APRIL 2019

BCG TECHNOLOGY ADVANTAGE

• Are You Spending Enough on Cybersecurity?
• At Anheuser-Busch InBev, Artificial Intelligence Is Everywhere
• Are Blockchain and the Internet of Things Made for Each Other?
• Bringing Digital Transformation to Airbus
• Do You Have the Courage to Be an Agile Leader?
• Agile Leadership and the Art of Letting Go
• When Agile Meets Outsourcing
• Using Agile to Help Fix Big Data’s Big Problem

AI Is a Threat to Cybersecurity. It’s Also a Solution.

Boston Consulting Group (BCG) is a global management consulting firm and the world’s leading advisor on business strategy. We partner with clients from the private, public, and not-for-profit sectors in all regions to identify their highest-value opportunities, address their most critical challenges, and transform their enterprises. Our customized approach combines deep insight into the dynamics of companies and markets with close collaboration at all levels of the client organization. This ensures that our clients achieve sustainable competitive advantage, build more capable organizations, and secure lasting results. Founded in 1963, BCG is a private company with offices in more than 90 cities in 50 countries. For more information, please visit bcg.com.

Preface

This is the first edition of BCG Technology Advantage that I am bringing to you as global leader of the Technology Advantage practice. I’m thrilled to be leading such an important practice at BCG at such an important time—when digital, data, and analytics are reshaping industries, competitive environments, and societies.

I hope you will find the articles in this collection helpful as you consider new technology and the impact it may have across your own organization. They cover a variety of topics including scaling AI, perspectives on cyber, experiences of bringing digital transformation to aerospace, and several important elements of our high-impact work in agile.

I have just attended my second Davos—the annual meeting of the World Economic Forum. Technology topics and technology leaders were prevalent throughout the agenda. I was struck by the evolution in the nature of the discussions in the course of just a year. The focus is shifting from broader concepts of “digital” to a clear understanding of where and how technology and data will affect our businesses, our societies, and our lives. We live in exciting times for sure!

Three themes emerged for me as I engaged in conversations and listened to presentations at Davos. One is the incredible impact of AI and data at scale. There are many real applications of these technologies in today’s business environment (and even more are emerging), and the impacts are significant. Another theme: the fact that there are many issues still to be resolved. There’s a real call to action for leaders, particularly when it comes to how we build and use algorithms, how to ensure ethical and appropriate uses of data, and, importantly, how we help our workforces to adapt to the rapidly changing environment. And, finally, there is a need for convergence in our thinking about technology and humanity and putting people at the center of transformations. There are some really important topics—from embracing design thinking, to agile and new ways of working, to new approaches to workforce management and enablement—for leaders to consider.

What technology-related themes are you following? Let us know at [email protected].

Karalee Close
Global Leader, Technology Advantage practice

Contents

• FEATURE: AI Is a Threat to Cybersecurity. It’s Also a Solution.
• ANALYSIS: Are You Spending Enough on Cybersecurity?
• Q&A: At Anheuser-Busch InBev, Artificial Intelligence Is Everywhere: An Interview with Tassilo Festetics, Vice President of Global Solutions
• ANALYSIS: Are Blockchain and the Internet of Things Made for Each Other?
• Q&A: Bringing Digital Transformation to Airbus: An Interview with Marc Fontaine, Digital Transformation Officer
• VIEWPOINT: Do You Have the Courage to Be an Agile Leader?
• PERSPECTIVE: Agile Leadership and the Art of Letting Go
• FOCUS: When Agile Meets Outsourcing
• FEATURE: Using Agile to Help Fix Big Data’s Big Problem

Boston Consulting Group | 1

FEATURE

AI IS A THREAT TO CYBERSECURITY. IT’S ALSO A SOLUTION.

by Ryan Goosen, Anna Rontojannis, Stefan Deutscher, Juergen Rogg, Walter Bohmayr, and David Mkrtchian

In May 2018, the New York Times reported that researchers in the US and China had successfully commanded artificial intelligence (AI) systems developed by Amazon, Apple, and Google to do things such as dial phones and open websites—without the knowledge of the AI systems’ users. It’s a short step to more nefarious commands, such as unlocking doors and transferring money. And while Alexa, Siri, and Google Assistant may be the most widely used AI programs in operation, they are hardly the only ones. It’s not hard to imagine cyberthieves targeting a financial institution’s AI-controlled customer recognition software or a shady competitor attacking another company’s AI pricing algorithm. In fact, more than 90% of cybersecurity professionals in the US and Japan expect attackers to use AI against the companies they work for, according to a survey by cybersecurity firm Webroot.

For people with responsibility for corporate security—everyone from CIOs to CISOs and CROs—AI presents two types of risk that change the nature of their jobs. The first is that criminals, bad state actors, unscrupulous competitors, and inside threats will manipulate their companies’ fledgling AI programs. The second is that attackers will use AI in a variety of ways to exploit vulnerabilities in their victims’ defenses.

Companies are in a cybersecurity arms race. As cybersecurity firm Crowdstrike’s 2018 Global Threat Report makes clear, attackers have easy access to more tools as the lines between state actors and criminal gangs fade. Malware and identity theft kits are easy to find and inexpensive to buy on dark web exchanges. AI-enabled attack kits are on the way, and we can expect that they will be readily available at commodity prices in the next few years.

Yet for all the inherent risk AI presents, part of the answer might lie in harnessing the power of AI itself to strengthen existing cybersecurity set-ups. Our experience shows that companies can begin to protect their systems by integrating AI into their security, starting now.

A New Risk for Companies…

The list of actual AI applications is already long and growing. Faster and more accurate credit scoring for banks, improved disease diagnosis and treatment development for health care companies, and enhanced engineering and production capabilities for manufacturers are just a few examples. A survey in 2017 by BCG and MIT Sloan Management Review found that about 20% of companies have already incorporated AI in some offerings or processes and that 70% of executives expect AI to play a significant role at their companies in the next five years.

With all the benefits, however, come substantial risks. For example, machine-learning algorithms and certain other types of AI work by using “training” data to learn how to respond to different circumstances. They then learn by doing, incorporating additional data as they work, refining their approach in an iterative manner. (See “The Building Blocks of Artificial Intelligence,” BCG article, September 2017, and “The Big Leap Toward AI at Scale,” BCG article, June 2018.) From a security perspective, that methodology presents two challenges.

First, AI systems are generally empowered to make deductions and decisions in an automated way without day-to-day human involvement. They can be compromised, and that can go undetected for a long time. Second, the reasons that a machine-learning or AI program makes particular deductions and decisions are not always immediately clear to overseers. The underlying decision-making models and data are not necessarily transparent or quickly interpretable (although significant effort is underway to improve the transparency of such tools). This means that even if a violation is detected, its purpose can remain opaque. As more machine-learning or AI systems are connected to, or placed in control over, physical systems, the risk of serious consequences—including injury and death—from malevolent interference rises. And we have already seen that while cybersecurity concerns are a consideration in the adoption of AI, especially for pioneers in this field, cybersecurity is of less concern to companies that are lagging behind. (See Artificial Intelligence in Business Gets Real, a report by the MIT Sloan Management Review in collaboration with the BCG Henderson Institute, Fall 2018.)

Companies’ AI initiatives present an array of potential vulnerabilities, including malicious corruption or manipulation of the training data, implementation, and component configuration. No industry is immune, and there are many categories in which machine learning and AI already play a role and therefore present increased risks. For example:

• Financial (credit fraud might be easier, for example)
• Brand or reputational (a company might appear discriminatory)
• Safety, health, and environment (systems might be compromised that control cyberphysical devices that manage traffic flow, train routing, or dam overflow)
• Patient safety (interference might occur in medical devices or recommendation systems in a clinical setting)
• Intervention in, or meddling with devices connected to the Internet of Things (IoT) that use machine learning or AI systems

…And an Opportunity, Too

The good news for companies is that they can tap the power of AI to both upgrade their cybersecurity capabilities and protect their AI initiatives (so long as they layer in appropriate protections to the AI systems being used for defense). Moreover, investments in AI will likely have multiple forms of payback.

For one, companies can build in better protection and the potential to at least stay even with the bad guys. AI not only enhances existing detection and response capabilities but also enables new abilities in preventative defense. Companies can also streamline and improve the security operating model by reducing time-consuming and complex manual inspection and intervention processes and redirecting human efforts to supervisory and problem-solving tasks. AI cybersecurity firm Darktrace claims that its machine-learning technology has identified 63,500 previously unknown threats in more than 5,000 networks, including zero-day exploits, insider threats, and subtle, stealthy attacks. Consider the number of cyber incidents that the average large bank deals with every day, from the ordinary and innocent (customers mis-entering passwords, for example) to attempted attacks. They need automated systems to filter out the truly dangerous signal from the more easily addressed noise. In the medium to long term, companies that invest in AI can offer operational efficiencies and potential operating-expense savings.

To enhance existing cybersecurity systems and practices, organizations can apply AI at three levels.

Prevention and Protection. For some time, researchers have focused on AI’s potential to stop cyber intruders. In 2014, the US Defense Advanced Research Projects Agency announced its first DARPA Cyber Grand Challenge, a competition in which professional hackers and information security researchers develop automated systems that can figure out security flaws and develop and deploy solutions in real time. While it is still early days, the future of cybersecurity will likely benefit from more AI-enabled prevention and protection systems that use advanced machine learning techniques to harden defenses. These systems will also likely allow humans to interact flexibly with algorithmic decision making.

Detection. AI enables some fundamental shifts. One is from signature-based detection (a set of static rules that relies on always being up to date and recognizing an attack signature) to more flexible and continuously improving methods that understand what baseline, or normal, network and system activity look like. AI algorithms can detect any changes that appear abnormal—without needing an advance definition of abnormal. Another shift is to move beyond classic approaches based on machine learning that require large, curated training datasets. Some companies have employed machine-learning programs in their security systems for several years, and more advanced AI-based detection technologies (such as reinforcement learning and deep neural networks) are now gaining traction, especially in IoT applications. AI can also provide insights into sources of potential threats from internal and external sensors or small pieces of monitoring software that evaluate digital traffic by performing deep packet inspection. Note that for most companies, AI-based detection and potential automated attribution will require careful policy design and oversight to conform with laws and regulations governing data use.

Response. AI can reduce the workload for cybersecurity analysts by helping to prioritize the risk areas for attention and intelligently automating the manual tasks they typically perform (such as searching through log files for signs of compromises), thus redirecting human efforts toward higher-value activities. AI also can facilitate intelligent responses to attacks, either outside or inside the perimeter, based on shared knowledge and learning. For example, today we have technology to deploy semiautonomous, intelligent lures or “traps” that create a duplicate of the environment to be infiltrated to make attackers believe they are on the intended path and then use the deceit to identify the culprit. AI-enabled response systems can segregate networks dynamically to isolate valuable assets in safe “places” or redirect attackers away from vulnerabilities or valuable data. This can help with efficiency as analysts can focus on investigating high-probability signals rather than spending time finding them.

Implementation of automated AI-driven response will require careful design and strategic planning, especially when it comes to users that should be isolated or quarantined and systems that work at the digital-physical interface (such as critical links in manufacturing or supply chains, or critical-care medical devices in hospitals or emergency settings).

The Race Is On

Cybersecurity has always been an arms race. In 2016, then-US President Obama talked to Wired magazine about his fears of an AI-enabled attacker accessing the US nuclear codes. “If that’s its only job, if it’s self-teaching and it’s just a really effective algorithm, then you’ve got problems,” he said. AI increases attackers’ speed, resilience, opportunities, and chances of success. Because AI algorithms are self-learning, they get smarter with each attempt and failure; their endeavors are continuously better informed and more capable. Just as companies can use AI to automate and improve business processes, hackers can automate the identification of vulnerabilities and exploit-writing.

