Welcome back to our two-part interview with Sonatype’s VP of Security, Mike Griffin. In the previous installment, we began discussing how companies are made up of what they build, borrow, and buy, and how Sonatype helps with what they build (software) and borrow (source code).
Today’s installment continues the conversation and focuses on what companies buy (procurement) to make sure that what they’ve built and borrowed runs properly, and how Sonatype helps make sure that this process is secure.
What are the benefits of mature procurement beyond reducing risk?
Mature procurement does more than just provide better levels of safety; it can also lead to improved sales enablement. When you know what to expect from your vendors, you develop a better understanding of the questions your customers are going to ask. This means that you’ll be able to provide better and faster answers.
One of the biggest problems is that organizations have a tendency to delay implementing anything but basic procurement systems and practices. You’ll find this is especially true when they’re small; they choose to focus on other things because they don’t have the headcount to properly monitor and manage procurement security as they should.
However, your organization is a link in the supply chain that your customers are purchasing from; they obviously want to know the health and hygiene of the companies they do business with. But part of providing that information about your own company is knowing the same things about the services and vendors that you’re bringing to the customer’s table.
To put it simply: the correlation between sales and procurement is more relevant than you might immediately think; they’re really different lenses of the same function.
What can organizations do better procurement-wise?
As with our recommendations about what makes up software, the first step is to find out what makes up your company.
You should know:
- What vendors you’re using.
- What you are using in terms of products and services.
- What contracts are in place and whether or not they are standardized.
[Image: An example of low awareness of products and services in your environment (care of ProgrammerHumor).]
Keep in mind that your organization is made up of more than your own people, processes, and technology. You are also, to some extent, made up of your vendors and their own ingredients.
For example, Sonatype employs Amazon Web Services (AWS) and the technologies they use. It doesn't make up every single product, but they are one of those key ingredients. So we have to know what AWS is composed of and we need to be able to answer those questions if our customers ask.
This isn’t top-of-mind for a lot of companies, but it’s incredibly important. Take the Log4j vulnerability, for example: companies had to quickly find answers to these two very important questions:
- Is it in our product?
- Are the services we rely on impacted?
Unsurprisingly, not many understood the vendors they were using. And if you don’t know your vendors, then you’re certainly not aware of what technology they’re using.
Sonatype tries to create easy solutions that empower organizations to take control of their procurement processes. When your organization knows exactly what’s in its product, you know where to go if something needs an adjustment, has expired, etc. And this isn’t something that can be pushed onto the back burner; these solutions need assigned care.
In the case of Log4j, many companies did not have the knowledge they needed, so they had to go about and perform a discovery. But discovery is only half the battle; after that, you have to figure out what was actually affected.
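As an added illustration of the discovery step described above, the following script is example code written for this page, not from the interview and not part of any Sonatype product. It answers the first of the two Log4j questions ("Is it in our product?") by walking a CycloneDX-style component list and reporting every component that matches a watched package and sits below its first fixed version. The sample SBOM is constructed, the version comparator is a deliberate simplification (not a full Maven comparator), and the watch-list entry assumes 2.15.0 as the first log4j-core release that addressed the December 2021 issue.

```python
"""Added example: SBOM discovery check for a watched library.

Walks a constructed CycloneDX-style component list and flags components whose
purl matches a watched package and whose version is below the first fixed
release. Sample data and the version parser are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample SBOM for one product (all values are made up for this example).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "log4j-api", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
        {"name": "jackson-databind", "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
        {"name": "log4j-core", "version": "2.0-beta9",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
    ],
}

# Watch list: purl without version -> first release that is no longer affected.
# Assumption for this example: 2.15.0 as the first fixed log4j-core release.
WATCH_LIST = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": "2.15.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Numeric parts are padded to three places so 2.0 == 2.0.0. A trailing
    pre-release tag (beta, rc, ...) sorts below the final release with the
    same numbers. This is a simplification, not a full Maven version comparator.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-(.*))?$", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    # Final marker: 0 = pre-release, 1 = final release
    return nums + ((0,) if m.group(2) else (1,))


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/namespace/name@version?qualifiers' into (prefix, version)."""
    base = purl.split("?", 1)[0]
    prefix, _, version = base.rpartition("@")
    return prefix, version


def find_affected(sbom: Dict, watch_list: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per component that matches the watch list and is below the fix."""
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl, nothing to match on
        prefix, version = split_purl(purl)
        fixed = watch_list.get(prefix)
        if fixed is None:
            continue  # not a watched package
        if parse_version(version) < parse_version(fixed):
            findings.append({"purl": purl, "version": version, "fixed_in": fixed})
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM, WATCH_LIST):
        print(f"AFFECTED {f['purl']} (fixed in {f['fixed_in']})")
```

This only covers the first question. The second one ("Are the services we rely on impacted?") needs the same kind of component list from each vendor, which is exactly the inventory the interview argues procurement should already hold.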
When performing a discovery, what are the major areas to look at?
There are four major pieces that you need to look at in order to assess the risk of your procurement processes:
- The tools that go into your products directly, including open source component software.
- The services and infrastructure that your products run on, like Azure and AWS.
- The tools you use to create your products, such as development platforms like IntelliJ or Eclipse.
- Any administrative or organizational business tools, like email or Zoom.
These are all entry points that put your organization at risk, and they are all connected to procurement.
Does a procurement process that’s more systematized, standardized, smarter, etc. result in a better company?
It’s more about quality-in and quality-out. When you source quality components and technologies, you’re going to get a better outcome. But while all of those things need to be tied to a procurement process, it’s not one-size-fits-all by any means. Larger companies are going to need very different procurement systems than medium or small companies.
How does someone know if they have a good procurement system in place?
Ideally, procurement is not long and laborious; it’s clear, transparent, and automated as much as possible. The ultimate goal of good procurement is to create a healthy organization. A mature process allows you to manage risks both known and unknown, and to suss out unknown risks in a very efficient and scalable manner.
With good procurement, you know what you’re consuming and what goes into your product. The next Log4j will come along (it’s not an “if”), and if you know what makes up your company the reaction can be immediate. You can look at the code and throw it out if needed, or you can repeat it if that’s what needs to be done, but the important thing is that you get those answers ASAP. Any organization is going to be better off with eyes on all the risks.
And returning to what we talked about earlier around sales enablement, you’ll also be able to answer important questions from your customers during a very stressful time. Your ability to quickly react to questions about environmental things outside of your immediate control–such as cloud services–will improve when they’re well-managed. Knowing these things also allows you to shorten lead times for sales processes, and of course, it shortens your vendor procurement processes.
How does someone who has realized how important this is to their organization get started?
You might not be able to evaluate everything, but a good place to start is with what you’re paying for–just a basic evaluation. If they’re core to your company and being paid for, there should always be some consideration. This sounds incredibly obvious, but it’s not being done by many.