The EXA Consulting Group sponsored a cybersecurity conference at the Telfer School of Management on March 3, 2020 to facilitate a timely conversation about the current and future state of Canada’s defence procurement. Canadian Defence Procurement, and its approach to cybersecurity, was center stage as a high-profile expert panel weighed in on the challenges faced not only by our country, but also by industry and governments worldwide. The ability to survive and continue business processes in a cyberattack rich environment, and the Canadian government’s procurement process were the key topics of discussion in this event.

Experts in cybersecurity and defence procurement painted a sobering reality that national security is inescapably dependent on agile cyber systems, and the Canadian defence procurement system is not ideally suited to address these challenges. The esteemed panel included:

1. Alex McPhail, President and CEO of the EXA Consulting Group
2. Telfer Alumnus Alkarim Amlani, Director of Cyber Operations at General Dynamics Mission Systems-Canada‍‍
3. ‍Retired Brigadier General Paul Rutherford, former Director General Information Management Operations and Joint Force Cyber Component Commander, Canadian Armed Forces‍
4. Bob Gordon, Executive Director of the Canadian Cyber Threat Exchange (CCTX)
5. ‍Stephanie Carvin, Assistant Professor of International Affairs, Norman Paterson School of International Affairs‍
6. Professor Greg Richards, Executive MBA Director at the Telfer School of Management, University of Ottawa, opened the event and welcomed the participants

EXA President Alex McPhail next provided a broad overview of complex government procurement process and how that process faces challenges as industries, governments, and militaries broaden their awareness and practices to include cyber-resilience. The expert panel then addressed several key issues surrounding this topic of increasing importance.

Over 50 government, industry, and academic attendees participated in the event, and engaged the panel with many questions until the allotted time forced the closure of the Q&A period.

The conference was organized by Samuel Associates on behalf of EXA Consulting Group.

The EXA Consulting Group, represented by its President, Alex McPhail, hosted and moderated its second annual cybersecurity conference on May 12, 2021. This year, the event focused on Agile Procurement and Cyber Space and included expert speakers from government, industry, and the NGO sectors to discuss this challenge.

Mr.McPhail’s opening remarks set the stage for the urgent need for Agile Procurement. Traditional procurements determine requirements before the procurement and development processes. They are output-based, meaning the client measures success based on what the contractor delivers. Traditional procurement risks delivering cyber solutions that become obsolete years before they go into service.

Agile Procurement is an iterative process that incrementally specifies and designs the solution in each cycle. It is outcomes-based, meaning the client measures success based on what he can do with what the contractor delivered. Agile Procurement addresses obsolescence at each cycle, ensuring the client receives a relevant and usable capability.

He concluded his opening remarks by asking what the cost of doing nothing is in an era where cyber threat obsolescence is measured in days, not years. "How long," he challenged, "can governments sustain traditional procurement in the Era of Cyber?"

"Agile Procurement is not new," asserted Syed Hasan, Acting Director of theInnovation and Agile Procurement Directorate at Public Services and Procurement Canada. From a government perspective, Agile Procurement consists of four factors:

·      an iterative approach for deliverables,

·      a focus on outcomes,

·      cross-functional teams, and

·      collaboration with suppliers.

While Agile is successful, it may not be suitable for every product or procurement case.

Mr.Hasan dispelled several myths about Agile Procurement:

Myth:   Agile Procurement is fast.

Fact:     Agile is more responsive to changes during the process, but it may not be faster overall.

Myth:   You do not need to plan.

Fact:     Agile requires careful, detailed planning, both in advance and during the process.

Myth:   Agile eliminates risks.

Fact:     Agile breaks bigger risks into smaller risks that you can address more easily.

Myth:   Agile prevents failure.

Fact:     Agile lets you fail faster on a smaller scale and then learn, adapt, and move forward.

Historically, Agile Procurement existed but without its current name. In the United States Military, many programs and weapons were developed in such a manner, outside of the conventional-traditional system, as Eric Lofgren, Senior Fellow at George Mason University Center for Government Contracting, explained. The threats we face are continuously increasing, and there is a need to change the existing processes. "The good news is that we have already done it before. We have to reprioritize what we really want," John Scott, President of Ion Channel and Fellow in New America's Cybersecurity Initiative, reassured.

For Shared Services Canada (SSC), the goal is to achieve outcomes through a collaborative and secure ecosystem. Chris Wharram, Director of Infrastructure Security Planning and Capability Development at SSC, went further by adding that it helps "to incentivize meaningful feedback from industry, to encourage competition." He asserted that it also gives the ability to focus more on technical superiority rather than just focusing on the budget itself. The general goal added Gary Cooper, Cyber Security Procurement at SSC, was to create a cybersecurity vehicle. The idea behind it was to "create a secure supplier ecosystem," as Mr. Cooper worded it. With the use of agate-type mechanism, they now have a pool of 89 trustworthy vendors. "Cyber threat actors are real," he stressed. Therefore, it is essential to focus on collaboration. There is still room for improvement.

Bob Gordon, Executive Director of the Canadian Cyber Threat Exchange, offered a different but equally relevant perspective. "If you are connected, you are vulnerable."  Cyber attackers are rapidly evolving and opportunistic. There is a different range of these threat actors such as state espionage, criminals stealing intellectual property, committing fraud, and holding networks for ransom.  For Mr.Gordon, the way to overcome these threats is through collaboration and the institutionalization of sharing information regarding cyberthreat through sectors and various groups of people.

Marc Duchesne, Vice President of Bell Canada, offered a different but critically relevant perspective: you are only as secure as your weakest link.  Deep investment and trust in supplier relationships lie at the heart of Agile Procurement. You need trusted suppliers with the knowledge, speed, and accuracy to take the appropriate measures swiftly to protect the community of enterprises, Mr. Duchesne explained.  

Jen O’Donoughue, RCMP Chief Financial Officer, explained that, while Agile Procurement works, outcomes are harder to define than you might think.  The process starts with careful and complex trade-off analyses before stakeholders can agree upon a set of outcomes. She further explained that solid risk management is pivotal to Agile Procurement success, both at the outset and at every stage. Finally, relationships with suppliers are a key success factor.

In his closing remarks, Mr. McPhail observed how different each person’s perspective was and how valuable and critical they were to synthesizing a coherent understanding of Agile Procurement in the era of cyber. Successful Agile Procurement requires a collaborative approach among many stakeholders across a wide range of disciplines and responsibilities.