healthcarereimagined

Envisioning healthcare for the 21st century


Planning Doesn’t Have to Be the Enemy of Agile – HBR

Posted by timmreardon on 05/10/2022

by Alessandro Di Fiore

September 13, 2018

Summary. Planning was one of the cornerstones of management, but it’s now fallen out of fashion. It seems rigid, bureaucratic, and ill-suited to a volatile, unpredictable world. However, organizations still need some form of planning. And so, universally valuable, but desperately unfashionable, planning waits like a spinster in a Jane Austen novel for someone to recognize her worth. The answer is agile planning, a process that can coordinate and align with today’s agile-based teams. Agile planning also helps to resolve the tension between traditional planning’s focus on hard numbers, and the need for “soft data,” or human judgment.

Planning has long been one of the cornerstones of management. Early in the twentieth century Henri Fayol identified the job of managers as to plan, organize, command, coordinate, and control. The capacity and willingness of managers to plan developed throughout the century. Management by Objectives (MBO) became the height of corporate fashion in the late 1950s. The world appeared predictable. The future could be planned. It seemed sensible, therefore, for executives to identify their objectives. They could then focus on managing in such a way that these objectives were achieved.

This was the capitalist equivalent of the Communist system’s five-year plans. In fact, one management theorist of the 1960s suggested that the best managed organizations in the world were the Standard Oil Company of New Jersey, the Roman Catholic Church and the Communist Party. The belief was that if the future was mapped out, it would happen.

Later, MBO evolved into strategic planning. Corporations developed large corporate units dedicated to it. They were deliberately detached from the day-to-day realities of the business and emphasized formal procedures around numbers. Henry Mintzberg defined strategic planning as “a formalized system for codifying, elaborating and operationalizing the strategies which companies already have.” The fundamental belief was still that the future could largely be predicted.

Now, strategic planning has fallen out of favor. In the face of relentless technological change, disruptive forces in industry after industry, global competition, and so on, planning seems like pointless wishful thinking.

And yet, planning is clearly essential for any company of any size. Look around your own organization. The fact that you have a place to work which is equipped for the job, and you and your colleagues are working on a particular project at a particular time and place, requires some sort of planning. The reality is that plans have to be made about the use of a company’s resources all of the time. Some are short-term, others stretch into an imagined future.

Universally valuable, but desperately unfashionable, planning waits like a spinster in a Jane Austen novel for someone to recognize her worth.

But executives are wary of planning because it feels rigid, slow, and bureaucratic. The Fayol legacy lingers. A 2016 HBR Analytics survey of 385 managers revealed that most executives were frustrated with planning because they believed that speed was important and that plans frequently changed anyway. Why engage in a slow, painful planning exercise when you’re not even going to follow the plan?

The frustrations with current planning practices intersect with another fundamental managerial trend: organizational agility. Reorganizing around small self-managing teams — enhanced by agility methods like Scrum and LeSS — is emerging as the route to the organizational agility required to compete in the fast-changing business reality. One of the key principles underpinning team-based agility is that teams autonomously decide their priorities and where to allocate their own resources.

The logic of centralized long-term strategic planning (done once a year at a fixed time) is the antithesis of an organization redesigned around teams who define their own priorities and resources allocation on a weekly basis.

But if planning and agility are both necessary, organizations have to make them work. They have to create a Venn diagram with planning on one side, agility on the other, and a practical and workable sweet-spot in the middle.  This is why the quest to rethink strategic planning has never been more urgent and critical. Planning twenty-first century style should be reconceived as agile planning.

Agile planning has a number of characteristics:

  • frameworks and tools able to deal with a future that will be different;
  • the ability to cope with more frequent and dynamic changes;
  • the need for quality time to be invested for a true strategic conversation rather than simply being a numbers game;
  • resources and funds are available in a flexible way for emerging opportunities.

The intersection of planning with organizational agility generates two other paramount requirements:

A process able to coordinate and align with agile teams

Agile organizations face the challenge of managing the local autonomy of squads (bottom-up input) consistently with a bigger picture represented by the tribe’s goals and by cross-tribe interdependencies and the strategic priorities of the organization (top-down view). Governing this tension requires new processes and routines for planning and coordination.

Consider the Dutch financial services firm ING Bank. It restructured its operations in the Netherlands by reorganizing 3,500 employees into agile squads. These are autonomous multidisciplinary teams (up to nine people per team) able to define their work and make business decisions quickly and flexibly. Squads are organized into a Tribe (of no more than 150 people), a collection of squads working on related areas.

ING Bank revisited its process and introduced routine meetings and formats to create alignment between and within tribes. Each tribe develops a QBR (Quarterly Business Review), a six-page document outlining tribe-level priorities, objectives and key results. This is then discussed in a large alignment meeting (labelled the QBR Marketplace) attended by tribe leads and other relevant leaders. At this meeting one fundamental question is addressed: when we add up everything, does this contribute to our company’s strategic goals?

The alignment within a tribe happens at what is called a Portfolio Marketplace event: representatives of each of the squads which make up the tribe come together to agree on how the set goals are going to be achieved and to address opportunities for synergies.

The ING Bank example shows how the planning process is still necessary and essential to an agile company although in a different fashion with different processes, mechanisms and routines.

As more and more companies transform into agile organizations, agile planning will likely become the new normal replacing the traditional centralized planning approach.

A process that makes use of both limitless hard data and human judgment

Planners have traditionally been obsessed with gathering hard data on their industry, markets, competitors. Soft data — networks of contacts, talking with customers, suppliers and employees, using intuition and using the grapevine — have all but been ignored.

From the 1960s onwards, planning was built around analysis.  Now, thanks to Big Data, the ability to generate data is pretty well limitless.  This does not necessarily allow us to create better plans for the future.

Soft data is also vital. “While hard data may inform the intellect, it is largely soft data that generate wisdom. They may be difficult to ‘analyze’, but they are indispensable for synthesis — the key to strategy making,” says Henry Mintzberg.

Companies need first to imagine possibilities and second, pick the one for which the most compelling argument can be made.  In deciding which is backed by the most compelling argument, they should indeed take into account all data that can be crunched. But in addition, they should use qualitative judgment.

In an agile organization, teams use design thinking and other exploratory techniques (plus data) to make rapid decisions and change the course on a weekly basis. Decision making is done by a team of people, offsetting in this way the potential biases of a single person making a decision based on her individual judgement. To some extent, an agile team-based organization enables the possibility to leverage qualitative data and judgement — combined today with infinite hard data — for better decisions.

Relying solely on hard data has unquestionably killed many potential great businesses. Take Nespresso, the coffee pod pioneer developed by Nestle.  Nespresso took off when it stopped targeting offices and started marketing itself to households. There was little data on how households would respond to the concept and whatever information was available suggested a perceived consumer value of just 25 Swiss centimes versus a company-wide threshold requirement of 40 centimes. The Nespresso team had to interpret the data skillfully to present a better case to top management. Because it believed strongly in the idea, it forced the company to take a bigger-than-usual risk. If Nestle had been guided solely by quantitative market research the concept would never have gotten off the ground.