AI algorithms tend to be public, often open-source, software that is widely available on the internet and increasingly easy to use. Just like the software as a service that many companies use, malware as a service is commonplace and a viable business for criminal players. There is even a high degree of competition among cybercriminal vendors (which can leverage AI and machine learning for competitive advantage) to create superior malware. Moreover, open-source AI libraries and software, which give companies a new source of fast and inexpensive innovation, can also be a source of new vulnerabilities.

In addition, AI can actually help malware avoid detection. Although security companies are increasingly introducing AI features and behavioral analytics into their products, a lot of antivirus and end-point protection software still rely largely on signature-based detection. In response, attackers develop toolkits that obfuscate the nature and sources of the malware, making it harder to recognize by its digital fingerprint.

On the dark web today, anyone can buy a tailor-made virus guaranteed not to be detected by the 10 or 20 or so major antivirus tools. But defensive systems gain knowledge over time. This knowledge could be thwarted by an AI algorithm that adds to the stealthiness of a malware kit over time, masking the malware’s identity based on what it learns defense systems are detecting. (See the exhibit.)

Exhibit | Attack Kit Development and AI Productization Will Weaponize AI

[Timeline figure with two tracks leading to “Weaponized AI”; dates are not recoverable from the source.]

Attack kit development:
• The first attacker toolkit is released as freeware
• NeoSploit kit is released, adding obfuscation and anti-decoding to avoid detection
• Most sophisticated kit yet, Nuclear, begins delivering extremely volatile and dynamic payloads
• Terror exploit kit can detect user environment and deliver specific and targeted exploits
• Paid exploit kits are sold like commercial software on the black market
• Mariposa kit adds polymorphism to evade antivirus
• Exploit kits begin misappropriating tools to avoid detection
• Discovery of one of the first cyberthreats using basic machine learning to evade detection

AI productization:
• Torch Open Source Machine Learning Library is released
• Machine-learning framework written entirely in C# is released
• Microsoft Cognitive Toolkit is released
• Open source library Theano is released enabling Python machine-learning models
• TensorFlow library created by Google is released and adopted by Intel, , and Uber

Source: BCG analysis.
Notes: Illustrative examples. COTS=commercial, off-the-shelf.

Think about this scenario. Attackers often use botnets—global networks of hijacked devices (like PCs, smartphones, and IoT devices)—to do their dirty work. Botnets are effective tools, but they can do only what the attackers direct them to do. Suppose, however, that the command-and-control software directing a botnet is replaced by an AI algorithm that enables it to act in a semiautonomous fashion. The botnet now has the ability to learn which of its attacks are working and which aren’t, and it teaches itself to become more effective based on its results.

Now suppose that when the botnet discovers a vulnerability in a company’s system, it is able to craft its own attack, according to its assessment of the highest-potential scheme (data theft, financial theft, or ransomware, for example)—and update its attack toolkit as it goes. AI gives the botnet the capability to direct its own serial interventions—phishing to deposit a payload, for example, then exploiting a software vulnerability to gain access to valuable data, and finally finding a way to exfiltrate the data. It can handle each task systematically and on its own; it does not require someone to steer it from outside—and its self-direction helps it avoid detection. In essence, AI enables botnets to adapt methods and attack toolkits dynamically to operate continually at peak effectiveness and penetrate more hosts.

AI raises the stakes, with an advantage for the attackers. They need to get it right only once to score while defenders need to defend successfully 24-7-365.

A Two-Part Challenge

Companies need to approach AI and cybersecurity from two perspectives: protecting their own AI initiatives and using (AI-enabled) cybersecurity to protect their full set of digital assets (whether AI-enabled or not). Both raise a lot of questions. Here are some of the more urgent questions to consider about the first issue—protecting AI initiatives:

• How are we protecting our AI-based products, tools, and services?
• How do we keep our training data pristine and protect against biased inputs?
• How do we protect the algorithms (or their implementation)?
• Do we have control procedures that stop abnormal events from happening and a Plan B in case we notice that our AI programs are behaving abnormally?
• Do we have the technical and human monitoring capabilities to detect if our AI has been tampered with?
• Have we made conscious decisions about who (or what) can decide and control which capabilities? Did we assign AI systems an appropriate responsibility matrix entry? Do we constrain AI to decision support or expert systems, or do we let AI programs make decisions on their own (and if so, which ones)?
• Do we have the appropriate governance policies and an agreed code of conduct that specify which of our processes or activities are off-limits for AI for security reasons?
• When using AI in conjunction with decisions on cyberphysical systems, do we have appropriate ethical, process, technical, and legal safeguards in place? Do we have compensating controls? How do we test them?
• Have we aligned our cybersecurity organization, processes, policies, and technology to include AI, to protect AI, and to protect us from AI malfunctions?

Some companies might find it useful to adopt a variation of the four-eyes principle—the requirement that certain decisions or actions be approved by at least two people or processes with strict underlying policies for review—and employ redundant systems and implementations or complementary (AI) algorithms that serve as a check on each other. This, of course, comes at an extra cost (similar to the human-based four eyes principle or the redundant flight-control electronics on an airplane), which may affect some initially promising business cases.

In a similar vein, here are some helpful questions for the second issue, leveraging AI in cybersecurity:

• Where is AI being used in our cybersecurity portfolio?
• Is it being used in a manner that creates operational effectiveness, efficiency, or cost reduction (at least in the medium to long terms)?
• AI is not a panacea; do we focus sufficiently on educating technicians and end users given that, on the one hand, humans are ultimately the key weakness in cybersecurity, and, on the other, they will have to jump in when AI signals that an issue has arisen or stops working as expected?

The intelligence may be “artificial,” but the risks are all too real. Companies can use powerful new capabilities to enhance their overall cybersecurity efforts and stay even with bad guys in the security arms race. They also need to evaluate how AI is used in their products and services and implement specific security measures to protect against new forms of attack. More and more cybersecurity products will incorporate AI capabilities, and external partners can help integrate this capability into cybersecurity portfolios. Companies can start with an objective assessment of where they stand using the questions outlined above. There is no good reason for delay.

Ryan Goosen is a project leader in the Zurich office of Boston Consulting Group. You may contact him by email at [email protected].

Anna Rontojannis is a consultant in the firm’s Zurich office. You may contact her by email at [email protected].

Stefan Deutscher is an associate director in BCG’s Berlin office. You may contact him by email at [email protected].

Jürgen Rogg is a partner and managing director in the firm’s Zurich office. You may contact him by email at [email protected].

Walter Bohmayr is a senior partner and managing director in BCG’s Vienna office. You may contact him by email at bohmayr.walter@bcg.com.

David Mkrtchian was formerly a consultant in the firm’s Los Angeles office.

ANALYSIS

ARE YOU SPENDING ENOUGH ON CYBERSECURITY?

by Alex Asen, Walter Bohmayr, Stefan Deutscher, Marcial González, and David Mkrtchian

If you have any technology budget responsibility, it’s a question you are going to hear—a lot. “Are you spending enough on cybersecurity?” It’s asked by customers, shareholders, regulators, board members, and executives wondering aloud if there’s a price at which peace of mind can be purchased.

Any leader—including CEO, chief risk officer, chief information security officer, even chief financial officer—who is asked the question will find it tremendously difficult to answer. A “yes” will leave you precariously positioned if—or when—your cybersecurity falters. Say “no,” and you’ll likely trigger a scramble to purchase something—anything—that can reverse that answer and protect you from the perception of negligence. No shortage of vendors will step up to oblige with a plethora of technologies, products, services, promises. But there’s no guarantee that any of these “magic bullets” will really meet your organization’s needs. And if you move forward without proper diligence, you risk spending too much on the wrong thing and proliferating the false belief that security can be ensured simply by meeting some budget benchmark.

The best response: answer the question with questions. That way, you’ll hone your understanding of the landscape and begin to build cybersecurity competence—and cyberresilience—across your institution. Then you can make an informed decision about what’s right for your organization.

How Much Is Enough?

No surprise, cybersecurity is expensive and becoming more expensive.

As the world becomes ever more reliant on technology, and as cybercriminals refine and intensify their attacks, organizations will need to spend more on cybersecurity. Indeed, Gartner reports that average annual security spending per employee doubled, from $584 in 2012 to $1,178 in 2018. Some of the leading banks and tech companies have total annual cybersecurity budgets that exceed half a billion dollars and continue to grow.

If you are thinking about solving your cybersecurity challenges by purchasing new technology products and services or increasing security staff, you are likely looking for guidance about how much spending to allocate. But it’s hard to compare an individual company’s spending against any benchmarks. Some of the leading voices in the industry prescribe very different approaches to calculating spending on cybersecurity. (See Exhibit 1.) These differences reflect some fundamental truths, misperceptions, and unknowns about cybersecurity at this stage of the game.

Exhibit 1 | No Standard Benchmark of Cybersecurity Spending Exists

[Bar chart titled “Average spending varies by almost depending on source,” comparing different benchmarking sources: PwC, Gartner, and Forrester. Values are not recoverable from the source.]

Sources: The Global State of Information Security Survey, PwC, March 10, 2017; IT Key Metrics Data 2017, Gartner, December 12, 2016; 2017 Tech Budget Benchmarks, Forrester Research, March 28, 2017; BCG.
Note: Measuring security spending as a percentage of IT spending is a common metric because technology intensity is often a key driver of security need. This is not to imply that security is solely an IT issue or that security spending is limited to the IT budget.

Existing regulations offer no specific guidance to help you understand what you are actually spending on security. There’s also no common definition or accounting methodology to lend clarity. This challenge is unlikely to be resolved given that cybersecurity spending is often implicitly distributed across multiple departments’ budgets. Indeed, cybersecurity is inherently transversal. It requires partnerships between the IT, risk, fraud, physical security, compliance, and legal functions; the lines of business; and others. Some of the most effective security-related spending will never be part of the explicit cybersecurity budget. For example, high security standards will drive up procurement costs, because the least expensive supplier might not have the required security capabilities and certifications. High security standards can also increase technology costs: secure software development methods require more developers, for example, and using strong encryption for web traffic requires more servers. And security can drive up HR costs by requiring more-thorough background checks and training, or a head-count-intensive review process in which two sets of eyes must be applied to all key business processes.

Given these variables, determining the appropriate spending on cybersecurity should come only after a careful assessment of your organization’s current—and future—needs and capabilities.

What Are the Right Questions to Ask?

Although, currently, some chief information security officers (CISOs) reportedly enjoy unlimited budgets that give them access to alluring and expensive new technical solutions, no organization has a boundless capacity to implement and operate simultaneous improvements. Such a “give it our all and then some” approach to technology distracts resources from more effective organizational and cultural improvements, and can leave an organization less secure.

Security is not a discrete layer to be piled onto the existing business. CISOs and other executives must collaborate closely to embed security in their organization’s culture and process. More than 70% of breaches are caused by failures on the part of people and processes, so getting these organizational elements correct is crucial. (See “Building a Cyberresilient Organization,” BCG article, January 2017.)

Asking yourself the following three questions can help. (Exhibit 2 summarizes the questions—and how to prepare to answer them.)

Exhibit 2 | A Cheat Sheet for Your Next Cybersecurity Budget Review

What is our risk appetite?
• Are the individual assets (data, system, or process) that we are protecting valuable enough to justify the investment or are there other assets that should be prioritized instead?
• Is our ambition level in line with our business strategy?
Develop an asset inventory. At early maturity levels, take a pragmatic approach to focus on inventorying and protecting the most critical assets. The board must set your risk tolerance and ambition level, which should then inform a decision process on which assets and threats to prioritize and how much budget to request.

