Supply Chain
Technology Podcast

EPISODE 36 | The Government's Role in AI Regulation and Driving IoT Adoption

Steve Orrin

Federal Chief Technology Officer and Senior Principal Engineer

This episode gives us insights into the government’s role in advancing technology and how they can influence widespread adoption. We also discuss the security risks from digitizing physical assets, the impact of past crises on security innovations, and the role of security in integrating AI. And finally, Steve shares how companies can differentiate between AI hype and practical solutions.


Author 
Scott Mears
Senior Marketing Manager   

SUMMARY KEYWORDS

IoT devices, government support, security risks, supply chain, AI integration, cybersecurity, visibility, predictive maintenance, cost challenges, integration complexity, stakeholder involvement, government policies, common requirements, trust in AI, practical solutions.

SPEAKERS

Scott Mears, Steve Orrin

 

Scott Mears  00:00

Do you think IoT devices will become a standard requirement for all businesses within the next five years? Thumbs up. Do you believe the government is doing enough to support the adoption of new technologies in the private sector? Thumbs down. Should the governments prioritize security over innovation when it comes to regulating new technologies?

 

Steve Orrin  00:21

No, I think they should be equal. So thumb in the middle.

 

Scott Mears  00:25

Thumb in the middle. Oh, breaking the system. I like it. Welcome to the Supply Chain Tech Podcast with Roambee. Scott Mears here, Senior Marketing Manager at Roambee, and your host. We thank you for joining us today. In this episode, we speak with Steve Orrin. Steve is the Federal Chief Technology Officer and Senior Principal Engineer at Intel Corporation. This episode gives us insights into the government’s role in advancing technology and how they can influence widespread adoption. We also discuss the security risks from digitizing physical assets, the impact of past crises on security innovations, the role of security in integrating AI. And finally, Steve shares how companies can differentiate between AI hype and practical solutions. Welcome to the podcast, Steve, it’s great to have you on the podcast today.

 

Steve Orrin  01:25

It’s a pleasure to be here. Thank you.

 

Scott Mears  01:27

Fantastic. We have a really interesting episode today, because we’re going to be able to really get a chance to get real insight into the government’s role in advancing technology and how they can influence widespread technology adoption, and we’ll also discuss a lot of high level, you know, security, how security is evolving to deal with the increasing threats around the world. And I cannot wait to get into this, because this is a topic we’ve not been able to dive into as much on this podcast. So I’m very excited, you know, to have someone with your caliber on today. But before we do dive into that, we always like to start with a fun icebreaker. It lets us know a little bit more about the person in front of us. So I would love to kick off with, what would you say is the most surprising thing you’ve learned about cyber security that maybe most people wouldn’t know about?

 

Steve Orrin  02:20

So Scott, it’s a really good question. I think there are probably two things that sort of come to mind. One is something that I’ve learned later in my career, which is that oftentimes organizations don’t leverage the full extent of the security offerings that they’ve acquired or they have. They just don’t turn on the features or deploy the security capabilities that they’ve already acquired, or that are already built into many of the platforms and technologies that they’re leveraging today. Every piece of hardware, every cloud service, most of your software apps and enterprise applications have a variety of security controls built in, and they just don’t leverage them, or to the full extent they could, or they flip on the minimum to get them up and running. And I think we’ve seen in some of the major attacks that oftentimes they had the right tools, they just weren’t monitoring them correctly, or they hadn’t deployed the sensors to the right place. I think that’s one of the things I’ve learned over the course of many years working in cybersecurity, that oftentimes just organizations aren’t fully leveraging what they have. And I think it connects to the other one that I actually learned very early in my career. And it’s really that, you know, complexity is the bane of security. And one of my early mentors, Dan Geer, mentioned to me as I was building one of my first security products, my startups back in the day, he said, for every button that you require a user to click, you lose half your users when it comes to security, anything. Every step you ask them to do, above, beyond what they’re trying to do, you’re going to lose. 
You know, his maxim was half, and what he was hinting at is the more steps, the more complexity you introduce to someone as you’re trying to secure their application or secure the process while they’re trying to do, their business, their job, whatever they’re trying to accomplish, significantly reduces the effectiveness, because people are just not going to do it, or a vast majority of them. And those two things are actually interestingly connected. And so I think that lesson I learned as I was building security products, about the complexity, really comes to full circle when you look at how organizations are deploying it. It holds true. They’re just not leveraging all the features, and oftentimes it’s because it’s too complex, takes too much time. It’s not well integrated, takes too much work. And so one of the key learnings that I’ve learned over my career that really is enlightening is that we as a total industry, both the organizations using security products and the vendors delivering them have to do a better job of making them more seamlessly integrate into the existing environment.

