Digital-First Leadership
Digital-First Leadership
Ep. 21- Vendors and Partnerships with David Reilly
In this episode, Richard Bliss and his guest, David Reilly, discuss what goes into forming partnerships between companies. They dive into what it takes for a vendor to become a partner and what companies look for when deciding which vendors will turn that corner to become partners.
Host: Richard Bliss
Guest: David Reilly
Podcast Manager: Kimberly Smith
Follow Richard Bliss on LinkedIn: https://www.linkedin.com/in/bliss/
Find David Reilly on LinkedIn: https://www.linkedin.com/in/reillydavid1/
Speaker 1:
Welcome to Digital First Leadership. The podcast that focuses on helping leaders and teams understand how to master the language of social media in today's digital-first world.
Richard Bliss:
Welcome to the show. I'm Richard Bliss, the host. You're listening to Digital First Leadership Podcast. My guest today is someone who comes to us with a deep background in Finance and Security. David Reilly is the former CTO and CIO of Bank of America where he oversaw technology for both the global banking and global markets business as well as supporting the office of the CFO and the Risk Division. David, thanks for joining me.
David Reilly:
Thank you, Richard. I'm looking forward to the conversation.
Richard Bliss:
As am I. David, you and I have had some fascinating conversations in the time that we've known each other and I am thrilled that you're here on this episode of the show because there are so many things I want to talk about. But before we do that, let's talk just a little bit about your background because I mentioned Bank of America but formerly you also had some time with Morgan Stanley, Credit Suisse. Help the audience understand your role and what you did in that and the perspective you bring to the industry in that area.
David Reilly:
Sure. Thank you, Richard. I've been fortunate enough to work for a number of the world's largest financial services institutions, Bank of America as you outlined, before that, I was CTO at Morgan Stanley and at Credit Suisse and before that, I spent some time at Goldman Sachs. So my career has been within the global, highly regulated financial services industry. Everything from the consumer lending businesses to high net worth management businesses as well as sales and trading and investment banking and corporate banking. And my role has typically been to serve all of those businesses. So for example, as CTO, my responsibility was for the infrastructure and the technical services that all of the businesses around the world used. And for a period at Bank of America that included responsibility for the cyber team.
Richard Bliss:
It's one thing to be in that role but in the position at the Bank of America, Morgan Stanley, Credit Suisse, these are all global brands of an intense importance in the finance markets. So it's not just that you had an important role but you also played an important role in the entire ecosystem of security and data and technology in the world at large. Because you're talking to vendors who are coming to you to deliver solutions, solve problems but you're also providing feedback to them as well, wasn't that the case?
David Reilly:
Very much so. It's not possible for companies of that scale to do and nor easy to appropriate for them to deliver all of the services they need directly. And so the partner ecosystem is incredibly important, figuring out those partnerships where you are truly strategically aligned, where your interest and the interest that the partner are aligned, those were the ones that worked the best. That may be for the delivery of data center services, network services, some cyber protection, data analysis, data security. So figuring out where that partner ecosystem plays across your strategy is key.
David Reilly:
And I always found Richard, when a vendor became a partner, it was when those interests became truly aligned and for that to happen, I had to ensure that I'd done a good job of explaining the strategic drivers that I had to support my business. And they had to go do a decent job of listening and figuring out where they could. And perhaps, even more importantly, Richard, where they couldn't play. So we could figure out how to get the best from each other and so the whole becoming greater than some of those two parts.
Richard Bliss:
You bring up an interesting issue here and that is for most salespeople or companies, they're going to be hesitant or loathe to even expose the things they can't do. So how would you, and I know that you've probably, faced that a lot, like, "Oh, yeah. We can do that." What are you looking for in that partnership? You've said, you're aligned, how do you measure that alignment and what indicators are you using to see that? And then also the other question is, how do you know when somebody's calling BS that you know they can't do what they're promising they can do?