Where will our investment be most effective?
• Is our understanding of our risks and capabilities sufficient to assess where our spending will be most effective?
• Are we mainly aiming for regulatory compliance or for risk reduction and business enablement?
• Do we have adequate granularity, currency, and accuracy to prioritize spending?
First, align your program with a relevant maturity framework. Then, gain an honest view of your current position and a target maturity informed by the board’s risk tolerance and ambition level. Investments can then be ranked and put on a roadmap according to their ability to move you from your current state to the target state.

How do we make our investments work?
• Are these capabilities that we already have within our existing tools and solutions?
• Will these capabilities be effectively deployed and managed by existing staff?
Conduct an inventory of unused features among your current security tools. If a new tool overlaps but is better, consider the possibility of decommissioning the old tool. Always have a plan for how new investments will be managed and integrated into existing processes. If it requires new hiring, have a plan for that too. Ensure that redundancies are by design, not chance.

Source: BCG.
1. For instance, ISO 27001 or the NIST Cybersecurity Framework (CSF).

What is our risk appetite? One large government-owned bank in the Americas decided that its public mandate required near-perfect system availability, even in the face of a cyberattack. With this low risk appetite, the bank was willing to invest $250 million in high-performance backup systems—much more than other organizations of similar size would spend. Still, it’s important to bear in mind that even near perfect comes with residual risk that no amount of spending can completely mitigate.

Most of the time, an organization must be prepared to accept a level of risk that is not near perfect—that is, in fact, quite a bit less than perfect. For example, after suffering a suspected breach, a US industrial manufacturer contracted with a technology vendor to ship pallets of expensive next-generation firewalls to every location where the manufacturer operated. At certain locations, the firewalls were needed and used. But it became apparent that they were not appropriate everywhere: the company had a long tail of very small offices that were not critical for company operations, did not hold sensitive data, and were sufficiently separated from the critical systems. The expensive firewalls, with their high management overhead, were not the right solution for these small offices. Rather, the right solution was to accept the possibility of an inexpensive breach of noncritical systems rather than investing millions to protect low-value assets.

crucial step in ensuring that security resources are deployed where they are most needed. Second, with that understanding established, define a risk appetite in order to instill strategic direction in your security-spending decisions. This is a key responsibility of the board of directors. (See Report from Davos: Board Oversight of Cyberresilience, BCG and World Economic Forum report, January 2017.) And, third, to the degree possible, assess the financial impact of the cyberattacks you might face; this is essential to determining how much to invest to mitigate them. This third requirement is a difficult undertaking, as the next question explores.

requires understanding the risks you are facing, your risk appetite, and the defensive capabilities you currently have. The gap between risks and capabilities is where investment must be targeted. This process is effective only if risks are quantified and capabilities are accurately gauged, however. Targeting gaps is only a first step: you also need to make sure you are spending in ways that will sustain your existing capabilities as the environment evolves. Otherwise, you’ll just create new gaps.

Cyberrisk, compared with other kinds of risk, like fire or flood, is a
new and evolving field, with limit- These examples demonstrate three ed valuable actuarial data to rely requirements: First, develop an Where will our investment be on. (This is a serious challenge asset inventory so that you know most effective? Getting the most even for the insurance industry.) what you are protecting; this is a value from your cyber investments It’s also true that given the pace of

technology change, past data is a poor proxy for future cyber mayhem. Put differently, you never have enough relevant data because the threat surface changes as adversaries and computing platforms evolve. For now, at least, making sound decisions regarding cyberrisk must involve both reducing ambiguity to a bare minimum and accepting that some degree of ambiguity is unavoidable.

That is illustrated by the experience of one large health care provider, which originally assessed its cybersecurity risks on an ordinal scale—high, medium, and low. Such assessments are a good start, but ordinal scales are insufficient because one person’s “high” risk can be a 50% probability while another’s can be 70%. Those two figures have fundamentally different implications for how much to invest to mitigate risk. You need to go further by attaching numerical probabilities and eventually monetary estimations to the risks, lending transparency and commonality. Numerical reasoning provides decision-making clarity, and order-of-magnitude accuracy is both useful and possible. It’s hard to make an ROI decision as a business executive without being able to compare apples to apples and dollars to dollars.

It’s true that unforeseen and unimagined dangers lurk, but decision makers cannot be paralyzed by the specter of these possibilities. They must move forward with the best information and best instincts they have. Then, they can turn to building the organizational resilience necessary to address and recover from the unknown unknowns.¹

Once you understand the possible risks and their impact on your enterprise, you can start to measure how much risk is mitigated by existing capabilities and where the gaps are. Here, it is crucial to understand not merely what capabilities you have on paper but how effectively implemented and operated those capabilities actually are. The difference between what is believed to exist and what is providing operational value can be wide.

One large consumer packaged goods company that had been relying on an external auditor to assess its cyberrisk and maturity discovered—after a breach—that its auditors had repeatedly mismeasured its capabilities. Because security audits often seek only to ensure compliance with regulations, one of the most valuable investments a company can make is to get a holistic second opinion regarding its actual maturity: an assessment based on business risk, not mere compliance. Real cyberresilience requires much more pressure testing and business understanding than is contained in a checklist for a compliance audit. (See Cybersecurity Meets IT Risk Management: A Corporate Immune and Defense System, BCG Focus, September 2014, updated October 2018.)

How do we make our investments work? Once you’ve identified the biggest gaps between your risk and your capabilities, you know where to spend. Next, you must determine how to spend—but don’t assume that this necessarily means you need to buy something new.

In our experience, organizations rarely use all the security tools and features they have purchased. For example, a professional services company was planning to purchase a system that would allow it to test email attachments in a safe, “sandbox” environment before they could harm company computers. In the middle of the planning process, the company hired a new CISO, who discovered that the email security gateway the company already owned had an unutilized feature for sandboxing. Her staff enabled the feature and gained the functionality, with minimal added cost or management complexity. Before embarking on ambitious investments or falling victim to the shiny-new-object attraction, it is paramount to verify that the capabilities you seek are not already in hand.

Some tools or functionalities will indeed be new to an organization, of course. In those cases, it is important to consider the implicit cost of deploying, running, and managing a new solution. Some security solutions are truly turnkey—add-ons to an existing tool that leverage a similar user interface, for instance. (Even those, because they induce change, can have hidden process costs.) But many are not. For example, one small financial institution invested in a state-of-the-art monitoring solution and threat intelligence feed—only to find that its existing staff did not have the capabilities and expertise to integrate these solutions into the security workflow. New offerings often require existing security staff to climb a steep learning curve; they might even require hiring more staff. This is usually an expensive proposition given the massive talent gap in the field of security. (See How to Gain and Develop Digital Talent and Skills, BCG Focus, July 2017.)

Another cost element that is often overlooked when making purchasing decisions: the productivity impact a new tool can have on company productivity—a cost that’s exacerbated if the tool is poorly implemented. One corporate office, for example, introduced a solution for data loss prevention that, as a side effect, drastically reduced data transfer rates and system stability. In this instance, the money saved by implementing the tool without proper field testing was trivial compared with the negative effect on the business.

Finding the resources to run a proof of concept or pilot can pay big dividends. As you move into the implementation phase, it is important not only to document the used features of the new tool but also to inventory unused features in case you need to enable them later. Some leading organizations even log missing features so that they can nudge the vendor to implement them in a later iteration.

But How Much Is Too Much?

Regardless of what happens with the budget, it will still be necessary to monitor for misspending and overspending.

We see many companies working to optimize their security portfolio spending to make each dollar deliver greater value, by utilizing all the features of existing solutions and adopting new approaches, such as security automation and managed security services. One company was making a significant investment in identity and access management (IAM; the ability to ensure that the right people have the right access to the right assets). Benchmarking showed that this organization was, in fact, spending more than its peers. But upon further review, we found that this spending behavior signaled not that IAM was a priority, as one would expect, but that the IAM capability was immature and neglected and thus a source of inefficient overspending. The firm had a large team of people manually conducting routine administrative IAM processes that can, and should, have been automated. By investing in consolidated systems and automated processes, the firm increased its IAM maturity and reduced costs.

And there are other ways to free up cash for new security investments while working within an existing budget—standard cost-saving levers like renegotiating license costs, for instance, and consolidating duplicative functions. But when it comes to security, redundancy is often a good thing, so you need to distinguish between the extra processes and solutions that add no additional value and those that lend useful redundancy or limit the risk that is inherent to monocultures, which rely on a single solution and thus are less resilient.

Overspending is as important a consideration as misspending. You are overspending on security when you simply pay too much for what you get (a procurement problem, for instance) or if you are providing a higher level of protection than your risk tolerance mandates. In this case, reducing the security budget is appropriate, but companies that do this need to stand by the risk appetite that they have defined. They must understand their risk and accept certain interruptions or breaches not as failures of management but as the strategically calculated cost of doing business. This requires that senior managers commit to respect the thresholds they have set; when breaches occur, they should not punish a CISO for missing higher expectations that were not articulated, agreed upon, and funded.

At the most advanced maturity levels, companies treat minor cybersecurity incidents as opportunities to raise awareness and sharpen response and recovery procedures that will be needed in the event of a major breach. For example, when one large bank identified hackers attacking its systems, it monitored their activity in order to learn from it rather than moving immediately to stop them; only once the attackers had stolen more than $10 million did it try to expel them. (This kind of threshold should be agreed upon up front, but the actual number should be well guarded; otherwise, an organization with a $10 million limit will see a lot of attacks leading to damages of only $9.5 million.)

As the example shows, be wary of complacency. It’s necessary to continuously improve security just to keep up with the bad guys who themselves are always innovating. This need not engender misspending or overspending, though. A well-run security

department can enter a virtuous cycle in which the efficiency-based cost savings generated by new investments free up money for the next round of investments.

Who Has the Answers?

We maintain that “how much are you spending?” is not the key question to ask when assessing cybersecurity but concede that it’s a ubiquitous one. When it’s asked, and it will be, most companies will turn to their CISO, who may or may not be able to answer it. Ultimately, though, the board of directors and C-suite are accountable.

Whatever your role—CISO or member of the board or C-suite—you need to be prepared to answer the question. Once you have asked and answered the truly necessary questions (summarized in Exhibit 2), you can develop a risk-based security strategy that you can stand by. You will be prepared to justify, with robust maturity and risk assessments, your spending decisions, whether they involve decreasing or increasing security spending or maintaining a level less or more than the median among your peers.

The specter of a cybersecurity incident does not negate the need to be a judicious steward of company resources, and security spending is not a good proxy for security effectiveness. Yes, you will have to devote some of your budget to this issue, but by asking the right questions you will target your spending wisely rather than feeling pressured to simply throw money in the general direction of the problem.

Note
1. How to Prepare for the Unknown Unknowns, World Economic Forum, January 2015.

Alex Asen is a lead knowledge analyst in the Boston office of Boston Consulting Group. You may contact him by email at [email protected].

Walter Bohmayr is a senior partner and managing director in the firm’s Vienna office. You may contact him by email at bohmayr.walter@bcg.com.

Stefan Deutscher is an associate director in BCG’s Berlin office. You may contact him by email at deutscher.[email protected].

Marcial González is a principal in the firm’s Bogota office. You may contact him by email at gonzalez.mar[email protected].

David Mkrtchian was formerly a consultant in BCG’s Los Angeles office.

Q&A

AT ANHEUSER-BUSCH INBEV, ARTIFICIAL INTELLIGENCE IS EVERYWHERE

AN INTERVIEW WITH TASSILO FESTETICS, VICE PRESIDENT OF GLOBAL SOLUTIONS

As AI goes mainstream, it is becoming integrated into the operations of traditional companies. Anheuser-Busch InBev, the largest brewer and one of the largest fast-moving consumer goods companies in the world, is one such company.

