our next innovator case study focuses on American Electric Power and how they’ve been improving their financial processes and operations using Ariba Dynamic Discounting. We’ll learn how a real-time business-process approach to billing, ordering and settlement terms between buyers and sellers benefits both American Electric Power and its vendors.

To learn more about agile business services, please join me now in welcoming our guests, Drew Hofler, Manage Cash Solution Marketing Director at Ariba, an SAP company. Welcome, Drew.

Drew Hofler: Thank you, Dana.

Gardner: We’re also here with Rick Gray, Senior Treasury Specialist at American Electric Power in Columbus, Ohio. Welcome, Rick.

Rick Gray: Glad to be here.

Gardner: First to you, Drew. What are the pressures now? We’ve heard a bit about Dynamic Discounting in the last couple of years, but I’m wondering what's the new impetus? What’s changed that makes Dynamic Discounting more relevant than ever?

Hofler: The fundamentals around Dynamic Discounting that drive it are the buyers, their not having a lot of cash on hand. Not getting return on cash hasn't changed a whole lot in the last few years. Companies still have a lot of cash, but the Fed funds rate is still very low.

On the supplier side, one thing that has changed for them a little bit is that the actual credit crisis has thawed a little bit, but not completely. The thing that's really changed for suppliers, and it was more of a gradual change, is that they all see longer payment terms now from their buyers. In the old days, before 2008, net 30 was your base term. Now, net 45, net 60 is standard, and many suppliers are facing longer terms than that.

Dynamic Discounting offers the great relief valve for that. It allows buyers to use their cash and earn some great return on that cash, and it allows suppliers to access early payment and lower their days sales outstanding (DSO) when they want to.

Evolutionary growth

The other thing that has really fundamentally changed, and I’d say it's more of an evolutionary growth that makes Dynamic Discounting more relevant than ever, is that what makes Dynamic Discounting possible is e-invoicing and the ability to get invoices approved very rapidly, so there's an opportunity for that early payment.

E-invoicing has really grown in the accounts-payable world, both in the US as well as abroad. E-invoicing has become more standard. More and more people are coming into it. It's not a leading practice anymore. It’s a best practice, but there is a long way to go.

But as those invoices get approved very quickly and suppliers have visibility into them, it becomes very natural for a supplier to raise their hand and say they would really like to get paid early, maybe to reduce DSO, maybe to increase cash flow, whatever their reasons, but the confluence of e-invoicing and that network visibility is really driving Dynamic Discounting.

Gardner: For any of our new listeners and readers, why don’t you quickly define for us what Dynamic Discounting is, and then also tell us what the benefits are and to whom? Now that this has been in play for a while, are there any unintended consequences about who is getting value from it and why that's increasing the uptake?

Hofler: Dynamic Discounting, at its very root, is an early payment on an invoice that is funded by buyer cash. What makes it dynamic is that it allows suppliers, on an automatic or an ad-hoc invoice-by-invoice basis, to essentially raise their hand on a Dynamic Discounting platform by clicking a button and say they would like to get paid early, and in their control, accelerate their payment.

Dynamic Discounting simply puts the tools in the hands of the paying customer, to use their cash and earn something, and it puts the tools in the supplier hands to accelerate payment.

I like to call it the bringing together of opportunity, visibility, and capability, where you have the opportunity created by e-invoicing and where now you have an early approved invoice.

Visibility is through a network that allows the buyer to see where they have an opportunity to pay early and a supplier to see where they have the opportunity to be paid early. Then, there’s the capability on that network to click a button and make it happen, so that they have money in their account a couple of days later.

Gardner: And the other part, what’s been perhaps an unintended or unexpected consequence that’s benefiting the chain here in such a way that more and more people are doing it? What’s fueling the uptake?

The business network

Hofler: I wouldn’t necessarily say that it was unintended, because I think we intended this to happen and we saw it. But I would say that what's really fueling it again is the rise of the business network.

As I said, it’s the opportunity, visibility, and capability, and it’s that visibility element, where now more suppliers are used to seeing their invoices on the network. They’re used to seeing them approved very early, and then they can take advantage of it.

But one of the surprises that I see is in who offers a discount and who takes the discount on the supplier side. Logically, you would think it would be your smaller suppliers, with not much access to cash or not much access to credit, and in general, they do very much take it up.

But you will also often see very large suppliers with very large invoice discounts -- I mean in the six digits sometimes -- that will do it on occasion, because they have the opportunity and the control to do it when they want to. They will do it for other reasons, such as end of quarter to reduce their DSO or as accounting window dressing to get receivables off their books.

And the beauty of Dynamic Discounting is that you don't have to know what your supplier is going to do or why they’re going to do it. You offer them the opportunity, give them visibility and the capability to do it, let them make the choice, and you will often encounter some surprises like that.

Gardner: Let’s go to Rick at American Electric Power. Tell us a little bit about your organization and how you came to be using Dynamic Discounting?

Gray: American Electric Power is an electric utility, one of the largest investor-owned electric utilities in the country. We’re in 11 states, and we have five million customers. We have gross revenues that were over $15 billion last year. So, we’re pretty well-sized.



We started to look at our expenditure cycle, the whole purchase-to-pay (P2P) process, and had an independent consultant in to look at that and to give us some strategy on how we can improve. Part of it was to do the e-invoicing, the e-purchase order.

So we were looking at different tools and companies to provide that, and Ariba was the one that came out, and we selected them. Part of the justification for that whole project was the increase in early-payment discounts. That’s what got the ball rolling.

Gardner: And to what degree are you using it?

