Monday, November 13, 2023

How accounts payable automation and agility drive long-term business productivity

The next BriefingsDirect business modernization discussion focuses on how optimizing and automating accounts payable (AP) functions gives businesses improved insights and levers to better transform.

We’ll examine how improved control and management over cash flow, payables, and related fiduciary functions elevate overall financial situational awareness.

Via adoption of intelligent automation, such new awareness -- and the greater efficiency it produces -- will further support the expected consolidation and convergence of financial operations within the typical office of the Chief Financial Officer (CFO).

  Listen to the podcastFind it on iTunes. Read a full transcript or download a copy.

Here to show how and share his insights as a business operations efficiency veteran and expert is our guest, Jason Kurtz, Chief Executive Officer (CEO) at Basware. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.


Here are some excerpts:


Gardner: Jason, let’s put some context around our discussion. What are some of the major trends shaping the need for better accounts payable automation, and why is there an imperative to add intelligence and automation to overall back-office business operations?

 

Kurtz: The imperative is we’re dealing in truly unchartered waters here for a lot of CFOs. If you think about what’s going on in our world, if you think about the macro-environment, we have potential recessions in some areas of the world. We have higher inflation rates, higher interest rates, and all that affects us in our businesses in various ways. If you think about supply chains, for example, we still -- believe it or not -- haven’t fully recovered from supply-chain disruptions from the pandemic.

 

Kurtz

These trends impact CFOs, and what’s going on in our world. We still have people working in hybrid or remote environments. We still have companies that can’t fill the jobs they have open, including in AP. Then we also have countries such as France, Germany, Poland, and Spain that are adding regulatory requirements for how you should send and receive an invoice.  Countries like Mexico and Brazil are changing their regulations on a regular basis.


Never before have we seen so many things impacting CFOs at the same time. You think about people like me, I’m in my mid-50s, I’ve never worked in an environment where there’s a recession plus high interest rates, plus inflation. You throw that in, and we’ve never seen this before. For many of us in these roles, it’s a unique time in history -- and in our careers -- that we’re dealing with so many challenges at once.

 

Gardner: Because there’s so much that’s unprecedented happening at once, it’s hard to look at the historic record and say, “Okay, I know what’s going to happen next.” There’s very little clear visibility as to what we’re going to be dealing with in terms of our top-line and needed constraints on spending over the next six to 12 months.

 

Kurtz: That’s 100 percent right. We are living with uncertainty right now. Few companies have great data and information to help them navigate such uncertainty. But one of the key documents, key pieces of information and data, is the invoice. If you can get that right, and gather great data from your invoices, man, that makes your job as a CFO a lot easier.

 

Gardner: To get that look at the full record and all of the data, that usually means more intelligence and automation around vital business processes. So, on the micro-level, what are the challenges facing businesses to gain more tactical and strategic control over their finance operations?

 

Kurtz: There are some really interesting challenges that you wouldn’t believe are still challenges. For a lot of businesses, we want to improve profitability in uncertain times. We want to unlock working capital. What’s one of the biggest barriers to that? Over 90 percent of companies say they can’t pay an invoice on time because they don’t have it approved in time.

You need automation and tools that can embed your policies and procedures into your workflow and your processes. You can't do that in a manual world. This is the reality for a lot of the companies we deal with.

Because they have bad data, because they haven’t enabled their suppliers, and because they’re often dealing with scanning and optical character recognition (OCR) documents of poor quality --  and it takes time to manage difficult exceptions – those are all critical hurdles. So, it’s important to solve these to unlock lots of hidden value.

 

Another challenge we talked about; companies don’t have a full staff in AP -- sometimes people are working remotely. How do you make sure those new people are trained, are more efficient, and effective? How do you know they’re following the policies and procedures for your company? How do you quality check the work they’re doing via remote work?

 

Because you want to do more with newer and fewer employees, you need automation and tools that can embed your policies and procedures into your workflow and your processes. You can’t do that in a manual world. So those are just a couple of examples, but this is the reality for a lot of the companies we deal with. From an AP perspective, they need improvements because these really are barriers to their success right now.

 

Gardner: Jason, both you and I have been in this business long enough to have seen wave upon wave of new technologies and approaches. And that was great, to use the best-of-breed solutions as they came online. But it has left many organizations with a scattered and disruptive mix of apps and silos that come from different eras.

 

Invoice intervention imperative

 

Kurtz: Yes, without question. We joke a lot about an earlier era of scanning paper docs using OCR, right? That’s just one example of what you’re talking about. For a lot of companies, scanning and OCR checked the box on adopting electronic invoicing. “We’ve done it.” But you and I know that that’s not really the case, right? You don’t get any good data out of that.

