
Thursday, January 14, 2021

How Capgemini Optimizes Contingent Workforce Agility Using SAP Fieldglass


Transcript of a
discussion on the growing importance of contingent workforces for businesses around the world to satisfy their skills and information technology needs.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: SAP.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Our next digital business innovation discussion explores the growing importance of contingent workforces. As more businesses look to external workforces and services to satisfy their skills and information technology (IT) needs, the ability to manage those workers and services is lagging.

Even as upward of 42 percent of workforce spend is now going to external workforces, many organizations lack visibility into the nature of that spend. As a result, they can’t manage the productivity, nor the risk.

Stay with us now as we hear from a contingent workforce expert at Capgemini on managing the processes that best procure and support talent and skills agility.


To learn more about making the most of a diversified portfolio of workers, please join me in welcoming Andreas Hettwer, Vice President and Group Procurement Category Director at Capgemini in Berlin. Welcome, Andreas.

Andreas Hettwer: Hello, Dana.

Gardner: Andreas, what’s driving the need for external workforce management -- and specifically the role of contingent workforce workers -- there at Capgemini?

Hettwer: We are a big company with roughly 250,000 employees worldwide. At Capgemini, as a consulting digital transformation company, we innovate and address the entire breadth of client opportunities in the evolving world of cloud, digital, and platforms.

And that means we have a huge variety of roles, skills, and capabilities that we need to deliver to fulfill all of these kinds of projects. There are constraints in both capacity and in the niche capabilities needed. Our contingent workforce is part of our strategic component of making sure that we deliver great projects to our clients. This is why we need a contingent workforce program globally.

Gardner: And is the use of IT skills and workers a leader in this field? Is there something about IT specifically that lends itself to a contingent workforce?

IT contingency makes progress

Hettwer: Yes. First of all, from the skills perspective, we are an IT consulting company and therefore this is our major skill set that we purchase from the market. But, again, the variety is huge and therefore we need to make sure that we address all of the different sources to make sure that we have the right capabilities and capacity ready.

Gardner: And how long has this been going on? How long have you been working to perfect and improve the use of such a contingent workforce?

Hettwer: Quite a long time. We began in 2016. At first, we knew our spend of contingent workforce but we didn’t have a clue really about the numbers -- the headcount or the tenure of engagements.

We didn’t know what kind of external capabilities we had acquired from the market, including the roles and skills. We didn’t even know anything about the fulfillment rate or how long it took to source the right capabilities. We didn’t know if we had missed some opportunities to deliver the right projects to our clients.

On the other side, we were not able to understand what we had paid for the individual roles, skills, and levels per country, and whether this was a good price compared to the market. We didn’t know if that helped drive competitive bids toward our clients or not. Given this environment, we decided we needed to change. This is why we then began our global program.

Gardner: Of course, human resources (HR) organizations have had systems of record and processes to manage ongoing, full-time workforces. But when things are project-based and ad hoc, like you are describing, they are often funded from a variety of different budgets and from different elements within the organization.

Keeping track of that is very daunting. Why do you view this less as an HR task and more of a procurement task? How does that help to bring a unified view of all of these different worker spends?

Hettwer: You raise a good point. There is always the question of who owns the contingent workforce. Is it procurement, HR, or maybe the business unit itself? Or is it maybe another function in the company?

From our perspective, it was important that HR had a big focus on our own employees, with our employer brand, and to make sure that we attract the right talent from the market to deliver to our clients with our brand and across our portfolio.

Contingent workforce for us was a bit of a minor labor component. We are talking about 6 to 7 percent of the complete population of our delivery capacity globally. Therefore we mostly wanted to address cost and risk. Procurement took the lead and came back with the right problem statement, delivered a solution and created the right business case to get executive approval for the global program. That’s how it evolved. We began this program and now procurement owns it.

But again, it’s a good question. It could also be through a different function. But at Capgemini we evolved it and own it right now.

Gardner: Andreas, it strikes me that you are a better organization in terms of fulfilling your mission and supporting your customers when you can find labor best where it exists rather than where you wish it were. How flexible can you be with a contingent workforce? Is this literally an addressable market that extends all over the world? Has the COVID-19 pandemic opened people’s eyes to the potential for more remote and flexible workforces?

Hettwer: Yes, absolutely. First of all, the contingent workforce has increased in the market. If you look at different research -- and even from the Capgemini Research Institute -- you see that the number of contingent workforce participants has increased over the last few years, starting with North America but also in Europe, and even now in Asia-Pacific and in India.

We needed to address this accordingly with some kind of innovation. We therefore developed a global program to make sure that we gain the best contractors in the market and that we use them recurrently.

Looking to the COVID-19 pandemic, we have seen dramatic changes. Suddenly, more clients are open to remote work. Our own organization has been open to remote work. We at Capgemini were able in a few weeks to have more than 95 percent of our own population working remotely. That helped us to really change this work environment and to have more contractors working remotely. So this is something that we need to address further in the future.