A lot of use

Gray: Quite a bit. When we started looking into it with Managed Services help, we saw that we had over 150 different payment terms. We looked at our days payable outstanding (DPO), which is the number of days it takes to pay our suppliers.

It was shorter than the industry average, which means we were paying sooner than our peers in the industry, which caused us a little concern in that we obviously weren’t being overly prudent with our cash or gave that appearance.

So part of the effort was to look at our payment terms and standardize them, and we decided to extend them a little bit to get along with the industry average.

Gardner: Rick, what about this notion of a business network, transparency, and having more data at your fingertips in order to benefit other processes, other financial issues in your company? Do you see this as an accelerant to the use of network information and transparency and perhaps building less risk into your overall financial situation?

Gray: Absolutely. And because we were looking at our working capital and our liquidity and extending the payment terms and consolidating them, we wanted to provide our suppliers with a tool for them to be able to then give them that relief valve that Drew was talking about. So if they did need the payment sooner, that’s fine. We could give them that opportunity without losing the benefit to ourselves in the process.

It became really important to get the buy-in throughout the company. We realize that some suppliers need the money sooner and that’s fine, and here’s the process to do that. The tool then allows the suppliers an easy way of accessing that and getting their money sooner if they need to, without reaching out to our accounts payable department or our procurement department and calling around. This was a more streamlined process for that.

Gardner: One of the things that’s really interesting to me and why I think this takes off so well is that it benefits both sides. There are more information and terms available. Negotiation positions all work to their mutual benefit. Do you have any metrics of how this has benefited your organization? Do we have some opportunity to look at where the rubber hits the road? What do you get for it?

Gray: There are a couple of things. This past year, we extended our days payable outstanding by two days, which doesn't sound great. On the other hand, with $1.2 billion in average daily accounts payable, that’s two days we didn’t have to borrow $1.2 billion. We even had a holiday where we didn’t have to borrow one day, but gradually that turned out. So we reduced our borrowing for that much.

On the other hand, we also saw increased early payment discounts that matched that business case that we talked about later. So in that regard, we’ve done pretty well.

Gardner: Let’s go back to Drew. What’s coming next? What have we gained from the news here at Ariba LIVE? What are you hearing from the attendees, and what should we look for in terms of next steps in making Dynamic Discounting even more powerful?

Continued buildup

Hofler: What comes next is a continued buildup of the transparency and visibility in a network that allows suppliers to see what's going on and allows buyers to tie that in together.

We’re seeing that companies are looking at these things, not as disparate processes anymore, not just the invoicing, not just Dynamic Discounting, not just procurement, but are looking at the realization that each of those is a link in a value chain and they need to be linked together.

We’re seeing people going from where they’ve started and expanding onto a platform that allows them to grow and link these things together. You’ve got suppliers, for example, that may have just been PO or may have just been a contract.

Now, they move them into the invoice on that. Or, it may have been invoice and just contract. More and more suppliers are finding more and more reasons to come to the same network. That increases the pool of who is there to discount.

The other thing that’s tied to it, and not discount specific, is the idea that it’s early payment when they raise their hand. We’re now seeing this area of what we announced at LIVE in AribaPay -- not only to allow the supplier to raise their hand to receive their payment early, but to be able to be paid in such a manner when they do that, they have full visibility into everything that went into the final dollar that comes into their account, with every invoice, every line item, every PO, so that they can reconcile it easily and quickly identify discrepancies.

So we really see the tying together, not only of the desire to be paid early, but then the actual mechanics around the settling of that payment.

Gardner: And for global companies that are concerned about currencies, jurisdictions, and tax issues, this can be a big deal.

Hofler: Absolutely, it can, and particularly if they have multiple invoices around payment, keeping track of the differences. You get one lump sum and it accounts for 100 invoices that might have 20 line items each. That becomes a big issue to maintain, and the more global you go, the more complex.

Networked economy

Gardner: Of course, a recurring theme at Ariba LIVE was the networked economy -- and also the fact that you are, as part of SAP, using HANA and other analytics capabilities to bring more insight across the activities of the Ariba portfolio.

I was struck when Rick mentioned that he could compare the industry standard for payable terms and therefore adjust accordingly. Are there other metrics, analysis, or even predictive value that, as an aggregator of Dynamic Discounting terms, with all privacy, security, and anonymization brought to bear, more value add when it comes to being smart about how you do this?

Hofler: Absolutely. I couldn’t be more excited about potentially having all of the 15 years now or more of data on the Ariba Network of POs, invoices, and payment terms and early payments. All of this is brought together in such a way that we can do just that. We can take all that big data and turn it into information that’s actionable.

There is so much there, not only from the aggregate standpoint. As you mentioned, we never, ever share which supplier we discount how much, but on an aggregate basis, what are some of the trends, what are some of the indicators that a supplier would be more willing to discount? Just on the data that I’ve tracked outside of HANA, not nearly as powerful as that, you’ll see certain patterns, end of quarters, end of certain seasonal cycles.

Having the ability to see that for a buyer or a treasurer to then make maybe more cash available for that particular time and plan for that, they can make more cash available to handle the spike in volume of discounting. There’s just tremendous potential there.

Gardner: Rick, any advice for other organizations that perhaps haven’t done Dynamic Discounting, but are evaluating it? Is there anything that you can offer with 20/20 hindsight that they would benefit from?

Gray: A couple of things. One, it’s not that bad of an integration. There’s not a whole lot of movement there. It’s not really that complicated. So that's not too bad.

