Security Guard: Questions and Answers with Dennis Omanoff
Security expert Dennis Omanoff stands watch over global supply chains, trying to protect them from cyber security attacks. If you’re not concerned about the threat now, you will be after reading this interview.
When most people think of McAfee Inc., they think of security software. But many may not realize that McAfee’s portfolio includes intrusion detection and prevention products that cost anywhere from 11 cents all the way up to the price of an E-class Mercedes.
Since its founding in 1987, Santa Clara, Calif.-based McAfee has grown into the world’s largest dedicated security technology company. The statistics tell the story: Annual sales in excess of $2 billion; 125 million users, including 94 percent of Fortune 100 companies; more than 180 million mobile devices are shipped with McAfee; 120 countries make up McAfee’s global footprint.
“McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security,” according to the company’s corporate profile. “McAfee is relentlessly focused on constantly finding new ways to keep our customers safe.”
In February 2011, the company was acquired by Intel Corporation for more than $7 billion. Wall Street analysts were somewhat mystified by the acquisition, but to Dennis Omanoff, McAfee’s senior vice president, chief supply chain officer, chief procurement officer, corporate facilities and real estate, it made perfect sense. With cyber security intrusions and threats rising exponentially for every aspect of technology—from silicon chips, smartphones, enterprise servers, and cloud computing to national defense and critical infrastructure grids—there’s a pressing need to embed security at new levels, including in the chip itself.
As in every other product-based company, McAfee’s supply chain supports the business by providing all the logistics activities required to deliver goods to customers. But McAfee’s supply chain goes well beyond that traditional role, operating on a strategic level not typically found in many companies.
For his part, Omanoff brings 25 years of operations and quality control experience to his role. Prior to joining McAfee, he was vice president of operations and investor relations at Jetstream Communications, a telecom start-up. He has held executive-level positions at Advanced Fibre Communications, ForeSystems, StrataCom Communications (a Cisco company), and SynOptics Communications.
Additionally, Omanoff served on the board of directors for the California Center for Quality, Education, and Development, and was a Malcolm Baldrige National Quality Examiner, appointed by former U.S. Secretary of Commerce Ron Brown.
Omanoff holds a bachelor’s degree from Fordham University and a master’s degree in business from the Hofstra Graduate School of Business. He attended The Wharton School of the University of Pennsylvania for Corporate Governance, as well as the Stanford Graduate School of Business, and the School of Engineering for Global Competitiveness.
In early November 2011, Omanoff sat down with Inbound Logistics to share his views on supply chain management, security, and the U.S. business climate.
Q: Supply chain management traditionally has been about getting the right product to the right place at the right time and cost. You have a broader view of the supply chain’s role. Could you share it with us?
A: I had an epiphany several years ago while attending a board of directors course at Wharton, along with many high-powered executives from Procter & Gamble, USAA, CSX, Texas Instruments, and large brokerage firms. I was a little intimidated.
Then I met the president of a circus company. “I had a real problem with my business,” he told me. “Every time I pulled into a town, people complained about how I treated the animals. I had to change venues every night, which was very expensive. I also had to deal with the lion tamer, who wanted to be paid more than anyone else. And the clowns—they were wild.”
So the president decided to re-define his business completely. He got rid of the animals, fired the circus stars, and booked only fixed venues. And we all know the result: Instead of charging $25 a ticket, his company—Cirque du Soleil—now fetches $200 a ticket, and is phenomenally successful. That’s called Blue Ocean Strategy, and it’s about not just beating your competition, but making it irrelevant.
I went back to McAfee and started considering how we could collaborate with customers more creatively to leverage how we go to market collectively.
For example, we outsource business process for copiers to Xerox. But we’re a security company, so we can’t have a copier’s hard drive walking out the door with data on it when we turn in a machine. We looked at how we could work together not only to protect ourselves, but to build our business.
Our collaboration culminated in Xerox installing data loss protection on all its devices, giving them a competitive advantage and expanding our business into a new market. Now we are partners and sell our products through Xerox.
These kinds of strategic partnerships are much more exciting than a typical vendor-supplier relationship. They deliver better value to the customer, grow our company, and serve stockholders and employees.
The idea is to establish 360-degree relationships where we figure out how to do business on a strategic level with our suppliers. We look for ways to redefine our supplier relationships in terms of opportunity rather than just grinding them down on price.