Gardner: Yes, COVID-19 has been a motivator and an eye-opener as organizations go more digital, with the ability to use workers regardless of their location. That will become more prominent, I expect.

Andreas, when we use contingent workforces, what are the benefits? What has it done for you at Capgemini?

Remote work benefits

Hettwer: From our perspective, we have four major categories of benefits. The first one is business impact improvement. It’s about fulfillment, making sure that we have the right talent on board and that we can fulfill the needs of our clients. We can therefore make sure that the clients are happy and that our projects will be delivered on time with the right quality.

The second aspect is cost-optimization. It’s always a very challenging market, and we need to be very competitive. Whenever you need contractors, be it for niche or core capabilities to be embedded in our projects, we need to make sure we do it correctly, with the right pricing, so it’s a win-win situation. When we are competitive in using the right contingent workforce at the right price, then it’s also possible to deliver the best pricing for our client. So cost-optimization was a second big aspect here.


Third -- and not a negligible issue -- is risk mitigation. More and more labor laws are coming up right now. And there are many tax-related topics, too. So whenever we can gain more visibility, we can better control our contingent workforce. We can also be sure that risk associated with the use of that labor can be mitigated across markets.

And then the fourth benefit is process efficiency. Bringing in contractors, or services from our suppliers, needs to be seamless -- from getting the right capabilities in, to invoicing, approval, and all what’s necessary. And that must be very efficient, because in an organization like ours, which is global in roughly 50 countries worldwide, we need to have proper, seamless processes end-to-end. Otherwise it’s an administrative burden that you can’t afford.

Gardner: And how about the issue of speed and agility? Oftentimes when it’s a full-time position, it can take months, if not longer, to go through the process of defining the role, hiring, vetting, and onboarding. Is there something about contingent labor that increases the speed and agility when you are satisfying your customers on a project-basis?

Suppliers increase speed-to-hire

Hettwer: Yes, absolutely. And I think this is also the beauty of contractors. You really have the chance to reach out to the market to identify the right contractors on time. And this is also why contractors from time to time come in, because it’s much easier and quicker to get them in, up to the moment until we recruit maybe somebody permanently.

And, for sure, we do this through a preferred supplier base, and this is part of the service-level agreements (SLAs) that we negotiate with our preferred supplier base. This is the speed, quality, and the pricing aspect.

But we also invested last year in our Freelancer Gateway by Capgemini. That means we are addressing contractors directly. We have created the possibility for contractors to check the opportunities that we have on the contingent workforce side and to apply accordingly to be part of our extended workforce.

This is very beneficial because more contractors don’t want to go through an external third-party; they want to reach out to us directly. And for us it’s a benefit because we can create an external workforce. We want to build a recurring workforce so that we have a relationship with the contractor market and to make sure that the right people work for us regularly.

Gardner: Now, we mentioned that procurement is the force through which you are operating here, and you have been in procurement for many years. Tell us about your procurement background and why you think the procurement legacy and approach to managing processes and costs lends itself to a contingent workforce management.

Total workforce management

Hettwer: I joined Capgemini in 2004, quite a long time ago. Before I had been a consultant for different companies. And, to be honest, during the initial years it was an immature market. The contingent workforce had not really been addressed during this time. We really started from scratch.

Now, in 2020, things have changed completely. We have technologies. We have managed service providers. We have really mature organizations that can help. The technology has evolved dramatically.


For example, for our Freelancer Gateway, we use technology from partners like SAP Fieldglass. We use artificial intelligence (AI) and automation to make this attractive process as easy as possible. The technology can help so much right now; it helps dramatically.

And as HR is on one side focusing on the permanent labor, we are focusing on the contracting side, but we are merging our capabilities through our Capgemini brand. This is exactly where we want to go, and this leads us to total workforce management.

Gardner: How has the SAP portfolio, in particular Fieldglass, helped you get a more repeatable and understandable process and move toward total workforce management?

Hettwer: When we began in 2016, we needed the right technology to support this because we couldn’t do everything manually. We need to have the right solution. And during this time, for sure, we did proper request for proposals (RFPs) and checked the market. SAP Fieldglass convinced us because, first of all, the technology had the right functions about what we wanted. It’s really also an end-to-end solution.

Secondly, we wanted a solution that has a global footprint. If you just come, for example, from North America, you don’t understand how Europe works -- or vice versa. It’s quite difficult. So we said we needed a global footprint with references in the different key regions. This was also why SAP Fieldglass was chosen because of this global footprint and the experience that they had. This really helped us in deploying our global program.

Thirdly, SAP Fieldglass was a strong provider with the right development capabilities because we wanted to be able to evolve. We didn’t want to have just one solution. We knew the technology would evolve and our program would evolve as well. Therefore, we needed to have a partner who can go with this program with us over several years. It’s not just a 12-month exercise, this is really something that needs to evolve.

And lastly, we needed somebody who could help us integrate a cloud-based solution into our IT systems landscape. It’s difficult when you have some cloud solutions and some on-premises solutions, you need to connect them accordingly. And that has worked. These were the reasons we selected SAP Fieldglass and since then we have worked very tightly together, and it works great.