The traditional planning approach needs to be revisited to better serve the purposes of the agile enterprise of the twenty-first century. Agile planning is the future of planning. This new approach will require two fundamental elements. First, replacing the traditional obsessions on hard data and playing the numbers-game with a more balanced co-existence of hard and soft data where judgment also plays an important role. Second, introducing new mechanisms and routines to ensure alignment between the hundreds of self-organizing autonomous local teams and the overarching goals and directions of the company.

Article link: https://hbr.org/2018/09/planning-doesnt-have-to-be-the-enemy-of-agile?

Alessandro Di Fiore is the founder and CEO of the European Centre for Strategic Innovation (ECSI) and ECSI Consulting. He is based in Boston and Milan. He can be reached at adifiore@ecsi-consulting.com. Follow him on twitter @alexdifiore.

What You Need to Know Before Contracting with the Federal Government – National Law Review

Posted by timmreardon on 05/09/2022

By Jeffrey M. Stefan II and M. Alexander Monahan of Varnum LLP

May 9, 2022

Making the decision to engage your business in government contracting at the local, state or national level can admittedly be overwhelming, particularly for those new to the process. However, the potential benefits should outweigh the hesitations. According to an American Express OPEN survey, 57 percent of businesses noted their revenue grew significantly because of government contracting, at an average rate of 61 percent. This advisory provides a high-level overview of the process with a focus on federal government contracting, which is far and away the largest source of government contracting.

United States federal government contracting is an enormous business both nationwide and internationally, with total contract spending value in the hundreds of billions annually. In fact, the U.S. government is the single largest procurer of goods and services in the world. While the Department of Defense (DOD) accounts for most of the federal service and product acquisitions, there are myriad industries that are engaged in contracting with the U.S. government, providing products and services that range from paper clips to missile defense systems. Nevertheless, to take part in this seemingly endless source of opportunity, your business will want to make sure it is well prepared prior to embarking.

Complete Regulatory Basics

Any business legitimately (and legally) capable of doing business with the federal government must have a few basic regulatory tasks initially completed. To start, the government requires any potential contractor register its business with Dun & Bradstreet (D&B) and the System for Award Management (SAM). 

The D&B system utilizes a nine-digit unique identifier number to manage a company’s credit profile so lenders and potential customers or business partners can better ascertain a company’s reliability and financial stability.

The SAM is the government’s central registration repository for all businesses, both large and small. However, before a business begins completing the D&B or SAM registrations, a business needs to be aware of its North American Industrial Classification System (NAICS) code. The purpose of the NAICS is to provide the government with a uniform method of classifying its purchases so it can track spending for reporting, funding and budgeting. Prior to tendering a bid or proposal, a prospective contractor must register with the SAM.

Broadly speaking, the SAM will require a contractor to:

  • Register under the company’s Data Universal Numbering System (DUNS) number;
  • List the NAICS Code applicable to the type of work the contractor performs;
  • Complete representations and certifications contained in the Federal Acquisition Regulation (FAR);
  • Identify the contractor’s bank account; and
  • Provide background information regarding the contractor. 

Notably, a company’s information included on the SAM must be updated annually or when previously provided information deviates.

Furthermore, any contracts awarded by the federal government must first be approved by the federal government’s Contracting Officer (CO). A CO will only approve, in its discretion, what it determines to be responsible contractors. Specifically, the government will not enter into a contract with any business that:

  • owes back taxes
  • has a current or pending legal judgment with the government
  • does not have a checking account
  • is on the government’s excluded parties list
  • hasn’t completed the basic regulatory requirements for doing business with the government

Before moving on to the next step, potential contractors will want to ensure they have completed the above-mentioned registrations and completed a self-diagnostic on their business to identify and address any potential hindrances, including those listed above, that may currently exist.

Finding an Opportunity

The process for seeking business from the federal government is largely comparable to the process of obtaining business in the private sector. As in the private sector, marketing a service or product to the government depends on identifying relevant markets and potential government customers suited to your business’s capabilities.

In the realm of federal government contracting, there are numerous sources available to help pinpoint opportunities suited for your business. Below are some of the main portals of entry into federal government contracting opportunities.

GSA Schedule
Obtaining a General Services Administration (GSA) schedule contract is perhaps the most common form of federal government contract. The GSA is the “acquisition arm” of the federal government, playing a key role in connecting the private sector with the relevant federal agency seeking a fulfillment need. Any person/entity interested in selling their products and services to the federal government should prepare by making sure they have satisfied the applicable requirements and registering in the appropriate systems. Any prospective vendor who wishes to be included on a GSA Schedule can find more information here. The primary contract vehicle is the GSA Schedules, or Multiple Award Schedules, program. Additionally, any prospective vendor should develop a sales and marketing strategy for how that vendor will be targeting specific government contracts.

To be eligible for a GSA Schedule contract, a vendor must have been in business for at least two years and be able to provide two years’ worth of financial statements. In this regard, a company must be able to demonstrate it has measurable past performance. If a company does not have previous federal contracting experience, it may use federal and non-federal references from six or more previous customers, in part to obtain a past performance and evaluation Open Ratings report through Dun & Bradstreet.

FedBizOpps
Federal Business Opportunities (FedBizOpps) is a point of entry for businesses to seek out federal government contracting opportunities with a value of over $25,000.

GWACs
The federal government is a massive purchaser of hardware, software and related services through Governmentwide Acquisition Contracts (GWAC).

Subcontracting
Another way to get involved in federal government contracting, albeit indirectly, is to serve as a subcontractor for a company that has been awarded a government contract (known as the “prime contractor”). Agencies may provide information on their websites about firms to which they have awarded contracts. As an example, the GSA and SBA maintain subcontracting directories and databases. Subnet is another database of subcontracting opportunities. Other potentially useful sources of information include trade and business publications, the SAM website, company websites, and the Federal Procurement Data System (FPDS). Information obtained from these resources might indicate which companies have received, or plan to receive, government contracts.

One note before moving ahead: take the time to thoroughly research a potential contract opportunity and plan your “elevator pitch” and capability statement for said opportunity before making an offer. It will pay off in the long run.

Offering on a Contract

After you have completed the necessary registrations and found an opportunity that fits your business, you are ready to jump into the offer pool. There are two types of offers when it comes to government contracts – bids and proposals. Bids are generally used in sealed bidding purchases, while proposals usually involve contract awards to be made following a negotiation process. Three of the main offer types are briefly described below:

  • Request for Quotation (RFQ): An RFQ is generally used for proposed contracts with a value of less than $150,000. The benefit is that this method is usually relatively simple and focuses mainly on price and delivery capabilities.
  • Request for Proposal (RFP): Typically for acquisitions sought with larger values than an RFQ, a potential contractor will be required to provide additional details about how they would be able to complete a specific project or develop a specific product.
  • Invitation for Bid (IFB): In a similar vein to an RFP, an IFB is generally used for projects with a value of over $100,000. Potential contractors submit a sealed solicitation/bid for government procurement. This process typically does not involve any outside negotiation between a potential contractor and the government vendor seeking the acquisition.

It is crucial that the information provided in an offer (whether it is for an RFQ, RFP, IFB, or otherwise) is factually sound and inclusive of any pertinent material a CO would need to make its evaluation. A company will want to provide as much information as possible without overwhelming the CO. However, make sure not to overpromise on any proposal, particularly related to technical specifications (if required), as this will become part of the contract in the event your proposal is selected.