 

Scott Mears  04:48

That’s an interesting one to hear, because I feel your answer relates to so much as well. You know, not just with solutions, but even with, you know, within marketing, like you said, you’re trying to drive submissions, you know, drive people to your events, you know. And I’m finding user experience of platforms is coming up again and again. I think with the drive of, you know, these tools like ChatGPT and the other AI tools, people are seeing the ease this can bring and how quickly things can just give you those answers without having to go through 6, 7, 8, you know, 9 clicks or hours of research. So I think what you’re saying really rings true right now. People are starting to, I think people are starting to wake up to that now as well.

 

Steve Orrin  05:35

Absolutely, of course, the flip side is, is that, you know, the easy button doesn’t always give you reality. And so that’s one of the challenges with AI is that you can get an answer, but how do you know that that is the correct answer? And that’s oftentimes the balance. When you look at it in a correlated security, the simplest solutions often don’t give you the more complete security. So it’s that balance of, how do I get the maximum amount of security with the least amount of investment or the minimum amount necessary to be successful, and that balance is really the ongoing challenge as an industry that we continue to have.

 

Scott Mears  06:07

Interesting. I feel we’re gonna dive back into that throughout the episode as well. I feel like that might be a mainstay throughout the episode. So definitely, listeners, keep an ear out for that. And I’m actually gonna dive straight into security. You know, we’ve broken this episode up a little bit into different sections. But really security, I want to dive, you know, we’re there. I want to dive in there. And I want to understand, you know, with, you know, what do you feel are the main security risks you see from more physical assets becoming digitized in supply chains?

 

Steve Orrin  06:42

So Scott, I think the best way to answer that is really there are three aspects to that, to the types of risks. One is from their own supply chains. As we’ve seen over the past five years, the supply chains of the technologies and products that organizations are adopting have their own risks, whether you want to mention SolarWinds or Log4j or any of the major ones, as well as thousands of smaller incidents. Understanding the supply chain of those digital assets, those physical assets that are being digitized, the technologies that manage them, is a key risk, and it’s one that hasn’t been well addressed for a long time, and that requires visibility into the supply chain of those parts. It requires visibility into your organization of what products you have under management, and what the vulnerabilities are at any given time. And so the supply chain of those digitized assets is the first major risk that I would highlight as a key growing one. The other is, as we find more things becoming digitized, is the lack of segmentation. Everything is all running on the same network, and therefore you have the same security policy, the same controls, the same monitoring for everything. And the problem is, is that not everything requires the same level of diligence, and not everything has the same value. Oftentimes you’ll have assets that have less security capabilities running on the same systems that are highly sensitive. And so segmentation is one of the key controls that organizations are looking at today to help minimize the risk by being able to segment the high security assets from the low security or the ones that they can’t secure as well, and minimize access, minimize the network connectivity, and then when something goes wrong, which eventually it will, you can minimize the impact by keeping it contained within those segments. And then the last one. 
And this is something we’re seeing a lot in the IoT space, as physical assets either become digitized themselves or get overlays of things that can sort of digitize the outputs, is a lack of basic security controls. You think about IoT devices and the myriad of those, even in the space of when you’re taking industrial systems and controls and trying to digitize or provide management access to them, you often find that they lack some of the basic things, basic hygiene, whether that be authentication, secure protocols for the network, being able to do firmware signing, management, logging, auditing, all the sort of basics of IT security are oftentimes not available in these constrained devices and these IoT. I’ll give you a great example. When my firstborn was born, we were looking for a baby monitor to put in his room, to connect over the internet, over our local Wi-Fi, to be able to monitor like everyone else does. And of course, I wanted one that was secure. And I thought, oh, I’ll just go find one, and it will, it will have... no, it didn’t have any security. I spent the first four or five months of his life looking for the right security camera that had basic Wi-Fi authentication, allowed me to create a custom password or authentication token, used security for its communications, simple, basic stuff. Finally, I found one, but it took, like I said, four to five months of research, and it was actually a CCTV company and one that made industrial cameras for surveillance that had decided to, you know, take a step into the internal monitoring in the household. So they took one of their industrial grade ones and sort of packaged it up as a friendly version for inside the house, and it had all the security features. Now that company’s got a whole line of them for baby monitoring and at home surveillance, but it took a lot of effort. 
I think that was indicative of when you look at a lot of these devices, they’re just not being built for security or with the basic security capabilities that you would need to properly integrate them into a security posture in our organization.

