Product Security & the Supply Chain: Anders Lillevik Of Focal Point On Ensuring Integrity in the Manufacturing Sector

This article was originally published in Medium.

“Know your suppliers and their suppliers — Most often the failure of a companies’ ability to deliver product comes down to the failure of one of their suppliers or ability to receive raw materials.”

Supply chain security is a critical aspect of the manufacturing industry. With numerous suppliers and partners involved, the potential for security risks is high. How do product security managers ensure supply chain security? How do they identify and address potential risks associated with suppliers and partners? As a part of this series, we had the pleasure of interviewing Anders Lillevik.

Anders Lillevik is the CEO and Founder of Focal Point — a company providing an end-to-end enterprise procurement orchestration platform. For more than 20 years as a Chief Procurement Officer, Anders has helped organizations such as Fannie Mae, QBE Insurance, and Webster Bank optimize their procurement operations. In these roles, he has managed teams of 120+, including $8bn annual spend and $5m annual procurement software expenditures.

As an industry veteran, Anders had a vision for procurement departments to shift from pure cost centers to strategic contributors to the top and bottom line. In 2020, he set this vision in motion and founded Focal Point to address the unmet need for a complete solution that connects the tools for every aspect of procurement orchestration across siloed data and processes. Focal Point empowers Chief Procurement Officers to move up the digital maturity curve across the entire procurement process.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Igrew up in a small town in Norway called Molde, a town of about 20,000 people. My father was the superintendent of the school district and my uncle was the chief of police, so I was not able to get away with anything. I moved to Canada at the age of 19 to attend McMaster University and graduated with a Bachelors’ degree in Economics and an MBA.

Is there a particular story that inspired you to pursue a career in cybersecurity/supply chain? We’d love to hear it.

It ended up being a happy accident as I do not believe most people go into university wanting to work in procurement and supply chain management. I was taking my MBA on a co-op basis, meaning the program switched between work and school in four month increments. My first co-op placement was at Bank of Montreal (now BMO) as an analyst in the procurement team.

I ended up building the departments’ first spend analytics tool combining three spend sourced into a single SQL database on a single PC. Back in the late 1990’s this was done on a x486 pc with a whopping 100mb hard drive, you can imagine how slow it was.

In the middle of the engagement I was offered a full time position in the procurement team there and I decided to stay. My career in procurement had started and I never looked back.

Can you share the most interesting story that happened to you since you began this fascinating career?

It has been an interesting journey. Probably the most formative was when I was in my mid twenties and taking a large organization through a very large outsourcing initiative in the IT organization.

The people whose jobs would be impacted were the same people who were doing the request for proposal requirements and scoring the supplier responses. These people were obviously very emotionally invested in the outcome of the competitive bids as the chosen organization would likely become their employer in the future which would determine where they would work, their pay and benefits packages. Also, a few of the scoring participants had worked at one or more of the competing companies before their current jobs.

At the beginning of the scoring it was very clear that some respondents were not scoring based on the responses but rather based on who they wanted to win. This was evident when, for example, two providers would have the exact same equipment listed in their responses and certain respondents would score the same equipment from different companies differently.

It was clear that I needed to intervene in the process and make sure we objectively scored the solutions for the best outcome of the organization and not the individuals involved. We ended up spending three days going line by line in the RFP responses and team scoring the solutions in real time, rather than separately. This was a very emotional process for all people involved and it was not without challenges. What this taught me was that people matter and where personal and professional lives intersect, we have to rely on the process to drive the right outcomes.

As a professional in my mid-twenties it was eye opening to manage people who were both more senior than I was, as well as (in most cases) twice my age. It was a humbling experience.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Curiosity — When I was a kid I always wondered how things worked and probably spent more time breaking my dads stuff than I did learning things in the pursuit of learning. Later in life I was able to actually learn things when I was broke and owned a 1984 Ford Topaz and needed to keep that car running in order to have transportation. In my business and managerial career I always spent a lot of time asking “WHY?” and “HOW?”, and spent a lot of time job shadowing people at every level of my organization and outside to understand their day to day work tasks and how we might be able to improve it. Even at a senior executive level I like learning from the resources answering the phone, doing items processing or fulfilling requests.