Submit an Offer

Once you have identified an opportunity, double-checked everything included in your bid and/or proposal and have satisfied all the rules for the submission process, you are ready to submit your offer. As a parting word of advice, do not make the mistake of assuming offering the lowest price is the key to winning a government contract. A company’s experience and history of providing excellent service in its respective field is as important, if not more important, than the actual offer value.

The evaluation and award process begins when a government procurer receives bids/offers. This process can vary greatly regarding timing (often between 30 and 120 days) and ultimate acceptance of a bid. Stay patient, be prepared to provide any necessary follow-up information, keep in regular contact with the assigned CO (without being too pushy), and continue to set your business up for success should your offer be accepted.

The information provided in this advisory is a starting point to prepare your business for contracting with the federal government.

Article link: https://www-natlawreview-com.cdn.ampproject.org/c/s/www.natlawreview.com/article/what-you-need-to-know-contracting-federal-government?

© 2022 Varnum LLP

National Law Review, Volume XII, Number 129

A Study of More Than 250 Platforms Reveals Why Most Fail – HBR

Posted by timmreardon on 05/09/2022

by David B. Yoffie, Annabelle Gawer, Michael A. Cusumano

May 29, 2019

Summary. Platforms have become one of the most important business models of the 21st century. The problem is that platforms fail at an alarming rate. By identifying the sources of failure, managers can avoid the obvious mistakes. To understand why and how platforms fail, we tried to identify as many failed American platforms as possible over the last twenty years that competed with the 43 successful platforms. The 209 failures allowed us to extract some general lessons about why platforms struggle. In general, platforms fail for four reasons: (1) mispricing on one side of the market, (2) failure to develop trust with users and partners, (3) prematurely dismissing the competition, and (4) entering too late.

Platforms have become one of the most important business models of the 21st century. In our newly-published book, we divide all platforms into two types: Innovation platforms enable third-party firms to add complementary products and services to a core product or technology. Prominent examples include Google Android and Apple iPhone operating systems as well as Amazon Web Services. The other type, transaction platforms, enable the exchange of information, goods, or services. Examples include Amazon Marketplace, Airbnb, or Uber.

Five of the six most valuable firms in the world are built around these types of platforms.  In our analysis of data going back 20 years, we also identified 43 publicly-listed platform companies in the Forbes Global 2000. These platforms generated the same level of annual revenues (about $4.5 billion) as their non-platform counterparts, but used half the number of employees. They also had twice the operating profits and much higher market values and growth rates.

However, creating a successful platform business is not so easy. What we call “platformania” has resembled a land grab, where companies feel they have to be the first mover to secure a new territory, exploit network effects, and raise barriers to entry.  Uber’s frenetic efforts to conquer every city in the world and Airbnb’s desire to enable room sharing on a global scale are the two most obvious recent examples.

The problem is that platforms fail at an alarming rate.  By identifying the sources of failure, managers can avoid the obvious mistakes.

To understand why and how platforms fail, we tried to identify as many failed American platforms as possible over the last twenty years that competed with the 43 successful platforms. The 209 failures allowed us to extract some general lessons about why platforms struggle.

The average life of the failed platforms is only 4.9 years. Many gig economy platforms collapsed within 2-3 years because they did not have enough users or funding. Given the need for deep pockets, it should not be surprising that standalone firms tended to have shorter lives than those that were acquired or launched as part of a larger firm or consortium of firms.  Standalone firms had an average duration of only 3.7 years. Acquired firms, which generally had stronger balance sheets, were capable of fighting longer (averaged 7.4 years), while firms that were part of larger entities were just average in length of survival.

We grouped the most common mistakes into four categories: (1) mispricing on one side of the market, (2) failure to develop trust with users and partners, (3) prematurely dismissing the competition, and (4) entering too late.

Researchers have extensively studied pricing decisions, yet managers still get them wrong. A platform often requires underwriting one side of the market to encourage the other side to participate.  But knowing which side should get charged and which side should get subsidized may be the single most important strategic decision for any platform.

Firms may have to throw commonsense pricing out the window when two or more platforms are racing to create a network effect. For example, Sidecar pioneered the peer-to-peer ridesharing model before Uber and Lyft, but it never became a household name. It deliberately pursued innovation and a conservative slow-growth strategy in order to be financially responsible. The fatal flaw was not recognizing the importance of attracting both sides of the platform.  Sidecar also raised much less venture capital than Uber and Lyft, and was unable to attract enough drivers and riders to survive much beyond the startup phase. Of course, Uber and Lyft have lost billions of dollars and, even though both have now gone public, they may never generate a profit or survive as viable businesses.

Getting the price right is necessary in any platform, though it is not sufficient for success. Platforms also require two or more parties, who may or may not know each other, to connect. Therefore, building trust is essential; this is typically done through rating systems, payment mechanisms, or insurance. In the absence of trust, the players on the platform have to make a leap of faith.  One of the biggest failures in this category was eBay in China. eBay was the first mover, with a dominant share in China in the early 2000s. But Alibaba took over the market. The biggest source of the failure, confided the CEO of eBay China in an interview, was that “eBay’s single biggest problem… was trust.” eBay relied on PayPal, which was designed as a payment system, much like a bank.  For Chinese consumers unfamiliar with ecommerce, that was not enough.  Alibaba’s Alipay used an escrow model (which did not release payment until the consumer was satisfied).  This neutralized eBay’s early mover advantage, and Alibaba quickly captured the bulk of the market.

A common misconception about platforms is that once the market tips in your favor, you will be the long-run winner.  Often this is true. But there is a better way to think about tipped markets:  it is the winner’s opportunity to lose.  Hubris, along with overconfidence and arrogance, to name a few misdirected traits, can produce spectacular failures. For example, browsers were a classic innovation platform: web masters had to optimize their websites to exploit key features in a browser. When Microsoft’s Internet Explorer captured close to 95% of the market by 2004, pundits proclaimed the browser wars were over, the market had tipped, and Microsoft had won. It would require a monumental screw up for Microsoft to lose, but this is exactly what happened. It took Microsoft almost a decade to lose its leading position: extremely poor product execution between 2004 and 2008 enabled the emergence of Firefox; and then inferior product innovation between 2008 and 2015 opened the door to Google’s Chrome.

Perhaps the most classic platform mistake is mistiming the market. The smartphone market illustrates how great products plus all the resources in the world can still lead to failure when entry is too late. Here again, Microsoft was the poster child for failure. Despite billions and billions of dollars of investments over a decade, Microsoft’s Windows phone died. Entering the business five years after Apple, and three years after Google, meant that Microsoft missed the platform window and never recovered.

Here are the key takeaways from our research into why platforms fail:

First, since many things can go wrong in a platform market, managers and entrepreneurs need to make concerted efforts to learn from failures.  Despite the huge upside opportunities that platforms offered, pursuing a platform strategy does not necessarily improve the odds of success as a business.