The challenge is getting the suppliers on and getting them engaged. We actually purchased the software right when Ariba was rolling out Managed Services, so we were sort of grandfathered in prior to that and didn’t utilize the Managed Services when we implemented. We saw that our adoption rate was well below our target.

Six months or so afterward, we engaged the Managed Services, and within three or four months, we had reached the original target. So that was a big help and something I would strongly encourage. Listen to and use the partners. It’s not that we’re not smart enough or don’t want to work hard enough to do it. It’s just that we just didn’t really have the time and resources.

Gardner: Would you say, Rick, that this has paved the way for a different type of relationship between you and your suppliers? Has it increased collaboration and communication in any way, maybe a stepping stone towards more transparent and even more mutually beneficial business negotiations and relationships?

Next target

Gray: Yes, and we’re working on that, as far as a long-term contract is going into place. That's our next target right now with the smaller suppliers, with immediate need. Now, we’re looking to make sure that that’s the culture within the company. These are the payment terms and this is the tool to utilize going forward. We’re sticking to our guns, saying that there are no exceptions. Everyone goes through this, and that’s been beneficial.

Gardner: Last word to you Drew. How does this integrate into other things? You’ve already mentioned AribaPay. We’ve talked a little bit about analytics and visibility. The whole greater than the sum of the parts is where a lot of business services and those that avail themselves of cloud models can go. Where does this integrate into next? Where is the bundle? How do we make this a value add?

Hofler: It’s just a natural bundle for anything that has anything to do with P2P, Ariba Collaborative Commerce, and Ariba Collaborative Finance. If you look at it as a process, classic process, everything ends up with an invoice to be paid.

So we bundle it in when the invoice is a part of any type of business process re-engineering that a customer is doing. We point it out to them as a natural next progression when they are going there.

Rick made the point earlier that it really drives the business case too. It’s very helpful for folks who are looking to get some technology to help them drive business process re-engineering and to improve their business processes.

Sometimes, efficiency isn't enough in terms of savings to get that raised to the top of the project pile. Dynamic Discounting is a great way to add significant return on investment (ROI) to that business case, so that they can get their overall project approved. We’ve seen that happen time and time again. So it’s a great part of the bundle.

Gardner: Very good. I’m afraid we will have to leave it there. We have been talking about how American Electric Power improves their financial processes and billing operations using Ariba Dynamic Discounting.

And by examining a user's experience, in this case at American Electric Power, we’ve learned how a real-time business process approach to billing, ordering and settlement terms benefits both the buyer and the seller.

So a big thanks to our guests, Drew Hofler, Manage Cash Solution Marketing Director at Ariba, an SAP company. Thanks, Drew.

Hofler: Thank you, Dana. It’s my pleasure.

Gardner: And also Rick Gray, Senior Treasury Specialist at American Electric Power. Thank you, sir.

Gray: You’re welcome.

Gardner: And thanks to our audience for joining this special podcast coming to you from the recent 2014 Ariba LIVE Conference in Las Vegas.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Ariba-sponsored BriefingsDirect discussions. Thanks again for listening, and come back next time.


Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.



Wednesday, April 30, 2014

Software Security Pays Off: How Heartland Payment Systems Gains Steep ROI Via Software Assurance Tools and Methods

Transcript of a BriefingsDirect podcast on how HP Fortify has helped one company improve their software security practices.

Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Podcast Series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing sponsored discussion on IT innovation and how it’s making an impact on people’s lives.

In this first of a two-part series -- Does Software Security Pay? -- we’ll discuss how Heartland Payment Systems in Princeton, New Jersey has leveraged software-assurance practices and HP Fortify to drive value within its IT organization -- and improve their overall business performance.

Join us now, as Ashwin Altekar, Director of Enterprise Risk Management at Heartland, shares his insights and knowledge with Amir Hartman, the Founder and Managing Director at MainStay, a marketing and IT advisory services firm in San Mateo, California.

Amir recently completed a software-assurance return-on-investment (ROI) study. He’ll now share details from that study on how HP Fortify has impacted Heartland’s IT organization and their developments.

We’ll learn how Heartland has improved results in innovative ways across the organization thanks to both security best practices and tools. With that, please join me now in welcoming our moderator, Amir Hartman.

Amir Hartman: Good morning, Dana. Thanks for having us, and I'm really excited about the program today. We have a two-part series, as you indicated, and the research that we did found some very interesting results from the companies that we interviewed.

We found three main benefits to employing and institutionalizing a strong software security-assurance program with supporting tools. One was a saving that organizations are seeing. Second, it’s a risk-management benefit to the organization. Last, we actually saw some revenue protection benefits as well.

So I'm pretty excited to have Ashwin on the call today and have Ashwin share with us his experiences in deploying HP Fortify solutions and these practices within Heartland. Why don’t we start? Ashwin, could you give us a little bit of background, a little bit about yourself, and then segue for us into the software security landscape at Heartland?

Ashwin Altekar: Sure. I’m the Director of Enterprise Risk Management at Heartland. I've been working in information security for over a decade and have spent a large portion of my time performing application penetration tests and managing software-assurance efforts.

At Heartland, we take software security very seriously. We strive to be the trusted transaction provider, the trusted partner of the large number of merchants who depend on our payments and payroll services. With application security being such a large vector for attack, we’re very aware of the multiple controls necessary to keep our customers’ data secure.

We lean quite heavily on Fortify, first to understand, and then improve, our level of software assurance.

Previous scenario

Hartman: Let's take people back a little bit. Could you describe for us what the software-security scenario was like at Heartland before institutionalizing some of these practices and before implementing and rolling out Fortify?