 

You have to have manual intervention. It slows your processes down. It’s like using a pay phone, right? Or a fax machine. And no one uses those anymore. But there are still lots of people who have that as their e-invoicing solution, which is crazy.

Keep up with global compliance requirements using this interactive map.

And, to your point, lots of companies have layered different technologies onto their environment over time. Maybe it was a procurement solution, or a sourcing solution, or their enterprise resource planning (ERP) suites, and they’re trying to figure out, at least in AP, “How do I make all of that work? My invoices come and originate in different places.”

 

They ask, “How do I put something on top of that that is modern, usable, and purpose-built for me in that kind of an environment that’s very fragmented and has lots of different offerings and capabilities?” They need something that sits on top of that to make it all more efficient and effective for the AP department. So, again, you hit the nail on the head. There’s a lot of complexity in the companies that we work with.

 

Gardner: Part of the good news, as you alluded to earlier, is that the modern invoice has a beneficial role to play. When you go fully digital, you can layer into that resource lots of metadata, you can bring added processes to bear, and you can use that asset as a powerful tool to usher in benefits across other applications, data, and processes. When you do this right, and you unlock the superpowers with your invoice workflows, how does that set off cascading benefits?

 

Invoice data insights reap rewards

 

Kurtz: One that we haven’t talked about yet, when you get that invoicing data right and you have good data from across your suppliers, that gives you aggregate insights into what you bought from whom, how much you paid, and what the commerce trends are. That gives you the basis for accurate spend analytics.

 

In the current uncertain macro-economic environment, we’re trying to save money and use that money to fund growth where we can find it, or put it away in the bank for profitability, then spend analytics is a great place to start to optimize, right? But you have to have that invoice data first to fully understand what it is you bought from whom, the pricing, and all the added details. So that’s one.

Two, the other part of the invoice data goodness, comes from unlocking working capital. Many companies now discount payment terms so the buyer receives a two percent discount on the net invoice amount if they pay within 10 days. Otherwise, the full invoice amount is due within 30 days. But, if they can’t pay something in 10 days, they can’t get the benefit.

But imagine if we could unlock literally billions of dollars in potential early-payment discounts or working-capital benefits that we could then use to invest in our growth or direct to areas where our acute business needs are. But, again, you must have a working invoice with good data, well-structured and in a timely manner, to be able to handle that management of working capital optimization. Yet, lots of companies still can’t do that.

 

I think those are a couple of examples where the modern invoice can unlock a lot of economic benefits for companies in these uncertain times.

 

Gardner: It has only gotten more important to best manage cash flow now that we’re up to five percent or more on overnight interest rates. The imperative to get fast and detailed cash flow data, and bring that organizational efficiency and agility to bear in real time, is higher than at any time in at least the last 15 years, right?

 

Kurtz: That’s 100 percent correct, and so intelligence is more valuable for us as an organization, and for our large customers. That’s because, in many cases, they have billions of dollars in spend, so that they can unlock millions – even hundreds of millions -- in working-capital dollars due to those higher interest rates.

Such intelligence is also important for our customers' suppliers because their cost of capital is going up, too. When supply chains are still disrupted, who gets what when and at what terms? 

But that intelligence is also important for their suppliers because their cost of capital is going up as well. In this world, where we still have some limited supply chains, suppliers can’t always deliver 100 percent of what they did three years ago. They may still be at only 85 or 90 percent.

 

Who then gets what when and at what terms? Who gets that 85 or 90 percent instead of the requested 100 percent? I would hypothesize -- and our customers are telling us this -- those good payers, the people who pay on time for timely delivery, become the customers of choice. If there’s a limited supply, they may get more of their fair share. There are a lot of benefits for doing this well, being able to pay when you and your suppliers want to pay for the right reasons.

 

Gardner: You’re teeing up some of the changes needed in CFO-required skills. Whereas due diligence, operational integrity, and process efficiency may have been top of mind when it came to bringing new people into the office of CFO, now you’re talking about more analytical, entrepreneurial, and innovative skills. We need a different kind of person in these strategic thinking and data analysis roles, right?

 

CFO role encompasses more analytics 

 

Kurtz: Yes, absolutely. In almost every role in the finance department now, comfort with data and analytics is becoming more critical. Those are the skills that help with automation and gaining insight into how you best manage your resources and capital. Those two skill sets -- comfort with technology and proficiency with data and analytics -- are probably two of the most important.

The other thing we’re seeing is the office of the CFO is broadening its responsibilities, too. They’re taking on more operational responsibilities and further impacting their organizations. So, that means being consultative and being good influencers and educators. Those are all part of the skill sets that a good finance organization has to have right now.

 

Gardner: There is no closing the door to the back office and then only coming out once a quarter with an audit or report anymore, right?