Gardner: It seems like Capgemini is in a great position to be a leader in this field and to innovate because of your emphasis on IT, your understanding of systems, the need for flexibility, and your global footprint. You are an early adopter, but also a bellwether of where things can go with contingent workforce management.

How you have further innovated your Freelancer Gateway and trusted contractor programs?

Replace face-to-face trust

Hettwer: Like many others, we began with the contingent workforce functionality of SAP Fieldglass. This was the main purpose first of all -- to get this done. 

Then we moved to the next topic, which was delivery-based services, but this is more specific to areas where you have bigger spend areas to control. So you have to create governance.

But then we came to the direct-sourcing piece with our Freelancer Gateway to make sure that we use AI and automation to attract contractors directly and make sure that we have the best recurring extended workforce.

As I said, the pandemic was also an accelerator for this, and the use of remote contracting. And this is quite difficult because, remember, when you try to get contractors in, you need to do some interviewing. At a certain moment, people who seem to be good contractors and consultants who want to work for us would come on-site and we would get to know each other and then relationships start.

But when you do these things remotely only, you never have a personal interaction with people, it’s just video conferences. At a certain moment people need to have access to systems. If you don’t know these people, other than from the interview and the video conferences, there is uncertainty about their capabilities and the security levels.

This is why we needed to do something different, rather than just identifying and validating the contractors and then letting them work remotely. It’s about bringing in a level of trust that we have the proper qualifications and proper experience with people before they can work remotely for us.

And this is exactly something that we are figuring out right now. We are not completely done yet, but this is something that’s on the agenda as part of the “New Normal.”

Gardner: Andreas, when you have that digital, remote relationship rather than a more tactile, human relationship, you have to go on metrics and key performance indicators (KPIs). You need data that’s verifiable and repeatable. And in doing so you develop a greater understanding of your workers, your contingent workers, and the work itself. 

Is there something about going to a data-driven, digital-type of engagement that will pay dividends when it comes to the greater understanding through data-driven and metrics-driven definitions of your process?

Hettwer: Yes. I think it’s a combination of both, right? On the one side you need to have the technology and the right data. But when we started thinking about the new right taxonomy -- to understand and identify certain roles and skills -- it’s very difficult. We created a rate card structure to make this happen, to begin to talk to each other and understand the roles and skills across North America or in China or maybe in India. But we know that there is a bandwidth of skills that can be categorized over there.

So, we needed to have certain technology to help us identify the capabilities of individuals, and on the other side, matching this with the job postings, with the needs that we have.

The technology helps us to make these kinds of matches, and all of this data will drive to even more AI to get proper and quicker matching so that the quality of this matching process will increase. And this is also why, for example, we are focusing on recurrently used contractors because it forms loyalty that will lead to a win-win situation between the external market and our clients. This is exactly where we want to go. 

Gardner: And I certainly understand that building those taxonomies and creating the way in which you would measure the quality of the relationship for both parties is an ongoing process. But so far, just using the contingent workforce management and SAP Fieldglass to this point, tell us a little bit about what you have gotten.

Are there metrics of success, or key indicators that you can point to that demonstrate a return on investment or a rationale for why this makes sense?

Measures of success

Hettwer: Yes. First of all, we needed to have the spend coverage of 85 percent in a reasonable time. It took us some time to get there, but we are right now at the 85 percent. We recently went live in India with fully integrated solutions, and now we are at this level there, too. 

For sure, there are different countries still where we do not have full coverage yet, but we do it with a light version of the solution so we at least have the chance to identify individual external workforces.

A second measure that is very important for us is the fulfillment rate. We are now at 80 percent of fulfillment rate on eligible demand. “Eligible” means there is always some kind of demand in the contractor environment that cannot be filled because it’s not needed anymore or it’s maybe that some things change and that means our own people can take care of this one.

So this is why we always say “eligible” demand is something that really needs to be fulfilled and here we are at 80 percent. And I think this is quite good, and we are further ahead of where we were some time ago. 

Another metric is the quality of job postings and aging, because if you have a job posting for contingent workforce that is in your system for 12 months, it just dilutes the KPIs and nobody is working on it anymore anyway.


We are right now at a level of below 30 days. That means whenever something is not filled within 30 days, it needs to be rechecked as to whether or not it is still needed, which means we always have proper demand so we can perform better toward our business goals.

Also quite important is time to fill positions; we have decreased this significantly. Currently we are on below 10 days from the job posting until the creation of the work order. So that means whenever there is really high demand for contracting site, we are able to fill this within 10 days. And, as you mentioned earlier, this is much quicker than recruiting people from the external market.

For sure, this will change with the “New Normal” because we have the possibility of a global remote workforce. There will be changes in what we need externally and what needs to be delivered from the internal side, and this is something that will evolve over the next weeks and months.

Gardner: And, of course, a very important measure of success these days is the perception of the customer -- the customer experience. Have you gotten any feedback as to how well your support of contingent labor works from your customers’ vantage point?