What did things look like before? Then, talk to us about why you went in a new direction.

Altekar: Prior to Fortify, or any automated tools, we relied mostly on manual inspection by developers using common security guidelines like the Open Web Application Security Project (OWASP) or assessments done by third parties.

As our enterprise grew, it became harder and harder to be confident in our application-security posture with just manual inspection by development teams. Software assurance is very important to us, not just finding vulnerabilities, but understanding what percentage still remains. With manual efforts, there was just too much to do and not enough time.

We liked the breadth of programming languages supported by Fortify and we really liked the direct integration to the integrated development environment (IDE) for common IDEs like Visual Studio and Eclipse. So Fortify was just a natural fit for the need at the time.

Hartman: I would imagine that with the space that Heartland plays in, obviously these issues are quite sensitive. And if you look at the marketplace, you’re seeing this explosion of mobile devices and mechanisms by which consumers are transacting. It makes this issue even more front and center.

Altekar: Absolutely. Our primary product or service of facilitating transactions is provided through software. So Fortify is definitely a key product that helps us position ourselves as a secure company. And to do so, we need to understand what security issues we have in our software.

Hartman: Ashwin, talk to us a little bit about the implementation itself, just some interesting facts. Then, if you could, segue into the impact that you’ve seen it have on the organization. What are some of the benefits that you've been able to deliver to the organization and to its customers through institutionalizing these practices and tools?

Altekar: At Heartland, we risk-rank our numerous applications and have various requirements on what each development team has to do to meet internal requirements.

One of our basic requirements is that all software applications be scanned using Fortify. From the information-security perspective, that has allowed us to understand what it is that we’re up against when we talk about software-security assurance. So, a large challenge is trying to figure out what it is we don’t know. Fortify allows us to quantify our level of effort and get the attention software security requires.

Also, we've been able to show the successes of many teams that embrace Fortify. They’ve been able to do more and learn more about software security in much less time.

Similar results

Hartman: In the research that we did, we found similar results. We found quite a number of organizations that were able to reduce the amount of time the developers were spending identifying and remediating. Because of the automated mechanism, they focused their attention on developing new value-add applications.

It's reallocating their time. It’s not that this stuff isn’t important. Obviously it's essential, but if we've got a way to do this faster and then focus the developers’ attention on different areas that are more value add, that was a big win. I don’t know if that’s something similar to what you’re finding as well, as developers are making it part of their DNA.

Altekar: We absolutely do find that. There’s an old expression for spell check that if you see the correct spelling seven times, you would finally get it right on the eighth.

Our developers are a bit quicker in learning about security best practices, but Fortify allows us to do a very similar type of reinforcement when it comes to specific software-security issues. They’re able to see the right way to do secure development through Fortify and then learn from that.

Hartman: Let's shift gears a little bit here, Ashwin. Some of the things we noticed were a little bit unexpected. When we went into the study trying to figure out how companies are benefiting from effective software security practices, we were going in with certain assumptions.

One of the assumptions was that some of these automated tools and practices are going to obviously save time and save money on the developer side. Certainly, if I can address and remediate things early in the development cycle, that’s going to save me a tremendous amount of resources and money, versus down the road in post production.

But there were a couple of areas that we found in terms of benefits that companies were experiencing that were a little bit unexpected, and there were some innovative uses.

Can you share with us a little bit from your perspective, and from Heartland's experience, some of the more innovative uses of these practices and Fortify related to software assurance?

Altekar: We provide broad warnings about software security issues in general at the enterprise level, and Fortify allows us to really target our training efforts on the issues we see at the project level.

We can discuss those specific topics with the development teams when we interact with them and we can even point out the specific remediation tips within Fortify. That’s very helpful.

Secure development

Something else we’re looking to roll out right now is how we can visualize the different development teams and how they compare to each other in terms of software security. So we’re looking to see if we can incentivize secure development even before a line of code has been written.

Through some minor gamification, leveraging Fortify statistics between the various development teams here at Heartland, we hope to better train developers and, in turn, improve the overall development productivity.

There’s another interesting use that we have. At Heartland, from time to time, we acquire various companies or seek to be partners with them. During the evaluation phase, often we’ll use HP Fortify to determine the amount of work that we may need to do to get the acquired software into a production-ready state.

That has been helpful sometimes in negotiating the acquisition price or making sure that we factor that in and do an appropriate level of due diligence ahead of time.

Another common scenario for us is that we’re able to understand the quality of any third-party developers that we contract with and we can force strict standards on what secure development means.

Traditionally we enforce security through a legal contract that says the third party has to follow secure coding guidelines based on best practices, but with the implementation of Fortify we can say that they have to have a clean Fortify scan prior to finalizing a certain amount of work.

Lastly, our secure software development lifecycle (SDLC) process, which includes Fortify, signals to our partners -- especially our partners that value security -- that we’re very serious about software security and that we take a lot of the right steps, if not all the right steps, doing whatever we can to understand our vulnerabilities in software and to eliminate them.

Hartman: I love those examples. The healthy competition between the developers is a great idea. Perhaps it's a little bit melodramatic, but we hear a lot of this. When you start articulating and dictating to developers things that they should do, the reaction isn’t always positive.

These are folks who think they’re developing great code and they’re quite independent. So, thrusting upon them new ways of doing things sometimes can be met with some resistance. But that notion of healthy competition and gamification between groups is a great idea.

And your point about leveraging these capabilities and these tools in the acquisition process is something that we’ve heard. When we did this study three years ago, that was something that one or two companies were leveraging. Your example is great.