 

Kurtz: That’s right, you can’t do that. You just can’t do that.

 

Gardner: Let’s put some meat around some of these solutions in practical terms. How are these AP automation solutions paying off in brass tacks?

 

Productivity, processing, profits -- all up

 

Kurtz: We’re seeing incredible benefits. When we see automation in the AP function, you go from a company on average processing maybe 5,000 to 7,000 invoices per full-time annual employee equivalent (FTE) to companies processing, 30,000 to even 50,000 invoices a year per FTE. So, that’s a massive productivity benefit. You see the level of electronic invoices from your suppliers going from, on-average for most companies at 34 percent to some of Basware’s best-in-class customers attaining 99 to nearly 100 percent.

OCR is no longer the answer to processing PDF invoices, but AI-powered solutions are.

So, again, that plays into the benefits of accessing great structured data around an invoice. If, for example, you examine invoice processing time, most companies average around 11 days for AP functions. But Basware’s best-in-class AP customers are looking at hours or minutes, certainly less than a day, for processing. And that’s part of what you need to do to unlock the working-capital benefits. And you see companies with 20 to 30 percent of their invoices being touchless -- meaning you never physically have to manually have an intervention into an invoice from receipt through payment – are up from formerly around 21 percent. But again, Basware best-in-class customers are gaining with more than 90 percent being touchless.

 

These are the kind of metrics and value that AP automation solutions, and in particular Basware, customers are able to achieve.

 

Gardner: Can you apply these tactical metrics to also measure improvement in overall business productivity and financial returns?

 

Kurtz: Sure. Take a look at a customer of ours like Heineken. They implemented Basware’s AP automation solution. It streamlined invoice processing, reduced manual efforts, and improved data accuracy and efficiency. All of that resulted in greater than 40 percent reduction in their cost to process invoices within their function as a whole. So more than 40 percent reduction in overall AP team and organization costs by implementing an AP automation solution.

We can be really impactful. The same kind of thing happened at Toyota Industrial, another customer of ours, where they saw similar benefits from streamlining the invoice processing, reducing manual work, and getting suppliers to send invoices electronically. They attained better data, but also significantly reduced cycle times and earned invoice processing time savings. And that lead to better spend visibility and access for a well more than 50 percent reduction in the cost of processing within accounts payable as a whole.

Those are some of the benefits. I think the order of magnitudes are really incredible and transformational. We’re talking about literally millions of savings in hard dollar savings and then tens of millions of dollars in potentially in working-capital benefits as well.

 

Gardner: You can’t define productivity much better than that, right?

 

Kurtz: I like to think so.

 

Gardner: Okay, we have those direct, hard number AP improvement benefits. But as we alluded to earlier, there are some burgeoning types of benefits that come from having the data analytics and capability to innovate on larger strategies for buying, spending, and paying. Let’s talk a little bit about some of the ancillary benefits that come when you automate, when you go truly digital, and when you explore innovations around how the business itself operates.

 

Tech-savvy, budget-aware people thrive

 

Kurtz: Yes, there are a bunch of benefits. Let’s not underestimate the people benefits, right? So many of us are working in hybrid working patterns and remote working environments. I think one of the real benefits is to be able to onboard our people faster and have better productivity from them that much faster than you can in a non-automated world. So that’s one.

 

Two, you can attract a higher level of quality of candidate, particularly -- not to stereotype -- younger generations who are attracted to the technology that we need to incorporate into finance functions over time. They’re attracted to great technology and purpose-built technology. So, that’s another interesting example of ancillary human capital benefits of modernizing AP operations.

So many of us are working in hybrid working patterns and remote work. A real benefit now is to be able to onboard people faster and gain better productivity from them much faster by being in an automated environment.

Another one is clearly the savings visibility, right? And we have customers who are using that spend data that you get from invoices that we talked about to identify tens of millions of dollars in savings from having better data associated with invoices.

 

Toyota, again, is a good example. If you think about the overall finance function, one of the things they use our AP solution for and can gain from improved invoices data is the capability to rapidly monitor budgets. By improving their budget awareness, and having better conversations sooner in their fiscal quarters, they get a head start on performance metrics to know where they stand relative to budgets -- and being able to then act swiftly. They tell us that’s one of the really big benefits.

 

Again, that fits in with the overall CFO theme of being more consultative, being more of a business partner. That comes in large part from being able to see data, gain insights, track trends – all much earlier in the process. You simply can’t do that if it takes you 11 days to process an invoice, or you retain only 50 percent of the data, or you get garbage for data because it’s scanned, and then you have to go back and manually figure out what it is.

 

All of those are some of the ancillary yet impactful benefits that we’re seeing.