Hettwer: Yes, exactly. For sure, everything is client-driven for us. This is most important and there are some environments where you are not allowed to go with an external workforce. Others think more about the delivery-based environment and there we need to make sure that the right teams are available to deliver what we have promised.

There is always the question about if the contingent workforce needs to be engaged, and how can you ensure you select the right people, that you have the right suppliers in place, and that you are able to deliver what you are promising.

When we came up with our approach and showcased the suppliers -- the client base was very impressed. We even go out to our clients’ site, explain what we do, and how we do it. We even have clients thinking about how to adopt this contingent workforce management approach internally. So I think this is the best thing, if clients ask us to do similar things for themselves.

Gardner: Of course, those clients would let you know pretty quickly if things weren’t working out and so you have the ability to be reactive and agile as you adjust. It’s a feedback loop.

Before we end, Andreas, let’s look to the future. We mentioned the idea of establishing trust and understanding, the relationship and the qualitative and quantitative value of work, but it seems to me that what we are talking about as contingent workforce expands is really a redefinition of a corporation or a business. The barriers of that business become fuzzy, even permeable.

Do you see the nature of business changing as we look to less of a walled garden and more of an expanding universe of skills?

The future is not fuzzy

Hettwer: Yes, I would say so. As I said, we call it global resourcing or global capabilities, and this is exactly where it will lead. It’s not that everything can be done remotely, but it will increase, and this will give us opportunities -- not only Capgemini -- but also more from our contractor side. And this is exactly the right thing to address right now because only when we have the right people in place -- when we have the right contractors in place -- then we can do these kinds of things.

There will always be some deviation, right? As you see, more and more tax regulation will come, more and more labor laws will come in the different countries. And this needs to be addressed. There is a difference between external services and internal services, and this needs to be addressed.

I think it will not be as fuzzy as it looks initially so that you can’t differentiate anymore between an employee and a temporary contractor. It will always be a differentiation there from my perspective because of all these kind of tax, legal, and statutory requirements. But you can do things in a more homogeneous and more aligned way -- and this is exactly what it will lead to.

Gardner: What advice would you share with others who are interested in increasing the amount of contingent workforce utilization and management?

Hettwer: There is so much to learn that I could talk for hours. But the first thing that I have is whenever you want to start some kind of contingent workforce program, think about the pain points in your company.

Is it compliance risk? Is it a cost issue? Is it a fulfillment issue? What are the pain points that you have in your organization? Start from there, then create solutions, and then finally a business case. Because without a business case that is approved by the senior business you will never succeed. So that is my first recommendation.

The second one is getting clarity from the executive level about who owns such a program. This links very much to the questions that you had earlier; is it procurement, is it HR, is it somebody from the business? But there needs to be an owner, because otherwise you start a program and then you immediately start fighting about who owns it, right?

The third aspect is, if you want to go in such a global program, what about the governance? You need to have the right stakeholders in place. First of all, to get their buy in, and secondly, it’s about crowd intelligence. You are never the one who has the knowledge about everything. So if you get the right people on board from the different countries, from the different functions, then you will have all the intelligence that you need to create a program.

Then, you need to make sure that you have proper steering committees in place, because there will always be discussions and escalations, so make sure that you don’t get only the approval from the executive committee but also that you have regular decision points where these kinds of things will be discussed and decisions will be taken.

And last, but not least, prioritize. You will never be in the position to have a global program and make sure that in 12 months you have covered the globe; this will not happen. So, prioritize, make sure you start where you have the biggest pain points, you start there because initial success creates demand for deployment and will lead to its acceleration. So get success as quickly as possible in areas where really success is needed, talk about this one and that will help you really to accelerate.

Gardner: Well, very good, I’m afraid we will have to leave it there. You have been listening to a sponsored BriefingsDirect discussion on the growing importance of contingent workforces. And we have learned why managing those workers and services better enables businesses to further leverage external workforces and services to satisfy flexibly their growing skills and IT needs.


So a big thank you to our guest, Andreas Hettwer, Vice President and Group Procurement Category Director at Capgemini. Thank you so much, Andreas.

Hettwer: You are welcome. Thank you very much.

Gardner: And a big thank you as well to our audience for joining this BriefingsDirect digital business innovation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout this series of SAP-sponsored BriefingsDirect discussions.

Thanks again for listening. Please do come back next time, and feel free to share this information across your IT and business communities.

Transcript of a discussion on the growing importance of contingent workforces for businesses around the world to satisfy their skills and information technology needs. Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.

Friday, April 29, 2016

Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cyber Security Across Application Lifecycles

Transcript of a discussion on how new levels of collaboration and communication across disparate teams is needed to improve applications development speed and security.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on improving cyber security in applications across their entire lifecycles. Increasingly, security is being integrated into software design, even as the pressure builds to bring more apps to market faster.

Furthermore, such trends as the Internet of Things (IoT), hybrid cloud services, mobile-first, and DevOps are increasing the demands and complexity of the overall development process. Key factors in improving both development speed and security include new levels of collaboration and communication across formerly disparate teams -- from those who design, to coders, to testers, and on to continuous monitoring throughout operations.