Second, since platforms are ultimately driven by network effects, getting the prices right and identifying which sides to subsidize remain the biggest challenges. Uber’s great insight (and Sidecar’s great failure) was recognizing the power of network effects to drive volume by dramatically lowering prices and costs on both sides of the market. While Uber is still struggling to make the economics work (and it may yet fail as a business), Google, Facebook, eBay, Amazon, Alibaba, Tencent, and many other platforms started by aggressively subsidizing at least one side of the market and made the transition to high profits.

Third, it is important to put trust front and center. Asking customers or suppliers to take a leap of faith, without history and without prior connections to the other side of a market, is usually asking too much of any platform business. eBay’s failure to establish mechanisms for building trust in China, like Alibaba did with Taobao, is an error that platform managers can and should avoid.

Fourth, although it may sound obvious, timing is crucial. Being early is preferable, but no guarantee of success: remember Sidecar. Being late can be deadly. Microsoft’s catastrophic delay in building a competitor to iOS and Android is a case in point.

Finally, hubris can lead to disaster. Dismissing the competition, even when you have a formidable lead, is inexcusable. If you cannot stay competitive, no market position is safe. Microsoft’s terrible execution with Internet Explorer is an obvious example.

Article link: https://hbr.org/2019/05/a-study-of-more-than-250-platforms-reveals-why-most-fail

David B. Yoffie is the Max and Doris Starr Professor of International Business Administration at Harvard Business School. He is co-author of The Business of Platforms: Strategy in the Age of Digital Competition, Innovation and Power (2019).

Annabelle Gawer is chaired professor in digital economy and the director of the Centre of Digital Economy at the University of Surrey, UK. She is co-author of The Business of Platforms: Strategy in the Age of Digital Competition, Innovation and Power (2019).

Michael A. Cusumano is the Sloan Distinguished Professor of Management at the MIT Sloan School of Management in Cambridge. He is co-author of The Business of Platforms: Strategy in the Age of Digital Competition, Innovation and Power (2019).

How Apple, Google, and Microsoft will kill passwords and phishing in one stroke – Ars Technica

Posted by timmreardon on 05/08/2022

Dan Goodin 05/6/2022 2:33 pm

For more than a decade, we’ve been promised that a world without passwords is just around the corner, and yet year after year, this security nirvana proves out of reach. Now, for the first time, a workable form of passwordless authentication is about to become available to the masses in the form of a standard adopted by Apple, Google, and Microsoft that allows for cross-platform and cross-service passkeys.

Password-killing schemes pushed in the past suffered from a host of problems. A key shortcoming was the lack of a viable recovery mechanism when someone lost control of phone numbers or physical tokens and phones tied to an account. Another limitation was that most solutions ultimately failed to be, in fact, truly passwordless. Instead, they gave users options to log in with a face scan or fingerprint, but these systems ultimately fell back on a password, and that meant that phishing, password reuse, and forgotten passcodes—all the reasons we hated passwords to begin with—didn’t go away.

A new approach

What’s different this time is that Apple, Google, and Microsoft all seem to be on board with the same well-defined solution. Not only that, but the solution is easier than ever for users, and it’s less costly for big services like GitHub and Facebook to roll out. It has also been painstakingly devised and peer-reviewed by experts in authentication and security.

The current multifactor authentication (MFA) methods have made important strides over the past five years. Google, for instance, allows me to download an iOS or Android app that I use as a second factor when logging in to my Google account from a new device. Based on CTAP—short for client to authenticator protocol—this system uses Bluetooth to ensure that the phone is in proximity to the new device and that the new device is, in fact, connected to Google and not a site masquerading as Google. That means it’s unphishable. The standard ensures that the cryptographic secret stored on the phone can’t be extracted.

Google also provides an Advanced Protection Program that requires physical keys in the form of standalone dongles or end-user phones to authenticate logins from new devices.

The big limitation right now is that MFA and passwordless authentication get rolled out differently—if at all—by each service provider. Some providers, like most banks and financial services, still send one-time passwords through SMS or email. Recognizing that those aren’t secure means for transporting security-sensitive secrets, many services have moved on to a method known as TOTP—short for time-based one-time password—to allow the addition of a second factor, which effectively augments the password with the “something I have” factor.

Physical security keys, TOTPs, and to a lesser extent two-factor authentication through SMS and email represent an important step forward, but there remain three key limitations. First, TOTPs generated through authenticator apps and sent by text or email are phishable, the same way regular passwords are. Second, each service has its own closed MFA platform. That means that even when using unphishable forms of MFA—such as standalone physical keys or phone-based keys—a user needs a separate key for Google, Microsoft, and every other Internet property. To make matters worse, each OS platform has differing mechanisms for implementing MFA.

These problems give way to a third one: the sheer unusability for most end users and the nontrivial cost and complexity each service faces when trying to offer MFA.

Taming the MFA beast

The program that Apple, Google, and Microsoft are rolling out will finally organize the current disarray of MFA services in some significant ways. Once it’s fully implemented, I’ll be able to use my iPhone to store a single token that will authenticate me on any of those three companies’ services (and, one expects, many more follow-on services). The same credential can also be stored on a device running Android or Windows.

By presenting a facial scan or fingerprint to the device, I’ll be able to log in without having to type a password, which is faster and much more convenient. Equally important, the credential can be stored online so that it’s available when I replace or lose my current phone, solving another problem that has plagued some MFA users—the risk of being locked out of accounts when phones are lost or stolen. The recovery process works by using an already authenticated device to download the credential, with no password required.

“That’s really the whole point here—there’s no recovery process as the private key is immediately available across a user’s devices,” Andrew Shikiar, executive director of the FIDO Alliance, wrote in an email. “They just need to verify themselves to their device to log into their previously enrolled accounts.”

He added: “If the question is about device cloud recovery (e.g., how do I get back into my iCloud account?)—that is something that is managed by each platform provider, all of whom have highly secure methods to ensure that recovery is possible for authentic users.”

Besides giving end users a much more usable process for logging in, the program also offers robust security protections that go beyond what’s available from most online services today.

“While any MFA is better than no MFA, only FIDO authentication is phishing-resistant and is the MFA gold standard,” Bob Lord, a senior technical advisor in the Cybersecurity Division at the Cybersecurity and Infrastructure Security Agency, told me. Previously, Lord was the chief security officer for the Democratic National Committee and chief information security officer at Yahoo. “We finally have a cryptographically strong MFA that is based on open standards and is built into the browsers and phones we already use. That drives costs down and reduces complexity for organizations that want to remove credential theft from the attacker’s toolkit.”

The linchpin to this scheme is something called “multi-device credentials” or, more colloquially, “passkeys,” introduced in updates to the existing FIDO, WebAuthn, and CTAP standards for authentication. As the name suggests, the credential works across all devices, whether you’re running iOS, Android, or Windows, and across all Apple, Google, or Microsoft services.

To make passkey authentications immune to phishing and other common forms of credential theft, the phone or other device storing the credential must be in proximity to the device the user is using to log in. A Bluetooth connection allows the two devices to exchange information that ensures the device logging in is near the end user rather than a remote threat actor. It also allows the authenticating device to ensure that the machine logging in is connected to the legitimate URL rather than an imposter attempting to gain unauthorized access.