David Reilly:
As a general rule of thumb when a partner or before they became a partner, a vendor focused on doing one or two things really well and didn't try to overreach, as a general rule of thumb that was somebody we pulled closer. Because we knew we could not do everything on our own partners that were similarly aligned, meant we could figure out where the synergy would really be. But similarly, the other side of
that rule of thumb is vendors that told us they could do that and that, "And we can also help you there," generally, that dialogue didn't last very long and they never crossed that line between vendor and partner. The best examples I can come up with Richard, they all shared a couple of attributes in addition, to being very clear about what they did well in the areas where they felt they would be over their skis, they weren't ashamed about that, they didn't try to sugarcoat that, they were very direct about that.
David Reilly:
And that meant we could get to where they could add truly strategic value, true partnership value much faster. In addition to that, they all took the time to figure out what were the strategic drivers that we had in the team. Generally, speaking when we made a decision to buy something, to build something, to decommission something, to deploy something, there were five drivers that we were thinking through. And in almost every decision, all five of these drivers played a part. The very best partners were the ones that took the time to understand these five. And they were not particularly prioritized one through five, they were situational so for example, reducing expenses and ensuring that we were being as efficient as we can was one of those five, many partners came and led with that but that's never enough.
David Reilly:
If a cost of a service is competitive, if it isn't reliable then it isn't worth buying and that's the second driver. Costs have to be where you want them to be but services have to work. They have to perform at speed and they have to be consistent. All of that's great but not enough if that service isn't delivering capability, that's going to mean that my business could be armed with competitive weaponry in the marketplace. So the costs of where they should be, the service is reliable and I'm delivering some differentiating capability so my business could win. And even when all of that was true, the fourth one was risk, none of that works. If I can't manage and control all of the risks and not just cyber risk, digital risk, talent risk, switching risk, third and fourth party risk.
David Reilly:
I may be across the table from that partner, Richard, who does the partner rely on? And increasingly understanding fourth party and even fifth party risk is becoming crucial not just for CTOs and CIOs but I think for the entire executive team and increasingly the board, to really understand where the edges of that service delivery are. And then if all four of those things work great, the fifth was talent. Was I doing everything I could to develop and retain the technical talent that we needed inside the company? It's never been tougher to hire and retain great technical talent. When I entered the industry, Richard, if you could marry technology and financial services, that was really the pinnacle, fast forward to where we are today that's not the case. If you're a truly excellent technician, you have so many choices. You can go to the startup route, you can go to the venture route, you can go the pure play technical route. And so pulling you into financial services, we have to work even harder today to find, develop and retain the very best talent.
David Reilly:
And that lens was when we'd always look through, great we found a partner here, the cost to where they need to be, the service's reliable, its great capability, risks are understood. Am I going to be able to use this to free up resources so that my really high end talent can be focused on other problems which really require the internal team to be 100% focused. And it's the balance across all five, as I think back of the very best partners I had, it was the ones that figured out, first understood that and then figured out where they played and they never needed to play in all five to the earlier part of the conversation, you'd be highly skeptical if someone said they could. But there were examples, NetApp is a really good example where they were always terrific on the cost front and always terrific on the capability front and that's where they excelled.
David Reilly:
And that was their sweet spot and that's why we grew the account over the years because they knew how to align to our strategy and they knew what they did well and where they didn't play. And there are many other partners that went down that same journey. Now, that dialogue can often lead with one of those things, "We can help you reduce risk or we can help you save money," but you're a vendor if you're only doing one of those five. If you play in more than one of those spaces, Richard, I think that's how you turn that corner to become a partner and the partners are the ones you pull closer. The partners are the ones that you say, "Listen, I've got this other problem I'm trying to solve. I don't even know where to start, have you got any ideas?" And it opens up the aperture of the dialogue to do so much more with those partners.
Richard Bliss:
And as you're speaking, I'm thinking to our listening audience, to the customers and partners I work with, you were dealing with some of the largest financial institutions in the world but those five elements go all the way down to a small organization that's looking to hire or work with some type of technology partner because almost all companies today are becoming digital software companies. They have some aspect of software that's impacting their business no matter their size.