With a brewing heritage dating to 1366, Anheuser-Busch InBev is discovering that AI can help in such diverse tasks as pricing, the supply chain, and the back office. But it’s not necessarily an easy transition. Anheuser-Busch InBev is a global company, and its data—the raw material of AI—is scattered. And until recently few employees were highly skilled in AI.

That’s all starting to change.

In his role as vice president of global solutions, Tassilo Festetics has been overseeing the brewer’s global technology, analytics, and back-office operations for the past two years. His team is quickly building AI capabilities throughout the company.

Festetics recently sat down with Philipp Gerbert, a BCG senior partner and a Fellow at the BCG Henderson Institute. Edited excerpts from that conversation follow.

About Tassilo Festetics
• Born in: Kitzbühel, Austria
• Year born: 1978

Education
• Master of science, genetics and microbiology, University of Vienna

Career Highlights
• 2017–present, Anheuser-Busch InBev, vice president of global solutions
• 2015–2017, Anheuser-Busch InBev, vice president of finance
• 2013–2015, Anheuser-Busch InBev, vice president of information and business services
• 2007–2013, Anheuser-Busch InBev, various positions
• 2005–2007, Accenture
• 2002–2005, Ottakringer Brauerei

Tassilo, thanks for joining us today.

Thank you very much for having me.

Could you perhaps start by commenting on the core application areas of AI?

The first point is that AI is everywhere in companies already. Most companies will have it somewhere, knowingly or unknowingly. Pricing is a great place to start. Pricing has very high returns. They’re very directly measurable. There’s a lot of data available. And then there is the back office. The back office always comes at the end because it’s not the sexiest area to look at. But I think that the entire back office in companies is going to be

substantially transformed by machine learning.

How do you make change happen? How do you get the buy-in of senior management?

The answer is very easy. You show them the money. The moment you show the dollars, change becomes much easier. But without joking, that’s the best way to get there. So focusing on the initiatives that have the highest returns first will pave the way for the rest.

How did you get the team up to speed?

This is probably the most crucial part and also the most complicated part. On one side, you need to hire new resources. We are not a digital company. We are a company that’s being digitized. So we had to bring people on board that have a greater understanding of AI. But we are also training the people we already have. For example, I took my whole team last year to Berkeley, and we spent a week on just machine learning and artificial intelligence.

In our research, we have observed that building individual AI use cases is the easy part. The hard part is to scale AI across a company. So what do you see as the core challenges?

The first one is access to data and data availability. Our company has been on a very long journey of mergers and acquisitions, so our data landscape is extremely fragmented. And you mentioned the second one before. It’s basically getting the resources and the capabilities in place to be able to run algorithms.

During that program, which of your actions proved most important?

We went to India very early on. We started to hire the right talent, building capabilities that we didn’t have. Engagement with universities was also important. We worked a lot with MIT, obviously, but also with universities in India. You need to be able to build a brand so that you can recruit the right resources you need.

With hindsight, what would you have done differently?

I would have invested much earlier in these capabilities. I would have spent much more time on data up front. If you look at most of the projects that we are running, the data scientists spent 60% to 70% of their time on data acquisition, which is a huge loss of time. But that comes from a very fragmented data landscape.

What were actually your biggest surprises?

Many companies locate their back office in big towers where thousands of people are doing transactions. If we fast-forward five to ten years, these big towers will not be there anymore. These big towers will be replaced by a handful of engineers that will basically tweak algorithms.

How do employees perceive the AI program, and how do you potentially address their concerns?

I think this is obviously very different at different levels. Of course, there are concerns. Just think about the point that I mentioned about the back office. I truly believe that the back office is totally going to be revolutionized, but it’s very hard to go in front of my team that runs the back office and say, “Wow. I believe that the back office will disappear.” First of all, I don’t think that people will lose their jobs. Their jobs are going to be transformed. You really need to go through a process of education so people are not afraid and understand that their jobs are evolving. It is basically creating awareness about what is happening—the transformation that is actually happening—and demystifying it for people.

Let’s change perspective. What could Anheuser-Busch InBev actually learn from other companies?

One thing that I think we haven’t figured out is the career path for people who are working in the field of artificial intelligence. We are asking ourselves, “How do we design the career path for these people? How do we make sure that these people don’t leave us immediately but see opportunities to grow in our company without needing to change their jobs constantly?”

Can you give us an example of how AI helped in your supply chain?

We run 400 breweries across the world. They’re really manufacturing sites. They have a lot of motors, and what happens to motors is they just break. They’re not like people, who might have a headache before they get sick. They just break. Once they break, your entire supply chain stops, and you need to replace the motor.

We found a company that had a device that listens to motors and learns the baseline noise of the motors. Some motors have five different noises before they break. The device basically listens to your machine, and the moment it starts to go outside of the baseline, you know your motor is starting to have a headache. So before it gets sick and breaks, you can repair or replace the motor.

Tassilo, thanks a lot for sharing your thoughts and experience at Anheuser-Busch InBev. Let me wish you lots of success in your program going forward. Thank you.

Thank you very much for having me.

Philipp Gerbert is a senior partner and managing director in the Munich office of Boston Consulting Group. You may contact him by email at [email protected].

ANALYSIS

ARE BLOCKCHAIN AND THE INTERNET OF THINGS MADE FOR EACH OTHER?

by Zia Yusuf, Akash Bhatia, Massimo Russo, Usama Gill, Maciej Kranz, and Anoop Nannra

The hype surrounding blockchain, the latest technology promising to upend the business world, seems matched only by the attention paid to another hot topic: the Internet of Things (IoT). Amid the noise, business leaders need to determine if experimentation that combines these two early-stage technologies can yield a sustainable competitive advantage.

In this joint study by Boston Consulting Group and , our aim was to better understand how blockchain is being used by businesses building a distributed IoT network. Our research shows that only a small subset of companies have started down this path, and most of those experimenting with blockchain and IoT are still in the proof-of-concept phase. Still, already it’s clear that these nascent technologies, if paired together, can disrupt a variety of business sectors.

IoT: From Hype to Reality

As invariably happens with new technologies, hype helped define the early days of IoT. Investments in IoT have skyrocketed over the past two to three years but lag original estimates. According to a February 2018 IDC study, projected spending on IoT is expected to hit $1 trillion in 2020, which represents a robust, four-year compound annual growth rate (CAGR) of roughly 15%. It falls short of a December 2016 IDC projection, however, that forecast a market size of $1.29 trillion.

This shortfall reflects a healthy recognition of reality. Several factors have inhibited IoT’s growth, including a lack of technical standards, antiquated business and market structures, cultural issues, technological complexity, and security and privacy concerns. To address some of these issues, companies are turning to blockchain.

The Case for Blockchain with IoT

Our findings show that there’s a select subset of IoT-related applications for which blockchain is a perfect match. Generally, these blockchain-with-IoT use cases can create incremental value if they exhibit one or more of the following characteristics:

• The need for high trust and transparency across devices managed by multiple parties that don’t typically trust one another
• Reliance on a single version of truth by multiple stakeholders when individual records are error prone and the cost of lost or compromised data is very high
• Device authenticity, critical because the impact of rogue, tampered devices would be substantial
• Reliance on autonomous decision making and decentralized transactions

We identified more than 35 use

cases of companies using blockchain with IoT and organized them into five categories: operations tracking and visibility, provenance and authentication, autonomous machine-to-machine interactions, service-based businesses (such as smart locks, smart vehicles, delivery, car leasing), and data monetization (consumer goods usage data, health data, and environmental conditions, including weather and pollution). (See Exhibit 1.)

Most of the applications we identified are still in the proof-of-concept phase, if not still on the drawing board. Our analysis shows that only about 25% of the use cases we examined had completed the proof-of-concept phase.

Progress varied across the applications. In two of the categories, participants expected to launch an enterprise-grade rollout in the subsequent 12 to 18 months. The first is operations tracking and visibility, where 60% of the applications were ready for production. The second is provenance and authentication, where 33% of the applications seemed ready for production.

In the remaining three categories, scaled rollouts appeared likely to occur over the longer term. (Two more articles about blockchain with IoT are forthcoming. One involves track and trace in supply chains; the other concerns preventing the sale of counterfeit goods.)

Our research shows that the automotive and consumer industries are ahead of others when it comes to working with blockchain and IoT. Following close behind are health care, tech and telecom, and industrial goods. Nearly one-third of the deployments we identified are applicable across multiple industries. The remainder are industry specific.

The Economic Value of Blockchain with IoT

Blockchain with IoT can drive value for enterprises. (See Exhibit 2.) Here are three ways:

• Cost Reductions. Blockchain allows for the creation of pooled, trusted data sets that can be shared among multiple stakeholders, thus replacing middlemen. This elimination of intermediaries, as well as the automation of transactions across the value chain, will result in cost efficiencies. Consider, for example, the automation of the customs-clearing process within a supply chain, which reduces (and potentially eliminates) the need for customs brokers.

Exhibit 1 | Select Use Cases in Which IoT and Blockchain Drive Value in Tandem


Source: BCG analysis. Note: IoT = Internet of Things; P2P = peer to peer. Overall, only 23% of the deployments we examined had completed the proof-of-concept phase and were ready for a production rollout.

Exhibit 2 | The Value of Blockchain with IoT in the Short Term and the Long Term

Source: BCG analysis.
¹ Create new business models.

• Revenue Enhancements. Existing enterprises can use blockchain with IoT to minimize lost revenues (through the prevention of counterfeit sales, for example). Blockchain can also unlock much of the value of IoT by making possible what otherwise wouldn’t be practical or scalable: in the use of smart contracts, for instance, to automate transactions and payments across devices. We anticipate an array of moneymaking opportunities within service-based businesses and with machine-to-machine interactions and data monetization.

• Risk Mitigation. Compliance requirements continue to grow more complex over time, partly as a result of globalization and digitization. Consider, for instance, the 2013 Drug Quality and Security Act, which outlines the steps that the pharmaceutical industry needs to take to electronically track certain prescription drugs distributed in the . Blockchain with IoT could help businesses satisfy this regulatory requirement by collecting and maintaining the required audit trails. Blockchain with IoT can also mitigate risk by ensuring the quality and authenticity of products throughout their life cycles, which can help protect a company’s name and reputation.

We expect that the adoption of blockchain with IoT, and the resulting economic value, will occur in two phases, as has happened during other technology evolutions. In the short run, improvements in existing processes will drive value through cost reduction and risk mitigation. The long run will offer richer possibilities through revenue enhancement. We anticipate new business models emerging and see the potential for any number of new revenue streams.

The Challenges Ahead

We’re still in the early days of blockchain, and IoT is only now moving into the mainstream. Although pairing the two offers great potential, key challenges are likely to slow adoption:

• Limited Understanding of Blockchain. How IoT can drive value for a great variety of businesses is widely understood. Yet limited understanding exists for blockchain and how it can solve complex business problems. For example, more than 40% of non-IT, board-level executives in the UK recently admitted that they didn’t really understand blockchain, according to a survey by the search and recruitment consultancy MBN Solutions.

• Blockchain’s Poor Reputation. Businesses have generally embraced IoT. But blockchain is the underlying technology that gave life to bitcoin and other cryptocurrencies, and blockchain’s reputation has suffered (unfairly) because of its association with initial coin offerings (ICOs), which has people legitimately worried about runaway valuations and a potentially dangerous bubble. Further eroding trust are reports, such as the one that appeared in the Wall Street Journal in May 2018, that of the 1,450 digital coin offerings its reporters had reviewed, 271—or nearly one in every five—raised a red flag because of plagiarized investor documents, promises of guaranteed returns, or phantom executive teams. The hype surrounding blockchain may spark healthy skepticism, but it can also cloud rational judgment.

