Spotlight: CISO Engage, Merck's Automation Initiative and Software TD
CIO.inc Editors Discuss Top Happenings in the World of Technology
Suparna Goswami (gsuparna) • August 14, 2023
Four editors at ISMG's CIO.inc review this month's most important technology conversations with leaders and their thoughts on some of the significant developments in the tech world in the latest episode of Spotlight.
The editors - Suparna Goswami, associate editor; Rahul Neel Mani, vice president - editorial; Shipra Malhotra, managing editor; and Brian Pereira, senior director - editorial, discussed:
- ISMG CISO Engage Offsite in Jaipur, India;
- How CIOs are managing software technical debt, TD;
- How automation and bots are helping Merck.
Spotlight is a monthly video series where editors highlight topics that matter to the CIO community. Catch up on our previous episode, where editors discuss how CIOs' priorities have changed amid the current economic crisis.
Transcript
Suparna Goswami: Hello and welcome everyone to Spotlight - a session where we talk everything in the world of technology. In today's episode I'm joined by Rahul Neel Mani, who is vice president of editorial; Brian Pereira, who is senior director of editorial; and Shipra Malhotra who is managing editor. Rahul, Brian and Shipra, always glad to have you all join me for Spotlight. Thank you so much.
Rahul Neel Mani: Glad to be back at the spotlight, Suparna.
Goswami: Yes, it's after a long time, I think I'm having this combination. So, Rahul, I will start with you. You're back from Jaipur, where ISMG hosted its first offsite CISO Engage. Fascinating posts on LinkedIn by CISO community. There were sessions where the keynote speakers spoke about protecting your crown jewels. And there was a session where different groups were engaged in applying the MITRE ATT&CK framework to ransomware attack. Lot of stuff I've read, I've heard but I'd want to learn from you and tell our audience more about it.
Neel Mani: Thanks, Suparna. Yes, indeed, it was an exhilarating experience. This was perhaps the first offsite event in ISMG's history of 17 years, I must say. And unique in many ways, right from crafting the agenda to breakout engagements to tabletop exercises, and several other differentiators that we tried to create and I will give a systematic update of the key features of this offsite. So first, the two-day offsite was attended by approximately 65 delegates. These delegates were drawn from across the country, across sectors, it was important to exceed the expectation and also differentiate from other competing platforms. Generally, the offsite events are considered like a captive audience. And that almost always is at the mercy of organizers. And their patience is tested several times during the event. However, we kind of outline the agenda to give the delegates a breather and help them be at ease. Secondly, the theme was quite new, which was Wartime CISO: From Battlefield to Boardroom, and therefore we had to align the speakers of that caliber. So we got Lt. Gen. Rajesh Pant, who's the former National Cybersecurity Coordinator of the Government of India, and also Lt. Gen. Deepender Singh Hooda, who is a very decorated army officer, who's the former General Officer Commanding-in-Chief of the Indian Army's Northern Command, both of them took the responsibility to deliver keynotes and also did a joint session, which included some kind of tabletop exercises with the CISOs. When the army men talk, the atmosphere becomes very euphoric, and the delegates are totally engrossed in those sessions. Third aspect was that we also did some brainstorming and tabletop exercises with the help of five to six senior CISOs. And exercise was on application of MITRE ATT&CK framework on the hypothetical ransomware attack situation. The entire delegation was divided into eight teams, and each of them then brainstormed among each other.
And in the end, a CISO was designated to present it to the jury within three minutes timeframe. It was a great effort, which brought together collaboration, communication, and creativity. Lastly, we did six breakout sessions, which were all going parallel to each other. Each of these six breakouts had a neutral moderator, which was a CISO of course, and about 10 delegates attending each one of them. These were intense conversations on a variety of contemporary and relevant cybersecurity topics. And these breakouts were, again repeated after a short break, so that the delegates could get a chance to sit through a minimum of two discussions. So I would say that, although the first experience, but this Engage Offsite was very intense, yet relaxed platform that we gave away to our CISO community members.
Goswami: Yes, I think intense and relaxed. That's the balance that we need to strike because the moment you say, you speak about Offsite, it is assumed that it is all fun, but we managed to have fun as well as good education and learning.