We're here now with two experts from a Capgemini and Hewlett Packard Enterprise (HPE) Alliance to learn how to create the culture, process, and technologies needed to make and keep today's applications as secure as possible.

Please join me now in welcoming our guests, Gopal Padinjaruveetil, Global Cyber Security Strategist for Capgemini. Welcome, Gopal.
Gopal Padinjaruveetil: Thank you, Dana, for having me. Excited to be here.

Gardner: We're also here with Mark Painter, Security Evangelist at Hewlett Packard Enterprise. Welcome Mark.

Mark Painter: Thank you, Dana. It’s great to be here.

Gardner: Let’s start with you Gopal. What do you see as some of the top trends that are driving the need for improved security for applications? It seems like we're in the age of "continuous everything" across the entire spectrum of applications.

Padinjaruveetil: Let me talk about a few trends with some data and focus on why application security is going to become more and more important as we move forward.

There's a report saying that there will be 50 billion connected devices by 2020. There was also a Cisco report that said that 92 percent of the devices today, connected devices, are vulnerable. There was an HPE study that came out last year and said that 80 percent of the attacks are now happening at the application layer.

If you put together these three diverse data points coming from three different people, we see that there will be 37 billion devices in 2020 that are deemed to be vulnerable. That’s very interesting, 37 billion devices vulnerable in 2020. We need to change the way that we develop software.

Key trend

The other key trend that we're seeing is that agility is becoming a prime driver in application development, where the business would like to have functionality as early as possible. So the whole agile development methodology driving agility is becoming key, and that's posing some unique problems.

The other thing that we're seeing from a trend perspective is that apps and data are moving out of the enterprise landscape. So the concept of mobile-first, free the data, free the app, and the cloud movement are major trends that affect the application security and how applications are being developed and delivered.

The other trend is regulators. In many critical industries regulations are becoming very strict with cyber crime and advanced actors. We're seeing nation states, advanced actors, coming into the game and we're seeing advanced persistent threats becoming a reality. So that’s driving another dimension to the whole application security.

Last, but not least, is that we see a big shortage of cyber security talent in the market. Those are the trends that drive the need for a different look at application security from a lifecycle approach.

Gardner: Mark, anything to offer in terms of trends that you are seeing from HPE, perhaps getting more involved with security earlier in the process?

Painter: Gopal gave a very good and very thorough answer and he was dead-on. As he said, 80 percent of attacks are aimed at the application layer. So it actually makes sense to try to prevent those vulnerabilities.

We propose that people implement application security during the development cycle, precisely because that's where you get the most bang for your buck. You need to do things across the entire lifecycle, and that includes even production, but if you can shift to the left, and stop them as early as possible, then you save so much money in the long run in case you are attacked.

We do a study in conjunction with the Ponemon Institute every year, and since 2010, every year, it shows that attacks increase in frequency, they're harder to find, and they're also increasingly costlier to remediate. So it’s the right way to do it. You have to bake security in. You just can’t simply brush it on.

Gardner: And with the heightened importance of user experience and the need for moving business agility through more rapid iterations of software, is it intuitive to conclude that more rapid development makes it more challenging for security, or is there something about doing rapid iterations and doing security that somehow can go hand in hand, a continuous approach? Gopal, any thoughts?

Rapid development

Padinjaruveetil: There's a need for rapid applications, because we're seeing a lot of innovations coming, and we welcome that. But the challenge is, how do you do security in a rapid world?

There is no room for error. One of the things from a trend perspective is IoT. One of the things I tell my clients is that if you look at traditional IT, we're operating in a virtual world, purely a virtual world. But when you talk about things like operational technology (OT), we're talking about physical things, physical objects that we're using in everyday life, like a car, your temperature monitors, or your heartbeat monitors. These are physical things.

When the physical world and the virtual world come together with IoT, that could have a very big impact on the physical layer or the physical objects that we use. For example, the safety of individuals, of community, of regions, of even countries can now be put in danger, and I think that is the key thing. Yes, we need to develop applications rapidly, but we need to develop them in a very secure way.

Gardner: So the more physical things that are connected, the more opportunity there is to go through that connection and somehow do bad things, nefarious activities. So in a sense, the vulnerability increases with the connectivity.

Padinjaruveetil: Absolutely. And that’s the fear, unless we change ways of developing software. There has to be a mindset change in how we develop, deploy, and deliver software in the new world.

Gardner: I suppose another element to this isn't just that bad things can happen, but that the data can be accessed. If we have more data at the edge, if we move computing resources out to the edge where the data is, if we have data centers more frequently in remote locations, this all means that data privacy and data access is also key.

How much of the data security is part of the overall application security equation, Gopal?

Padinjaruveetil: One of the things I ask is to define an application, because we have different kinds of applications. You have web services and APIs. Even though those are headless, we would consider that those are applications, and applications without data have no meaning.