• Regulatory Uncertainty. Any new technology or set of technologies creates regulatory uncertainty as governments and regulatory bodies around the world wrestle with the potential impact of such advances. Some countries, including China and South Korea, have already banned ICOs, while others, including Switzerland, have taken a more relaxed stance. More debate among regulators is likely to emerge as the use of blockchain with IoT spreads.

• A Lack of Standards and Enterprise-Ready Platforms. Eventually, the industry will establish technical standards that will permit rival systems to integrate with one another. Until then, any early adopter of a blockchain-with-IoT solution will have to brace for problems with interoperability and scalability (if not obsolescence) if they tie themselves to a provider that doesn’t survive. Collaborations such as the Trusted IoT Alliance have only recently started to form in order to bring together key players in this sector. It’s still early days for a field that has seen the emergence of multiple competing blockchain platforms.

• A Need for Collaboration. Blockchain derives value from large-scale adoption. Buy-in from, and coordination among, multiple parties is essential in order to reap the benefits in most of the use cases that we assessed. Increasingly, businesses are creating and joining industry-specific consortia because the true value in blockchain-with-IoT initiatives involves multiple parties that are willing to invest time, money, and effort as a group. That’s why companies need to involve all stakeholders when testing a new solution and invest in what’s called a minimal viable ecosystem, or MVE: a way of ensuring that the solution works for multiple participants.

• Where to Place Your Bets. More than 400 companies offer an IoT platform. We estimate that roughly 50 of them are enterprise ready. (See “Who Will Win the IoT Platform Wars,” BCG article, June 2017.) Introducing blockchain to the equation compounds the complexity. (See the sidebar “Is Your Company Ready for Blockchain in IoT?”) Figuring out what platform(s) to bet on and who to partner with are significant challenges. Companies need to decide which capabilities to build internally, which to acquire, and in which situations strategic partnerships can help bring about a successful transition from both business and technology perspectives.

IS YOUR COMPANY READY FOR BLOCKCHAIN WITH IOT?

The following are some of the critical questions to consider if your organization is considering a blockchain-with-IoT solution:

• Does your company clearly understand blockchain and recognize that a blockchain-with-IoT solution can be employed without also using a cryptocurrency?
• Have you identified and gained executive alignment on viable IoT and blockchain use cases and ratified the ways blockchain can create additional value for your IoT solutions?
• Have you identified and brought on board key stakeholders, such as partners, suppliers, customers, and ecosystem players who are necessary to drive value in a blockchain-with-IoT investment?
• What are the business drivers that propel a decision to issue tokens or leverage cryptocurrencies, and how will you manage the associated risks, including regulatory uncertainty, potential volatility, and perceptions by customers and partners?
• Have you both identified the right blockchain platform and adopted a technology blueprint that is aligned with the identified blockchain-with-IoT use case to better understand the technical inhibitors with these technologies?

A Matter of Time

In the short run, the combination of blockchain and IoT will mainly focus on driving efficiencies inside companies and further automation of the paper trails needed to satisfy risk and regulatory requirements. Over the longer term, as both technologies mature, companies will use blockchain with IoT to develop and scale new revenue streams. Dynamics will shift as new business models materialize.

But the combination needs time to scale. In particular, blockchain needs time to mature and overcome some big obstacles—a lack of understanding as well as some technical and regulatory challenges—before it can achieve anything near its full potential and offer business leaders the solutions they need to drive significant economic value in their companies.

Zia Yusuf is a partner and managing director in the Silicon Valley office of Boston Consulting Group and the global lead for the firm’s Internet of Things topic. You may contact him by email at [email protected].

Akash Bhatia is a partner and managing director in the firm’s Silicon Valley office and the lead for BCG’s Internet of Things topic in North America. You may contact him by email at [email protected].

Massimo Russo is a senior partner and managing director in BCG’s Boston office. You may contact him by email at [email protected].

Usama Gill is a principal in the firm’s San Francisco office. You may contact him by email at gill.usama@bcg.com.

Maciej Kranz is the vice president of strategic innovations at Cisco Systems, the author of the book Building the Internet of Things, and a faculty member at Singularity University. You may contact him by email at [email protected].

Anoop Nannra is a director in the chief strategy office of Cisco Systems, where he heads the company’s blockchain organization. You may contact him by email at [email protected].

Q&A

BRINGING DIGITAL TRANSFORMATION TO AIRBUS

AN INTERVIEW WITH MARC FONTAINE, DIGITAL TRANSFORMATION OFFICER

Executing a digital transformation is challenging for any company, but especially for a manufacturer of products as complex as commercial aircraft. For the past several years, Airbus has been implementing a comprehensive program to digitize its design, supply chain management, service support, manufacturing, and other functions—as well as to transform its organization and corporate culture.

As digital transformation officer for Airbus, Marc Fontaine has been leading this initiative for more than two years. A former officer in the French navy, Fontaine has served in various executive capacities at Airbus and its predecessor companies—including leading the merger that created the European aerospace consortium—for more than two decades. He has also founded several publishing and software-editing enterprises. Fontaine sat down with Loïc Mesnage, a partner at Boston Consulting Group and managing director of the firm’s Paris office, to discuss Airbus’s progress with its digital transformation and the goals it aims to achieve.

About Marc Fontaine

Education Highlights
• Aston Business School, MBA
• EDHEC Graduate School of Management, business degree

Career Highlights
• May 2016–present, Airbus Group, digital transformation officer
• June 2012–May 2016, Airbus Group, chief of staff of the chief executive officer and corporate secretary
• 2004–2007, Eurocopter, company secretary and chief of staff of the chief executive office
• 2002–2004, Istar, chief executive office
• 1998–2002, EADS (now Airbus), various positions, including leader of business development for the defense division
• 1993–1998, Aérospatiale, various positions, including leader of the merger of Aérospatiale-Matra and DASA, which created EADS

Hello, Marc. Thanks for being with us today. What does digitization mean to the aerospace and defense industry?

We are designing, over six to ten years, a very complex product—probably the most complex product to be manufactured. And each time you get it wrong, for whatever reason, you have to modify it. And digitization will make a difference of hundreds of billions of dollars in redesign.

I believe that this type of, almost, fire-and-forget approach, when applied in this hugely valuable industry, is a source of vast opportunity if it enables you to close the loop more quickly with regard to the design and the operations of the aircraft.

What are the typical opportunities that you’ve seen?

Typically the opportunities involve re-creating digital continuity. When you look at the data across the supply chain and down to the operations level for each aircraft, you start to visualize larger patterns that you can fix much more easily than if you address discrete issues in piecemeal fashion. Otherwise, the silos of the industry prevent you from seeing these patterns.

For example, in our factories, merging the data of 14 SAP systems allowed us to reduce non-quality on the ramp-up by up to 30%. By interacting with airlines and by merging data from the aircraft in operation together with our knowledge in customer support and services, and with Airbus’s engineering database, we reduced the time required to fix fuel pumps on an A380—what we call “time to get a fix”—from 24 months to two weeks.

The steps we’ve taken toward data integration and data utilization have already begun unleashing incredible potential. On top of that, you have the potential to add intelligence through analytics and machine learning, to help people focus on doing their jobs and applying their knowledge, rather than spending much of their time simply gathering information.

How did you get started on this journey?

Probably the starting point was a series of exploratory visits in Silicon Valley. We were also affected by new entrants, like SpaceX in the space business and in UAVs. Not because we were always engaged in direct competition, but because the new entrants were starting to enter a new dimension. The range of cost was absolutely staggering, and the innovation potential of these companies was very impressive. Also, the introduction of complex innovations close to our business led us to question our own methodologies.

What, in your opinion, has been Airbus’s most amazing accomplishment in digital?

Understanding the power of data integration led us to build a data lake for Airbus. And now, for the industry, we have the Skywise platform, where we convinced ourselves through pragmatic, use-case-driven implementation that the technology was ready for us to leverage the incredible amount of data that we have—in our factories and engineering departments, and in service aircraft, and on board the aircraft, and in the supply chain—to resolve use cases.

Convincing ourselves that the data lake was possible—that it was secure and governable, and that we could even share it with other parties—was a true revolution. For us, as a big company, it was also the answer to a deep contradiction that we’ve been trying to resolve for decades, which is how to be big and nimble, how to empower teams without relinquishing control.

The fact that people can act at the proper level, concurrently rather than sequentially, in using the same data—the same proof point—across functions and across the business boundaries of the company with suppliers and customers has proved to be the crucial factor in curing the plague of silos between engineering, manufacturing engineering, manufacturing services, customers, and suppliers.

So the biggest achievement for us was deploying that approach internally and now deploying it to customers with Skywise and backward to suppliers—an effort that is currently in the evaluation phase.

Are you exploring other technologies in your digital transformation?

Yes, we currently have nine roadmaps of digital capabilities that we are sourcing, partnering, and prototyping in our business for implementation and industrialization. These range from IoT [Internet of Things] to virtual IoT to competence in the Industry 4.0 revolution around cobots, robots, and additive manufacturing.

You must have faced some roadblocks along the way. What were the biggest ones?

The first challenge, I believe, related to conveying the necessary sense of urgency and to doing the evangelizing associated with it. Until people see how digital transformation relates to their own issues and circumstances, they are hard to convince.

Another big challenge is value measurement. In digital transformation, we tackle and improve the business in ways that traditional finance mechanisms cannot fully evaluate, especially in asset-based companies with traditional metrics for return on investment.

How has digital changed Airbus and Airbus people?

Digital transformation is about data, mostly—and humans. We should not forget the transformation part of digital transformation. Seventy-five percent of the effort is probably on the human part of the transformation. It’s not about tool deployment. Tool deployment will not change the way a company operates if you don’t also change the processes, the ways of working, the culture, and all of the underlying support-function measurements, values, and metrics.

I believe that digital changes the lives of the people who are exposed to it—again, not because we give them a new tool, but because it enriches their jobs. It gives them more power, it gives them more decision-making power, and it helps them avoid the frustration of being only one gear in a very complex command-and-control mechanism.

How do you see Airbus in five years?

I don’t see it precisely, and I truly think this is a good answer. There are some things about it, of course, that are visible. I will implement the digital workplace and Industry 4.0 on the shop floor. We have clear targets about digital design and manufacturing deployment and new ways of working. At the same time, even in aerospace, with Skywise especially, we are starting to see improvements.

Thanks to digital, we are piloting potentially new business models, where we are starting to talk about a platform for aerospace, and where we are already talking about third-party developers and APIs [application programming interfaces] for open ecosystems. We’re starting to sound very techy and very software.

So I really believe it’s leading to far greater efficiency at an industrial scale of several billion dollars. Each time we have applied these technologies, we have been looking for two-digit improvement—nothing less—so we have to choose the right fights. But the reward is there.

Marc, thank you very much.

Thank you, Loïc.

Loïc Mesnage is a partner and managing director in the Paris office of Boston Consulting Group. You may contact him by email at mesnage.[email protected].

VIEWPOINT

DO YOU HAVE THE COURAGE TO BE AN AGILE LEADER?

by Marijke Brunklaus, Lindsay Chim, Deborah Lovich, and Benjamin Rehberg

Making the transition from long-standing organizational norms to agile ways of working is difficult. Executives have to unlearn many of the things that led to their personal success, and the success of their companies, in the first place. (See “Agile Starts—or Stops—at the Top,” BCG article, May 2018.) In fact, one of the most common traps that companies fall into is redesigning the organization around agile principles and practices while senior managers, who are not part of the daily agile routines, keep doing things the way they have for years. (See “Agile Traps,” BCG article, May 2018.)