To help achieve these goals, we study suppliers’ customer, employee, and stockholder metrics. We also scrutinize leading and lagging indicators to determine where the company has excelled and where it has fallen short. Moreover, we benchmark ourselves against the “gold standard”—10 companies whose supply chain performances are recognized as top-notch. Benchmarks help us understand when good is good enough.
For instance, we benchmark profitability and operational efficiencies. But we have to look at these factors holistically. We can determine which supplier leads in inventory turns. But we also want to benchmark on-time delivery performance or performance against un-forecasted orders.
Optimizing one metric gains a tremendous advantage in that area, but not in another. The ideal is to strike a balance.
Q: You’ve delivered several presentations warning of a new and potentially disastrous threat to global supply chains: cyber security attacks. Could you explain?
A: Before Sept. 11, 2001, most supply chain professionals focused security measures on preventing the theft of valuable goods in their manufacturing and transportation operations. After Sept. 11, we focused on preventing weapons of mass destruction—or disruption—from being placed in cargo containers or other conveyances headed to the United States.
Today, there’s a potentially more destructive—and often overlooked—danger to the supply chain community: cyber security threats. The volume and sophistication of cyber threats from totalitarian governments or nefarious individuals is increasing exponentially.
This 21st-century threat jeopardizes not only our information infrastructure, but the supply chain community, and at all levels of high-tech software and hardware products that connect with local or enterprise-wide networks, both hardwired and wireless.
Concerns about the “injection of viruses” into high-tech hardware products during their journey from manufacturing sources to customer delivery continue to grow. These concerns are especially high with regard to government agencies. More than natural disasters, financial instability, or political upheavals, what keeps me up at night is the fear that bad guys are injecting into products bad stuff that can disrupt, bring down, or steal confidential information from networks.
In the past two years, persistent and highly organized cyber attacks such as Stuxnet, Aurora, Wikileaks, ShadyRAT and Night Dragon (see sidebar) illustrate how cleverly the bad guys can worm their way into the world’s most protected networks and either sabotage them, steal intellectual property, or compromise government trade or military secrets.
So the question is, how safe are our networked products—from software to computers to servers? How do we protect the integrity of our supply chains and the products they carry?
Q: What’s the answer to that question? How do we protect our supply chains and the products they carry from malicious cyber intrusions?
A: About 18 months ago, I met with an undersecretary of defense for supply chain. (The U.S. Department of Defense is a McAfee customer.)
In supply chains, the undersecretary said, we are always concerned about doing things better, faster, and cheaper. So we’ve outsourced to China. But that has created an unforeseen risk—one that is of grave concern to national security. Night Dragon and other cyber threats are examples of nation-states or totalitarian regimes aggressively seeking intellectual property and testing cyber terrorism and warfare.
China is neither safe nor secure as a production source, the undersecretary told me. There are no data loss or IP protection mechanisms—a situation that could subject product to inadvertent dangers. When you see a picture of our stealth bomber sitting in China, or learn that its ballistic missiles are based on our design, you have to wonder how that happened.
The undersecretary wanted McAfee’s help. “First, I want you to obfuscate the supply chain so no one can figure out what is in a box being delivered to a defense agency,” he said. “Second, I’d like a supply chain where the contingent labor is a group we can qualify. Third, I want my suppliers’ CEOs to be willing to take a call from the Secretary of Defense in time of dire need. Finally, I want to establish a Trusted Source program.”
During the past 18 months, McAfee has worked very hard to achieve these goals.
To obfuscate our supply chain, we architected a global operation based on late-stage postponement. Component parts are secured via distribution partners from multiple locations, then assembled, converted into finished products, and shipped by trusted sources. Any of our products can be made or assembled from any of our strategic locations in Europe, North America, or Asia, and shipped to any other locations, almost at a moment’s notice.
The final assembly and hardware conversion—whether software, adaptor cards, or some type of interface card—and final shipment can be postponed until the last minute, and done very quickly. We aim for 20 minutes from the time an un-forecasted order comes in (lead time on predictable orders is 30 days). With this type of sense-and-respond network, we obfuscate the trail of quickly assembled final products so that it’s nearly impossible to know beforehand what a product is and where it’s headed—whether to an energy grid, nuclear power plant, or government agency. This helps protect our ‘sensitive’ customers.
Further, it’s critical to keep inventory and backlog as low as possible. As the saying goes, “Inventory at rest is inventory at risk.” Keeping inventory moving not only makes good financial sense, but also good security sense.
McAfee also required all suppliers to have an information security policy in place for data loss prevention and system control. Most of our suppliers agreed.