Brian Pereira: Rahul, I liked the fact that you kept it pretty involving this time, you got the audience to participate and do tabletop exercises. And I've been to a lot of conferences and I think this is something very unique and I hope we do more of this in our future conferences. So congratulations, you and your team.
Neel Mani: Of course and we got a very instant, positive feedback, not just positive, for the sake of it, but some CISOs came up to me and other colleagues, giving them very elaborate feedback on how they found it more useful than many other platforms that they have been on.
Malhotra: So while Rahul had the firsthand feedback from these CISOs, who were attending, I went through a lot of LinkedIn posts by CISOs, who were attending, and they appreciated the format. And the whole engagement that was created, the simulation of attack and how they're going to respond to it was something that was appreciated and a lot of appreciation posts on LinkedIn. So I think that's kudos to the team.
Goswami: Yes, and hopefully, we'll have more such offsites or more successions and events in future as well. So Brian, moving to you, you wrote a fantastic piece on how Merck boosted its efficiency with the help of RPA bots. So can you tell us how automation and bots are helping Merck Life Sciences with regulatory paper submissions, etc?
Pereira: Yeah, sure, Suparna. So this was a challenging story to do, but a unique one nonetheless. As you may know, Merck is a global pharma giant with a legacy of 350 years. So they already have established processes, and they deal with regulators. So this was something unique for them to take on using automation and bots. And just to give you a bit of background, they were struggling with this challenge. Whenever you do, you launch a product in a new country, a new product, it could be a medical device, drug or a service, you have to deal with regulators like in the U.S., you have the FDA, and you have the EMA in Europe. So each country has a regulator, and there is a lot of paperwork to be done. And this paperwork can take months to complete, you also have to deal with trade associations. So four years ago, the Merck team in North America was spending 60% of their time every month to complete 30% of their daily time to convert these 6,000 purchase orders that were received into purchase requisitions, it was very time consuming task. And since it was done manually, errors were creeping in. So they decided to use bots and automation to kind of take on this challenge and solve this problem. And the results were that they improve their turnaround time, there was a 60% reduction in turnaround time, and they achieved 97% accuracy. And with bots, Merck could clear a backlog of paperwork for 30,000 products within a month. So tremendous achievement using automation and bots, although there were a lot of challenges, because no other pharmaceutical company had ever done this before.
Goswami: Yeah, like you mentioned, Brian, like life sciences industry, you don't hear they use a lot of bots. So what were some of the challenges that you spoke about? What are some of the challenges that Merck adopted? And what were some of the internal apprehensions towards adopting bots that they had?
Pereira: Yeah, like I already mentioned two challenges. Initially, they were facing this problem with their processes, they had to reengineer their business processes, because this was something new. But they faced a lot of internal resistance. The traditional company with age old, decades old processes, doesn't want to change anything now, when everything works well. Also, when you're dealing with a regulator, you don't want to mess around, there's a lot of risk when you're trying something new. The other challenge was that you had this order entry teams, data entry team, which was manually converting purchase requisitions into purchase orders. And now they were told that you're going to bring in bots and automation, and everyone feared for their jobs: a bot is going to replace me. And so the Merck's bot development team had a lot of convincing to do there that you're not going to lose your job, it's going to make your job easier. The other challenge was they took on a pilot project with Korea - Korea leniency project - so language was a problem. And they solved that by using natural language processing, they needed language proficiencies. The other challenge is that 60% of their activities deal with unstructured data and that's still a problem that they're trying to solve. And they're looking around for more automation solutions. So primarily these were the challenges change management, acceptance by senior management legacy, a lot of traditional processes in place. But after taking on this Korea leniency project, and it was a success, within a month, they could clear a backlog of paperwork. After this, they moved on to another project in Japan, it was called the ISHL inventory project. And after that, they took on even bigger things like order screening, which is the next level in the whole process. And today, they are doing this in 23 geographies successfully. So I think a lot of changes have been at Merck Life Sciences.
And now everyone's more convinced with the technology and automation and Merck is moving forward and exploring more uses of automation.
Neel Mani: Process automation is something which is quite age old. However, each industry has its unique challenge to deal with both culturally and technologically. Also, from a regulatory perspective, industries are finding it tough to maintain manual processes, and that results into delays, that results into inefficiencies, inaccurate data. And with the advent of more AI technologies, generative AI technologies, these bots are now going to get more intelligent and therefore the output will be much better than what was delivered earlier. So exciting times. Process automation will never go out of fashion, I guess.