Leveraging practices

It's not necessarily acquiring companies. It could be the acquisitions of certain technology and software assets, websites for example. Those things are ripe for leveraging these kinds of practices and tools. So that’s a great example.

Let's move on to more insight on how this has differentiated, or been used to differentiate, Heartland. Obviously, in the space that you play in, security is at a premium, as is being able to ensure your customers that you've got a terrific approach. Can you talk to us about that in terms of whether this capability helps you differentiate in the marketplace?

Altekar: As I'm sure you know, security is more important than ever in our customers’ minds. When it comes to transactional security, we've heard of a few high-profile reports about payment security and breaches lately. That has really raised awareness and that’s great, especially since many of Heartland’s products and services focus on security.

Confidence in the quality and security of our software product is absolutely a differentiator. It allows our customers to focus on their business without having to worry about technical security issues in their day-to-day operations.

Having trust in a brand, having trust in a company and its products and services, is very important for our customers, and our secure SDLC allows us to articulate why it is they should have that confidence in us.

We can tell them that we have secure development training, we have a static source code analyzer, we use dynamic tools, we have manual inspection, we have third-party assessments. These are all things that especially our larger customers appreciate. They understand that this is what you need to do in today’s day and age to have secured products.

We’re able to elaborate on the multitude of things that we do, and many of our partners are very thrilled to partner with us because of that.

Hartman: That’s well said, Ashwin. Think a little bit for me around what it took to institutionalize some of these practices. You mentioned a little bit earlier about the use of gamification and healthy competition among development groups, but institutionalizing effective software-assurance practices is easier said than done.

Can you help us understand what were some of those key factors throughout this journey, and it is a journey? It's not just one quick little implementation and then you are off and running. It's definitely a journey from the customers we've talked to. What are some of those key success factors in institutionalizing such tools and practices across an organization?       

Changing variables

Altekar: Journey is a great word for it. There have been so many times when I thought that we were finally at a place where we need to be, and then, one of the variables changed.

The first thing that you can do is be very clear about what development teams need to do for internal compliance when it comes to software assurance. That could mean setting specific metrics or making sure that they have well defined processes. But whatever is right for your organization, you have to repeat that message often.

I used to think that I was just constantly talking about security, and everyone was tired of it, but one of the key lessons I learned was that it's impossible for you to repeat that message too often. So be very clear about what it is you want them to do and say it often to anyone who will listen.

The second is to make it easy. Make it very simple for various development teams that integrate into your software assurance processes. So understand the challenges that individual teams face in implementing security during the development life cycle. One team’s problem, if they are doing an agile development process versus waterfall, could be very different depending on those scenarios.

Make sure you understand their challenges, whether it's process, time, or the right tools, and make sure that you’re able to solve for those. Thankfully, for us, Fortify has been very easy to integrate into the IDE. We've been able to automate with it, so it's been flexible in a number of different scenarios for us.

Finally, quantifying, measuring progress over time. It's very easy to sit back and say, “These guys implement Fortify” or “We have manual tests for them” or “They take all the required training,” but it's great to quantify each, so that you provide feedback to senior management and talk about many of the success stories.

If you can provide quantitative information and share those success stories everywhere throughout the organization, you’re able to reward everyone’s efforts. In summary, the key success factors are just to be clear about the message, make it easy for people to integrate, and then measure how well everyone is doing.

Hartman: That’s a great summary, and the last one, especially to your point, sounds easy. It's not that trivial of an activity. It's being able to communicate to leadership as well as to the troops.

Leadership, especially in a set of measures or metrics that resonate with them, is not an easy task. There are a lot of activities that get done as far as software security and software assurance practices go, but translating that into a language that a senior business leader is going to understand is not an easy task. That’s a very good point.

A couple of last questions for you. If you could take a look back for us with this journey and when it started and the success you've had, is there anything you would do a little differently?

Be repetitive

Altekar: One of the things I already mentioned was to be repetitive about the importance of software security and what needs to be done. There is always someone who hasn’t heard that message, and it's important for them to hear it as well.

The other thing is that it's okay to be a bit more realistic in what an organization can do. Just because there's lots of security work ahead of you, it doesn’t mean that the organization is able to get it all done immediately.

So it's important to create realistic goals and time frames that the organization can meet, versus trying to get everything done all at once. It changes from organization to organization on what that means, but I've learned to have realistic goals, rather than ideal goals.

Hartman: The goal-setting and the expectations and constant communication of reinforcing of those goals is definitely critical.

Going forward then, what's next for Heartland and specifically in this space? Can you paint us a picture for what's next on the horizon from an SSA standpoint, let's say, the next 12 months or so?

Altekar: I'm really excited for the next year at Heartland. We’re at a place where we have many of the right tools. We have many of the right controls at the right time during the software development lifecycle. 

My next goal is to combine all our different tools and get even more value out of them running in sync with each other -- trying to add one and one to get three, versus just the two that we have today.

Going forward, I’d really like to continue to automate and leverage the individual tools and get them working together so that we get, one, richer information about our security posture, but two, to get more actionable and precise information on what various development teams need to do, or what the security team needs to do to better support software assurance efforts.

Hartman: Ashwin, I really appreciate your sharing this with us. You have a lot of great insights. Obviously, as you pointed out, this is very much a journey. It's not something that’s a week, month, or multi-month effort. It's constantly changing and morphing. Again, your insights were very, very valuable and I appreciate them. So, back to you, Dana, on this one.