So even if a remote attacker attempts to log in, account owners will be unable to use their passkeys to authenticate the transaction. Since the phone or other authenticating device must be physically close to a user’s computer before it will display a “do you want to login” dialog, a phisher in another city, state, or country can’t initiate a login and perform a technique known as MFA prompt bombing.

Lord and other security experts say that passkeys also eliminate the need to enter a password without degrading security assurances provided by most current forms of MFA. Most MFA has consisted of a password and a security token—that is, something I know and something I have. The new system provides another, easier form of MFA—specifically, something I have (my phone) and something I am (my fingerprint or face scan).

In an email, Andrew Shikiar, executive director of the FIDO Alliance, said that he expects rollouts to start by the end of this year and early into the next year.

“Each platform provider has their own timelines for initial deployment over the coming year,” he wrote. Once all three services have fully implemented the system, “users will be able to leverage the ‘passkey’ functionality for passwordless logins across devices on a device platform and also can bootstrap from one platform to another that also has support. This latter action is done via a local Bluetooth pairing in a new protocol being built into the FIDO specs.”

The FIDO Alliance, Google, and Microsoft have more details here, here, and here.

Given the decade of empty promises announcing the demise of the password, people have good reason to greet this week’s announcement with skepticism. It won’t be a done deal until all the pieces are in place and passkeys are rolled out on a mass scale. That said, with the support of Google, Microsoft, and especially Apple—a company famous for its “not invented here” bias—we’re for the first time within spitting distance of this key landmark.

Article link: https://arstechnica.com/information-technology/2022/05/how-apple-google-and-microsoft-will-kill-passwords-and-phishing-in-1-stroke/?

This post has been updated to add comment from FIDO explaining how the recovery process works.

New Marine Corps aviation plan makes ‘digital interoperability’ a top priority – Breaking Defense

Posted by timmreardon on 05/08/2022
Posted in: Uncategorized.

By Justin Katz on May 03, 2022 at 4:27 PM

CORRECTION 5/5/2022 at 9:34 a.m. ET: This report has been updated to remove a chart and accompanying text that misidentified information about aircraft production figures.

WASHINGTON: The Marine Corps today published its first aviation plan since 2019, in which it stressed a need to ensure the service’s aviation fleet maintains “digital interoperability” among the Joint Force and foreign partners.

“The future [Marine Air Ground Task Force] is increasingly characterized by its ability to sense, share, and fuse information at tactically relevant speeds with the Joint Force, as well as partners and allies,” reads the document, signed by the service’s top aviator, Lt. Gen. Mark Wise. “Information, and the speed at which it can be shared, is a driving force in the MAGTF’s ability to create tempo in a future operating environment.”

The service’s aviation plan is akin to the Navy’s 30-year shipbuilding plan in that it projects what the Marine Corps envisions the future aviation fleet will look like, what capabilities will be most important and the overall strategic vision laid out by the deputy commandant for aviation. Also similar to the shipbuilding plan, the service has failed to produce the document on a routine basis.

The document’s focus on “digital interoperability,” also referred to as “DI,” echoes the Pentagon’s larger goals for Joint All Domain Command and Control as well as the Navy’s portion of that effort, Project Overmatch.

“The goal of MAGTF DI is to provide the required information to the right participants at the right time, to overcome an adversary, while improving efficiency and effectiveness,” according to the document. “MAGTF DI aims to provide greater situational awareness, accelerate the kill chain, and enhance survivability to outmaneuver and defeat the threat.”

The aviation plan describes the “MAGTF Agile Network Gateway Link,” dubbed MANGL, as the foundation of the service’s efforts to digitally connect its aircraft. The service’s plan uses a “hubs” and “spokes” analogy to describe MANGL.

“Hubs have a comprehensive gateway and spectrum agile radio to handle the message translation and network management of present and future tactical data links (TDL),” according to the document. “Spokes have the same interfaces, but less capable gateways and legacy radios.”

The service anticipates that by fiscal 2024 that every Marine Corps aviation platform will have “a way to transmit and receive multiple standardized links” to meet the service’s missions.

Article link: https://breakingdefense-com.cdn.ampproject.org/c/s/breakingdefense.com/2022/05/new-marine-corps-aviation-plan-makes-digital-interoperability-a-top-priority/amp/

Leaders Focus Too Much on Changing Policies, and Not Enough on Changing Minds – HBR

Posted by timmreardon on 05/07/2022
Posted in: Uncategorized.

by Tony Schwartz

June 25, 2018

Summary. So why is business transformation so difficult to achieve? One reason is the invisible fears and insecurities that keep us locked into behaviors even when we know rationally that they don’t serve us well. Leaders can change processes, policies, seating arrangements, and other external factors, but until they change people’s internal feelings, assumptions, blind spots, and fears, they’ll struggle to make change stick. This kind of transformation should start with the leaders themselves, since it’s their personalities that often shape corporate culture.

Not long ago, I asked 100 CEOs attending a conference how many of them were currently involved in a significant business transformation. Nearly all of them raised their hands, which was no surprise. According to a study by BCG, 85% of companies have undertaken a transformation during the past decade.

The same research found that nearly 75% of those transformations fail to improve business performance, either short-term or long-term.

So why is transformation so difficult to achieve?

Among many potential explanations, one that gets very little attention may be the most fundamental: the invisible fears and insecurities that keep us locked into behaviors even when we know rationally that they don’t serve us well. Add to that the anxiety that nearly all human beings experience in the face of change. Nonetheless, most organizations pay far more attention to strategy and execution than they do to what their people are feeling and thinking when they’re asked to embrace a transformation. Resistance, especially when it is passive, invisible, and unconscious, can derail even the best strategy.

Business transformations are typically built around new structural elements, including policies, processes, facilities, and technology. Some companies also focus on behaviors — defining new practices, training new skills, or asking employees for new deliverables.

What most organizations typically overlook is the internal shift — what people think and feel — which has to occur in order to bring the strategy to life. This is where resistance tends to arise — cognitively in the form of fixed beliefs, deeply held assumptions and blind spots; and emotionally, in the form of the fear and insecurity that change engenders. All of this rolls up into our mindset, which reflects how we see the world, what we believe and how that makes us feel.

The result is that transforming a business also depends on transforming individuals — beginning with the most senior leaders and influencers. Few of them, in our experience, have spent much time observing and understanding their own motivations, challenging their assumptions, or pushing beyond their intellectual and emotional comfort zones. The result is something that the psychologists Lisa Lahey and Robert Kegan have termed “immunity to change.”

We first ran up against the power of mindset two decades ago when we began to make a case inside organizations that rest and renewal are essential for sustaining high performance. The scientific evidence we presented to clients was compelling. Nearly all of them found the concept persuasive and appealing, both logically and intuitively. We taught them very simple strategies to build renewal into their lives, and they left our workshops eager to change the way they worked.

Nonetheless, most of them struggled with changing their behavior when they got back to their jobs. They continued to equate continuous work and long hours with success. Taking time to renew during work days made them feel as if they were slacking. Even when organizations built nap rooms, they often went unused. People worried that if they rested at all, they wouldn’t get their work done, and above all, they feared failing. Despite their best intentions, many of them eventually defaulted back to their habitual patterns.