The application and the data are very closely tied to each other, and what's the value? There's no real advantage for a hacker just to have an application. They're coming after the data. The private data, sensitive data, or critical data about a client or a customer is what they're coming at.

You bring up a very good point that security and privacy are the key drivers when we are talking about applications. That is what people are trying to get at, whether it's intellectual property (IP) or whether it’s sensitive data, credit card data, or your health data. The application and the data are tied at the hip, and it’s important that we look at both as a single entity, rather than just looking at the application as a siloed concept.

Solving problems

Gardner: Let’s look a little bit at how we go about helping organizations approach these problems and solve them. What is it that HPE and Capgemini have done in teaming up to solve these problems? Maybe you could provide, Gopal, a brief history of how the app security alliance with these two organizations has come about?

Padinjaruveetil: Capgemini is a services company, and HPE has great security products that they bring to the market. So, very early on, we realized that there's a very good opportunity for us to partner, because we provide services and HPE provides great security products.

One of the key things, as we move into agility or into application development, is that many of the applications have millions of lines of code. These are huge applications, and it's difficult to do a manual assessment. So, automation in an agile world and in an application world becomes important. That's a key thing that HPE is enabling, automation of security through their security products and application space. We bring the services that sit on top of the products.

When I go and talk to my clients about the HPE and Capgemini partnership, I tell them that HPE is bringing a very tasty cake, and we're bringing a beautiful icing on top of the cake. Together, we have something really compelling for the user.

Gardner: Let’s go to Mark in describing that cake, I would imagine there are many layers. Maybe you could describe it for some of our listeners and readers who might not be that familiar with what those layers are. What are the major components of the transformation area around security that HPE is focused on?

Painter: At a high-level, what we're trying to do is expand the application security scope, and that basically includes three big buckets. Those are secure development, security testing, and then continuous monitoring and protection.

During the development phase, you need to build security in while the developers are coding, and for that specifically, we use a tool called DevInspect. It will actually show secure coding to a developer as he is typing his own code. That gets you much, much farther ahead of the game.

As far as security testing, there are two main forms. There is static, which is code analysis, not only for your own code, but open-source components and other things. In this day and age, you really are taking security into your own hands if you trust open-source components without testing them thoroughly. So, static gives you one perspective on application security.

Then there is also dynamic scanning, where you don’t have access to the code, and you actually attack the application just as the hacker would, so you get those dynamic results.

We have a platform that combines and correlates those results. So, you get to reduce false positives and you can trust the accuracy of your results to a much greater degree.

Sustained frequency

We also provide services, but the whole thing is that you have to do this with sustained frequency. Maybe 10 years ago, there was a stage-gate approach, in which you tested at the end of the development cycle and released it. Well, that’s simply not good enough; you have to do this on a repeatable basis.

Some people would probably consider that the developmental lifecycle ends once the product is out there in the wild, but if anything, my experience in the security industry has taught me that software plus time equals vulnerability. You can’t stop your security efforts just because something has been released. You need that continuous monitoring and protection.

This is a new thing in application security, at least if you call something that’s almost a few years old "new." With something called App Defender, you can actually put an agent on the application server and it will block attacks in real time, which is a really good thing, because it’s not always convenient to patch your software.

At HPE, we offer a combination of products that you can use yourself and we also offer hybrid solutions, because there's no such thing as one-size-fits-all in any environment.
We also offer expertise. Gopal was talking earlier about the lack of qualified candidates, and Forbes has predicted that, by 2019, a full quarter of cyber security jobs are going to be unfilled. Organizations need to be able to rely on technology, but they also need to be able to find experts and expertise when they need it. We do a lot at HPE; I will leave it at that.

Gardner: Gopal, how do these products, these layers in the cake, help with the shifting-left concept, where we move more concern about vulnerability and security deeper into the design, earlier into the coding and development process? Where do the products help with shifting left?

Padinjaruveetil: That’s a great question if you decompose or if you analyze application security as a cake. Security vulnerabilities in applications come from three specific areas. One is what I call design flaws, where the application itself is designed in a flawed manner that opens up vulnerabilities. So a bad design, in itself, causes security vulnerabilities.

The second thing is the coding flaws. Take an Apple iPhone or something like that. If you look at the design of an iPhone and the actual end product, there will be a very close match. A lot of problems we have in the software industry are because there is a high level of mismatch between the design and the actual product itself as coded.

Software is coded by the developers, and if the developers aren't adding good code, there's a high possibility that that vulnerability is introduced because of poor coding.

Configuration parameters

The third thing is that the application isn't running in a vacuum. It's running on app servers and database servers and it's going through multiple layers. There are a lot of configuration parameters, and if these configuration parameters are not set, then it leads to open vulnerabilities.

From a product perspective, HPE has great products that detect coding flaws. Mark talked about DevInspect. It's a great tool from a dynamic perspective, or hacking. There are great tools to look at all these three layers: from a design flaw, from a configuration flaw, and from a coding flaw.