David Reilly:
And it's so true. When I got my first CTO role, I went and talked to over a dozen past CTOs about what they had learned about doing their job and what they wish they had known when they began on that CTO journey. And these are the five things that came out. The thing that determines your success or the thing that will determine that you're not successful is the inability to control price, quality, capability, risk and nurture the talent. Now, sometimes people use different words but those five, large company or small company, are ones I've kept coming back to over the last 20 plus years.
Richard Bliss:
Now, you've mentioned a couple of times, and I want to dive a little bit deeper into the... Obviously, we could go on for hours talking about this topic because there's so much to cover here. But you mentioned one thing and that is, you've mentioned the term risk because in today's world, particularly digital risk, particularly today, is becoming at the forefront of almost everything we're talking about whether it's the data risk as you said, if it's cybersecurity risks, how do you as a leader address and deal with and approach digital risk today?
David Reilly:
So I think you have a responsibility as a CIO or a CTO, a responsibility as a member of the executive team at the company or a responsibility as a board member, Richard, to really explore the edges of where the digital risk really is and how it's being mitigated. Cyber risk of all those is the best understood and gets, as it should a tremendous amount of air time in those discussions but there are others, data risk is one. As we embrace across all industries, more artificial intelligence and more machine learning, the models that instantiate that AI and ML are trained using a vast amount of data. The more data you can pass through a model, the better trained it will be, the more efficacy it will deliver to your business, the better results you will get. How have we thought about data access as we train all of our models?
David Reilly:
Now, typically if we are inside a company Richard, you or I, we all have human access to that data. Sometimes directly to a data store or a data warehouse or a database, sometimes via an application. And the Enterprise IT teams know how to handle that and they know how to manage that, the ID to the application, to the data. I'm not as convinced we are as lucid on the risk associated with model access to data. Have we potentially, over granted those models with access to data? And so I think the risk to be mindful of here as the teams all work hard and run fast to deliver new capability is to cause them to pause a moment and think through risks like that. Did we over grant access to data to train the model? Related to that, have we thought about bias in those models? Have we trained the model in a way to be perhaps, bias in a certain direction, overly relying on historical data as opposed to new conditions that could occur? It's really to try and understand where the edges of these digital risks are.
David Reilly:
Another would be that third party, fourth party, fifth party risk. How can you ensure that you have thought through all the chain of software assurance to know where all of that software that you're using, where all of that modeling you are using came from, what's its chain of custody if you like? And increasingly I think answering what seems to be a really simple question, Richard, which is an extremely difficult one to answer for the technical teams is what we might describe as software assurance. How do you know when you made that change today that your software only did the things you wanted it to do? A bad change didn't get implemented, the mistake wasn't made or God forbid an attack had occurred and now your software has been adjusted in a way that you hadn't planned to. I think that idea of software assurance extends the data assurance. There are two of the risks I would say, Richard, that are emerging, that whether you are a board member or an executive team member, you've increasingly got to push the technical practitioners to explain how they're both understanding and then mitigating those risks.
Richard Bliss:
Okay. I got to tell you that as I listen to you, it's great information but if I'm a board member or an executive, I'm feeling helpless after just listening to what you just said because how do you even start the process of that type of... Now, before I even go there, I think about people who have been on my show, Peter McKay CEO of Snyk, a company that is at the developer code, finding vulnerabilities as they're introduced. I'm thinking about other companies that are doing cryptocurrency security and other ones. So I see this ecosystem seems to be expanding is that what we need to do is continue to bring in innovation but be aware of the ecosystem itself that starts to become the protection and not try to fend just those pinpoint solutions? Because it sounds a bit overwhelming in a leadership role to track down and be aware of all of this.