 

Scott Mears  10:37

I love that example. I can’t believe it took you that long as well. You know, that really does give you insight into the problem. And it’s, you know, it’s one that we need to be aware of. You know, it’s one that I think we’re going to realize is a much more serious one than maybe some of us realize throughout this episode, and I want to understand as well, with past crises, you know, even going back to, you know, post-9/11, you know, and the crises you see even happening now, how do you feel this accelerates security innovations, and what parallels do you see today?

 

Steve Orrin  11:23

So I think one of the things, and whether it be the post-9/11 era or any of the major crises we’ve had, even during COVID, when we looked at the change in supply chain access, the remote work and work from home, and all the changes in how we access our systems, have spawned a variety of security innovations, and really that is married to, or really tied to, the increase in the threat landscape. So every time we look at the growth of security innovations, the number of products and vendors and technologies, oftentimes it matches to a significant increase in the threat, and whether that threat is from a set of adversaries that have started targeting systems and networks or grown in their targeting or in a new surface area of attack that wasn’t well addressed before. So before IoT was a big thing, you didn’t have that threat to your organization. Before you had, you know, even before you had Wi-Fi or web, those weren’t major threats. As those new technologies came online, they introduced a whole new category of the threats and potential impacts to organizations. So as the risk goes up, we see security innovation go up. Of course, the challenge with the rapid growth of the number of products and vendors that are addressing those risks is the complexity, like we said earlier, in managing and integrating those into our enterprise applications, into our enterprise environment and our security controls. And so we see this balance of, you know, an increase in a certain threat, whether it be the surface area or the kind of threat, rapid innovation, and then, when you get over that hype curve, then it’s, well, how do we get to scale? How do we get to operationalization? And that’s the, you know, we’re often going back to the chasm of death, of crossing that valley. 
It’s the products and technologies that have thought about, how do I go from a point solution to being integrated into basic operations of addressing risk the what the CIO and CISO need is linking those worlds, those worlds together, are what we see as successful implementations that you know, cross the valley and get into rapid deployment. And we’ll see that constants are up and down of innovation as every technology revolution we’re living through. One right now, with the introduction of AI G Iots, we have these multiple forces that are driving new threats, increased landscape for attack and the integration of these parts, where one of the maxims in security is that you can have really secure things, but when you integrate them together, everything falls apart. It’s security at the seams, which is really one of the challenges. And so that is where, you know, we need more innovation, I think, is, how do I protect from the integration of these different technology regimes and the security that each one needs, which often is very different of how it’s applied.

 

Scott Mears  14:19

It’s really interesting you note that. I think people would look at it more siloed, with the security of the individual innovations, whereas you’re saying, no, you’re missing the seams. That’s a really interesting takeaway there. Yeah, it seems to be, you know, something that we’re missing and, you know, naturally, we’re wanting to integrate these systems. Companies are wanting to, you know, become more integrated, to make everything more seamless. So it’s going to happen, and it is happening. So it really needs to be identified. And actually, my next question is on integration. I would really want to know, what role do you feel security plays in the successful integration of new technologies, like AI in supply chains and the other technologies you mentioned?

 

Steve Orrin  15:08

So I think the role is, as always, needs to be there. I think one of the challenges is that we often think about security way late in the process. We’ve adopted a technology, we’ve tested it out, we start to deploy it, and then somebody somewhere says, oh, wait a second, we’re accessing secure data. I need to protect it, or this is going on our live website. What is the security? And by that point, it is way too late. A, you’ve already built the application. B, you’re already trying to get it out in the market, and security becomes a bottleneck. And so one of the key roles of security is to be there at the start. It’s an old time maxim. Bruce Schneier, one of my other early mentors, beat this into me. You’ve got to build security in from the get go, and that’s at the developer stage. It’s even earlier. It’s in the requirements definition. And there’s been a lot of really good reports over the last 10 years. MITRE had one called Deliver Uncompromised, which was a good report that really talks to the need of having security as a requirement is the way to success on getting it integrated into these technologies. And the reason is, is that, as we know, in the security industry, time to market will trump security 100% of the time. But if security is a requirement and there’s like it, the button needs to work when I push it on the screen, the data has to flow and it needs to be secured. It’s built into the requirements document. Then the developers, the testers, the deployment, the SecDevOps can work together, has a requirement to make it secure, to implement the security features to turn on whatever is necessary to encrypt the data, to have authentication and have logging. 
If it’s part of the requirements, it will drive the process more naturally, because just like making sure the button pushes, making sure you have encryption turned on will be a feature designed in. And so the real role of security is to be a part of the process from the very beginning, and the path to success there is, when you’re building out your new or adopting these new technologies, is having a diverse group of people part of that process. Oftentimes we have the developers. Maybe the business unit is providing their input on what they want the outcome to be. But having security and compliance part of the conversation, having legal, having finance, so everyone is number one has their ability to provide their requirements or their needs or the outcomes they’re looking for, to help guide the overall integration and deployment of that new technology. And what that will mean is downstream, you have a product that’s more ready to go and more ready to scale, because you’ve already addressed the concerns of the key stakeholders, and security is one of those key stakeholders, whether it’s directly from a security perspective or, more often than not, it’s a compliance and business reliability perspective that security ultimately is the building block for. So again, building it in from the start is the role, and have security part of the process.