Agile is based on the principles of teamwork, autonomy, and alignment. The ability of teams to act autonomously spurs both ownership and creativity, enabling them to make quick decisions and move fast. This combination of ownership and decision making at speed also accelerates the development of talent on the teams, which enables faster and even more effective decision making. But a high degree of autonomy works only when there is also a high degree of alignment in and among the teams.

One key role of agile leaders is to set and maintain strong alignment around overall company purpose, strategy, and priorities.

Leaders need to communicate their intent, explaining both the what and the why. Then comes the hard part: leaders need to let go—and do so visibly—thereby releasing the teams to figure out how to address their assigned challenges. The more alignment that leaders are able to establish, the more autonomy they can afford to give, and the more they can and should let go.

In our work with many organizations, including our own, we have encountered leaders who are great at the alignment half of the equation but have a hard time letting go. These individuals have risen to their positions by doing the opposite—keeping a firm grasp on their teams and managing toward outcomes. But if they and their organizations are to gain the benefits of agile ways of working, they will need to double down and let go.

Here are six areas where you can start letting go.

The Steering Committee

The role of senior leadership is to set the direction and boundaries, creating alignment and enabling teams to pursue their own decisions. This makes traditional steering committees obsolete and potentially destructive: agile’s benefits are lost when the results of teamwork—a product innovation, for example, or a faster internal process—run hard into traditional processes and deliberate, drawn-out management approvals.

Agile is about transparency, which helps maintain alignment as well as autonomy. Leaders should have clear vision into what their teams are doing (because each team’s work should be readily apparent to others), and if management is truly committed, an agile process of quarterly business reviews is enough to maintain alignment and focus in the organization, without the need for a steering committee. Progress can be tracked in more detail by active, personal engagement with teams and their projects through periodic demonstrations or discussions of emerging issues, rather than by tracking milestones.

Leaders can spread and reinforce alignment in a variety of ways that include modeling their own behavior and strengthening governance mechanisms, measurement frameworks, and performance management practices. (See “How CEOs Keep Agile Transformations Moving,” BCG article, July 2018.)

Nonessentials on the Leadership Agenda

Senior leadership is there to support the teams so that they can do their work; leaders should keep this basic principle in mind when drafting the agenda for the senior-leadership team meeting. The items that make the agenda should satisfy the simple criterion of whether they further alignment, autonomy, or their teams’ work on current tasks. Everything else can be let go. At the end of each meeting, save a few minutes to determine if the right things were discussed and modify the next meeting agenda accordingly.

Perfection

Another basic principle of agile is testing and learning. Teams build MVPs (minimum viable products) for external and internal customers. They test their results to learn what’s working and what needs fixing. This is a 180-degree turn from past practice for most companies, which have sought perfection (or as close as possible) before rolling out new products, services, or ideas. Agile organizations share ideas at an early stage and solicit feedback, which they incorporate, and then move on to other tasks. When senior management shows that it is willing to test and learn as well, that makes it easier—and more easily accepted—for their staff to take chances and learn from experience, imperfection, and mistakes.

Overemphasizing Skills

Managers typically value—and reward—technical and functional skills. Agile leaders elevate behavior to the same plane. High-value behaviors include collaboration, curiosity, flexibility, teamwork, and a willingness to take chances and to learn. Some companies go so far as choosing team members on the basis of behavior first—and then assessing knowledge and experience. These companies realize that while expertise and knowledge are critical, they can add value only if the person with the skills also fits into the new culture.

Talent That Can’t or Won’t Change

Just about every management team that successfully transitions to agile ways of working finds that it needs to let go of some previously valuable members whose style and behaviors no longer fit the culture. (Companies that fail often realize that recalcitrant managers were one of the principal reasons.) Letting go of loyal executives is no easy task, especially when they have long histories or track records with the company. Still, it is best done decisively and early in the transformation process so that old managers don’t act as an anchor and new team members can step up and assume their roles. Appointing the right people at the senior level sets an example and acts as a catalyst in the transformation process. It also sends an unmistakable message to others who might be sitting on the fence of change: they need to get with the program before they encounter a similar fate.

Old Ways of Managing

Visible change, even if it is symbolic, demonstrates commitment. Successful lighthouse projects can establish momentum and achieve scale as the results roll in and the organization gains an understanding of what agile can accomplish. But the extra push that comes from the CEO and the leadership team visibly adopting agile behaviors can play a crucial role in getting over the inevitable hurdles. At one company, the senior-leadership team abandoned their corner offices for a shared table in the middle of the building—where they were accessible to everyone. They also gave up their assigned parking places and turned them over to client visitors, sending a combined message of teamwork and client-first priorities. And executive team members committed to hold weekly get-togethers with staff in the company café, during which they provided general business updates and answered questions but also spoke about what was working and what needed more attention, both for them personally and for the new organization.

Abandoning long-standing ways of managing, and doing so visibly, secures agile leaders a double benefit. It furthers the transformation of their organizations through their own actions—and shows everyone that they are willing and able to let go of old habits and lead the way forward.

Marijke Brunklaus is a senior advisor to Boston Consulting Group and the former chief human resources officer of ING Netherlands. You may contact her by email at brunklaus.[email protected].

Lindsay Chim is an associate director in the firm’s Chicago office. You may contact her by email at chim.[email protected].

Deborah Lovich is a senior partner and managing director in BCG’s Boston office. You may contact her by email at [email protected].

Benjamin Rehberg is a partner and managing director in the firm’s New York office and global coleader of the agile topic. You may contact him by email at [email protected].

PERSPECTIVE

AGILE LEADERSHIP AND THE ART OF LETTING GO

by Benjamin Rehberg

As agile takes hold within an organization, senior leaders tend to tighten their grip. Old habits die hard.

But the most successful agile leaders do just the opposite. They create alignment around purpose, strategy, and priorities—and then they let teams go. This requires a mindset that strikes some executives as entirely counterintuitive. But it works.

Here are a few ideas on how to loosen your grip so that agile teams can thrive.

Drop the Steering Committee

Agile teams move quickly, iterate frequently, and experiment boldly.

This is very hard to do when you have an overbearing steering committee breathing down your neck. Teams must be given the autonomy to pursue innovative ways of working (as long as it fulfills the overall vision set by senior leaders). Quarterly business reviews can be used to ensure that everyone is aligned and pulling in the same direction. If you want to track teams’ progress more closely, engage with them directly and ask for demonstrations. These types of on-the-ground interactions and discussions will tell you more than any milestone tracking or monthly reporting.

Simplify the Agenda

When drafting the agenda for senior-leadership meetings, keep in mind that leaders are there to support agile teams in their work. The items on the agenda should be simple: Are we furthering alignment, autonomy, and teamwork? If so, you’re on the right track. Let everything else go.

Don’t Expect Perfection

Agile teams are supposed to test and deliver a minimum viable product early and often. For companies used to perfecting a product or service before releasing it into the world, this can be an uncomfortable way of working.

But managers should expect agile teams to test new ideas, experience failure, and learn from mistakes. Don’t let perfect be the enemy of good.

Reward Collaboration, Curiosity, and Teamwork

Traditionally, managers have focused heavily on hiring people who possess the right skills, but agile teams require a broader set of high-value behaviors, including collaboration, curiosity, flexibility, teamwork, and a willingness to take chances.

Consider hiring for the right behaviors first—and looking at skills and experience second—to ensure that you build teams fit for agile.

Cull the Herd

As you transition to agile, a small fraction of employees just won’t come around. This is especially problematic when it comes to managers; leaders who take a halfhearted approach to new ways of working, or stubbornly resist change, can thoroughly undermine an agile transformation. It’s important to appoint leaders who can take charge of agile teams and set a bold vision.

And it’s important to consider removing those who are unwilling to act as a catalyst for change.

Make Agile Visible

Find ways to make agile visible throughout the organization. Shine a spotlight on successful pilots that demonstrate what can be achieved with agile. Rearrange the office layout to eliminate bureaucratic layers and facilitate access to senior leaders. Hold weekly get-togethers with staff in local cafés to share best practices, lessons learned, and success stories.

Find what works for your organization and stick with it. These signals telegraph that new ways of working are for everyone—and they’re here to stay.

Senior leaders have grown accustomed to the standard formula for success: work hard, set and maintain strong alignment, and stay on top of your teams to make sure they hit specific milestones. Most leaders are great at the first two, but reluctant to give teams more autonomy. Agile ways of working require a much more hands-off approach, and the leaders who can adapt and are willing to let some things go will reap enormous rewards.

Benjamin Rehberg is a partner and managing director in the New York office of Boston Consulting Group and global coleader of the agile topic. You may contact him by email at rehberg.[email protected].

FOCUS

WHEN AGILE MEETS OUTSOURCING

by Heiner Himmelreich, Peter Hildebrandt, Rohit Nalgirkar, and Joppe Bijlsma

As IT organizations introduce agile ways of working, they often run head-on into an existing business model that seems incompatible: traditional outsourcing. The agile model, with its strong focus on teamwork, frequently clashes with the traditional outsourcing model, which requires contracting with vendors whose staffs are trained primarily to follow instructions rather than work collaboratively.

To make the agile approach successful, IT organizations often assume that they must insource most of their development processes and forgo sizable outsourcing benefits, such as reduced fixed costs and increased access to valuable skill sets. But organizations can introduce agile and continue to outsource. When companies create strong partnerships with vendors, IT organizations can blend in-house and vendor teams into cohesive units that achieve breakthrough performance.

Getting Started

In a traditional outsourcing relationship, an IT team “throws a project over the wall” to a vendor; the vendor, in turn, completes its tasks and throws the project back. Although this arrangement works well for IT projects that use the waterfall model, which dictates that work cascade from one step to the next, this setup fails when it encounters the agile work process.

Agile demands that an interdisciplinary team works closely together during agile sprints (development intervals of one month or less). Agile maintains that a team shares information, solves problems, creates minimum viable products, and fails fast. And it asks that team members work as equals and that they be given the flexibility to change direction quickly. For the agile model to succeed, one team cannot punt to another; the members of both must execute together.

To foster this working relationship, companies should partner with vendors, tearing down the walls and enabling agile team members to work side by side, whether virtually or physically, to achieve their goals. This approach, which we call distributed agile, creates squads that are composed of company and vendor staff members. All team members participate as equals and work with a one-team mindset to understand the end user’s needs and to find solutions. (See Exhibit 1.) Many organizations have formed productive and enthusiastic teams by taking this distributed agile approach, while sustaining the cost savings originally generated by outsourcing. (See the sidebar “Distributed Agile in Action.”) Getting started requires three steps.

Exhibit 1 | Distributed Agile Alters the Outsourcing Workflow
[Figure not reproduced; labels: Workflow, Onshore, Offshore.]
Source: BCG analysis.

DISTRIBUTED AGILE IN ACTION

A global entertainment company that was facing significant market pressure from new entrants wanted to introduce an agile approach so that it could speed up its IT development and remain competitive. But the company was outsourcing approximately 70% of its IT development to a vendor in a time zone that was 12.5 hours ahead, and it was reluctant to eliminate this arrangement given that it was very satisfied with the vendor’s work.

The company decided to approach the vendor about fundamentally changing the way they worked together. Rather than the entertainment company handing specific projects to the vendor, they would partner and adopt a distributed agile model in which their staffs worked hand in hand to accomplish mutual goals. The company even involved the vendor in the design of the new approach: together, they tested various options and used the results to determine which one to pursue.

The partnership was a major success, in part because the companies followed several team-building best practices. The company and the vendor not only formed agile teams but also collocated team members at the start of each project and at key moments throughout development. By working closely, the team members quickly engaged with each other and forged strong bonds.