David Reilly:
As companies become even more digital and the reliance on software is growing even more than it is today. We've all said for a long time that almost every company is digital company or a data first company or a software company, it's becoming more and more the case every day. But I think fundamentally, if you haven't grown up in technology, there are a couple of things to keep in mind. I'm from that community and one of the things that's true about me and my community in technology, Richard, is we are gifted at making simple things sound extraordinarily complicated and almost impossible for a regular human being to keep up. But there are some pretty basic principles I think that you can employ and its core software isn't that clever. It's a set of instructions, it does what you tell it to do, it's just ones and zeros.
David Reilly:
There isn't a two or a three, it's on or off. And so fundamentally, while the range of outcomes that an application could deliver can be vast it is always finite. And so I think as a board member or as a non technical practitioner, individual or executive even the governance construct, you have a right to ask,
"Prove to me that the ones and zeros only did the things it were supposed to do. How do you know that it only did the things it was supposed to do? Show me how you tested for that. Show me that you figured out all the way something could work and all the way something could break." I do think sometimes those questions can be a little hard to ask because they seem almost too basic, they almost seem, "Well, the team will have thought about that." I think they're helpful questions for the practitioners to receive because we don't always fly at 30,000 feet, the practitioners will go down a ground level very quickly in the pace they're working at to deliver capability.
David Reilly:
First principle questions about, "Show me that the software only did the things that it was supposed to do. Show me what you do." If that partner that we've just spent 15 minutes talking about who's delivering this unbelievable capability to you, what happens if they go away? There are a number of reasons could go away. They could get bought by someone, we don't feel the same way about, they could experience a financial problem, they could hemorrhage talent. What are you going to do when they go away?
David Reilly:
A good test is if the response you get from the practitioner team to either the question of show me that the software only did the things it was supposed to do, or what do you do if the partner disappeared overnight? If the response you get is, "Well, that will never happen, it's much more complicated than that," You're onto something, keep pushing because there that is what I think from a governance standpoint and as a practitioner, we increasingly need to ask those questions. I found increasingly in the last decade that's what I was doing with my own team because they were driving hard around delivering capability and all teams in all companies, large or small, delivering technology or are incredibly stretched. These first principle questions, they're perfectly, fine ones to ask and if you don't get lucid answer, keep going because you're onto something.
Richard Bliss:
And David, you remind me of an old movie, it's old not to you and I but to a younger generation, Jurassic Park. And in the movie and in the book, it's when Malcolm, the chaos scientists, life will find a way when they're convinced that they don't have a problem because they're measuring the reproduction, "Hey, look, we have all of the dinosaurs accounted for," but what their software didn't do was account for additional dinosaurs. It was only looking for, "Have we lost any? Not, did we add any?" Hence, they weren't able to track and be aware that the dinosaurs... I mean, to use a really basic example, it jumps to my mind, that was a perfect example of, very complex... It's a movie, it's fake, I realized that. But it was a great example of being aware of what the software can or cannot do and then proving it to me.
David Reilly:
And I worked with a chief risk officer, a brilliant individual who distilled down what his team had to do was to figure out all the ways that you could win and all the ways that you could lose and make sure that you had mitigated those to the maximum possible extent and at its core whether it's commerce or IT, I think that's our oversight responsibility.
Richard Bliss:
Yeah. It really is. This has been great for you to share this. It's been deeply insightful. I appreciate you taking the time. David, thank you so much for spending some time with us today and diving deep into this. How would people just stay in contact with you, how would they track you down?
David Reilly:
They'll find me on LinkedIn. David Reilly, R-E-I-L-L-Y and message me on there. And I'll get back to the team on anybody that has any questions or would like to follow up after this podcast.
Richard Bliss:
This has been great. David, thank you so much for your time. I really appreciated it.
David Reilly:
Thank you, Richard. I really enjoyed it. Thanks so much.
Speaker 1:
You've been listening to Digital First Leadership, the podcast where you learn to leverage and build your expertise on digital platforms. For more valuable tips on mastering the language of social media, subscribe to our newsletter at blisspointconsult.com. If you'd like to stay in touch, feel free to add Richard on LinkedIn and join the conversation.