Gardner: Thanks, Amir. You've been listening to the first in a two-part sponsored series -- Does Software Security Pay? -- examining how Heartland Payment Systems has leveraged software assurance best practices and HP Fortify tools to drive value inside the organization and improve their overall business performance.

And we've seen how a recent software assurance return on investment study from MainStay demonstrates how HP Fortify has measurably positively impacted Heartland’s IT organization and their developers.

Please join me now in thanking our moderator, Amir Hartman, Founder and Managing Director at MainStay. Thank you so much, Amir.

Hartman: You got it, Dana. I appreciate being here.

Gardner: And also, a big thank you to our special guest, Ashwin Altekar, Director of Enterprise Risk Management at Heartland Payment Systems. Thank you so much, Ashwin.

Altekar: Thank you.

Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing sponsored discussion of IT Innovation and how it's making an impact on people’s lives. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast on how HP Fortify has helped one company improve their software security practices. Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.


Tuesday, April 29, 2014

Ariba's Product Roadmap for 2014 Points to Instant, Integrated and Data-Rich Business Cloud Services

Transcript of a BriefingsDirect podcast on what to expect in the near future from Ariba and from the Ariba/SAP synergy.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ariba, an SAP company.

Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast series coming to you from the recent 2014 Ariba LIVE Conference in Las Vegas. We’re here the week of March 17 to explore the latest in collaborative commerce and to learn how innovative companies are tapping into the networked economy.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Ariba-sponsored BriefingsDirect discussions.

Our next interview examines the Ariba product roadmap for 2014 and beyond. We’ll now learn more about the recent news at Ariba LIVE and also what to expect from both Ariba and SAP Cloud in the coming months.

To hear more about Ariba’s product and services roadmap, please join me in welcoming Chris Haydon, Senior Vice President of Solutions Management for Procurement, Finance and Network at Ariba, an SAP company. Welcome, Chris.

Chris Haydon: Thanks, Dana. Good to be here.

Gardner: Before we get into the news, what’s changed in this business-network market and the community around it the past year? What are you hearing from customers? What’s shifted since we spoke last?

Haydon: At the baseline, there’s a lot more interest. People are just starting to really understand what business networks really mean.

In some of the conversations coming through, large corporate enterprise buyers are really looking for a single hole through the firewall, if you like. They’ve done some great work in optimizing their internal business processes, but they really understand that the next undiscovered country is in collaborating with their suppliers.

But it’s not just their suppliers. It’s payment providers, logistics providers, and a whole heap of supply-chain stakeholders. We’re seeing that larger conversation over not just a single business process, but a holistic business-process view.

I think the other really interesting thing isn’t a trend. It's probably a confirmation of what we already knew, particularly in the southern hemisphere. Mobile is on the increase and is now bypassing the laptop, specifically in some emerging markets.

They’re the two macro trends that we are seeing that are manifesting themselves in our new business acquisitions. 

Mingling with others

Gardner: So “mobile first” is really important, as is this notion of a boundaryless organization. You don’t just exist as an island. If you’re going to be really adept and productive and develop some of the great insights you can through data, you need to allow your borders to mingle with others.

Haydon: That’s right. And it’s a network effect as well. People don’t want to do all the heavy lifting themselves. They’re really starting to understand that there is the network here. I can adapt, not adopt, so to speak, and really accelerate the business by leveraging the existing community.

Gardner: What about technology? Have there been any technology shifts that we’ve had in the past year that have enabled some new and interesting things at the business networks and applications level?

Haydon: We’re in the early stages of redoing parts of our technology to take advantage of where the growing trend is going to come. We spoke about mobile, but it’s not just mobile. It's more about user experience and how we focus specific use cases on where an improved screen, an improved device, or both makes sense in the user context. That’s a really big change for us as well.

We’ve spent the last 12 months, and we will spend a good part of the next 12 months, rebuilding the platform to really be able to take advantage of these larger trends around real-time analytics, big data, and all that, but translating that into actual actionable use cases.

Gardner: What are the highlights for you at Ariba LIVE 2014?

Haydon: There are so many. First, there’s another record turnout. We have some amazing customers, and the adoption of our customers is just superb for us. We want to drive more value into both the buyers and the sellers.

There are some pretty interesting announcements that we’re doing. We announced AribaPay last year, and we are happy to announce this year that that’s well on track. We’re going to be doing more on AribaPay, but this is really transforming the B2B payment space and leveraging that. We want to bring the payment process within the visibility and the view of the network. We think that’s pretty huge.

Second, you’re going to hear about us doing more innovation than ever before. We have some significant investment from SAP, which will translate itself into globalization -- moving into Russia, moving into China -- and into new business processes, like supply chain and payment, as well as leveraging the great infrastructure and platform that SAP has in mobile. You’ll see three to five mobile-centric use cases delivered in Ariba within the next 12 months.

Gardner: What about the Ariba-SAP synergy? How has that changed Ariba? It’s been a while now since the merger and acquisition. What can you tell me about the relationship and the character of the company?

Embracing the cloud

Haydon: SAP has really embraced the cloud. And it has worked so well in terms of a lot of the cloud DNA that Ariba brings to the table. SAP has truly embraced that.

And for us within Ariba, there are three or four dimensions. One is certainly global, and SAP is everywhere. A global sales force and, more importantly, global know-how is very important.

Number two is industries. Historically, Ariba was not very industry focused. Now, with SAP, with their vast industry expertise, it really will enable us to drive great solutions into specific industries globally.

And last, but not least, it’s getting access, from a product-management perspective, to lots of new things to play with and great platform tools. We have HANA, and we have released some products on HANA starting this weekend.

