Steve Green, Business Development Manager at Genetec, investigates hidden risks in the supply chain and how to avoid them.

Technology is advancing at an exponential rate. Now, advances in AI and analytics mean devices will likely expand their functionality and capabilities well beyond the date of their original procurement. 

That means that for any IT-related investment, it’s not enough to focus solely on traditional factors such as the legality, functionality, suitability, and cost of the product itself at the point of purchase. It’s just as important to understand the viability, trustworthiness and any likely risks that could result from association with its manufacturer and suppliers for the entire predicted lifetime of that product.  

This is particularly relevant to the realms of video surveillance and the Internet of Things (IoT). Increasingly, governments are tightening regulations to prevent the ongoing use of devices associated with human rights abuses or that present an unacceptable level of cybersecurity threat.

Supply chain blind spots

According to the Cyber Security Breaches Survey 2024, commissioned by UK cyber resilience to align with the National Cyber Strategy, just 11% of businesses assess the risks posed by their immediate suppliers. In a predominantly digital age, that is deeply concerning. 

It suggests there is not enough emphasis on the origin of devices responsible for the breaches or manufacturers who made them. Without this, how can any organisation ever hope to demonstrate compliance with its own commitments to uphold the highest standards of cybersecurity and ethics in procurement? 

If they don’t appropriately audit and document these issues, how can organisations possibly identify the technical, financial and reputational risks of selecting one manufacturer over another?

Risk management in procurement

Risk can never be reduced to zero, so it must constantly be reassessed based on an organisation’s activities, sensitivities, and risk tolerance. These risks will manifest in several different forms, some of which the procurement function can actively control and others which it can only react to. With the appropriate forethought, however, organisations can identify many of the most likely risks in advance. They can therefore take steps to reduce, mitigate or transfer the risks before disruption strikes.

For example, when evaluating any IoT related ‘smart’ device or solution, cybersecurity must be a key consideration. Organisations could reduce risk by stipulating that they will only consider working alongside suppliers who have achieved relevant accreditations and who submit themselves to regular third-party penetration testing. 

They could then look to mitigate this further by doing their own due diligence of the cybersecurity track record for each tender response. Finally, they may choose to transfer some of the remaining risks by revisiting the organisation’s cyber insurance coverage. 

Building bridges between IT & procurement 

As outlined above, a growing threat is that of scheduled upgrades increasingly leading to the adoption of ‘smart’ IP connected devices, requested and managed by departments other than IT. These devices no doubt provide valuable new functionality. However, they also come with additional responsibility for their on-going management that organisations need to consider.  

Responsible procurement professionals have a duty to ensure they bring in the right individuals from across the business to ensure their appropriate evaluation. This is where the proactive involvement of the IT department becomes so vital. It brings much needed familiarity and expertise with the process of ensuring a product is viable. With the involvement of the IT team, it’s much easier to determine if a product can be securely and cost-effectively adopted over a multi-year period. It therefore puts procurement professionals in the best position to take an informed view of which of the presented options are in the best long-term financial interests of the business. 

‘Digital asbestos’ & CCTV blind spots

Technology used for video surveillance and physical security is many organisations’ biggest blind spot. This is because these cameras typically make up the largest software system deployed within a business not managed by IT. Internally, many organisations still think of security cameras as the “closed-circuit” analogue devices that were in circulation 20 years ago.

Consequently, as a society we have witnessed, and continue to see, the widespread adoption of insecure cameras and other IoT devices. These devices are manufactured by state-owned companies with strategic interest in exfiltrating data, intelligence or intellectual property from rival governments, private businesses, and individuals. This is especially true when the country and the companies in question have a widely demonstrated and well-documented set of cyber risks associated with them. 

In the UK, the Central Government has banned devices manufactured by Chinese state-controlled companies on national security grounds. And yet, organisations across the public and private sectors continue to deploy these devices at scale. That isn’t sustainable or wise.  

Of course, we shouldn’t blame procurement professionals for the purchasing decisions taken before these risks became widely known. It’s the same as asbestos several decades ago. Today, however, the risks are known and documented. Procurement professionals have a duty to stop adding to the problem and take steps to mitigate the risks. As with asbestos, the first step, once the dangers were clear, was to no longer add to the problem. The second was to put plans in place to deal with what had been put in place by an earlier generation.

Final thoughts

No procurement leader wants to be the person who ignored the warning signs and forced the organisation into “buying cheap, buying twice”. Or even worse, exposed the organisation to damage from which it was unable to recover. Price is of course an important factor, but the true goal should be to achieve value. 

The Procurement function has never been more important in terms of building the culture, people and processes needed to ensure buying decisions are taken that are in the best long-term interests of the business. For procurement professionals, and those sat around the boardroom table, it all comes down to understanding the risks, accepting responsibility and having the determination to invest