As a result, the companies were able to generate tremendous enthusiasm for the approach in their respective organizations. More than 90% of squad members saw the value of the agile work process and felt highly motivated. The average productivity of the agile teams was 15% higher than that of prior development teams, and the quality of their work was significantly better—by 65%, on average—as measured by the number of defects found in the product. In addition, the company realized an estimated 20% run rate savings for the project as a whole.

Evaluate Distributed Agile Models

To create an effective partnership, a company and a vendor must begin by evaluating distributed agile models. We’ve defined three. (See Exhibit 2.)

In the first model, most team members are onsite at one of the company’s primary locations and report to either the company or the vendor, depending on the long-term development plans.

The second model is similar in that the product owners (POs), scrum masters, and business analysts are onsite at one of the company’s primary locations; however, all developers and quality assurance specialists in this model are situated at one of the vendor’s locations.

The third model specifies that only the POs are situated at one of the company’s primary locations, while all other members are situated at one of the vendor’s locations.

Note that POs are typically company employees, because they need to be close to the business to understand its requirements and priorities. Scrum masters and business analysts can be employees of either the company or the vendor. And developers and testers are typically employed by the vendor.

Determine the Importance of Collocation

Some companies think that agile development mandates collocation, but the need for collocation depends on the project. A company developing a mobile home-shopping app knew that it was critical to understand its potential customers in order to create a buying experience that met their expectations, so the company required that the product owner and key team members collocate in the target market. Another company insisted that its peer-to-peer payment app be developed by a collocated onshore team, given that the requirements—and the competition—were evolving quickly. In contrast, a company that was migrating its call center platform saw no need for collocation, because the desired functionality, requirements, and integration points were well understood by all.

Choose the Distributed Agile Model

Deciding on the most appropriate distributed agile model for each project or stage of development will mean understanding and accepting the relevant tradeoffs, particularly in terms of available expertise, costs, and collaboration.

Exhibit 2 | Companies and Vendors Can Apply Three Distributed Agile Models

[Exhibit: three models arranged by depth of outsourcing effort. First model: most team members are at one of the company’s primary locations. Second model: developers and quality assurance specialists are at one of the vendor’s locations. Third model: product owners are the only remaining resource at one of the company’s primary locations. Roles shown for each model: product owner, scrum master, business analyst, developer, quality assurance specialist, each marked as a resource at a company location or at a vendor location. Callouts: the product owner should stay close to the business; it is critical to collocate developers with quality assurance specialists to accelerate feedback loops.]

Source: BCG analysis.

Most companies prefer the first or second model. While these models are more expensive, companies can more easily take advantage of their in-house skills, experience, and business knowledge. In addition, most companies find it relatively easy to set up a team at one of their locations rather than at a vendor’s, particularly if the vendor is situated offshore. No matter which model is chosen, companies and vendors will want to collocate the majority of their team members for two or three sprint cycles before moving core team members to their ultimate location full-time, given that teams need time to adapt to new collaborative practices.

Many companies and vendors choose a distributed agile model and stay with it, while others try the different models over time or make a selection on a project-by-project basis. If a company’s systems are stable and the processes under development are not critical to the business, for example, the company may be open to using the third model from the start. If the processes under development are critical, the company may feel more strongly about starting with the first model and shifting to the second or third model only as the partnership develops.

The Partnership Approach
After the company and the vendor have agreed on a distributed agile model, they can set up their new partnership, which must have three interdependent parts: a new contract, new team practices, and tools and technologies to enhance team communication and productivity.

A New Contract
When companies and vendors partner with each other, they risk being locked into the relationship. As a result, managing the company-vendor relationship is as critical as ever. This requires a well-written, legally binding contract—one that clearly establishes charging mechanisms and governance methods, including KPIs.

The new contract must reflect the change in the company-vendor outsourcing relationship from a traditional one to a partnership model. For example, whereas the traditional vendor relationship may require a fixed-price contract for developing a predefined product or service, a partnership requires a contract that allows the company to effectively hire resources from the vendor for a preordained period.

The KPIs must also change. Traditional vendor contracts typically call for measuring KPIs such as the time it takes to fix a problem. The new contract should allow for measuring different KPIs. For example: Did the vendor assign the right people with the right skills and experience to the team? Did the vendor allocate the appropriate number of dedicated resources and what was the attrition rate? How well did team members collaborate? And how much work did the team tackle during a single sprint?

New Team Practices
The reporting dynamic in a distributed agile model is different from that in a more traditional outsourcing model: although there are still various levels of expertise and seniority, everyone works on, and contributes to, the same product. A number of best practices will help smooth the way.

Build a shared culture. One of the most important practices in distributed agile is building a culture in which people share an understanding of agile principles and the role that each individual will play. The company should coach and encourage its employees—as well as the vendor’s employees and leadership—to make this cultural change a success.

The company’s employees, in particular, may have to learn how to change their behavior toward the vendor’s employees. For example, the company’s staff should refer to an agile squad as the team; using terms such as the vendor team and the company team reinforces differences rather than unity. In addition, team members should be considerate of each other. For example, if vendor employees are offshore, they should not be the ones who always work late; instead, team members should alternate staying late or coming in early. Even small cultural adjustments can make an outsize difference.

Facilitate collocation. Another important practice, no matter which model is chosen, is collocation. It can be particularly important during the first two or three sprints and just before any essential, quantifiable deliverables are due. Some team members should collocate throughout that initial stage, and teams can send ambassadors to visit company and vendor sites on a recurring basis. However, after a team is well integrated, it can reduce how frequently ambassadors visit. When not collocated, squad members who are located in different time zones will need to adjust their work schedules to create dedicated time slots with a three- to four-hour overlap so that they can communicate with other members using videoconferencing tools.

Make a full commitment. A team must be fully committed to all agile ceremonies, which take place biweekly to discuss progress, demonstrate projects under development, and divide the work among team members. These ceremonies should be held at a time when all team members, even those in different time zones, can attend. In addition, team members should be coached to understand that every meeting is important.

Empower vendor resources. If a vendor’s employees are unable to make their own judgment calls, progress will be slowed. Instead, the company should ensure that vendor resources are empowered to make decisions and move forward between meetings, rather than waiting for permission from the PO. If they make a mistake, it can be fixed—particularly given the highly iterative nature of agile development. In our experience, companies that empower developers to begin writing code on the basis of their own understanding of an application can circle back to the PO with a prototype, instead of waiting for confirmation or clarification before they proceed.

Tools and Technologies
Companies that implement distributed agile should use tools and technologies to enhance communication and productivity. Basic collaboration tools for screen sharing and messaging are the minimum enablers for effective interaction. Teams also need communication tools that can bring everyone together for live discussions. The company and vendor should therefore ensure that all members of a team are on the same enterprise platform and that everyone has access to high-quality audio and video equipment for conferencing, as well as to tools that support collaborative writing and whiteboard sessions.

In addition, all team members should have access to agile life cycle management tools, such as Jira Software, which will improve transparency and help track KPIs. They should also have access to the same development environment for building, testing, and deploying new products and services. And companies should establish an integrated pipeline of work that allows team members in different time zones to continue to work on products after members in other time zones have finished their day’s work.

Collaboration may not always be straightforward. In one instance, a company found that offshore team members were continually missing videoconferences with US-based members—but not for the reasons it expected. The offshore members had a number of practical constraints. For example, the offshore members couldn’t stay late for videoconferences because the area around the office wasn’t safe at night, and the team members couldn’t join videoconferences from home because they lacked the required internet bandwidth. The company and vendor quickly resolved this issue by paying for high-speed internet connections in the homes of those who needed it.

Implementing agile ways of working throughout the IT organization is a journey—a long one. Recruiting a vendor as a partner for the journey lets companies transform IT development while continuing to reap the benefits of outsourcing. This distributed agile partnership requires that a company and a vendor cooperate on many levels, learn from the results, and adapt together. For those that get it right, the rewards are large, including significantly lower costs, access to a large pool of technology-savvy talent, and an ability to work continuously and rapidly, even across multiple time zones.

Heiner Himmelreich is a director in the Amsterdam office of Boston Consulting Group and the global leader for IT sourcing. You may contact him by email at [email protected].

Peter Hildebrandt is a partner and managing director in the firm’s Los Angeles office and the leader of the agile topic in North America. You may contact him by email at hildebrandt.peter@bcg.com.

Rohit Nalgirkar is a partner and managing director in BCG’s San Francisco office. You may contact him by email at [email protected].

Joppe Bijlsma is a principal in the firm’s New York office. You may contact him by email at [email protected].

FEATURE

USING AGILE TO HELP FIX BIG DATA’S BIG PROBLEM

by Fabrice Roghé, Erik Lenhard, Burt LaFountain, and Giulia Airaghi

Agile has transformed software development and taken hold in other business functions. But it has not been incorporated to the same degree in big data projects. Although organizations of all kinds are modernizing by using big data to power important decisions, the way they develop big data projects remains decidedly old school.

The reasons for the lag are many, but in many cases, the biggest reason is simple. Data engineers and scientists often do not have the depth of business acumen needed to fully address the key questions that their projects are meant to answer. They may be great at mathematical modeling, computer science, and statistics but less adept at detecting the specific business meaning in the data or assessing the real-world business changes needed to capture the value of their analytics.

At the same time, business executives may not understand data science well enough to fully appreciate how their key business questions could be answered. They often underestimate what is possible and what is practical when implementing big data solutions. As a result, the possible outcomes of a big data analytics project, and what is necessary to generate those outcomes, can easily get lost.

Traditionally, IT departments and business executives have used classic project management methods to overcome these shortcomings. Such techniques include establishing milestones and scheduling meetings to align business and technical staff. But those classic methods may not be enough to compensate for scientists’ specialized knowledge and for business leaders’ limited understanding of data science.

Organizations can overcome these challenges, however, by incorporating agile practices throughout big data analytics projects. If they do, they can better focus on both their internal and external customers. Using agile can also help employees feel empowered, which can lead to higher quality data and better project outcomes.

Big Data’s Big Problem and the Agile Solution
At their best, big data analytics detect patterns that would require considerably more time and effort to uncover using traditional analytics tools. The widespread use of big data analytics has powered breakthroughs in areas as varied as medical diagnostics, people management, and the ways organizations respond to consumer behavior.

Data scientists start big data projects with a theory about a business problem, such as how to predict demand for a car model on the basis of new features and past sales or how to determine how many employees an organization should hire to staff a new venture given existing personnel and previous staffing levels for similar projects. They then build algorithms to test the theory using one or more forms of artificial intelligence, machine learning, optimization, or traditional statistics on a massive scale. If the theory is shown to be false, they may continue refining and testing it until they reach a valid conclusion. Or they may drop it and move to a different or more pressing business problem.

The results of big data analytics can be remarkable. In observing many companies, though, we have also seen significant failure rates, particularly when organizations attempt to roll out those analytics on a wide scale. When problems do occur, deliverables such as any expected insights or process improvements may not materialize. More often than not, the fault lies not with the data but with the methods used to verify, process, and act on it. (See “How to Avoid the Big Bad Data Trap,” BCG article, June 2015.)

The heart of the problem is the manner in which big data analytics are developed. Most are built sequentially, applying the waterfall method of project management traditionally used in software development. In the waterfall method, data scientists acquire, verify, and integrate data; develop a model or algorithm to test it; run the test; and then either act on the results or continue refining the model. Work on one task waits until the preceding task is finished. But that process is inefficient. In many cases, people spend more time sitting in meetings and managing handoffs than they do on actual data-related activities. The work itself may be misdirected and wasteful. The final product is often late and difficult for a lay executive to understand, and the impact is less than anticipated.

