Transcript of “Keeping up with the supply and demand chain”

Speakers: Dayne Turbitt (SVP & GM for Dell Technologies), William McLeod-Scott (Partner at Deloitte)

In this week’s webinar, we were joined by Dayne Turbitt, SVP & GM for Dell Technologies, and Deloitte Partner William McLeod-Scott from the Resilience practice, who talked us through how to manage supply chain and what they’ve been doing to support their own and their clients’ IT infrastructure during the COVID-19 pandemic.

Dayne, could you introduce what you’ve been seeing?

“The last two weeks have been unprecedented. If we think about the massive shift we’ve experienced with work from home changes. We have seen a big demand on supply chain and mobilising work forces to help our clients stay in business. As that shift starts to stabilise, we’re seeing movement to the education space, and considerations around how people can undertake online learning. From a business perspective, it’s been a challenge.”

And William, you work in Resilience. How are you seeing companies respond to the current crisis?

“I did a bit of a canvass around a number of core clients over the last few weeks and I think generally, people have responded pretty well. A lot of the work has focused on allowing companies to shift to remote working. Deloitte is used to working remotely, so for us this was relatively straightforward but there have still been challenges which reflect some of the challenges our clients have also faced. In terms of finding new ways to communicate, we’re using Zoom now and one of the really interesting aspects is that under normal circumstances, most organisations would take months to roll out new systems. We did it in a week. We’ve been able to shortcut and move fast to make changes and facilitate our business. Dayne will talk through challenges of sending hardware out, but this has also been a challenge for us. As new people join the business, how do we get machines out to them and train them in an effective way? The result of these challenges? People focused inwardly for some time, so some projects have slowed. I sense from talking to people that now we are stabilising, we can look to start reopening our important work.”

Dayne, how have you faced the challenges associated with supporting clients?

“We have over 160,000 staff and have been pioneering working from home for fifteen years. We have all the technology available and shifted close to 150,000 people to work from home over a weekend because they already had the devices needed. It did however present some challenges in terms of our back office environment. For example, we didn’t have enough RAM to support the VPN.

We used our level of preparedness to help our clients. I can deliver laptops with the correct level of security to a client in Nigeria for example. Some clients however piece together parts of the supply chain themselves and some need end-to-end delivery. What I’ve seen in the last three to six weeks is a massive demand for anything that will enable staff to work from home… tablets, laptops etc. We’ve done our best to meet that demand and I think we’ve done well thanks to our supply chain. However, the threat landscape has increased. Companies now have many more entry points for threat actors to enter so the new challenge is how you protect so many more end points. How do you protect your critical assets if an attacker does get in?”

Dayne, you touched on threat actors and the vulnerability change. What changes have you seen in these threat behaviours?

“I think they’re taking advantage of the situation. Using Secureworks, we take feeds from our client networks to observe behaviour changes. We have observed an increased volume of activity. More people are working from home and we see more phishing attacks taking place which take advantage of COVID-19 as a subject. One I saw was a false heat map of COVID-19 cases around the world, via an email with a link in. This is a hot topic, and the email was presented well. Two changes I’m seeing:

  1. An unprecedented amount of attacks
  2. An increase in using COVID-19 as an entry point.”

William, you touched on changes in resilience. Have you seen any key changes?

“We’ve seen one in particular, and it’s one we will need to consider collectively, which is the topic of work area recovery. In these circumstances, how does work area recovery work? The answer is, not well. The feedback I’ve had from my clients is that when they’ve tried to invoke their work area recovery plans, it hasn’t been possible as everyone has tried to invoke at the same time. It’s remarkable as the preparation has not worked as effectively as people thought.

With such a huge number of devices being shipped, and the increased use of desktop anywhere etc. the whole resilience picture needs to be reassessed, specifically whether you continue to spend budget on work area recovery or if it’s better to have equipment available to work from home effectively.”

We talked about the logistics of moving workforces to home, but how does this relate to data centres? Do you know how long a data centre could be frozen before the risk starts to increase?

“I can give you some anecdotes from a client in Scotland. What they have achieved in eight weeks would have ordinarily taken them eight months. What this is pointing to is a change to control processes and the change freezes, and how we make these more flexible. If I take Dell Technologies as an example; we had to get into the data centres to upgrade the RAM to support our VPN. It’s not something that we could delay so change control processes weren’t used. People are making pragmatic decisions on what needs doing and are trying to decide what’s critical. Is it addressing a threat? Is it addressing revenue generating activity? What’s critical…?

What I’ve seen to date is the mass mobilisation of end point devices. The question now is how do we maintain our data centres in this environment? Well, how up to date is your data centre? Sadly, most of us are out of date, leading to more challenges. Right now we need to work out what changes we need to make to keep the ship afloat, but moving forward, we need to ask how to allocate budget so in the event that this happens again, you can remotely manage your end points and data centre remotely.”

“From Deloitte’s perspective, we haven’t been implementing change control freezes. We are maintaining our data centres but in a different way. Sometimes remotely and in person. One of the interesting points is that we run a Cyber Incident Management service and very often those teams need to go into the data centre to support recovery. We are doing it right now. It’s been challenging to be able to do that as we’ve implemented new policies and plans to protect them. We have been able to overcome these challenges, thanks to thinking on our feet and enabling our people to do what they need to do to get the job done.”

We’ve talked about the present, but what permanent changes do you think will occur as we move into the recovery and thrive stages of the COVID-19 crisis?

“One of the things we’re thinking about is the old fashioned expression of ‘work from home’ (WFH). This is likely to change to ‘work from office’. There is going to be a significant proportion of our people who will work much more remotely, introducing many challenges relating to end point security and data security. How do we ensure people aren’t taking photos of our data in their homes? We need to consider these differently. There is going to be a permanent shift to an increased amount of home working, which makes perfect sense as we continue to see peaks of COVID-19 infections and commercially, look to lose office rental space.”