Empathy — As a relapsed stage four cancer survivor who started two jobs during treatment I know that it is hard for most people to know what co-workers are going through at any point in time. One of my managers who had managed me for less than a month when I relapsed was the kindest and most thoughtful person I could have imagined and he is one of those people, to this day, I would follow into a burning building. Showing compassion and understanding is very powerful and incredibly motivating.

Passion — Whatever you do, make sure you give it 100%. I know some people just want a job and are happy doing the tasks in front of them, which is perfectly OK, but I never quite identified with that. Making small improvements, coming up with new ways of doing things and striving for better results.

My old man would not even look at my report card sometimes and just look me in the eye and ask “did you do your best?”, which was his only barometer. Now, later in life with a kid of my own I strive to reward effort over outcome, which I believe is the right thing most of the time.

Are you working on any exciting new projects now? How do you think that will help people?

We are working with a large insurance company to centralize all interactions with procurement within our solution. This means each of their 40,000 employees will be able to go to one place to find services for anything from booking travel to outsourcing a function.

Users will either be guided to self-service options or handled within Focal Point and provided updates as their requests are being fulfilled and worked on.

This gives users a single point of entry for procurement and periodic updates and visibility to where their requests are towards completion.

This benefits users tremendously over the “traditional” way of procurement where users would have to decide between the many different paths available to them. Being guided to the right place the first time and getting streamlined processes with automated notifications is a significant enhancement to the “old” way of procurement interactions.

Let’s now shift to the main focus of our interview. Can you provide an example of a real-world incident where compromised integrity in the supply chain led to product security issues? How was the situation addressed, and what lessons can other organizations learn from that experience?

A while back, a major computer manufacturer who we all know by name were sourcing low cost components for each of the internal parts of their laptops and desktops. This was an extremely effective way to keep costs contained and win business for the manufacturer who were unbeatable on pricing.

Large organizations, in order to maintain costs and management overhead, would set standards for desktops and laptops up to one year at the time and select manufacturers for those standards for that period.

A part of the onboarding of these new standards was to create “images” of these PCs. In other words, to ensure IT would know exactly what components were inside each PC and have a mechanism to push software updates down to each of these devices for all hardware and software to maintain the computers current.

This worked really well until the computer manufacturer switched manufacturers of internal components without notifying their clients of the change (because they did not have to, contractually). All of a sudden, even though the company was buying exactly the same computer model, the software updates being pushed down to the computers no longer effectively protected the assets. In some instances, the computers did not work when deployed, and in other cases, the computers seemed to work but firmware and other updates failed to load. This exposed the organization to known day-zero vulnerabilities.

The issue was discovered by the computers that stopped working and it took a while to realize that the hardware shipped from the manufacturer was different than what was imaged. The short term fix was to re-inventory all assets acquired from the manufacturer and then creating images for each variant, which was exactly what IT was trying to avoid by creating annual standards.

The longer term solution was to select hardware providers that would be able to keep their hardware configurations fixed for the duration of a contract. While the hardware costs might be slightly more than the low cost provider, the Total Cost of Ownership (TCO) was lower for the lifetime of the asset.

The learnings from this was that buyers need to consider TCO, not just the purchase price. At the same time it is important to find out if manufacturers can guarantee product consistency over time and not make the assumption that they would.

Are there any regulatory frameworks or industry standards that address the importance of supply chain integrity in the manufacturing sector? How can organizations align their practices with these standards to enhance product security?

The one that comes to mind first is ISO28001 which is developed to organize operations of security within the broader supply chain management system, and sets out best practices for implementing supply chain security, assessments, and plans.

Whatever standard an organization chooses to follow it is most likely a crawl, walk, run implementation to get fully operational. Most manufacturers are likely well on their way to being compliant with most standards. Determining what gaps to cover and in which sequence based on cost, effort and potential risk is key.