More recently, we worked with the senior team of a large consumer product company which had been severely disrupted by smaller, more agile online competitors selling their services directly to consumers. On its face, the team was aligned, focused, and committed to a new multi-faceted strategy with a strong digital component. But when we looked at the team’s mindset more deeply, we discovered that they shared several underlying beliefs including, “Everything we do is equally important,” “More is always better,” and “It has to be perfect or we don’t do it.” They summarized these beliefs in a single sentence: “If we don’t keep running as hard as we can, and attend to every detail, everything will fall apart.”

Not surprisingly, the leaders found they were spreading themselves too thin, struggling to pull the trigger on new initiatives, and feeling exhausted. Simply surfacing these costs and their consequences proved highly valuable and motivating. We also launched several initiatives to address these issues individually and collectively.

One of the most successful began with a simple exercise aimed at helping the leaders to define their three highest priorities. Then we took them through a structured exercise including delving into their calendars to assess whether they were using their time to best advantage, including setting aside time for renewal. This process prompted them to examine more consciously why they were working in self-defeating ways.

We also developed an online site where leaders agreed to regularly share their progress on prioritizing, as well as any feelings of resistance that were arising, and how they managed them. Their work is ongoing, but among the most common feelings people reported were liberation and relief. Their worst fears failed to materialize.

Several factors typically hold mindset in place. The first is that much of it gets deeply rooted early in our lives. Over time we tend to develop confirmation bias, forever seeking evidence that reinforces what we already believe, and downplaying or dismissing what doesn’t. We’re also designed, both genetically and instinctively, to put our own safety first, and to avoid taking too much risk. Rather than using our capacity for critical thinking to assess new possibilities, we often co-opt our prefrontal cortex to rationalize choices that were actually driven by our emotions.

All this explains why the most effective transformation begins with what’s going on inside people — and especially the most senior leaders, given their disproportionate authority and influence. Their challenge is to deliberately turn attention inward in order to begin noticing the fixed patterns in their thinking, how they’re feeling in any given moment, and how quickly the instinct for self-preservation can overwhelm rationality and a longer term perspective, especially when the stakes are high.

Leaders also have an outsize impact on the collective mindset — meaning the organizational culture. As they begin to change the way they think and feel, they’re more able to model new behaviors and communicate to others more authentically and persuasively. Even employees highly resistant to change tend to follow their leaders, simply because most people prefer to fit in, rather than stick out.

Ultimately, personal transformation requires the courage to challenge one’s current comfort zone, and to tolerate that discomfort without overreacting. One of the most effective tools we’ve found is a series of provocative questions we ask leaders and their teams to build a practice around asking themselves:

“What am I not seeing?”

“What else is true?”

“What is my responsibility in this situation?”

“How is my perspective being influenced by my fears?”

Great strategy remains foundational to transformation, but successful execution also requires surfacing and continuously addressing the invisible reasons that people and cultures so often resist changing, even when the way they’re working isn’t working.

Article link: https://hbr.org/2018/06/leaders-focus-too-much-on-changing-policies-and-not-enough-on-changing-minds?

Tony Schwartz is the CEO of The Energy Project and the author of The Way We’re Working Isn’t Working. Become a fan of The Energy Project on Facebook.

Supercharged IT, superclouds, and superpowered healthcare – what they can deliver MedCityNews

Posted by timmreardon on 05/07/2022
Posted in: Uncategorized.

Cloud resources are now incredibly varied and accessible, with a large ecosystem of industry-specific cloud-based managed services specializing in these complexities. Which means the average healthcare organization can, indeed, afford to tap into supercloud power — they just get it as a service.

By GERRY MILLER May 3, 2022 at 5:54 P

When it comes to information technology (IT), the “whether and why” discussion about cloud use is pretty much over. As noted in some recent analysis from Accenture, “The last two years have laid bare the power and agility of cloud…and a new understanding that cloud at scale is essential for operations maturity, and ultimately, value.”

Even in the slow-to-digitize healthcare sector, contemporary estimates indicate around 90% of the industry has leveled up to using some degree of cloud computing for some functions and in various incarnations (private-, public-, hybrid-, multi-cloud).

Supercharging IT with cloud power may now be essential, but that doesn’t necessarily mean it’s simple. Despite an accelerated cloud adoption curve over the past couple of years, a huge swath of healthcare organizations still rely on infrastructure predating the advent of the iPhone. And as everyone knows, hordes of valuable data remain confined to countless racks of servers siloed in hospital basements and assorted colocation data centers far and wide.

Working with assemblages of those very old systems and very new cloud deployments can get very, very complicated.

It’s difficult to rectify the sheer magnitude of differences in both fundamental operation and capability between legacy on-premises infrastructure and cloud infrastructure. Picture someone from the horse-and-buggy age being presented with access to a rocket ship and trying to conceptualize whether it will fit in the barn or what to feed it. That’s kind of where healthcare finds itself.

The world of technology moves at lightning speed. For a host of reasons, the healthcare sector has struggled to keep pace. What lies between is a gulf of IT complexity that stymies even the most sophisticated organizations. Thus a host of promising models and solutions are continually evolving to help bridge the gap. The latest of these is the supercloud.

Supercloud

The “supercloud” term dates back to a 2016 Cornell University project describing an “architecture that enables application migration as a service across different availability zones or cloud providers. The supercloud provides interfaces to allocate, migrate, and terminate resources such as virtual machines and storage and presents a homogeneous network to tie these resources together…[and] span across all major public cloud providers…as well as private clouds.”

Much of the current excitement about the concept is centered around making everything portable across existing hyperscalers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, and the big business potential in constructing specialized clouds on top of them. Trendy examples of this model can be found in Snowflake’s recently launched Healthcare & Life Sciences Data Cloud and Databricks’ new Lakehouse for Healthcare and Life Sciences.

The central value of the supercloud concept really hinges on provisioning the best cutting edge technology available while simplifying the way the organization interacts with it. The real magic of cloud power today isn’t really in portable IT workloads; it’s in the vendor-specific cloud-native services that the big hyperscalers supply. For example, Amazon Web Services has some really cool database and stream management technology. Microsoft Azure has some really cool storage technology. Google Cloud has some really cool machine learning technology. But your average healthcare business can’t afford to staff a huge IT department that:

  1. Keeps up with all of those developing services;
  2. Manages strict compliance and security requirements;
  3. Keeps the proverbial lights on for all their internal systems; and
  4. Finds innovative ways to utilize nifty new technologies for the business.

It’s just not feasible.

However, cloud resources are now incredibly varied and accessible, with a large ecosystem of industry-specific cloud-based managed services specializing in these complexities. Which means the average healthcare organization can, indeed, afford to tap into supercloud power — they just get it as a service.

Essentially, healthcare organizations can get a service layer designed for their industry with sets of application programming interfaces (APIs) that are called to implement best-of-breed cloud services in a hybrid fashion amongst the appropriate hyperscalers. The right cloud is picked for particular use cases, and a mesh service layer covers all of it. Unique compliance and security requirements are automated, and the underlying implementation complexities are hidden from the business users of those services. So the healthcare organization’s IT department can pretty much offload tasks 1 through 3 and focus entirely on innovating ways to help the business.

You’ll sometimes see a similar ideal touted as “industry cloud.” As recently noted by Brian Campbell of Deloitte Consulting in HealthITSecurity, “Industry clouds are a portfolio of business transformation-focused solutions, assets, and accelerators that ultimately help to reinvent and transform the business side of that specific industry,” supplying an excellent option for healthcare organizations looking to “keep pace with the changing digital landscape.”

Superpower

Regardless of how a healthcare organization goes about increasing IT agility, reducing complexity, and reinventing business processes, the cloud should be central to the effort. A simple fact has been established: Cloud power increases healthcare power.

To demonstrate, consider a recent six-month study where a team of researchers shattered the record for diagnosing rare genetic diseases with DNA sequencing, and set a new Guinness World Record of 5 hours and 2 minutes to sequence a patient’s genome. At Stanford Hospital, the team dedicated specialized flow cell sequencing hardware to try to speed sequencing a single patient’s genome. But the amount of data being produced overwhelmed the lab’s computational systems.

According to Stanford study team member Euan A. Ashley, “We weren’t able to process the data fast enough. We had to completely rethink and revamp our data pipelines and storage systems.” Team member Sneha Goenka “found a way to funnel the data straight to a cloud-based storage system where computational power could be amplified enough to sift through the data in real time.”

The results?

They were able to sequence and diagnose a genetic illness in 7 hours and 18 minutes, which is about twice as fast as the previous record. For one teenaged patient in their study, their sequencing data showed his condition was rooted in genetics within a matter of hours, and he was immediately placed on a heart transplant list. He received a new heart three weeks later, and as of January this year, his mom says he’s doing “exceptionally well.”

Super!

Article link: https://medcitynews.com/2022/05/supercharged-it-superclouds-and-superpowered-healthcare-what-they-can-deliver/

Gerry Miller

I am the Founder and CEO of Cloudticity. I spend my days thinking about how to help the healthcare industry best leverage cloud technology to enable them to help people live healthier lives. I have spent the last 30 years navigating the technology industry. Prior to Cloudticity, I was brought in as the chief operating officer at ePrize; I turned around a failing company that was eventually sold for a fourfold return on the initial private equity investment. Before ePrize, I spent eight years at Microsoft, first as chief technology officer for the US central region, then running the global business unit that oversaw General Motors (Microsoft’s second-largest customer), growing that account from $20MM to over $100MM in three years. Prior to Microsoft, I spent nearly a decade in the technology consulting and startup industry. I hold all the core five AWS certifications.

USMC IT Day at CyberBytes Foundation – AFCEA

Posted by timmreardon on 05/06/2022
Posted in: Uncategorized.

If you haven’t already, be sure to register to join us on May 19th for United States Marine Corps IT Day! You won’t want to miss out on this power house line up!

AFCEA Quantico-Potomac | Matthew Weaver | ♦️Amanda S. | Jonathan Payton | Joel Scharlat | Dr Aaron J Miller | Dr. Paul de Souza | Jeremy Rockett | Jonathan Mappin | Rich Leino |

#USMC #AFCEA #IT #ITday #Networking #DoD

HAVE YOU REGISTERED FOR USMC IT DAY????
May 19th
At the Cyber Bytes Foundation in Stafford, VA.

Check out the JAM PACKED AGENDA and Click the link below for more info and to register! You don’t want to miss this spectacular lineup! Confirmed speakers from Marine Corps Systems Command, DON PEO Digital, U.S. Marine Corps Forces Cyberspace Command (MARFORCYBER), and many others!

Register: https://lnkd.in/gvzX6cKm

Spread the word! #USMCITDay

#marinecorps #usmc #cyber #informationtechnology #IT

William S. Williford III, Keegan Mills, Robin Fortner, MA, RBLP-T, Carlos Urbina, Robert Bailey, USMC, PMP, Khoi Nguyen, CISSP-ISSAP, PMP, Luke Revell, Samuel Castro, Keith Bonnell
Jeremy Rockett, Rich Leino, Jay Storms, Jonathan Mappin, Matt Sladky, Grant Huckestein, Krista McKendree, ♦️Amanda S., Jonathan Payton, Joel Scharlat

Researchers uncover years-long espionage campaign targeting dozens of global companies –

Posted by timmreardon on 05/06/2022
Posted in: Uncategorized.

Researchers with cybersecurity firm Cybereason briefed the FBI and Justice Department recently about Operation CuckooBees, an alleged espionage effort by Chinese state-sponsored hackers to steal proprietary information from dozens of global defense, energy, biotech, aerospace and pharmaceutical companies.

The organizations affected were not named in Cybereason’s report but allegedly include some of the largest companies in North America, Europe and Asia. Cybereason tied the campaign to the prolific Winnti Group, also known as APT 41.

Cybereason CEO Lior Div told The Record that the most alarming aspect of the investigation into Operation CuckooBees was the evasive and sophisticated measures used to hide inside the networks of dozens of the largest global manufacturing companies in North America, Europe and Asia as far back as 2019. 

“The group operates like a guided missile and once it locks in on its target, it attacks and doesn’t stop until it steals a company’s crown jewels,” Div said.

“Winnti pilfered thousands of gigabytes of data and to add insult to injury also made off with proprietary info on business units, customer and partner data, employee emails and other personal information for use in blackmail or extortion schemes at a time of their choosing.”

Cybereason said that throughout its 12-month investigation, it found the intruders took troves of intellectual property and sensitive proprietary data, including formulas, source code, R&D documents and blueprints, as well as diagrams of fighter jets, helicopters, missiles and more. 

The attackers also gained information that could be used for future cyberattacks, like details about a company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.

Most concerning, according to Div, was that the companies had no clue they were breached.

In two detailed reports, Cybereason attributes the attacks to Winnti based on an analysis of the digital artifacts the group seemed to have left behind after its intrusions. 

Several cybersecurity companies have been tracking Winnti since it emerged in 2010 and experts have noted the hackers to be operating on behalf of Chinese state interests, specializing in cyber-espionage and intellectual property theft.

The group used a previously undocumented malware strain called DEPLOYLOG as well as new versions of malware like Spyder Loader, PRIVATELOG, and WINNKIT.

The malware included digitally signed, kernel-level rootkits as well as an elaborate multi-stage infection chain that enabled the operation to remain undetected, Cybereason said.

The group also managed to abuse the Windows Common Log File System (CLFS) mechanism, which allowed the intruders to “conceal their payloads and evade detection by traditional security products.”

CLFS is a logging framework that was first introduced by Microsoft in Windows Server 2003 R2 and included in later Windows operating systems. 

“The attackers implemented a delicate ‘house of cards’ approach, meaning that each component depends on the others to execute properly, making it very difficult to analyze each component separately,” Div explained. 

Operation CuckooBees generally took advantage of existing weaknesses, Div said, such as “unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts and no use of multi-factor authentication products.”

Cybereason said that the attackers gained their initial foothold in the organizations through vulnerabilities in Enterprise Resource Planning platforms. 

Last month, FBI director Chris Wray told 60 Minutes that the “biggest” threat American law enforcement officials face is from Chinese hackers stealing proprietary information. The bureau opens a new China counterintelligence investigation about every 12 hours, he said.

“They are targeting our innovation, our trade secrets, our intellectual property on a scale that’s unprecedented in history. They have a bigger hacking program than that of every other major nation combined,” Wray said. 

