The EXA Consulting Group, represented by its President, Alex McPhail, hosted and moderated its second annual cybersecurity conference on May 12, 2021. This year, the event focused on Agile Procurement and Cyber Space and included expert speakers from government, industry, and the NGO sectors to discuss this challenge.
Mr. McPhail’s opening remarks set the stage for the urgent need for Agile Procurement. Traditional procurements determine requirements before the procurement and development processes. They are output-based, meaning the client measures success based on what the contractor delivers. Traditional procurement risks delivering cyber solutions that become obsolete years before they go into service.
Agile Procurement is an iterative process that incrementally specifies and designs the solution in each cycle. It is outcomes-based, meaning the client measures success based on what he can do with what the contractor delivered. Agile Procurement addresses obsolescence at each cycle, ensuring the client receives a relevant and usable capability.
He concluded his opening remarks by asking what the cost of doing nothing is in an era where cyber threat obsolescence is measured in days, not years. "How long," he challenged, "can governments sustain traditional procurement in the Era of Cyber?"
"Agile Procurement is not new," asserted Syed Hasan, Acting Director of the Innovation and Agile Procurement Directorate at Public Services and Procurement Canada. From a government perspective, Agile Procurement consists of four factors:
· an iterative approach for deliverables,
· a focus on outcomes,
· cross-functional teams, and
· collaboration with suppliers.
While Agile is successful, it may not be suitable for every product or procurement case.
Mr. Hasan dispelled several myths about Agile Procurement:
Myth: Agile Procurement is fast.
Fact: Agile is more responsive to changes during the process, but it may not be faster overall.
Myth: You do not need to plan.
Fact: Agile requires careful, detailed planning, both in advance and during the process.
Myth: Agile eliminates risks.
Fact: Agile breaks bigger risks into smaller risks that you can address more easily.
Myth: Agile prevents failure.
Fact: Agile lets you fail faster on a smaller scale and then learn, adapt, and move forward.
Historically, Agile Procurement existed but without its current name. In the United States military, many programs and weapons were developed in such a manner, outside of the conventional, traditional system, as Eric Lofgren, Senior Fellow at George Mason University Center for Government Contracting, explained. The threats we face are continuously increasing, and there is a need to change the existing processes. "The good news is that we have already done it before. We have to reprioritize what we really want," John Scott, President of Ion Channel and Fellow in New America's Cybersecurity Initiative, reassured.
For Shared Services Canada (SSC), the goal is to achieve outcomes through a collaborative and secure ecosystem. Chris Wharram, Director of Infrastructure Security Planning and Capability Development at SSC, went further by adding that it helps "to incentivize meaningful feedback from industry, to encourage competition." He asserted that it also gives the ability to focus more on technical superiority rather than just focusing on the budget itself. The general goal, added Gary Cooper, Cyber Security Procurement at SSC, was to create a cybersecurity vehicle. The idea behind it was to "create a secure supplier ecosystem," as Mr. Cooper worded it. With the use of a gate-type mechanism, they now have a pool of 89 trustworthy vendors. "Cyber threat actors are real," he stressed. Therefore, it is essential to focus on collaboration. There is still room for improvement.
Bob Gordon, Executive Director of the Canadian Cyber Threat Exchange, offered a different but equally relevant perspective. "If you are connected, you are vulnerable." Cyber attackers are rapidly evolving and opportunistic. These threat actors span a range that includes state espionage and criminals stealing intellectual property, committing fraud, and holding networks for ransom. For Mr. Gordon, the way to overcome these threats is through collaboration and the institutionalization of sharing information about cyber threats across sectors and various groups of people.
Marc Duchesne, Vice President of Bell Canada, offered a different but critically relevant perspective: you are only as secure as your weakest link. Deep investment and trust in supplier relationships lie at the heart of Agile Procurement. You need trusted suppliers with the knowledge, speed, and accuracy to take the appropriate measures swiftly to protect the community of enterprises, Mr. Duchesne explained.
Jen O’Donoughue, RCMP Chief Financial Officer, explained that, while Agile Procurement works, outcomes are harder to define than you might think. The process starts with careful and complex trade-off analyses before stakeholders can agree upon a set of outcomes. She further explained that solid risk management is pivotal to Agile Procurement success, both at the outset and at every stage. Finally, relationships with suppliers are a key success factor.
In his closing remarks, Mr. McPhail observed how different each person’s perspective was and how valuable and critical they were to synthesizing a coherent understanding of Agile Procurement in the era of cyber. Successful Agile Procurement requires a collaborative approach among many stakeholders across a wide range of disciplines and responsibilities.