 

Gardner: Given the ongoing tight labor market, it sounds like the role of the finance people can now better help innovate for other parts of the organization, such as human resources. Better tracking payments and processes can help exploit a gig economy of contractors or use different forms of labor while tracking the costs in full.

 

So, is there an elevation that we should expect to see in terms of the status and impact that the finance office can have across the business?

 

CFO: From counter to consultant

 

Kurtz: Without question that’s the case. Here at Basware, our CFO is becoming more of a consultant, business partner, and adviser to other functions within the organization. That is a very common trend and theme we’re seeing as CFOs have broad influence and more operational span of control. They are changing from being the counter to being the financial consultant.

 

These new types of CFOs are bringing the insights from all of that data that we’ve talked about and helping the whole business operate better and deliver on expectations of profitability, growth, or whatever it is that that function is focused on.

Move from manual ways of working to the most automation AP processes possible.

And then, if we want to be really provocative about where this leads, you might have AP organizations that become profit centers. Because of the cost-reduction elements that they can take out, the working-capital benefits that they can unlock, and the ability to attract more supply -- all of those things help with investment, innovation, and growth. We might someday be looking at finance functions that are profit centers instead of cost centers.

 

Gardner: Interesting! Well, that’s a good segue to the last part of our discussion, which is what can we expect next? What’s in the future when we exercise true and pervasive AP automation? When will we be able to further avail ourselves of tools like machine learning (ML), artificial intelligence (AI), and instill an analytics culture within our businesses? What does your crystal ball show you coming for the modern accounts payable impact when we do it right?

 

Kurtz: We’re going to see a world in the not-too-distant future where in 95 percent-plus of the time, an AP person won’t ever have to touch an invoice. We will have better data from an invoice. Using AI, we will gain the capability to match and handle nearly all exceptions. We already have this today, but it’s going to keep getting better and better.

Soon more than 95 percent of the time an AP person won't ever have to touch an invoice. And we will have better data from that invoice. Using AI, we'll handle nearly all exceptions ASAP.

And you’re going to see these AP teams become much less, “How do I manage this exception? How do I go track down who the buyer was; what happened?” and all of that, to more of, “Hey, now I can think about what’s the best way to deploy my working capital. How do I take this data that we’re getting and spot impactful trends in it?”

 

As we become more touchless and automated, it’s going to free up value-added time to enable CFOs to be the business optimization partners, to spot trends, to understand better what’s happening in the business, and to bring ideas, solutions, and creativity to the rest of the organization. That will, in turn, fund the innovation that we want, fund the growth that need, and not just be a cost of doing business that we’ve been in the past.

 

Gardner: Yes, no better way to get a sign-off on something then when you can tell them it’s going to pay for itself, right?

 

Kurtz: That’s right. That’s exactly right.

 

Gardner: Jason, where can people go to learn more about these trends and solutions? Where do you look for good analysis and information about these trends, markets, and solutions?

 

Kurtz: At Basware, we do our best to be educational and share what we see happening in the industry as well as track industry trends and benchmarks. You can go to Basware.com to see that or follow us on LinkedIn. We post a lot of content on our LinkedIn page.

I like to read a lot of the industry analyst content that comes out. I think there is some really good stuff. I know recently I’ve done some good reading on benchmarks from Ardent Partners. They’d done some really interesting studies. Forrester has interesting studies that I’ve been reading about as late. So, those are two great examples.

 

Basware is also a founder and innovator around EESPA, one of the leading associations of invoice and AP automation providers across Europe. We’re constantly working together to bring forth ideas and innovation on how to bring more automation to the industry.

See how your organization stacks up on the top AP metrics comparisons.

And then frankly, Dana, most folks joke about me being a Chief LinkedIn Officer, and I’m a LinkedIn addict. I think there’s all kinds of great data that I find around LinkedIn and I’m constantly looking on there and finding interesting articles and information. So, just a few thoughts on where we can find some interesting insights.

Listen to the podcastFind it on iTunes. Read a full transcript or download a copy. Sponsor: Basware.


You may also be interested in:

Thursday, September 28, 2023

How dashboard analytics bolster security and risk management insights across IT supply chains

The next  BriefingsDirect security enhancement discussion examines how innovative managers are increasingly benefiting from interactive dashboard analytics. The resulting actionable knowledge elevates security situation awareness to the higher order value of overall business risk assessment and mitigation.

Learn how Bruce Auto Group has gained such deep insights -- not only into how its distributed apps, systems, and data are secured, but also into the hidden risks that can develop across entire IT and data services supply chains.


Listen to the podcast. Find it on iTunes. Read a full transcript or Download a copy. 

 

Here to share his story on how to elevate IT security to a mission-critical value of comprehensive risk mitigation and overall business resiliency is Paul Jobson, Director of Marketing and IT Strategy at Bruce Auto Group in Wolfville, Nova Scotia, Canada. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.