As a security expert, I see that there is a great scope for tooling in the design flaw, because right now, we're talking about threat modeling and risk determination. To detect a design flaw requires a high level of human intelligence. I'm sure that in the future, there will be products that can detect design flaws, but when it comes to coding flaws, these tools can detect a coding flaw at 99 percent accuracy. So, we've seen a very good maturity in the application security areas with these products, with the different products that Mark mentioned.

Gardner: Another part of the process for development isn’t just coding, but pulling together components that have already been coded: services, SDKs, APIs, vast libraries, often in an open-source environment. Is there a way for the alliance between Capgemini and HPE to give some assurance as to what libraries or code have already been vetted, that may have already been put through the proper paces? How does the open-source environment provide a challenge, or maybe even a benefit, when done properly, to allow a reuse of code and this idea of componentized nature of development?

Padinjaruveetil: That’s a great point, because most of the modern applications are not valid applications. They talk with other applications. They get data from other applications, data through Web service interface, a REST API, and open source.

For example, if you want to do login, there are open-source login frameworks available. If there are things that are available, we'd like to use them, but just like custom code, open source is also vulnerable. There are vulnerabilities in open source.

Vulnerability can come from multiple things in an application. It can be caused by an API. It can be caused by an integration point, like a Web service or any other integration point. It can be caused by the device itself, when you're talking about mobile and all those things. Understanding that is a very critical aspect when we're talking about application security.

Gardner: Mark, anything to offer on this topic of open source and/or vetting code that’s available for developers to then use in their applications?

Painter: Well, it’s not an application, but it’s a good example. The Shellshock vulnerability was due to something wrong with the code of an open-source component, and that’s still impacting servers around the world. You can’t trust anybody else’s code.

There are so many different flavors of open-source components. Red Hat obviously is going to be a little better than your mom-and-pop development team, but it has to be an integrated part of your process for certain.

Cyber risk report

There is something Gopal was saying. We do a cyber risk report every year at HPE, and one of the things we do is test thousands and thousands of applications. In last year's results, the biggest application flaws we found were basically configuration flaws. You could get to different directories than you should be able to.

Application security is not easy. If application security were easy, then we still wouldn’t be having cross-site scripting vulnerabilities that have been around almost as long as the web itself. There are a lot of different components in place. It’s a complex problem.

Gardner: So it’s important to go to partners and tried and true processes to make sure you don’t fall down into some of these holes. Let’s move on to another area, which is also quite important and difficult and challenging. That is the cultural shift, behavioral changes that are forced when a shift left happens, when you're asking people in a traditional design environment to think about security, operations, configuration management, and business-service management.

Gopal, what are some of the challenges to promulgating cultural and behavioral changes that are needed in order to make a continuous application security culture possible?

Padinjaruveetil: That’s a key aspect, because most of the application development is happening in a distributed team, and things are being assembled. So there are different teams building different things, and you're putting together the final application product and deploying it.

Many companies have now started talking about security policies and security standards, whether it’s Java development standards or .NET development. So, there are very good industry standards coming out, but the challenge is that having a policy or standard alone is not sufficient.

What I tell my clients is that any compliance without enforcement is ineffective. The example that I give is that we have traffic laws in India. If you've been to India and you look at the traffic situation there, it’s chaotic. Here, you see radar detection and automated detection of speed and things like that. So enforcement is a key area even in software development. It’s not enough to just have standards; you need to have enforcement.

The second thing I talk about is that compliance without consequence will not bring the right behavior. For example, if you get caught by a cop and he says, "Don’t do this again; I'll let you go," you're not going to change your behavior. If there's a consequence, many times that makes people change behaviors.

We need to have some kind of a discipline and compliance brought into the application development space. One of the things that I did for a major client was what I call zero tolerance. If you develop an application and if we did find a vulnerability in the application, we won't allow you to deploy it. We have zero tolerance on putting up unsecured code when we use one of these great products that HPE has.

Once we find a critical or a high issue that's been reported, we won't let you deploy. Over a period of time, this caused a real behavioral change, because when you stop production, it has impact. It gets noticed at a very high level. People start questioning why this deployment didn't go.

Huge change

Slowly, over a period of time, because of this compliance and because of the enforcement with consequences, we saw a huge change in behavior in the entire team, right from project managers to business analysts making sure that they are getting the security non-functional requirements correct, the project managers making sure that the project teams are addressing it, the architects making sure the applications are designed correctly, and the testers making sure that the testing is correct. When it goes into an independent audit or something like that, the application comes out clean.

It’s not enough if you just have standards; you need to have some kind of enforcement with that.

Gardner: Mark, in order to have that sort of enforcement you need to have visibility and measurement. It seems to me that there's a lot more data gathering going on across this entire application lifecycle. And big data or analytics that we have in other areas are being brought into this fold.

Is there something about automation, orchestration, and data analytics that are part and parcel of the HPE products that could help on this behavioral shift by measuring, verifying, and then demonstrating where things are good or not so good?

Painter: One thing that HPE uses to build it in is secure coding, but also we talk about detect and response. We have an application product that integrates with our security and monitoring tool from ArcSight.