 

Scott Mears  18:03

I like that, you know, the solution is very straightforward. You know, like you said at the start, don’t make it complex. It’s very straightforward. It’s just being a diverse team, you know, integrating all the stakeholders in, in the build of the solution. And, you know, but we do see this. This doesn’t happen in security. Isn’t, you know, taken as priority, because maybe the speed to market. They just want to get this to market. They want to get it in hands. What do you feel will drive that? Want to have it in these solutions? Do we have to have more events like, you know, like 9/11 or why do you think there’s other ways that can drive that?

 

Steve Orrin  18:46

So I think there are a couple of key pressures or things that are going to drive better security for these applications and integrations of new technologies. And it’s going to come from a couple angles. There are going to need to be more cyber events. I mean, the SolarWinds was a wake up call for the entire industry about supply chain security, and shortly thereafter, Log4j sort of put the nail in the coffin that we’ve got to do something here. And so sometimes it takes an event. The ransomware that we’ve seen in the last several years are opening the eyes, not of the security people, they already knew, and not even the developer. It’s the board, it’s the C suite that’s really come to understand the impact to their business when a hospital can’t operate because of a ransomware attack, when a meat packing company in Australia shuts down processing because of a digital attack, that is something that’s a wake up call for the C suite. You know, interesting. I’ll pick on some of these ransomwares. There’s a really good learnings from that. We saw Colonial Pipeline happen a number of, a few years ago, where the East Coast of the US gas distribution was shut down because of ransomware. But the one that was more interesting, I thought, was the JBS attack, the one on the meat packing, because it’s taught us two interesting things. Number one, the notion that, well, I’m not a target because I’m not in a high value application. I don’t have financial data. No one is immune. That’s what we learned, that even the most unsexy of business, meat packing, can be a target of ransomware. The other is the complete reliance of even the most basic industries on digital technology. You think of financial services and healthcare being really digitized organizations and really advanced. You don’t really think of meat packing as being the digital vanguard, but yet we could. 
We saw there that a ransomware attack took out meat packing lines, so they had to shut down the line because of it. And that highlighted how reliant we are on these technologies. And so one of the things about those events is that it’s a wake up call for the C suite that they can’t hide from it, and that no matter what organization, what vertical you’re in, you are reliant on IT and OT and digital technologies, it is the foundation about which your business has. Very few businesses can claim they’re not relying on digital technologies to drive their bottom line or to drive their revenue. And so I think that is one of the key learnings, the key triggers that we’re going to see. The other is, and I don’t wanna say regulation from purely a government perspective, but industry regulation. We’ve seen this over the years with PCI for payment card, HIPAA for healthcare, GDPR in the EU, these kind of privacy and security regulations, some are better than others, but they’re driving the conversation less about security and more about accountability at the executive level. As an organization that’s processing PII, or that’s doing healthcare, or that’s in a critical infrastructure, there’s, you know, specific regulations for each of those industries that drive a level of hygiene and requirement in order to be, you know, what they call industry due care, to be able to do good enough to say I’m compliant with the regulations, I’m doing a good job. And what it does is it highlights that you can’t just sort of take security as an afterthought. You have to invest in it, and you have to monitor it. And so when I look at what are the things that are going to keep changing, it’s going to be events that are high profile, and the associated both government and industry specific regulations that are going to help the organizations figure out what is that bar? Because one of the questions that often gets asked is, great, I need to do security. I have assets, how much? 
Where’s the line? And so some of the regulations help them at least achieve what they need to do to get that check box. It’s not the best, because the check box doesn’t mean security. It just means you’ve done whatever you said you would do. But the last piece, which I think goes back to my original point around complexity, is both in multiple governments as well as industry, organizations are putting out guidance and recommendations and baselines that are helping organizations figure out, how do I implement security for these various different domains. The National Institute of Standards and Technologies, NIST, in the US is putting out, has put out guidelines for best practices and security controls for a variety of different industries, for IoT, for industrial, for medical devices, for mobile devices, and puts them out freely for everyone to see. Has vendors and government and foreign governments all collaborating together of what would be that baseline recommendation. And then the more interesting things they’ve done over the last five years is put out what they call practice guides. They call it the 1800 series. And what the practice guide is, they take one of those guidance documents and they actually go implement it. They say, we’re gonna take this product from vendor A, this hardware stack, this software stack, we’re gonna put it in a lab, we’re gonna document how you turn on the security features to achieve the guidance, and they publish it, and they do it for a variety of vendors. And what that does is not only tells you what your guidance is of what controls to turn on, but it shows you actionable product examples of how to do it. And once you figure out how to do it with VMware version 7.2 you can then figure it out for VMware 7.x, and you can also apply that to Kubernetes or any other environment. So it gives you the tools to help achieve that goal.