Goswami: You all keep interacting with the technologies, the CIOs. Is job still a primary concern when it comes to adopting AI or RPAs? Is job still for all industries is the primary concern?
Neel Mani: I would take a shot on this and the answer to that is both yes and no. The answer yes, is we are witnessing it that all the mundane tasks are being automated. And therefore people who were used for simple data entry operations or non-innovative tasks, they had to give up their jobs to bots and robots. However, who will train them? Who will get to the next level of that process automation that will be humans? So if the organizations plan reskilling, well, then these people might save their jobs and would not get into the danger of joblessness.
Pereira: Yeah. And just to add to that, they still need to have 2% of humans in the loop. As Dr. Radhika Mahadev, who's the head of RPA at Merck Life Sciences, told me 2% of humans are mandatory required by the regulator for doing the cross checking and the verification, which a bot cannot do. So I'm glad to say that humans are not going to be completely replaced, but they need to reskill for this.
Malhotra: So I agree that humans will always stay in the equation and organizations are adopting RPA aggressively. What they need to deal with is that the workforce that is going to become redundant as a result of the RPA implementations, how do they ensure, like Rahul said the reskilling, that is where they need to focus on to ensure that the workforce feels that kind of security, the job security and they don't become totally redundant.
Goswami: So, but as I said, there are exciting times ahead and history also has said that any new technology, people tend to have that fear that whether they will lose their jobs or not. But historically, also, it has always happened like that. But Shipra, I would now like to move to you. You wrote a story on software technical debt. And in that you mentioned how it has transitioned from being a technical problem to a business problem. So can you explain more on that?
Malhotra: Yeah. So the software technical debt, technical debt in general and software technical debt, in particular, were always considered an IT issue. However, over the last half a decade what we have seen is that it is gradually becoming a business issue something concerning the management as well as the business functions, because it has business financial and innovation, as well as security repercussions if it is not addressed. So the reason why it is a business problem is because it is becoming a major roadblock to digital transformation and innovation initiatives. And companies have a very limited resource available. And they need to allocate it between fixing the bugs, fixing the shortcuts that they had taken during the development cycle, or putting it in adding new features modernization and innovation. So when they have to allocate the limited resources between these two, of course, significant amount goes into retiring the technical debt, and therefore innovation, and digital transformation takes a hit. According to a study that was done by Consortium for Information & Software Quality in 2022, the accumulated software technical debt burden for enterprises in the U.S. alone is 1.52 trillion. And going forward, we don't see this. Rather, we see this going up further, because 100 billion new lines of code are created each year, finding fixing and retiring the technical debt with automated tools is no longer enough. Therefore, unless quality is baked in from the scratch, each new line of code created today contributes to the future technical debt burden. So I'll just elaborate further on the business problem that comes with software technical debt. So like I mentioned, it kind of slows modernization and innovation efforts, because the legacy software that you have, it doesn't work with a lot of your new systems, new software. Therefore, it becomes a roadblock to the digital transformation initiatives of organizations.
For instance, if you want to put in place an AI system, a lot of these legacy systems might not talk to the AI system, therefore, it hinders your implementation of AI systems. Now, the bugs that are there in the software, they impact on the customer experience, because the applications that are - let's say, customer facing applications will have performance issues, also increased security vulnerabilities because of the bugs. In fact, some of the biggest cyberattacks in the last decade, including the SolarWinds, Log4j, and Twitter breach, they were a case of software bugs leading to a security compromise. And of course, all this leads to decreased business performance and rising cost of development. So all this put together has business implications, financial implications, as well as security implications.
Neel Mani: This is an ongoing debate. And to be a devil's advocate, it is very easy from a vendor's perspective to talk about technical debt and therefore, comment about the quality of code. However, if we talk from a CIO's perspective, they have to deal with a lot of harshness internally and frictions internally when it comes to budget allocation for refreshing their obsolete software libraries, codes or algorithms. Now, besides software codes or components that are being used, this whole thing can also be applied to entire system designs in architecture. And certainly it has repercussions because if you do not update your libraries and codes, there are older versions that become very prone to vulnerabilities and attacks. However, we also have to think from the CIO's perspective that not all the debt is always bad just like what we do in cybersecurity that we segregate the data into crown jewels and not so important, here also we apply the same logic.