Here are some excerpts:


Jobson: Like many auto dealerships, Bruce Auto Group started off as a family-owned business. I bring that up because when it’s a dealership of one store, IT security tends to be an afterthought. But if we roll back the tapes to 15 years ago, we were lucky to have had someone related to the family who took an interest in the IT and secured us before it was in vogue. It was probably overkill at that time.

 

Jobson
Like most automotive retailers, everyone has been going through consolidation. We began from humble roots in 1927. Until the last decade or so, we were one or two stores. Now, we’ve expanded to 10 dealerships, spread across close to 200 miles, with head office consolidation, and, of course, a lot of remote workers. So, the IT security part has really gained prominence in the past couple of years.

 

Gardner: Like most expanding organizations, it’s not only what goes on inside your business, you need to also keep track of the many tendrils that extend out to your service providers. That includes online interactions, as well as emails and communications. We’re all now part of a complex, rich ecosystem, and risks sometimes pop up between the cracks among these organizations.

 

Security as diverse as each buyer

 

Jobson: Yes, and car dealerships are unique in the sense that although our businesses may appear similar, each of the original equipment manufacturers (OEMs) – such as HyundaiFordGM -- they all have their own niches. They all have their own way of doing business. Of course, our integrations with them are critical to the way we do business.

 

As a result, we don’t get to scale as easily as some other businesses do. It’s as if with each IT solution, we start with customization and then find a way to make it more standardized across  the group.

 

Gardner: And, of course, the car business is really the transportation services business. So, the way you communicate and gather financial data from your customers, not just your suppliers, is essential. Therefore, you need to be especially secure and resilient. No one in the ecosystem wants to think that communicating with their automotive transportation provider is a risk.

 

Jobson: That’s right. What we’ve learned is that security is synonymous with privacy. When people apply for a car loan, they’re providing us critical information. There’s an ongoing relationship because we continue to service these people. We want to do everything we can to protect their information.

There's a lot of hard work to do in the IT world, but by focusing on making us secure, we actually help to make the client secure as well.

There’s a lot of hard work to do in the IT world, but one of the nice synergies is that by focusing on making us secure, we actually help to make the client secure as well. So, we really appreciate the importance of that part.

 

Gardner: You are the digital man in the middle, right? You’re in between all of those suppliers for parts, for OEM cars, and for financial services. You have a panoply of financial organizations – from credit to insurance to government agencies -- and that all leads back to the customer and their data.

 

By being in the digital middle, you’ve had to move beyond mere IT security and into risk management.

 

Jobson: Well, that’s right. Keep in mind, too, that a lot of times your biggest risk is people. You have a new employee, and it takes time to onboard and orient them. You must build systems that consider where people are, and not put them at risk. We’re the first line of defense to make sure we’re protecting both our security and the private information of our customers.

 

Gardner: That requires both education and awareness, which brings us back to the need for visibility -- not just inside your own systems, but as far and wide as possible. How have you developed such extended enterprise risk management (ERM)?

 

Risk management at root of protection

 

Jobson: That’s a great question, and it’s been really interesting. My background is in digital marketing and enterprise software. Security has always been an aspect of that, so I’m comfortable working with cloud applications and setting up service integrations. It’s second nature. So, it became logical as we expanded that this would fall under my domain.

 

The challenge was, coming from a marketing background, we have a lot of people to help us with security, but it’s more about putting together an operational plan. How do you put the day-to-day activities all together? That was a challenge. We needed a way to communicate that to the executive team.

 

To adopt such a risk management strategy, we worked with Bitdefender because we really liked their people. On a quarterly basis, we’d get together, and they’d give us a rundown of what they had been seeing in the field and across our businesses.

 

That’s how we came across their dashboard with the executive summary. The second I saw that, I knew I had my tool to manage our day-to-day progress on securing the enterprise.

 

It’s funny, when you come from the outside, your first perception is it’s the people and the passwords that are going to be the highest risks. And when you know your risks, you can manage them. For us, the first ground zero for IT security was making sure we understood these risks.

 

So, we put in endpoint security across the organization. We run about 300 desktops. Installing that on every single one of them was a logistical feat. But everyone understood why, and we did it. Once we did, we started to get all these signals back to our Bitdefender GravityZone executive summary dashboard.

 

For the very first time we got a score. I wish I could say differently, but when we first got our score, the risk was high. It indicated a high level of risk, and that made all of us very uncomfortable. We immediately began to determine what our risks were. We found some real surprises.

 

Our top category was misconfigurations, and those misconfigurations could be anything from a printer that has not been updated to a traditional user of computer services. The first reflex is to think about your laptops and desktops. You don’t always think about the printers, but it’s a computer in the same sense as your desktop endpoint is.