 

Scott Mears  24:14

I really appreciate this answer. It’s, you know, it’s very insightful what you’re bringing here. And I feel, again, it’s good to know that, you know, there are, you know, like NIST and the many other bodies that are bringing the actionable, you know, the action on what to do. Because I think a lot of companies fear, you know, fear the where the government can come in, you know, with, with policies. And, you know, I like the way you’re looking at it with, you know, there is support there, and we should be looking at it as keeping accountable versus, you know, affecting the bottom line. So I think that’s, it’s really refreshing to hear, you know, hear this.

 

Steve Orrin  24:52

I would say, you know, and I picked on this, because that’s when I work with cos. But in the UK, the NCSC, the National Cyber Security Center there, has been putting out guidance for a number of years for specific industries as well as specific technologies. Here’s how you secure DMARC, here’s how you do DNS security and the recommendations. So while they have policies, they are also putting out guidance for the UK. We’ve seen the EU, through ENISA, do the same thing, and then other governments, India and others, are all putting out guidance. So we’ve all recognized, as a global industry, that we need to do a better job of helping organizations adopt these technologies and implement the controls. And sometimes it’s collaborative across government, sometimes it’s within governments, sharing with the larger world. But we’re seeing that work happen in a lot of these places. And the good news is it’s all free. You can get it, you can download it, you can implement it. And having worked with many of these organizations over the years, they welcome additional members and parties to come and collaborate. NIST is an open environment. You can come and join the NCCoE, the National Cybersecurity Center of Excellence, and help out and be a part of the next big wave of technology guidance. Similarly, I found that the UK government and other governments around the world are actually open to working with both, not just big companies, but even small businesses, and some of them are creating guidance specifically for small business, because small business doesn’t have the budget of a big organization, and often doesn’t have all the technology in house. They’re using managed service providers, and so there’s specific guidance crafted for the small business as well as large. And again, it’s really about we’ve recognized that information sharing is a key capability that’s going to help us address those threats that we were talking about earlier.

 

Scott Mears  26:40

Yeah, I really appreciate these examples. You’ve got so much knowledge there, and I feel like this is going to be so tangible for our listeners to really be hearing this, and hear the many examples out there and really places that they can go. So it’s very insightful for our listeners to hear this. So I appreciate that, and I want to, I’m really enjoying this security conversation. I feel like we’ve got so much out of this from just a few questions, we’ve really dived into a lot. But I’m just going to slightly shift into IoT and dive a little bit more into IoT. And, you know, because I know the solution providers out there will want to learn more about the IoT side and also the tech adoption of their solutions. And you know, we’ve mentioned AI and IoT already in the episode, and I want to now gauge a feel for how do you envision IoT and AI transforming Supply Chain Management in the next 10 years?