We’re going to continue to do that. We’re going to put the network on HANA, accelerate that investment in mobile, other aspects on reporting, and deep integration with the business suite. We’ve seen some really great synergies in the first 12 months and we expect more next year.

Gardner: Let’s look at this whole spectrum of data and analysis. Data scientists and business intelligence (BI) professionals have been creating reports and developing the fruits of a data infrastructure for years, but what we are starting to see now is the use of analytics and visualizing the analytics.

We’re giving it to folks down on the line of business, not just at the very tip of the organization, but throughout the organization. How has this need and demand for greater data and greater analysis capabilities translated into what you’re doing at Ariba and SAP?

Haydon: This is actually part of why people understand the business network and why the business network is starting to take off. If you think about what’s so great about SAP/Ariba and our great capability, we have this great business network, more than 600 billion in spend, and more than a million suppliers.

I’ll go into technology for a second. It's the promise of what an in-memory database can give us. Imagine when we can put all of those transactions in real-time that are flowing today, imagine when we double it over the next three years or something like that.

Power of HANA

And we put that in real time because of the power of HANA, real-time analytics, whether it's lead time or a moving price average. We won’t just dish it up in quarterly reports that an executive sees. What if a supplier is responding to an order confirmation and they can see that the average lead time has changed? They can take an action and do something about it to fill their customer’s needs.

What if you’re a procurement officer and you’re going to do a sourcing event? You can see that five extra suppliers come on or there is some problem with your core supplier because they are out of stock. If there’s a natural disaster hitting, what if you can see that real-time?

That’s the promise that big data and analytics delivers in something like the business network, which gives us a holistic view that is unparalleled, particularly when we are able to marry that with the master data that exists in the applications or in the enterprise resource planning (ERP) systems.

Gardner: What strikes me, Chris, about this era is that for so long, companies relied on their own data and their own analysis. There was really a wall around the activity with BI.

But now, with things like third-party networks, like the Ariba Network, they can start to get data that might be anonymized. Privacy issues have been worked out and people are allowing data to be shared. That’s where these real insights are coming. It’s the volume, velocity, and variability of the type of information.

So what comes in terms of a business application benefit? Where are you driving these visualizations and this data? What can we expect in the next 12-18 months in terms of analytics meeting business applications?

Haydon: The first one, which we have already announced, is Supplier InfoNet, which is our HANA-based alerting and supplier information system, which can also feed in. We’re releasing that and we’ll be building that integration into our solution set. That’s the first thing.

We’re kind of feeling our way here, and you brought up an excellent point. None of this happens without the appropriate privacy, anonymization, aggregation, and all of that. That’s the given that you have got to work out first.

But once you have that, we want to look at point areas to road test what it looks like. Maybe we just show to a supplier and say, “When you’re responding to an event, your lead time is x percent slower than all your other competitors.” There’s some peer pressure, and we’re not sharing anything else, but it actually helps the salesperson understand where they are.

It’s the same thing on the buy side. If you confirm that the moving average price of this commodity in the United States moved by 5 percent, you might want to consider having a sourcing event. Those are the type of point things.

Most meaningful

The holistic dashboarding and automated alerts will come. We just want to work out those flows and what’s most meaningful. That’s where we go back to the point about the user experience. How do we do that? Do we need to expose that in a mobile app with an alert, or is that just an icon that pops up on your screen, or both? That’s how we want to intersect the two.

Gardner: Let’s move into mobile. You mentioned "mobile first." That’s really an interesting concept, but it seems to me that it's more than just a screen definition. You really need to rethink processes when you start to go to that mobile tier and recognize that people are 24x7, regardless of location, intersecting and interacting with business processes. So what should we expect from mobile innovation?

Haydon: I wouldn’t even couch it as “mobile first,” but “mobile as required.” First and foremost, what we are focusing on for our mobile strategy is, notwithstanding putting in place, just the core platform to enable it. When we’re looking to our features that we build in our products, we want to focus, which, as you were alluding to, is how does the end user need to consume this information?

If it does make sense that a mobile device is able to present that, then we’ll do it. We are not doing it for the sake of having a mobile solution, just to have it out there. We don’t need to do that.

Obviously, some things bubble to the top, approval apps or flipping a purchase order or a new event, and we will do those. But we want to be quite systematic in what we’re going to do.

Also, from a product development sense, we want to take a focused approach. We want to embed the mobile development paradigm within our current development product teams.

What does that mean? It means we’re not going to have a mobile team out on the left, running and building 500-600 apps that they think they should build, and then our core feature team doing it. We’re going to have our engineers, our product managers, our quality assurance (QA) people thinking about mobile in parallel with the screen and how that enhances the customers or the user experience to deliver the business outcome.

While we might be somewhat slow compared to others, some competitors are saying they have 20 mobile apps. We think our way is going to deliver better business outcomes by taking the user experience construct and making that, whether that’s mobile, analytics, or screen, all in the same context.

Gardner: I like the idea that it's process first, regardless of the screen, but this seems to give you an opportunity to move and scale into new regions in some markets. In China, for example, the smartphone is the primary device and screen.

It also allows you to scale down smaller businesses. You can run a business on a smartphone. Why not have cloud business services to accomplish that? What about that global reach? What do you expect for the next 12-18 months in terms of expansion vis-à-vis any number of services, but mobile being part of that?

New data centers

Haydon: A couple of things. Number one, since we first spoke, we announced our first European data center, and that was commissioned in December. We already have a number of customers live already. We’re in the process of dealing with that. 

We have also announced data centers in China and Russia for our applications. So in terms of just global deployment, we’re investing in data centers which will deal with a lot of the data privacy and encryption table stakes to even get started.

And then, just being on the back of SAP is one of the really great synergies that we get, in that they have in-country local product managers who are born and bred and live in the jurisdiction to be our proxy customers, the voice of the customer actually in-country as we look to embed in there. 

Gardner: Into our next subject. What about governance, risk, and compliance (GRC) topics and issues? It seems that we can’t really divorce concerns about privacy and security and risk amelioration from business activities, especially as we consider that boundaryless organization. We want to expand into new markets and allow enterprises to do more business and supplier activities across these boundaries.
All decisions -- procurement, supply chain or others -- are made with a risk-management focus.

So how do we think about embedding GRC both as a process and as a technology in the Ariba roadmap?

Haydon: Ariba had a pretty good legacy of being at the forefront on a lot of that. Maybe we didn’t give ourselves credit, but for the longest time, we have had security, privacy, availability, and confidentiality processes and certifications. Some competitors have one, some competitors have two or three, but we had five.

We are also payment card industry (PCI) compliant. That’s a pretty high threshold. I know other companies have PCI compliance, but I mention those points because that’s part of our DNA. You have to start thinking about that, you have to understand enterprise problems and build your operations, your infrastructure, and your technology around that. We’re in a pretty good state.

Obviously, these GRC compliance processes are growing. Risk management is like a new mantra. It's the forefront of anything else.

I mentioned our data centers. One aspect of dealing with in-country data privacy, obviously, is having a data center in a jurisdiction. As I said, we commissioned our European data center. One in Germany is primary, and there is a failover elsewhere. That should deal with a lot of EU data-privacy concerns. Then, Russia, China, and so on.

The second piece that we do have, being part of SAP, is that SAP has a very comprehensive GRC process themselves to make sure that they don’t do business with customers that are on particular restrictions or watch lists internationally. It's not just the US or the EU, as I understand. SAP reviews 13 or 14 data sources, not just one or two.

Trading partners

So we’re bringing those processes into the Ariba Network to make sure that we don’t do that, but we also notify our trading partners as well, and that’s part of the value-added service. You may well be doing transactions or trying to do an event with someone not appropriate from a risk perspective.

The last piece, a little bit related to this from the roadmap, is that, in the course of this year, we’re looking to build out on the Ariba Network support for US public sector. Once you start into the public sector for business process transactions, you get a whole heap of compliance issues on encryption, accessibility, and a couple of other dimensions. Those requirements will be built into the network and also to our applications over the next 12 and 24 months.

Gardner: Now, back to products and services. Often, at these Ariba events, and I’ve been at quite a few, we hear about services that people are familiar with, but there are layers of new functionality and features. Are there any that pop out in your mind from 2014 that we should go over and reflect on as maybe changing the way people think about doing business vis-à-vis cloud and vis-à-vis the networked economy?

Haydon: Yeah, there are a couple. One is something released in Quarter 4, at least for our SAP clients. We have native connectivity between the SAP Business Suite and the Ariba Network. You don’t need middleware. It's a downloaded extension pack.

It's pretty game-changing, when you can download something and an order can go out of the Business Suite straight to the network natively. Let’s just remind people of that. That’s pretty nice.

Number two, we have a lot of new features and products coming out, as we said. We said we’re going to do a lot of innovation. We’re going to deliver on that innovation. I’d like to quickly talk about four.

AribaPay, which we touched on, is changing the role of B2B payments on the payment side.

At the top end of the funnel, we are also launching Spot Quote. This is pretty interesting. Forty percent of procurement activity is on contract or on catalog. In some industries, it's greater. This Spot Quote process enables us to take these tactical three bids in a buy from a buyer programmatically and put that out into the business network to be bid upon, and we can also identify new suppliers.

What's exciting about that is a lot of process efficiency for buyers, but also for a seller. Think about this. It's almost like the budgets are already largely being committed, and they have a close date. It almost drops to the bottom of the pipeline. That’s pretty nice. It might not be the biggest deal, but I’ll take it.

Supply chain

We’re also releasing our first version of the supply chain, focusing primarily on retail use-case scenarios, working very hard with SAP to have end-to-end connectivity, and we are very excited about that.

Last, but not least, services on the network as well, extending a whole new type of collaborative services for estimate-based services, are going live.

So we have more innovation. It's supporting both buyers and suppliers, and going globally, in terms of Russia and China, and we’ll be adding Brazil and Mexico invoicing as well. So there are a lot of exciting things on the business network for customers, not only in the USA, but globally.

Gardner: Well, great. I’m afraid we will have to leave it there. We’ve been talking about the news here at Ariba LIVE and also what to expect from both Ariba and SAP in the coming months.

And we have learned the latest in the way Ariba and SAP are working together helps innovative companies thrive in the networked economy as they look to be more data-driven, exploit mobile tier processes, and of course keep their data and business safe.

So a big thanks to our guest, Chris Haydon, Vice President of Solutions Management for Procurement, Finance, and Network at Ariba, an SAP company. Thanks, sir.

Haydon: Thank you.

Gardner: And thanks to our audience for joining this special podcast coming to you from the 2014 Ariba LIVE Conference in Las Vegas.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Ariba-sponsored BriefingsDirect discussions. Thanks again for listening, and come back next time.


Transcript of a BriefingsDirect podcast on what to expect in the near future from Ariba and from the Ariba/SAP synergy. Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.