 

Once we began to understand the true risks, we looked at security very differently. We realized that every connected device was potentially a risk that we needed to pay attention to. We liked the Bitdefender dashboard because it told us where we were on a score of 100, and it broke that down into three categories: misconfigurations, app vulnerabilities, and human risk.

 

We were quickly able to target the high-risk areas in each one of those categories. We put weekly plans into place for the IT team to say, “Okay, this week we need to address this.” And it was much more fun and so there was more engagement from the IT team because we were proactively setting the agenda.

Once we began to understand the true risks, we looked at security very differently. We  realized that every connected device was potentially a risk that we needed to pay attention to.

It wasn’t just the typical, general red flag alert: There’s something wrong with a computer. It moved us from firefighting to fire prevention. And I have to tell you, we got hooked. That’s the way my team wants to work. They can collaborate together. They’re excited to come back and say, “We worked on 40 endpoints and got the risk from high to medium.” That’s instant reward and you get gratitude for protecting the whole organization.

 

There wasn’t a measurable way to go back to the team and say, “You did well,” until we had this dashboard. We all saw the risk score coming down in real-time, in front of our eyes, and it just transformed the way that we work as a team.

 

Gardner: It gives you a whole new sense of knowledge about your situation, and to what degree you can be in control over your destiny. But also having those scores gives you some ammunition you can take to other people in terms of, “Here’s what we’re accomplishing. Here’s why we can get cyber insurance if we want to. Here’s how we can increase the knowledge across our workforce about how to be better prepared or to modify behaviors.”

 

It certainly sounds like you’ve crossed the Rubicon, if you will, of not being a deer the headlights, unaware of what’s coming next, and instead being in charge of your destiny and having the tools to further reduce risk.

 

Deal with risk consciously, confidently

 

Jobson: That’s right. There’s a matrix where you’re unconsciously unaware, and then you get conscious on risks. I’d say we’re now consciously competent. Although some days we roll back, we’re more and more in the consciously competent part. The IT team is more comfortable approaching big tasks because, again, we can be proactive. We’re ahead of the curve. We’re not waiting until there is a situation. We’re dealing with it before it’s a problem.

 

For example, in just six months we have effectively accomplished an agenda that had hovered around for three to four years. I attribute that to having a score. Anyone out there who’s wondering what the first step is: First, I would say, is read the Cybersecurity Framework by NIST. It’s an overwhelming document at first, but it’s an unbelievable document because it gives you context. Once you’ve read through it, and then you match it up with a scorecard – such as we’re getting right now with the Bitdfender executive summary -- you’re able to put a game plan in place for everything you need to do.

 

Gardner: Let’s drill into the executive dashboard. While you’re getting a top-level view, because  there are agents and technologies to bring you all the information you need, you are able to drill in and find out more information. But it doesn’t flood you like a fire hose with too much information.

 

How confident are you that you’re attaining a comprehensive view when you drill into the level of detail that’s possible?

 

Jobson: The dashboard and the sensors -- you could think of your whole network as sensors – are giving us information much faster than we could realize from our own logs and audits. For example, we have a Voice over Internet Protocol (VoIP) system that a threat recently emerged in rather quickly. It was developing literally by the hour, and the dashboard was the first one to bring it to our attention.

 

Incidentally, twice a day, I look at the IT news and it was only in the second half of the day that this threat started to emerge in the news. But our GravityZone program served that up to us first thing in the morning. We were already ahead of the threat. That allowed me to reach out to the suppliers earlier. I wasn’t waiting in line saying, “Okay, what’s the best way?” We still needed to function as a business. Right away we were able to mitigate the situation quickly. And to our knowledge, we mitigated a rather large risk with very little disruption to our staff -- and more importantly, no privacy breaches.

 

Gardner: With that sense of accomplishment, you’re able to reduce the overall stress on your IT and security staff. That’s important these days because it’s hard to find and hold onto qualified people. If you can give them an environment where they feel like they’re making a difference, they have the tools to attack these problems early -- and do it so they’re not in a fire drill -- that must make for a good labor environment.

 

Move beyond reacting to assessing

 

Jobson: Yes, that’s a really good way to say it, Dana. When you’re reacting, you’re just reacting. You haven’t had time to read through the different mitigations, the plans A and B. Now, most of the time, we don’t have to react with intensity. We still need to act, but we have different mitigations in place. The team can talk about what’s the best approach. We can do a store by store and kind of learn from each store as we apply the process. We can do a quick follow-up with the team and say, “Okay, great. What problems did you encounter? Were there any dependencies that were affected?” So, it’s the way to go if you want to come out of this and be able to go home and sleep well at night.