 

Steve Orrin  27:35

So, Scott it’s a really good question. And I think a, it’s already happening, and B it may happen faster in 10 years. I think the convergence of both IoT and AI coming together around Supply Chain Management, and if you’re looking at it from two perspectives, IoT, at the end of the day, are going to be the sensors, the things that ultimately you’re going to have, they’re going to help you get better visibility into your supply chain, whether that be the actual asset that you’re trying to move around the world, the mechanism, the vehicles, the ships, the planes that are actually transporting them, and the systems that, you know, warehouses and robots that are moving things around, all of those are going to be digitized and sending out information about location you know, reading in information from the assets and giving you that data. And what is the one thing that’s really hungry for data, AI? And so when you pair those two worlds together, what you start to get to is, number one, huge efficiencies in the supply chain management is the baseline. So just getting better visibility into where your things are, getting better predictability of when they’ll show up. And you know, some of the benefits to when you’re tracking a package, all the AI that goes into predicting when that package will show up helps you as a consumer, know when your thing is going to show or if you’re building a if you’re building a ship, or you’re building a robot, or whatever you’re building, knowing when your parts will be there are absolutely critical to your overall process. But I think it goes a step further when we start seeing AI start to take off in these environments. 
Number one, it will help you build better reliability into your supply chains by understanding the logistics and the flows and real world events when you start bringing multi domain information, so weather prediction, understanding geopolitical situations, understanding, you know, the flows on maritime traffic, and be able to not only predict when there could be disruptions, but also build better resiliency into your supply chains. Again, goes back to the efficiency. So step one is, we’ll get better efficiency. Step two is when you start to take the AI and have it train on what has happened in the past, and all these different tracking information that you can get, you can start to look at predictability and getting beyond that. And let me give you an example. You’ve got trucks that you’ve got out in your fleets, and you need to be able to have maintenance when you need them. Having IoT sensors on the engines and on the mileage that they’re doing, and on the weights of the loads, and on the gas prices and everything else that goes into understanding your fleet, and then being able to predict when a truck needs to be put in for service before it’s catastrophic. So predictive maintenance, or being able to have the routing specified to get the optimal efficiency of your gas, reduce your costs, and so there are a lot of benefits to using AI to get either reduced costs or get increased revenues in your supply chain management, when you have that deep visibility. A great example we talk about, sometimes in the government space with logistics and supply chain management, I need to get Jeeps all over the world for whatever event is currently going on. And not only do I need to keep the Jeeps there, but I also need to know, when do I need to have gas into certain environments? When do I need to be able to supply parts? You know, though, being able to have the assets not where the truck is, but where the truck will be, where the Jeep will be at a moment in time. 
And so getting, having AI be able to look at your supply chain, but also your logistics. In the case of military, battlefield management. If you’re looking at medical, looking at not just what are the devices themselves, but what are the, understanding, what are the procedures being done? What is the, you know, the rate of birth in a given area? Do I need more sonograms in a certain area of the country, because we’re having a birth spurt in Seattle, for instance. And so that multi domain AI is really going to help you get better at delivering whatever your goods and services are by making your supply chain and your supply chain management more dynamic. And that’s really the vision that I see, you know, over the next, whether it be, you know, five years or 10 years, is moving from a prescriptive supply chain management where we can get efficiencies in what we’re doing today to a more dynamic, predictive, and even maybe prescriptive supply chain, where I have the right resources, or I’m delivering my right services and goods at the time they’re needed or in advance of when they’re needed, knowing that that’s going to be a need, and that’s going to make you much more efficient. It’s also going to increase revenue for organizations. It’s going to decrease costs, and it’s going to give better customer experience, whether that customer is, you know, end users, like you and I, or your business partners, because you’re going to have a dynamic and one of the really powerful things about having a dynamic supply chain is that becomes much more resilient to change or to upsets or to anything that could go, you know, whether it be a global event or a specific location that’s no longer viable to ship through certain shipping lanes. By having this collaboration between the sensors and the IoT and the AI that’s understanding your overall supply chain and logistics, it allows you to respond to events much more quickly, without downtime or without disruption. 
And that is the vision I think of when these two worlds go together.

 

Scott Mears  32:53

It’s so exciting to hear this. You know, we we’ve already seen bits of it, and I know, you know, I mean, even at Roambee with integrating AI and all the other solutions out there, it’s really exciting to see what it’s assuming. To hear your vision for it. It is, you know, what this can do for us is really quite interesting and really exciting to see, and to make sure we really hit this home and make sure we really leverage the value AI can bring to IoT and all the other technology out there. You know, I want to get into the adoption piece. When do you feel IoT will become ubiquitous in parcel tracking, and what do you see as the current biggest hurdles preventing the widespread adoption in supply chain?