Frustrations with the waterfall method eventually led software developers to improve the process by adopting agile ways of working. Agile calls for working in a way that is iterative, empirical, cross-functional, focused, and continually improving. (See “Five Secrets to Scaling Up Agile,” BCG article, February 2016.) Common agile methods include assembling cross-functional teams, which improve communications and reduce handoffs, especially when team members work in the same location. They also include development of minimum viable products (MVPs), rapid updates, and frequent feedback to ensure that the finished product delivers on expectations and goals. (See Exhibit 1.)

Exhibit 1 | Agile Speeds Up Traditional Big Data Projects and Improves Outcomes

[Exhibit: two project timelines plotted against time. The first shows the sequential stages Requirements, Design, Development, Test, and Corrections, with the notes: long time to market; teams work in silos with multiple handoffs; lack of focus; limited emphasis on delivering business value. The second shows a series of sprints, each producing an MVP followed by customer feedback, with the notes: faster product design; frequent iterations to deliver an MVP; small, focused, cross-functional teams aligned with business goals; strong emphasis on continuous improvement and delivering business value.]

Source: BCG analysis.
Note: MVP = minimum viable product.

Using Agile in Big Data Projects
Agile has shown great promise in many fields besides software, including financial services, marketing, and consumer goods. (See “Agile to the Rescue in Retail,” BCG article, October 2018, and “Taking Agile Transformations Beyond the Tipping Point,” BCG article, August 2018.) In client engagements, we have seen agile empower teams to do their best work while ensuring that they are aligned with an organization’s strategic goals. Given those successes, we believe that agile could bring several specific benefits to big data projects.

Rapid Experimentation. Historically, testing occurs near the end of big data projects, which means that business executives might not see results until then. For example, a team building a predictive analytics model to help sales people convert leads might wait until late-stage testing to show executives the results. However, offering results so late in the process could lead to unclear expectations for the work to be done, methods to be used, and possible outcomes. With agile, projects are broken down into manageable chunks that can be built and tested quickly. Teams develop and test MVPs continuously. If the data analytics do not yield the expected results, business executives find out right away and can correct their course. They could ask the team to analyze different data, make other modifications, or even, in some cases, abandon the project—all moves that save time and money compared with other methods.

A specialty retailer took this concept of rapid experimentation to heart when it convened an agile team that adopted the motto “Get 1% better each week.” The agile team—which was composed of personnel from the data engineering, data science, marketing, and creative functions, among others—was tasked with developing innovative big data marketing and sales solutions. To do that, it ran agile sprints that produced incrementally new omnichannel marketing programs every seven days. The new programs led to direct increases in revenue in a short period of time.

Rapid experimentation is appropriate not only for big data analytics algorithms and the data that a project is based on but also to ensure that an organization can understand and act on the results. For this reason, in addition to the algorithm and output, a big data project MVP includes the business and behavioral changes needed to attain real results. For example, developing an algorithm to improve scheduling and dispatch for service technicians could also include developing a different process for notifying customers of upcoming appointments.

Early Customer Feedback. The overriding goal of big data projects is not to build brilliant mathematical models but to solve practical business challenges or discover insights leading to actions that could benefit customers. That makes it important to include customers in the process. If a project is for an external client, a representative of the client could be embedded with the team. If a team is working on a big data project for an internal client, a member of that department might be on the team. When a European oil refinery created a big data application that its engineers could use to optimize the maintenance cycle of their key equipment, for instance, some process and maintenance engineers were assigned to the teams that developed the app.

Prioritizing Value. Accomplishments that add value without increasing cost take precedence over completing tasks in a predefined order. If the team determines that including a particular feature will take significantly longer than expected without providing a lot of additional value, the product owner—the team member responsible for representing the customer—can take this into account. The product owner can drop it and move on to lower-cost or higher-value items on the project backlog, a prioritized list of work items.

Cross-Functionality. Traditional big data projects fail most often for reasons that are largely unrelated to data analysis. In our experience working with clients, 70% of a cross-functional team’s efforts reach beyond strict analytics into the business processes, operational behaviors, and types of decision making that the analytics suggest. To accommodate that scope, big data project teams typically include personnel with a variety of backgrounds. (See Exhibit 2.) The team can make decisions without members needing approval from their individual bosses. Team members work out tradeoffs, conflicts, and compromises in real time, which explains why it is so critical for them to work in the same location—preferably in the same room. At the same time that they are working on algorithms and data, teams may also be making changes to operating models and business processes.

Exhibit 2 | Agile Teams for Big Data Projects Have a Cross-Section of Expertise

[Exhibit: three big data projects, each staffed from a cross-section of functions: asset management, operations, technology development, planning, data engineering, design, data science, and outside consultant.]

Source: BCG analysis.

The European oil refinery mentioned previously took such an approach when it incorporated agile ways of working into three big data projects launched as part of a larger digital transformation initiative. Each project had a dedicated scrum team with a scrum master, a product owner, and personnel from such key functions as operations, technology development, asset maintenance, and IT. Data scientists from an outside advanced-analytics consulting firm were included on the teams. The teams and agile approach helped the refinery produce multiple MVPs within a four-month span and industrialize a final product considerably faster than it could have done in the company’s typical product development cycle. Multidisciplinary scrum teams also contributed to a more collaborative corporate culture and drastically increased employee engagement.

People Empowerment. In a traditional big data project, a project manager decides which priorities are most important and how they will be met—even though he or she may not understand the development process. When that power is delegated to a team, people become more engaged in their work and are more invested in the outcome. Unlike data scientists, who might work on multiple engagements, for example, agile team members are not staffed on several projects simultaneously. Rather, they devote all their time to the team, thus becoming more invested in the work. This singular focus also builds accountability.

It’s no wonder that companies that have adopted agile are more successful than others in attracting digital talent and younger workers—two groups of people who prioritize work that gives them a sense of purpose. (See How to Gain and Develop Digital Talent and Skills, BCG Focus, July 2017.)

The Secrets to Using Agile in Big Data
Agile and big data may sound like a perfect pairing, but getting them to work together is not as easy as it may seem. To be successful, keep several critical factors in mind.

The algorithm is not the finished product. An algorithm can be a thing of beauty or a waste if it cannot deliver results-oriented output in a way that a business department or organization can understand. Agile teams should develop dashboards, infographics, or other visuals that readily communicate the results of their findings. They must also include as part of their work the end-to-end operational and behavioral changes that are necessary to get real results.

MVPs are distinct from prototypes. Prototypes come first and generally are built with historical data in order to verify that an algorithm can do what it is supposed to do. If a prototype works, it is used as the frame for a more all-encompassing MVP that could potentially be released to end users. An MVP also includes up-to-date data, a user-friendly interface, core features, and operating instructions. And since it has to work in a business context, it includes relevant changes to processes and operating models as well.

Stakeholders must accept imperfection. The iterative nature of agile development means that works in progress might not look great or perform as well as possible. Nevertheless, and despite their flaws, they may indicate signs of progress toward a satisfactory solution. Accepting such imperfection may require stakeholders—who, in the past, saw only near-final versions—to shift how they think about big data analytics projects. By encouraging trial and error, stakeholders improve the odds that a project will move successfully from MVP to full-scale production.

Include more than just data science personnel. Agile teams should include a mix of talent assembled on the basis of need rather than on a standard structure or past experience. As a general rule, it makes sense to staff a project team with data engineers who can prepare the data, data scientists who can conduct the analysis, designers who know how to present the data, and a variety of business personnel who are familiar with the project’s business objectives and implications for existing processes. The goal is to blend people’s talents into a whole that is greater than the sum of its parts.

With so many positives to be gained from incorporating agile into big data projects, companies might be tempted to dive in right away. But getting the best outcomes takes substantial planning, including a thorough examination of what is needed and how it would affect existing personnel and processes. Conducting a pilot is a good way to start. If it succeeds, agile can be added to more big data programs, a step that requires thinking about how to set up teams and get customer feedback.

Fabrice Roghé is a senior partner and managing director in the Düsseldorf office of Boston Consulting Group. You may contact him by email at [email protected].

Erik Lenhard is an associate director in the firm’s Munich office. You may contact him by email at [email protected].

Burt LaFountain is a principal in the firm’s Boston office. You may contact him by email at [email protected].

Giulia Airaghi is a consultant in the firm’s Milan office. You may contact her by email at [email protected].

NOTE TO THE READER

Acknowledgments
The authors of “Are Blockchain and the Internet of Things Made for Each Other?” would like to thank their BCG colleagues Aryan Kenchin, Vaibhav Malhotra, Neil Shepherd, and Sunny Sood, who helped conduct the supporting research for this paper.

The author of “At Anheuser-Busch InBev, Artificial Intelligence Is Everywhere” thanks Michael Spira for his invaluable support.

The authors thank Meghan Huff and Stuart Scantlebury for their contributions to this publication. They also thank Katherine Andrews, Gary Callahan, Catherine Cuddihee, David Duffy, Pete Engardio, Kim Friedman, Abby Garland, Alice Griffiths, Shannon Nardi, Michelle Rafter, Gary Rivlin, and Mark Voorhees for their writing, editing, and production contributions.

For Further Contact
Giulia Airaghi, Consultant, BCG Milan, +39 0 2 65 59 91, [email protected]
Alex Asen, Lead Knowledge Analyst, BCG Boston, +1 617 973 1200, [email protected]
Akash Bhatia, Partner and Managing Director, BCG Silicon Valley, +1 650 282 8650, [email protected]
Joppe Bijlsma, Principal, BCG New York, +1 212 446 2800, [email protected]
Walter Bohmayr, Senior Partner and Managing Director, BCG Vienna, +43 1 537 56 80, [email protected]
Marijke Brunklaus, Senior Advisor, [email protected]
Lindsay Chim, Associate Director, BCG Chicago, +1 312 993 3300, [email protected]
Stefan Deutscher, Associate Director, BCG Berlin, +49 30 28 87 10, [email protected]
Philipp Gerbert, Senior Partner and Managing Director, BCG Munich, +49 89 23 17 40, [email protected]
Usama Gill, Principal, BCG San Francisco, +1 415 732 8000, [email protected]
Marcial González, Principal, BCG Bogota, +57 1 646 1240, [email protected]
Ryan Goosen, Project Leader, BCG Zurich, +41 44 388 86 66, [email protected]
Peter Hildebrandt, Partner and Managing Director, BCG Los Angeles, +1 213 621 2772, [email protected]
Heiner Himmelreich, Director, BCG Amsterdam, +31 20 548 4000, [email protected]
Burt LaFountain, Principal, BCG Boston, +1 617 973 1200, [email protected]
Erik Lenhard, Associate Director, BCG Munich, +49 89 23 17 40, [email protected]
Deborah Lovich, Senior Partner and Managing Director, BCG Boston, +1 617 973 1200, [email protected]
Loïc Mesnage, Partner and Managing Director, BCG Paris, +33 1 40 17 10 10, [email protected]
Rohit Nalgirkar, Partner and Managing Director, BCG San Francisco, +1 415 732 8000, [email protected]
Benjamin Rehberg, Partner and Managing Director, BCG New York, +1 212 446 2800, [email protected]
Jürgen Rogg, Partner and Managing Director, BCG Zurich, +41 44 388 86 66, [email protected]
Fabrice Roghé, Senior Partner and Managing Director, BCG Düsseldorf, +49 2 11 30 11 30, [email protected]
Anna Rontojannis, Consultant, BCG Zurich, +41 44 388 86 66, [email protected]
Massimo Russo, Senior Partner and Managing Director, BCG Boston, +1 617 973 1200, [email protected]
Zia Yusuf, Partner and Managing Director, BCG Silicon Valley, +1 650 282 8650, [email protected]

© Boston Consulting Group 2019. All rights reserved.

For information or permission to reprint, please contact BCG at [email protected].