“They have stolen more of Americans’ personal and corporate data than every nation combined. It affects everything from agriculture to aviation to high tech to healthcare, pretty much every sector of our economy. Anything that makes an industry tick, they target.”

The Justice Department issued indictments of several alleged members of APT 41 in 2020, noting that the group had hacked more than 100 companies across the world.

Article link: https://therecord-media.cdn.ampproject.org/c/s/therecord.media/operation-cuckoobees-apt41-cybereason-winnti-group/amp/

Why It’s So Hard to Scale a Great Idea – HBR

Posted by timmreardon on 05/05/2022
Posted in: Uncategorized. Leave a comment

by John A. List

May 05, 2022

Summary. Why do some products, companies, and social programs thrive as they grow while others peter out? According to the author, there are five causes: 1) False positives, or inaccurately interpreting a piece of evidence or data; 2) Biased representativeness of population, or not making sure your samples reflect the larger population at scale; 3) Non-negotiables that can’t grow or be replicated; 4) Negative spillovers, or unintended outcomes; and 5) Cost traps. Here, he explains and offers examples of each cause, as well as how to anticipate or avoid them.

For the last several years, I’ve been at the forefront of a movement known as implementation science, or the science of scaling. In this work, we are trying to understand why some products, companies, and social programs thrive as they grow, while others peter out.

When a seemingly promising idea loses efficacy or profitability as it expands, we call it a “voltage drop.” These failures to scale never happen because of one single reason.

Over the last 25 years as a behavioral economist, consultant to companies large and small, and former White House economic adviser, I’ve identified five causes, what I call “vital signs,” of voltage drops.

1. False Positives 

This occurs when you interpret a piece of evidence or data as proof that something is true, when in fact it isn’t — for example, as we’ve seen with inaccurate Covid test results. For scaling, a false positive is an erroneous sign that an idea has voltage when it really doesn’t.

Sometimes a false positive occurs because of a statistical error, as was the case with the famous drug abuse prevention program, D.A.R.E. After an independent study showed promising short-term results, the program received an influx of funding from the U.S. Department of Justice. However, there were several problems with the study: It excluded drugs like alcohol and marijuana, focusing on tobacco; it was based on a small sample size; and later studies and even meta-analyses could not replicate the results.

In other cases, false positives result from intentional lying. Think of Elizabeth Holmes and the purportedly groundbreaking blood-testing technology of Theranos, which didn’t actually exist.

When possible, the solution for rooting out false positives is to have at least three independent replications of the idea that show early promise. In companies with confidential research, employees must be incentivized with financial rewards that encourage them to question results.

2. Biased Representativeness of Population

Once you’ve reliably demonstrated the efficacy of the endeavor you hope to scale, the next step is to answer the question “How broadly will the idea work?”

All ventures must understand their potential audience. The first way to do this is by making sure your test samples in the small scale reflect the larger population at scale. Otherwise, you’ll be like McDonald’s, which fell victim to selection bias when it launched the unsuccessful Arch Deluxe. Focus group participants loved the new product, but they weren’t representative of the majority of Americans, who simply wanted to keep eating their Big Macs.

To weed out such biases, make sure your early adopters are a random sample. You should also make sure that your survey respondents have appropriate incentives to tell you the truth. A focus group participant who says they would purchase a product if it was introduced could simply be saying, “I would love the option to consider that product in the future,” as opposed to “I will be purchasing the product in the future.”

3. Non-Negotiables That Can’t Grow or Be Replicated

For an idea or enterprise to hold strong at scale, you need to know whether your “non-negotiables” — the drivers of your success — can be replicated at scale. In other words, is your secret sauce the “chef” or the “ingredients”? Since people don’t scale well (i.e., they can’t be cloned), talent-centric ventures often don’t either. You can’t afford all the talent you need as you grow, so you hire fewer high-performers and quality suffers at scale — a cruel voltage drop.

But, this vital sign is about much more than just people. As you scale, regulatory constraints, resource constraints, fidelity concerns, and a host of other issues might arise. In the end, we must bring these scaling constraints back to the petri dish and make sure the idea works with them in place.

4. Negative Spillovers

A spillover effect is the unintended impact one event or outcome can have on another event or outcome. A classic example is when a city opens a new factory, and the air pollution it produces impacts the health of nearby residents.

As you scale, the likelihood of spillovers increases dramatically. General equilibrium effects, or natural readjustments of the market, are one chief cause. I saw this firsthand when I was the chief economist at Uber. A coupon that led to more riders in one area of Seattle failed when we scaled it to the whole city because surge prices kicked in, and users found cheaper ways to get around that night.

Positive spillovers exist too, like network effects that make a social-media platform more valuable as more people join it. When designing your idea early on, you must anticipate negative spillovers and look for opportunities to engineer and benefit from positive ones.

5. The Cost Trap

To scale successfully, you need to determine not only how many people like your idea, but also what they’re willing to pay for it and, crucially, how much it will cost to provide.

When designing your enterprise, you must account for two types of costs: upfront fixed costs, like the one-time investment for the research and development to create a new product or service, and your ongoing operating expenses. Upfront costs can be recouped, but operating ones can bleed you and lead to a voltage drop, as happened to the innovative scientific wellness startup Arivale, which was poised to change preventative health care, only to go bankrupt a few years later, because it couldn’t find a viable price point for its services.

One strategy to escape the cost trap of scaling is to make sure you benefit from economies of scale, a skill Elon Musk excels at in all his ventures. Ever since he helped transform the world of online banking at PayPal, each major innovation he has undertaken thrives on scale economies. Consider Tesla. Its massive success can be traced to economies of scale of its two most important components: batteries and solar power generation cells, both of which can be manufactured significantly cheaper in higher numbers. In addition, everything at Tesla is geared toward increasing the efficiency of “the machine that makes the machines,” or what Musk affectionately calls his “Alien Dreadnought” — that is, a highly advanced, fully automated production facility.

Another strategy is to create models that don’t rely on top-tier talent. As you scale, finding and paying high-performers will become prohibitive. The solution is to create products that can give their full value to customers even with average performers delivering it.

When I give talks on this topic, I like to invoke the famous opening line of Leo Tolstoy’s novel Anna Karenina: “Happy families are all alike; every unhappy family is unhappy in its own way.” Similarly, scalable ideas are all alike; every unscalable idea is unscalable in its own way. The difference with scaling is there are only five main obstacles you face. And once you anticipate and avoid them, you can scale your idea for the highest voltage possible.

Article link: https://hbr.org/2022/05/why-its-so-hard-to-scale-a-great-idea?


John A. List is the Kenneth C. Griffin Distinguished Service Professor in Economics at the University of Chicago and Distinguished Professor of Economics at the Australian National University, as well as the chief economist at Lyft and, previously, at Uber. He has served on the Council of Economic Advisers and is the recipient of numerous awards and honors, including the AAEA’s Galbraith Award. His work has been featured in The New York Times, The Economist, Harvard Business Review, Fortune, Slate, and The Washington Post, and on NPR, NBC, and Bloomberg. List has authored over 250 peer-reviewed journal articles and several academic books, including the national bestseller The Voltage Effect.