So you can actually get application information. Applications have been a typical blind spot for Security Information and Event Management (SIEM) tools, and you can actually get some of those results you are talking about from our SIEM technology, which is really cool.

Over the past 10 years in the security industry, we've changed from the idea of we're going to block every attack, to one that says the attackers are already inside your network. This is part of that detection. Maybe you didn’t find these. You can see active exploitation in other words, and then you can track it down and stop it that way.

Fifteen years ago, you had to convince people that they needed application security. You don't have to do that now. They know they need it, but they just might not exactly know what they need to do.

It’s all about making this an opportunity for them to get security right, instead of viewing it as some sort of conflict between the need for speed and agile development and the need to release balanced against the needs of the enterprise to actually be secure and protect themselves from potential data breaches and potential data loss and all the compliance issues and now legal challenges from individual actors and all the way down the line.

Gardner: Gopal, before we close out, let’s look to the future a little bit. What comes next? Do you expect to see more use of data, measurement, and analytics, a science of development, if you will, to help with security issues, perhaps feedback loops that extend from development into production and back? How important do you think this use of more data and analytics will be to the improved automation and overall security posture of these applications?

Continuous improvement

Padinjaruveetil: You need to have data and you need to have measurements to make improvements. We want continuous improvement, but you can’t manage unless you measure. So we need to determine what are the systemic issues in application development, what are the systemic issues that we see constantly coming?

For example, if you're seeing cross-site scripting as a consistent vulnerability that's coming across multiple development teams, we need to have some way to make sure that we're seeing patterns in the data and looking at how to reduce these major systemic errors or vulnerabilities in systems.

You will see more-and-more data collections, data measurements, and applying advanced methods to look at not just the vulnerability aspect of it, but also the behavioral aspect. That’s something that we're not doing, but I see a huge change coming where we're actually going to see the behavioral aspects being tracked with data in the application lifecycle model.

Gardner: Another thing to be mindful of is getting ready for IoT with many more devices, endpoints, sensors, biological sensors. All of this is going to be something coming in the next few years.

How about revisiting the skills issue before we sign off? What can organizations do about maintaining the right skill sets, attracting the right workers and professionals, but also looking for all the options within an ecosystem, like the alliance between HPE and Capgemini? How do you see the skills problem shaking out over the next several years, Gopal?

Padinjaruveetil: If you look at many of the compliance frameworks, like NIST or ISO 27001, there's a big emphasis on control being put in place for security awareness and education. We're seeing a big drive for security education within the whole organization.

Then, we're seeing tools like DevInspect. When a developer writes bad code, if you give the feedback instantly that right now you have written code that is bad, instead of waiting for three months or four months and doing a test, we're seeing how these tools are making changes.

So, we're seeing tools like DevInspect helping developers to actually make themselves better code writers.

Painter: Developers are not natural security experts. They need help.

Padinjaruveetil: Yeah, absolutely.

Additional resources

Gardner: That was my last question to you, Mark. Can you suggest places that people can go for resources or how can they start to prepare themselves better for a number of the issues that we have discussed today?

Painter: It’s almost on an individual basis. There are plenty of resources on the Internet. We provide training as well. Web application security is actually one of the best places for organizations to leverage Capgemini to do their web application security testing.

The job crunch is the number one concern that enterprises have right now as part of security in the enterprise. There's a lack of qualified applicants, which says a lot when that’s a bigger concern than a data breach. We do a State of the SOC survey every year, and that was the result from the last one, which was a little surprising.

But apart from outsourcing, you need to find those developers who have an interest in security in your organization, and you need to enable them to learn that and get better, because that’s who is going to be your security person in the future, and that’s a lot cheaper and a lot more cost-effective than going out and hiring an expert.

I know one thing, and it's a good thing. I tell my boss repeatedly that if you have good security people, you're going to have to pay them to keep them. That's just the state of the market as it is now. So you have to leverage that and you have to rely on automation, but even with automation, you're still going to need that expert.

We are not yet at the point where you can just click a button and get a report. You still need somebody to look at it, and if you have interesting results, then you need that person who can go and examine those. It’s the 80/20 rule. You need that person who can go to the last 20 percent. You're going to have automation, tools, and what have you to get to that first 80 percent, but you still need that 20 percent at the end.
Gardner: I'm afraid we'll have to leave it there. We've been discussing improving cyber security and applications across their entire lifecycles. We’ve learned how improving both development speed and security comes with new levels of collaboration and communication across disparate teams.

So please join me in thanking our guests, Gopal Padinjaruveetil, the Global Cyber Security Strategist for Capgemini, and Mark Painter, Security Evangelist at Hewlett Packard Enterprise.

And a big thank you as well to our audience for joining us for this Hewlett Packard Enterprise-sponsored application security transformation discussion.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of business transformation discussions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Transcript of a discussion on how new levels of collaboration and communication across disparate teams are needed to improve application development speed and security. Copyright Interarbor Solutions, LLC, 2005-2016. All rights reserved.