 

Gardner: Right. And it’s interesting, too, Paul, because you are not trained as an IT person, but you’ve been able to get into this at a higher risk assessment and mitigation level. By having the right technology, you have crossed a barrier from when only a techie could do this to now, when somebody who can use the tools well is managing rather than struggling.

 

Jobson: One of the interesting side-effects of having a dashboard like this is you can focus on the people element. At the end of the day, for me, I wish IT stood for innovation and team, because we’re using the tools to help people be more productive. We’re assisting the team with solutions that work for them and allow them to function better and better.

The second we see the dashboard alert and look at the affected devices ... we tighten our policies. People are more understanding because we share the insights that we get from the security system.

What’s nice about having a tool like this is that you’re actually able to share the information with the users. Sometimes we’ve had to reach out to users and say, “You know what? Sorry to interrupt you, but our system has flagged you. You have an app or configuration that’s been flagged as high-risk. We need to deal with it immediately.”

 

By just seeing the words “high-risk,” our users deescalate. They do not wonder, “Okay, do you need me to do this? Do you really need to touch my computer right now while I’m at work?”

 

They may be with a customer, but the second we see the dashboard alert and look at the affected devices, we say, “Hey, sorry, but you’re one of them.” As we tighten our policies, people are more understanding because we share the insights that we get from the security system.

 

We can say, “Listen, it’s not that we want to block you on this photo app, or it’s not that we don’t want you to be able to put your favorite picture on the desktop background. But there is a greater agenda that we have, and these are some of the ways we’ve been told to mitigate it,” whether it’s from signals from our security system or from looking to the NIST Cybersecurity Framework.

 

Gardner: We would be remiss in talking about your security posture if we didn’t bring up email. It is still one of the leading threat vectors -- after all these years. Tell us how you deal with email security. I’m sure you have it coming in all different directions. Is there a way in which you’re managing your email issues and leveraging this dashboard at the same time?

 

Successful email security systems

 

Jobson: Yes, email security is the single most important vector of any security program because it’s where the rubber meets the road for most users. That’s where we get the most outside influences.

 

We have a three-tiered approach to how we do things. First, we make sure to protect all the endpoints. Second, we secure the network using an XDR solution. But last, and we did it last because it’s the most involved, we have an email security process in place. And when I say it’s the most involved, it’s because if you are truly trying to achieve email security, you are going to put in rules and guidelines that are going to be restrictive.

 

So, on a typical day, we probably quarantine about 800 emails that get reviewed quickly by the IT team. They are assessed for their risk and then forwarded on. But what’s nice is we’re able to quickly see patterns. We’re also able to call people and say, “What are you sending? You’re sending an encrypted, password-protected thing. We have no idea what’s in there. Is there a way we can make a change, or is there another way we can get the information, like can we get it off a web link?”

 

We find a way to reduce the risk. And when we’re sharing with our suppliers, some are rigid. They can’t make the changes, but we have had some that said there is another way to deliver the service.

 

Combined, that all reduces the risk from email. But something else amazed us initially. When I said we were quarantining about 800 a day, we get about 2,000 that are genuine spam. They’re not all evil, if you will. Some of them are just people promoting themselves. But when you have 300 users a day using their computers, there will be risks in the spam. By putting in this frontline of defense, we have not had any significant scares, and I attribute it to our processes.

 

The email security feature I like the most: Every single link in an email, when it is clicked, goes through a secure scanner first. So, we don’t have to count on a person who’s a day or two in who doesn’t know if they’re receiving a legitimate link from one of the manufacturers or not. The system has their back on that. We’ll scan it for them.

 

And we do get some angry calls every now and then from someone saying, “I was trying to do this. I’m blocked.” But it changes very quickly when we go back to them and say, “Hey, you know what? Are you aware that was a malicious site? Did you know that site was trying to take your credentials and our system blocked you and protected you?”

 

The business team is just so much more supportive of additional initiatives once they’ve gone through that process. You don’t know what you need until the need comes up. So, once they’ve gone through that process, we just find they’re so much more willing to help secure the business.

 

Gardner: And again, with email -- like some of your other services you mentioned earlier -- it’s the knowledge about what’s going on that brings you to that higher-order discussion about how to be risk-averse rather than how to be unproductive. And so, that’s the key, I think, is you’re able to get people’s buy-in rather than have it just seem like they’re being naughty.

 

Jobson: That’s right. But I will say to anybody implementing it, there is a transition period. The first day you turn it on, be prepared. One of the things we’re learning is communication is critical. We do a style of management that’s all about cascading messages to employees and we found that, you know what? I think the perception of the IT team sometimes is, “Oh, does anybody notice what we do?” The answer is yes. On a grand scale, they notice what we do.

Communication is critical. We do a style of management that's all about cascading messages to employees. They notice what we do.