 

Steve Orrin  33:46

So I think there are two answers to that, Scott. One, cost, and I think when you’re looking at large scale supply chains and logistics, it’s one thing. If you have a couple of high value assets, you’re sending a huge Cummins engine between places. It’s a very valuable asset. You know, it doesn’t matter, you know, buying a couple of tracking and IoT systems for that, or do, enabling a small fleet those, those, you know, you can make the cost benefit analysis for it. But when you’re looking at sort of parcel tracking at scale, it’s really reducing the cost of those devices, getting down to sort of, whether it be that RFID tag that I can scale. But it’s not just the cost, because RFID tags are cheap and that we are getting there. It’s also the integration and complexity, because there are a myriad of vendors and a myriad of standards. And not only do you have to have the vendor of choice for whatever that tracker is, but then you need to have the reader. You need to have both manual and automated readers, and then you have to have the management systems that can read that data. And so you start to get this complex set of system of systems that all have to play nice with each other. And so I think one of the things that is really a challenge for the ubiquitous parcel tracking to overcome is that complexity and the integration of those different parts to work seamlessly together at scale. They work great in a lab or small, you know, proof of concept demonstration. But then when you go from five trucks to 5000 trucks, when you go from 50 packages in a small town to 5 million packages globally, that’s where you know, oftentimes the integration and complexity really, really hits you. And the answer to that is, when you start building those solutions or trying them out, is always to have in the back of your mind that this isn’t going to stop here. How do I scale this? How do I build APIs in so that the data can be easily extracted? 
How do I standardize my formats so that they can be consumed by a variety of products throughout the life cycle. And ultimately, one of the key things is not a technology problem at all, it’s the cultural organizational How do I make sure that the people who will benefit are seeing the value? How do I get the stakeholders, the business unit leaders, to understand the value of these new technologies, to their bottom line? Yes, it’s a really cool technology. And look at all the cool things I can do. But if the business unit that owns the parcel, you know, the delivery service, or the one that’s receiving that doesn’t recognize the value, doesn’t see it, they’re not going to get behind it, and they’re not going to fund the transition from lab to scale. And so one of the key things of, how do we really take get to help organizations take this off. Is like I said the beginning, have the stakeholders involved from the get go, let them provide the requirements, and then they get a sense of ownership on the outcome. And again, it’s not about the technology at that point. It’s the cultural change that really helps these technologies transition into the real world.

 

Scott Mears  36:41

It’s you know, with the I like that you mentioned about, you know, showing that value to each stakeholder. I think that a lot of the time is missed, you know, you know, because you’ll have the conversations with the head of logistics, with the head of supply chain, but the real person that’s going to be handling these devices is the person that’s not involved in any of those conversations, and they see it, and they just don’t, what on earth is this? What on earth is it? And yes, you know, we’ve seen challenges with that as well. So I think that that’s such a key one that that really is missed. And maybe, you know, people are missing in even knowing, how do we communicate that value? Because we just rely on, you know, the people that we’re communicating to in that company to communicate in it. A lot of the time, that’s missed. And I think it goes back to what you’re saying at the start. Don’t make things complex. Make it easy for people to apply and easy for people to digest and understand. So again, a lot of learning, not just for IoT providers, but actually a lot of solutions out there that are trying to break through at the moment. And I want to understand more the government side is, how do you feel government policies? And we’ve actually, we’ve already mentioned government policies earlier. And the last question, but I want to understand here, is, how do you feel government policies can influence the adoption of technologies like again, IoT and AI?

 

Steve Orrin  38:06

So I think there’s two answers to that. One is what we mentioned already, putting out the guidance and baselines, directing their standards organizations and their or and their government agencies to collaborate with industry on building out these baselines and guidance so that we can all do it correctly, do it the right way, or get some baseline security built in. But the other is really putting the you know, your money, money, money, where your mouth is, and that is government policies on the acquisition side, to enforce that when you want to do a government procurement that you build in that we need these level of security or where you want this kind of visibility into our logistics and supply chain, and ultimately this is in government is one. But even large organizations and small is when you build a requirement into your contract, into your SLA, whether it be for security or the SLA on your logistics and supply chain, when you make that part of the contract that drives and spurs organizations to innovate to meet that need. And so when we talked about earlier, about, you know, the integration of IoT and AI and getting that adopted for logistic and supply chain, why would I do that, other than maybe I can save some money. Well, when a contract says I need predictability into the parts that I’m receiving from my logistic Supply Chain Management, that when that becomes part of the contract, or part of the agreement that we have, it will drive the adoption of the right technologies to give them that predictability, to give them that quality, in the face of both, you know, normal operations as well as potential disruptions. So I think when it comes down to it’s the policies around standardization and guidance and baselines is a key standing building block. 
But the other is to, you know, to put that into procurement language to make the reliability, resiliency of the supply chain and the security baselines a requirement for these procurements and acquisitions. It can go a long way without the government having to put undue regulation on any one organization or one vertical. You know, the money will drive the innovation. And so when the government contracts say, I want this and it’s a requirement, the companies that service the government also service the private sector. And so you build it once, you’re going to want to, you know, monetize that globally. And so I think we’ll see that, you know, the contracts will help drive a lot of that innovation or that adoption. Because, you know, ultimately, that’s good. The driver for organizations is, the bottom line is revenue.