“We have been implementing work from home for a while and there has been a lot of resistance to the concept from both managers and people. I think that resistance will change completely now. We are much more comfortable on camera, we have more ability to be on camera etc. It will help to make us a more globalised organisation. At Dell Technologies, we have a mantra to hire the best, no matter where they are so I think this will drive an interesting approach to globalisation.

From a security perspective, we recently acquired Carbon Black. We acquired it to respond to the endpoint security challenge we were facing. We decided we want to embed security into our clients’ device. Carbon Black detects issues and enables us to provision remote security. It’s pointless having end point detection if you aren’t patching vulnerabilities. End-to-end solutions mean providing a secure device with secure applications to a client with a secure network.”

Dayne, there’s been a lot of reprioritisation. In the aftermath of COVID-19, are you expecting a backlog in demand of certain product lines as clients get back on track?

“We all watch the news about the flattening of the curve, and we also have our own curve. The biggest demand has been for our business laptop. Our biggest challenge was how to meet this demand. We put a logistics team in place to manage it. To meet the time frames (a need for 5000 laptops in a week for example), we mobilised as quickly as we could to achieve it. We were advantaged by having multiple manufacturing points around the world. Whilst manufacturing has reduced but financial services have boomed, we were able to work with our clients to identify what was en route and could be redirected to meet greater need for example, in the NHS.

Now we’re seeing the curve flattening, most companies are moving into longer term planning. I’m more concerned that companies have had to mobilise budget they didn’t plan to on prioritised projects, and therefore how these prioritisation changes will drive new demand requirements.”

How do you see supply chain changing in the future?

“It’s interesting, I think our supply chain responded very well. The biggest challenge we face is component supply. Whilst we run our Dell factories in a certain way, meaning we weren’t that impacted by COVID-19, we were impacted by component suppliers shutting down. We weren’t able to source hard drives, for example. I think looking into the future, the supply chain will need to be more considered. More health safety conscious operations will need to be prioritised to protect supply chains.” 

“It’s not immediately obvious, but the power of relationships is so critical in these types of situations. What we have seen with our incident response is that when you have good relationships with your supply chain vendors and IT providers and you’re able to reach the right people, the response is much faster. When we come out of this crisis, many companies, particularly the smaller ones, are going to struggle to understand where their problems are, which is going to be really critical to help them supplying you and keeping you safe.”

“There’s been a lot of debate over the last few years and I think as a tech supplier, we’ve been able to lean on diversification. One part of the business reduces as one part booms, making us a stable partner to work with. Also, as we’re such a large technology provider, many companies choose us. I’m sure our Executives have been on calls calling in favours for our clients too. It’s interesting to see how this changes the dynamics in partnership. We were able, in most cases, to resolve issues and it shows the strength of the relationship. Leaning on a stable and solid company like Dell and Deloitte becomes more critical than ever in times like this.”

William, we’ve seen the need to be pragmatic and adaptive to change, leading to adaptive governance. Is this likely to cause audit and compliance issues?

“Issues yes. But can they be resolved? Yes. I think the pragmatic steps that have been taken in Deloitte (rolling out Zoom in a week, for example) will continue and need to be reviewed. As things start to move into the new normal, we will start addressing these issues. As we shift into more of a ‘work from home’ environment, we do face different types of cyber challenges such as data protection. One of the things we think about is the home working environment. Are our people working in shared spaces with other companies at home? How does data security work in these situations? As we all start to review our different operations, there are going to be some compliance and controls challenges we will need to address and think about.”

What is your biggest cyber risk concern?

“Deloitte is a great example with your Zoom rollout. If we work with our clients’ security audit and compliance teams, it’s normally a long process as they’re very risk averse and not agile. This new environment will challenge those norms. I think we will adopt a new agile approach to security. i.e. we need to roll out quickly but let’s ensure we’re safe. It’s unrealistic to think you can stop threat actors getting in, but your biggest concern should be how protected you are. These things are quite easy to address and we need to prioritise them.”

“We’re seeing an increasingly large number of clients implementing in a backstop. Where do I go to recover my organisation in the case scenario? This is driven by Executives who are worried that whilst online working improved accessibility and allows us to run our business better, it opens us up to more ransomware attacks. Consider what it is you need to be able to recover. Many of our clients are looking at their critical infrastructure and applications to get them back up and running. But it’s not the same as disaster recovery. It’s how you take things offline to be able to rebuild. This needs to be prioritised, something that is currently happening with regulators.”

Considering an end-to-end framework, is there one for cyber security and how do you apply it during a crisis like this?

“Everyone will have a pandemic plan but I imagine many of these were made years ago and didn’t actually reflect what was required. Is there a playbook? Not really. There is a set of actions and ways we can address this, but applying your current processes and policies and then tweaking them to apply to a pandemic is the right answer. It’s interesting that some of the countries that have done really well during the COVID-19 crisis are those that have faced significant environmental disruption. Canada, for example, has a work from home culture as they may be snowed in. Your snow day plan works and can be tailored for any change.”

“There’s no one framework. No one was prepared for the scale of this pandemic. The Spanish flu was the last time we saw something of this scale, and that was before technology presided. You can however, use a series of playbooks. If you break down the problems and stitch together each individual playbook, the combination of end goals becomes one. At Dell, we had some fundamentals in place to mobilise working from home quickly and securely. We weren’t perfect but I don’t think the answer is overly complicated. Use the building blocks and flex around them to respond to different scenarios.”