Malhotra: So very true, because much of the legacy software today automates a lot of these core business functions. So, therefore, the challenge is harder to address and it is not as straightforward as it may seem, because in many cases, these software systems they represent a single point of failure risk to the business. So in case you are retiring legacy software which automates your core business functions, and if there is a failure and it is a single point of failure, then all your important and critical systems will come down. So therefore, like Rahul said, it's easier said than done. It's not as straightforward as it may seem.
Goswami: Shipra, what steps are they taking to reduce this debt?
Malhotra: So there are two aspects here. One is that retiring the existing technical debt and the second is how to ensure that you don't incur or collect more technical debt going forward. So one is addressing what has already happened. And second is to ensure that we don't face the same problem going forward. So I'll talk about how to first stop technical debt from getting accumulated in the future. And that is where a lot of buzz that is there around DevQualOps, which is about quality being baked in into the development cycle right from the scratch, something like what we are talking of DevSecOps, where it's baking in security right at the early stage. Now, this is still a niche concept. It is not as widespread as DevSecOps. But it is possible that eventually, DevOps will evolve towards DevQualOps and DevSecOps also becomes a part of it. So this is the way to ensure that any new line of code that is created today, does not contribute to the future technical debt burden. Now, when it comes to retiring the existing technical debt, first of all, a very strategic approach is required. Like Rahul said, with the data, we identify the crown jewels, and therefore the same thing with technical debt, we have to identify what technical debt can be retired first, and then move towards the more difficult technical debt burdens. So the different ways of doing it as putting in place process to track and report technical debt, guidelines for managing technical debt and retirement because all this is something which the IT team, the CIO's team is aware of, but this awareness needs to be created across business functions so that they can report the technical debt right at the very beginning. So educating teams on technical debt and how to report it. That's what I said. 
Tracking systems, including software where technical debt occurs regularly, tracking technical debt in the new systems, including software, incorporating technical debt management into the overall innovation strategy, and most importantly, appointing a dedicated senior leader for managing technical debt because almost more than 50% or other 40% of the IT budgets go into managing technical debt, therefore, a senior dedicated person is something that can help address this issue.
Neel Mani: A simpler way to do away with this is to outsource.
Goswami: Yes. But before we wrap up a quick question for all of you. So if you were to write a book along with the CIO or the CTO, who would you pick and why.
Neel Mani: Okay, I can go first. So I have had a chance to talk to this gentleman called Tony Saldana, who is a former CIO of Procter & Gamble, and has already authored two books. And both the books, the topics and the areas are fascinating. One book is Why Digital Transformations Fail. And the second book is Revolutionizing Business Operations: How to Build Dynamic Processes for Enduring Competitive Advantage. Now, he shares practical and actionable insights as to how a CIO should absorb and use IT, and where do they go wrong? And that's an area of interest to me as well.
Goswami: Excellent, Brian?
Pereira: For me, it would be Vijay Sethi, who's the former CIO, former head of HR and former head of CSR at Hero MotoCorp, which is the world's largest two wheeler manufacturer. So why Vijay Sethi? Every time I met Vijay, I would learn something new about IT and business alignment. Now Vijay has a lot of exposure to the business aspects. He has a business background, and I think he was one of the few CIOs who aced the IT business alignment. And if I were to write a book, it would be on this topic with Vijay.
Goswami: Great! And Shipra?
Malhotra: Okay, so, for me, it would be Nicholas Colisto, who is the senior vice president and CIO of Avery Dennison. So the reason being that Nicholas wrote, so called CIO bible. The title of the book is The CIO Playbook: Strategies and Best Practices for IT Leaders to Deliver Value and this book was ... the first edition of it came out in 2012. Now, over a decade since the book was published, the business landscape, the IT landscape has completely transformed. So it would be interesting to write a book with him seeing how the CIO playbook looks like now and how it is completely different from what he had written about 12 years back.
Goswami: And do some of those concepts still apply?
Malhotra: What applies and what needs to be thrown out of the window now?
Goswami: Great. Brian, Rahul and Shipra, thank you so much. Pleasure to catch up with you all on Spotlight. Thank you so much for sharing your views here.