Making these changes in our supply chain was no small task. After all, we have 35,000 SKUs on our price book.
How did we do it? Take the example of a PC, which is comprised of a processor, a power supply, some physical packaging, a combination of flash memory, and some spinning media. We worked with our 16 product engineering teams to coalesce our products to use the fewest base items, then create 10 basic configurations, enabling us to make every product we offer out of 170 SKUs. Then we add the software load at the last minute.
By simplifying our product configuration to make late-stage postponement possible, we reap some big rewards. We turn inventory 55 times a year and our unshipped backlog is .2 percent. Usually, you can’t achieve both high turns and low backlog at the same time.
By having a geographically dispersed supply chain, and trusted partners that can operate as a single unit, we can satisfy the unique requirements of customers in various regions. For example, “Assembled in the USA” verification helps meet stringent U.S. (and some European) government requirements. But similar in-nation rules and incentives are imposed in other parts of the world, necessitating a highly flexible and segmented supply chain.
These different security requirements can be met with what Dr. Hau Lee at Stanford University calls “multi-polar, differentiated supply chains.” In other words, complete regionalized supply chains working either independently or as a unified operation can meet localized and globalized customer demands while also creating an operation that protects products from being sabotaged by the latest cyber virus somewhere along the way.
Q: Let’s get back to supply chain management as a discipline. How would you characterize supply chain leadership today?
A: Supply chain leadership is about being adaptive; it’s not about continuous improvement. If I only focus on continuous improvement, I miss the breakthrough innovation.
Leaders also have to be able to work with different groups outside the supply chain, and have good customer relationship skills. They need to understand marketing, sales, and every other area of the company—and not just work in their silo.
They also need to focus on knowing what’s important to employees. An engaged employee is 20 percent more productive. So the question becomes, ‘How do I keep my people motivated?’
I focus on the same things Steve Jobs did at Apple: eliminating politics and bureaucracy, helping people deliver results, and rewarding high performance precociously.
Q: Shifting to a larger issue, what’s your view of the current state of the U.S. economy and its prognosis for the future?
A: We lost our manufacturing base, and we need to get it back. The economy is in this state because we made a few big mistakes. One of them was outsourcing production overseas. That experiment has failed. Because of it, there are whole areas of technology development that no longer exist in the United States.
It makes me fighting mad that the United States is the only country in the world that doesn’t offer a federal incentive package to locate a business here. If I locate a business in Russia, Ireland, Eastern Europe, Costa Rica—anywhere—I get a tax abatement. Countries offer a menu of incentives at the federal level. The United States only does that at the state, local, or possibly regional level.
India has double-digit attrition, double-digit inflation, and an awful power structure. In contrast, we have Class A factory space in Detroit sitting idle that we should offer for lease, with the first five years rent-free. When you factor in India’s attrition rate—replacing 100 percent of employees every four years—the United States is less expensive.
Why not learn from countries such as Germany and make it economically appealing to build a business here? After all, BMW and Mercedes have some of the highest labor rates anywhere, yet Germany is a world net exporter of two great cars. Same thing in Japan. These companies benefit from federal business and tax incentives.
I say, make it a fair playing field on a global scale. The U.S. government should offer federal incentives to attract business. Whether it’s the European Union, Russia, or South America, we need to match their business incentives at the federal, state, and municipal level. We need to use those incentives to bring production back to the United States.
Dennis Omanoff is senior vice president, chief supply chain officer, chief procurement officer, corporate facilities and real estate, McAfee Inc. [Editor’s note: Omanoff left McAfee in November 2011, following this interview, to join Seagate Technology as senior vice president, supply chain and procurement.]
Anatomy of a Hack: How the Night Dragon Attacks Work
Starting in November 2009, coordinated covert and targeted cyber attacks such as Night Dragon have been conducted against global oil, energy, and petrochemical companies. These attacks, which originate primarily in China, involve social engineering, spear-phishing attacks, exploitation of Microsoft Windows operating system vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools. The goal is to target and harvest sensitive competitive proprietary operations and project-financing information concerning oil and gas field bids and operations.
- Night Dragon. Global energy cyberattacks launched
- Remote Command Execution. Extranet web servers compromised
- Hacker Tools Uploaded to Servers. Gained access to sensitive internal desktops and servers
- Further Access to Sensitive Documents. Accessed additional usernames and passwords
- Disabled IE Proxy Settings. Enabled direct communication from infected machines to the Internet
- Executives’ Computers Compromised. Exfiltrated e-mail archives and other sensitive documents