How does the concept of traceability tie into ensuring integrity in the manufacturing supply chain? What role does it play in identifying potential security breaches or vulnerabilities?

Traceability is becoming key for a variety of reasons besides supply chain resilience, security and vulnerability. Many companies need to be aware of the origin of the parts and components of what goes into end products for reasons such as conflict minerals, country of origin, fair labor standards, logistical routes and many more.

First, from a supply chain vulnerability perspective, the country of origin and the path each part on the BOM needs to take before it reaches the assembly point is crucially important. Not only do you have to factor potential factors where instability factors in from a country of origin perspective but also the route each component takes to get there. A delay in a single component can (and likely will) hold up the assembly process so it is important to have traceability for every component on a BOM.

Second, having visibility on where raw materials are coming from to create the components on a BOM is important as raw material availability, country of origin, and shipping routes can impact the subcontractors ability to fulfill the orders expeditiously.

Recently there has been a push to limit distances traveled for raw materials to reach component producers and travel distances for components to travel to the final assembly point. This is both to speed up the overall process but also to decrease the overall risk associated with distance traveled. In addition, reducing the overall travel of materials significantly reduces the carbon footprint associated with an item and other ESG related factors. As a result, significant component manufacturing has been moved from Asia to areas closer to the final assembly point.

Are there any emerging trends or technologies in the manufacturing sector that can help enhance product security and supply chain integrity? How can organizations leverage these trends to stay ahead of potential threats?

Many of the trends we’re seeing are in terms of the digitization of the supply chain and procurement functions to provide greater visibility through organization and management of vendors and assets. Companies like Tracelink, for example, are developing solutions for global supply chain traceability.

Tracelink in particular is serving the pharmaceutical industry, which requires an extensive level of product and process security. It allows manufacturers to seamlessly connect with other points of contact in the pharmaceutical supply chain, offering visibility and traceability across the entire process and distribution line.

Organizations and companies need to consider how they are ensuring all points of access in the supply chain are being monitored and organized in order to avoid security breaches and protect all players in the entire procurement process.

Here is the main question of our interview. What are the “5 Things We Must Do To Ensure Product Security in the Manufacturing Sector?” and why?

1. Know your suppliers and their suppliers — Most often the failure of a companies’ ability to deliver product comes down to the failure of one of their suppliers or ability to receive raw materials.

2. Know where your components are being shipped from and where the materials needed for those components are being shipped from — That freighter was stuck in the Suez Canal for six (6) days but created a 60 day backlog with significant volumes deciding to take, much longer, alternative routes.

3. Have secondary suppliers available just in case — the fire in a single computer chip factory in Japan in 2021 is still impacting supply chains for things like chips for cars and consumer electronics. The impact of the chip shortage (as it is now known as) was felt the hardest by companies that did not have secondary suppliers at the ready. Companies that reacted from a standing start lost out to prepared companies.

4. Being nimble is very important — The first in line to get their supplies are usually companies that have existing relationships with suppliers with stock on hand. Second in line are companies able to identify the issues and react quickly to develop plans to fulfill requirements. Based on personal experience and from talking to people affected by these and similar issues, the companies who were able to react quickly faced only minor impacts due to shortages. Having slow, onerous and laborious processes during an emergency can leave organizations last in line for precious commodities and will almost certainly guarantee you will be at the back of the line behind your competitors.

5. Planning and internal collaboration is still key — Working with your internal engineering, logistics and demand forecasting organizations is still key to ensuring you have resilience and security in your supply chains. Having open lines of communication as things move and shift on the ground is key to problem solving and coming up with ideas that can move the needle.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂

Be kind to people, both inside and outside your organization. Show up with a certain amount of empathy and understanding every day. People have their own battles at home, at work and with their families and don’t usually show it. I have never known kindness not to be paid back in exponential amounts and, best of all, it costs you nothing.

How can our readers further follow your work online?

You can follow me on LinkedIn where I am active and regularly sharing insight and content.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.

ABOUT THE AUTHOR