When we make small changes, users are affected, and they communicate back to us. So, good messaging helped us get through it. We had a tuning process that we did and we were grateful to our user’s patience while we did it. But today, everybody’s confident that we’re much more secure because of these measures that we put in place and it’s worth the inconvenience or sometimes having to wait an extra hour for a flagged email to pass through the gates.

 

Gardner: The alternative might be that your business is down for three or four days -- and talk about aggravation.

 

Jobson: That’s right, and the reality is we just can’t monitor the volume. You need to leverage a system to monitor that for you.

 

Gardner: IT and security people are dealing with so many different tools. There’s a new tool coming out every week for some other new aspect of security issues. What’s your philosophy about how to handle that sprawl, to get the most out of the tools but without being overwhelmed by them? Is the dashboard part of that ability to get the right balance?

 

Plan ahead to prevent tool sprawl

 

Jobson: That’s a great question. You need a plan on how you’re going to implement these things. For us, in looking at the dashboard, we love the information that we get back. It scans a lot of the network, but there were some limitations on endpoint security.

 

That led us to the next path, which the NIST Cybersecurity Framework also hinted at, and that’s the internet of things (IoT). And for us that meant raising our awareness about how much priority and privilege each device should get. We started to think about segmented network security, which is what you can do with XDR. So, we’d have networks for IoT, networks for our guests, networks for our main enterprise business, network for staff devices, and we’re able to reduce the risk by going into these specific lanes for each category.

 

When you get a signal back from the dashboard, the solution isn’t always an IT thing. Sometimes the solution could be sending a memo saying, “Please don’t install any unapproved apps unless you reach out to the IT department first.” Or it might be going further, as we’ve done, and put some clamps down on what can or cannot be installed on people’s PCs.

 

So, we have used education, restructuring the network, calling the manufacturers, and further isolating some devices. We have some suppliers that have devices that they never update. It’s not our property. No problem, we’ll put that on a network outside of our regular network to keep us safe. So, each one is a problem to solve. How you solve it is really up to you.

 

Gardner: Right. But the key is that you have that knowledge and insight that the risk is there.

 

Jobson: Absolutely.

 

Gardner: Before we close out, Paul, let’s look to the future. How do you expect to leverage automation more? You said you can’t do this all manually, and even using intelligence to gain a larger view of risk. Do you look to the dashboard to help you attain more automation and intelligence?

 

Embrace expertise to manage threats

 

Jobson: The dashboard is one of the tools we’re using, along with Bitdefender GravityZone. There is a series of tools we use to manage things. One thing we really like is like the Bitdefender Threats Xplorer. A lot of people’s notion of security is just an antivirus scanner on the PCs. Scarily, for a lot of businesses, that is their level of understanding. But the threats are becoming more sophisticated. You can either ignore that or you can work with partners that have more experience.

 

As we look to the future, XDR has been an area where we’re paying more attention. It gives us greater insights on the devices that aren’t PCs and it watches our whole network. But it’s also giving us in real time a description of the threats as they’re happening.

 

For example, we recently had an incident. It was from a remote software that we use to support people. The supplier made a change in their software, and the change had a piece of software that was associated with malignant code. That malicious software was attacking businesses, and we were in a meeting at the time, the whole IT team, and our system started to shut down users.

 

By the fourth or fifth person being shut down, someone knocked on the glass and pulled us out of the meeting, and said, “You know, there’s four or five PCs shut down.” We were nervous that this was a virus. In fact, what it was our system operating in real time. When it saw a threat, it turned that PC off and isolated it. When it did that, the software, the remote software would go to the next node and try to scan the network. And, so, it would be shut off, too.

 

In a very short amount of time, it shut off the five offending PCs. If that had been a real risk … What’s so great is my team cannot be on alert all of the time. We are relying on the automation and technology to take care of things and let us to do the analysis after-the-fact. If you’re not leveraging these tools that can do that for you, you might be creating a lot of risk for yourself.

 

Gardner: Any recommendations to those listening?

 

Jobson: In IT, you have so many choices. I mean, you just have to run any popular program, PC optimization program, and it’ll tell you 1,700 fixes you can do to fix your PC. You scale that over a large organization, and you can literally have hundreds of thousands of choices.

 

For us here at Bruce, the tech team, it was critical that we had something that prioritized it from a risk point of view -- from mildly inconvenient to threatening your business. Once we had that prioritization, and the whole team understood what it meant, that’s when we started to gain enormous traction on long-standing issues with how we were managing our PCs.

 

In order to have a game plan, you need to know what the objectives are. Our Bitdefender scorecard helps us identify the highest priority objectives.

 

Listen to the podcast. Find it on iTunes. Read a full transcript or Download a copy. Sponsor: Bitdefender.

 

You may also be interested in: