Ep. 21- Vendors and Partnerships with David Reilly

Speaker 1: 

Welcome to Digital First Leadership. The podcast that focuses on helping leaders and teams understand how to master the language of social media in today's digital-first world. 

Richard Bliss: 

Welcome to the show. I'm Richard Bliss, the host. You're listening to Digital First Leadership Podcast. My guest today is someone who comes to us with a deep background in Finance and Security. David Reilly is the former CTO and CIO of Bank of America where he oversaw technology for both the global banking and global markets business as well as supporting the office of the CFO and the Risk Division. David,  thanks for joining me. 

David Reilly: 

Thank you, Richard. I'm looking forward to the conversation. 

Richard Bliss: 

As am I. David, you and I have had some fascinating conversations in the time that we've known each other and I am thrilled that you're here on this episode of the show because there are so many things I  want to talk about. But before we do that, let's talk just a little bit about your background because I  mentioned Bank of America but formerly you also had some time with Morgan Stanley, Credit Suisse.  Help the audience understand your role and what you did in that and the perspective you bring to the industry in that area. 

David Reilly: 

Sure. Thank you, Richard. I've been fortunate enough to work for a number of the world's largest financial services institutions, Bank of America as you outlined, before that, I was CTO at Morgan Stanley and at Credit Suisse and before that, I spent some time at Goldman Sachs. So my career has been within the global, highly regulated financial services industry. Everything from the consumer lending businesses to high net worth management businesses as well as sales and trading and investment banking and corporate banking. And my role has typically been to serve all of those businesses. So for example, as  CTO, my responsibility was for the infrastructure and the technical services that all of the businesses around the world used. And for a period at Bank of America that included responsibility for the cyber team. 

Richard Bliss: 

It's one thing to be in that role but in the position at the Bank of America, Morgan Stanley, Credit Suisse,  these are all global brands of an intense importance in the finance markets. So it's not just that you had  an important role but you also played an important role in the entire ecosystem of security and data and technology in the world at large. Because you're talking to vendors who are coming to you to deliver solutions, solve problems but you're also providing feedback to them as well, wasn't that the case? 

David Reilly: 

Very much so. It's not possible for companies of that scale to do and nor easy to appropriate for them to deliver all of the services they need directly. And so the partner ecosystem is incredibly important,  figuring out those partnerships where you are truly strategically aligned, where your interest and the interest that the partner are aligned, those were the ones that worked the best. That may be for the delivery of data center services, network services, some cyber protection, data analysis, data security. So  figuring out where that partner ecosystem plays across your strategy is key. 

David Reilly: 

And I always found Richard, when a vendor became a partner, it was when those interests became truly  aligned and for that to happen, I had to ensure that I'd done a good job of explaining the strategic  drivers that I had to support my business. And they had to go do a decent job of listening and figuring  out where they could. And perhaps, even more importantly, Richard, where they couldn't play. So we  could figure out how to get the best from each other and so the whole becoming greater than some of  those two parts. 

Richard Bliss: 

You bring up an interesting issue here and that is for most salespeople or companies, they're going to be  hesitant or loathe to even expose the things they can't do. So how would you, and I know that you've  probably, faced that a lot, like, "Oh, yeah. We can do that." What are you looking for in that  partnership? You've said, you're aligned, how do you measure that alignment and what indicators are  you using to see that? And then also the other question is, how do you know when somebody's calling  BS that you know they can't do what they're promising they can do? 

David Reilly: 

As a general rule of thumb when a partner or before they became a partner, a vendor focused on doing  one or two things really well and didn't try to overreach, as a general rule of thumb that was somebody  we pulled closer. Because we knew we could not do everything on our own partners that were similarly  aligned, meant we could figure out where the synergy would really be. But similarly, the other side of  

that rule of thumb is vendors that told us they could do that and that, "And we can also help you there,"  generally, that dialogue didn't last very long and they never crossed that line between vendor and  partner. The best examples I can come up with Richard, they all shared a couple of attributes in addition,  to being very clear about what they did well in the areas where they felt they would be over their skis,  they weren't ashamed about that, they didn't try to sugarcoat that, they were very direct about that. 

David Reilly: 

And that meant we could get to where they could add truly strategic value, true partnership value much  faster. In addition to that, they all took the time to figure out what were the strategic drivers that we  had in the team. Generally, speaking when we made a decision to buy something, to build something, to  decommission something, to deploy something, there were five drivers that we were thinking through.  And in almost every decision, all five of these drivers played a part. The very best partners were the ones  that took the time to understand these five. And they were not particularly prioritized one through five,  they were situational so for example, reducing expenses and ensuring that we were being as efficient as  we can was one of those five, many partners came and led with that but that's never enough. 

David Reilly: 

If a cost of a service is competitive, if it isn't reliable then it isn't worth buying and that's the second  driver. Costs have to be where you want them to be but services have to work. They have to perform at  speed and they have to be consistent. All of that's great but not enough if that service isn't delivering  capability, that's going to mean that my business could be armed with competitive weaponry in the  marketplace. So the costs of where they should be, the service is reliable and I'm delivering some differentiating capability so my business could win. And even when all of that was true, the fourth one  was risk, none of that works. If I can't manage and control all of the risks and not just cyber risk, digital  risk, talent risk, switching risk, third and fourth party risk. 

David Reilly: 

I may be across the table from that partner, Richard, who does the partner rely on? And increasingly  understanding fourth party and even fifth party risk is becoming crucial not just for CTOs and CIOs but I  think for the entire executive team and increasingly the board, to really understand where the edges of  that service delivery are. And then if all four of those things work great, the fifth was talent. Was I doing  everything I could to develop and retain the technical talent that we needed inside the company? It's  never been tougher to hire and retain great technical talent. When I entered the industry, Richard, if you  could marry technology and financial services, that was really the pinnacle, fast forward to where we are  today that's not the case. If you're a truly excellent technician, you have so many choices. You can go to  the startup route, you can go to the venture route, you can go the pure play technical route. And so  pulling you into financial services, we have to work even harder today to find, develop and retain the  very best talent. 

David Reilly: 

And that lens was when we'd always look through, great we found a partner here, the cost to where  they need to be, the service's reliable, its great capability, risks are understood. Am I going to be able to  use this to free up resources so that my really high end talent can be focused on other problems which  really require the internal team to be 100% focused. And it's the balance across all five, as I think back of  the very best partners I had, it was the ones that figured out, first understood that and then figured out  where they played and they never needed to play in all five to the earlier part of the conversation, you'd  be highly skeptical if someone said they could. But there were examples, NetApp is a really good  example where they were always terrific on the cost front and always terrific on the capability front and  that's where they excelled. 

David Reilly: 

And that was their sweet spot and that's why we grew the account over the years because they knew  how to align to our strategy and they knew what they did well and where they didn't play. And there are  many other partners that went down that same journey. Now, that dialogue can often lead with one of  those things, "We can help you reduce risk or we can help you save money," but you're a vendor if  you're only doing one of those five. If you play in more than one of those spaces, Richard, I think that's  how you turn that corner to become a partner and the partners are the ones you pull closer. The  partners are the ones that you say, "Listen, I've got this other problem I'm trying to solve. I don't even  know where to start, have you got any ideas?" And it opens up the aperture of the dialogue to do so  much more with those partners. 

Richard Bliss: 

And as you're speaking, I'm thinking to our listening audience, to the customers and partners I work  with, you were dealing with some of the largest financial institutions in the world but those five  elements go all the way down to a small organization that's looking to hire or work with some type of  technology partner because almost all companies today are becoming digital software companies. They  have some aspect of software that's impacting their business no matter their size.

David Reilly: 

And it's so true. When I got my first CTO role, I went and talked to over a dozen past CTOs about what  they had learned about doing their job and what they wish they had known when they began on that  CTO journey. And these are the five things that came out. The thing that determines your success or the  thing that will determine that you're not successful is the inability to control price, quality, capability,  risk and nurture the talent. Now, sometimes people use different words but those five, large company  or small company, are ones I've kept coming back to over the last 20 plus years. 

Richard Bliss: 

Now, you've mentioned a couple of times, and I want to dive a little bit deeper into the... Obviously, we  could go on for hours talking about this topic because there's so much to cover here. But you mentioned  one thing and that is, you've mentioned the term risk because in today's world, particularly digital risk,  particularly today, is becoming at the forefront of almost everything we're talking about whether it's the  data risk as you said, if it's cybersecurity risks, how do you as a leader address and deal with and  approach digital risk today? 

David Reilly: 

So I think you have a responsibility as a CIO or a CTO, a responsibility as a member of the executive team  at the company or a responsibility as a board member, Richard, to really explore the edges of where the  digital risk really is and how it's being mitigated. Cyber risk of all those is the best understood and gets,  as it should a tremendous amount of air time in those discussions but there are others, data risk is one.  As we embrace across all industries, more artificial intelligence and more machine learning, the models  that instantiate that AI and ML are trained using a vast amount of data. The more data you can pass  through a model, the better trained it will be, the more efficacy it will deliver to your business, the  better results you will get. How have we thought about data access as we train all of our models? 

David Reilly: 

Now, typically if we are inside a company Richard, you or I, we all have human access to that data.  Sometimes directly to a data store or a data warehouse or a database, sometimes via an application.  And the Enterprise IT teams know how to handle that and they know how to manage that, the ID to the  application, to the data. I'm not as convinced we are as lucid on the risk associated with model access to  data. Have we potentially, over granted those models with access to data? And so I think the risk to be  mindful of here as the teams all work hard and run fast to deliver new capability is to cause them to  pause a moment and think through risks like that. Did we over grant access to data to train the model?  Related to that, have we thought about bias in those models? Have we trained the model in a way to be  perhaps, bias in a certain direction, overly relying on historical data as opposed to new conditions that  could occur? It's really to try and understand where the edges of these digital risks are. 

David Reilly: 

Another would be that third party, fourth party, fifth party risk. How can you ensure that you have  thought through all the chain of software assurance to know where all of that software that you're  using, where all of that modeling you are using came from, what's its chain of custody if you like? And  increasingly I think answering what seems to be a really simple question, Richard, which is an extremely  difficult one to answer for the technical teams is what we might describe as software assurance. How do  you know when you made that change today that your software only did the things you wanted it to do?  A bad change didn't get implemented, the mistake wasn't made or God forbid an attack had occurred and now your software has been adjusted in a way that you hadn't planned to. I think that idea of  software assurance extends the data assurance. There are two of the risks I would say, Richard, that are  emerging, that whether you are a board member or an executive team member, you've increasingly got  to push the technical practitioners to explain how they're both understanding and then mitigating those  risks. 

Richard Bliss: 

Okay. I got to tell you that as I listen to you, it's great information but if I'm a board member or an  executive, I'm feeling helpless after just listening to what you just said because how do you even start  the process of that type of... Now, before I even go there, I think about people who have been on my  show, Peter McKay CEO of Snyk, a company that is at the developer code, finding vulnerabilities as they're introduced. I'm thinking about other companies that are doing cryptocurrency security and other ones. So I see this ecosystem seems to be expanding is that what we need to do is continue to bring in  innovation but be aware of the ecosystem itself that starts to become the protection and not try to fend  just those pinpoint solutions? Because it sounds a bit overwhelming in a leadership role to track down  and be aware of all of this. 

David Reilly: 

As companies become even more digital and the reliance on software is growing even more than it is  today. We've all said for a long time that almost every company is digital company or a data first  company or a software company, it's becoming more and more the case every day. But I think  fundamentally, if you haven't grown up in technology, there are a couple of things to keep in mind. I'm  from that community and one of the things that's true about me and my community in technology,  Richard, is we are gifted at making simple things sound extraordinarily complicated and almost  impossible for a regular human being to keep up. But there are some pretty basic principles I think that  you can employ and its core software isn't that clever. It's a set of instructions, it does what you tell it to  do, it's just ones and zeros. 

David Reilly: 

There isn't a two or a three, it's on or off. And so fundamentally, while the range of outcomes that an  application could deliver can be vast it is always finite. And so I think as a board member or as a non technical practitioner, individual or executive even the governance construct, you have a right to ask,  

"Prove to me that the ones and zeros only did the things it were supposed to do. How do you know that  it only did the things it was supposed to do? Show me how you tested for that. Show me that you  figured out all the way something could work and all the way something could break." I do think  sometimes those questions can be a little hard to ask because they seem almost too basic, they almost  seem, "Well, the team will have thought about that." I think they're helpful questions for the  practitioners to receive because we don't always fly at 30,000 feet, the practitioners will go down a  ground level very quickly in the pace they're working at to deliver capability. 

David Reilly: 

First principle questions about, "Show me that the software only did the things that it was supposed to  do. Show me what you do." If that partner that we've just spent 15 minutes talking about who's  delivering this unbelievable capability to you, what happens if they go away? There are a number of  reasons could go away. They could get bought by someone, we don't feel the same way about, they could experience a financial problem, they could hemorrhage talent. What are you going to do when  they go away? 

David Reilly: 

A good test is if the response you get from the practitioner team to either the question of show me that  the software only did the things it was supposed to do, or what do you do if the partner disappeared  overnight? If the response you get is, "Well, that will never happen, it's much more complicated than  that," You're onto something, keep pushing because there that is what I think from a governance  standpoint and as a practitioner, we increasingly need to ask those questions. I found increasingly in the  last decade that's what I was doing with my own team because they were driving hard around delivering  capability and all teams in all companies, large or small, delivering technology or are incredibly  stretched. These first principle questions, they're perfectly, fine ones to ask and if you don't get lucid  answer, keep going because you're onto something. 

Richard Bliss: 

And David, you remind me of an old movie, it's old not to you and I but to a younger generation, Jurassic  Park. And in the movie and in the book, it's when Malcolm, the chaos scientists, life will find a way when  they're convinced that they don't have a problem because they're measuring the reproduction, "Hey,  look, we have all of the dinosaurs accounted for," but what their software didn't do was account for  additional dinosaurs. It was only looking for, "Have we lost any? Not, did we add any?" Hence, they  weren't able to track and be aware that the dinosaurs... I mean, to use a really basic example, it jumps  to my mind, that was a perfect example of, very complex... It's a movie, it's fake, I realized that. But it  was a great example of being aware of what the software can or cannot do and then proving it to me. 

David Reilly: 

And I worked with a chief risk officer, a brilliant individual who distilled down what his team had to do  was to figure out all the ways that you could win and all the ways that you could lose and make sure that  you had mitigated those to the maximum possible extent and at its core whether it's commerce or IT, I  think that's our oversight responsibility. 

Richard Bliss: 

Yeah. It really is. This has been great for you to share this. It's been deeply insightful. I appreciate you  taking the time. David, thank you so much for spending some time with us today and diving deep into  this. How would people just stay in contact with you, how would they track you down? 

David Reilly: 

They'll find me on LinkedIn. David Reilly, R-E-I-L-L-Y and message me on there. And I'll get back to the  team on anybody that has any questions or would like to follow up after this podcast. 

Richard Bliss: 

This has been great. David, thank you so much for your time. I really appreciated it. 

David Reilly: 

Thank you, Richard. I really enjoyed it. Thanks so much.

Speaker 1: 

You've been listening to Digital First Leadership, the podcast where you learn to leverage and build your  expertise on digital platforms. For more valuable tips on mastering the language of social media,  subscribe to our newsletter at blisspointconsult.com. If you'd like to stay in touch, feel free to add  Richard on LinkedIn and join the conversation.