 

Scott Mears  40:27

That’s really good. You know, that’s a much subtle approach. I feel that’s going to have a big impact. You know, it’s not the big, scary regulations that could come in tomorrow. It’s the sort of contracts. It’s the demand. And then naturally, you know, the innovators of the world are going to, you know, jump on that and innovate something to suit that. So that you know that, you know that’s really refreshing to and I want to stick with the government for a moment in understanding, you know, what do you see, or where do you see the next major government push in IoT and AI, particularly in the context of national security, where do you feel the next major push is for the government?

 

Steve Orrin  41:06

So I think first and foremost, and we’ve seen this with the response to SolarWinds and Log4j, is going to be visibility into supply chain. So the concept like software bill of materials, or SBOM, and having ability to attest the supply chain and the current vulnerabilities and so that is going to be a key push over the next couple of years, as the governments start to mandate that their vendors and their suppliers and their integrators provide visibility into the downstream supply chain of where did this product come from? The acceptability of a black box has gone. It’s, you know, right now it’s a matter of time of when that will become contract law, or when that will become a de rigueur requirement for all future contracts. But that’s going to be the big push, is gaining that visibility. And of course, then the incumbency on got to do something with that visibility. So great. I have visibility. I got a document. What do I do with it? And there’s been guidance put out over the last two years of once we have those documents, like an SBOM and the vulnerability information, how do I consume it and operationalize it into my corporate risk structures? And so it’s the full life cycle of that, but I think number one is visibility, and then another that’s been around for a while, but I think we’re going to need more work here as things get more complex, is common requirements. And this has been a challenge because both within individual industries and then across governments, there’s, you know, differences in the requirements for security, the requirements for privacy and the like. And I think one of the efforts that multiple organizations are starting to look at is the mapping, you know, how do I create a common requirement? Because any large vendor that’s doing global work has to do privacy for, you know, EU, UK, US and even some specific states and then India and other organizations. Everyone has their rules. 
And the reality is that there’s probably a good 80% or more overlap on the controls that are necessary to achieve that. But it’s a heavy lift to know what does, you know, control A 143 over here mean for control 22 six over here. And so there’s work that’s being done to map these control regimes, to give you a common set of requirements. So you know that if I’ve achieved, you know, GDPR, I’ve achieved 80% of that, say, the EU of the UK privacy requirements, and then I know what my 20% that I have to do as the delta. Now, hopefully someday we’ll get to a much closer so it would be more 95% overlap. But even if it’s 80% that means I’ve done a good amount of work for a particular domain, and then I can focus in on the stuff for the particular areas that I’m going into, it will reduce the friction of being able to support those regulations. And so I think that is really where the next major push is, again, visibility on their supply chain, but also collaboration to try to get to some common requirements. Because ultimately, what we don’t want to have is I’m going to buy a product, but it’s going to cost me 10x and take me 12 times more time to get it because the requirements are too confusing or too complex to implement in order to be able to deliver that product. So the more that governments can do to create that baseline, that commonality, or at least provide guidance of how to jump from a financial services regulation to a government regulation and see that the you know, the reality is, they’re all sort of coming from the same vantage point that will help drive the technology adoption, and that’s where we’re seeing a lot of the push on governments today. One of the things I would like to mention, though is, and I’m going to focus in on the AI side of it, but it also applies to IoT. I think the other big push is going to be trust. How do I trust that? 
Whether it be the AI that’s producing the results or the sensor that’s sending me the data, how do I trust that information? We’re seeing a lot of work today on trusted AI ethical use, but really it’s about how do I trust it? And it’s not that I’ve secured it. Securing it is part of the story, right, but it’s really about is the thing providing me the right data that I expect to come from it? Has it been compromised? Has it gotten faulty? Has something happened to it from a configuration perspective, and does that flow through and cause bias or cause deviations on the ultimate AI? So getting that level of trust and visibility are going to go hand in hand to us being able to rely on these, especially in a national security context, but even in things like medical and financial services, you need to have trust in the systems in order to be able to rely on them and then to scale them.

 

Scott Mears  45:35

No, I appreciate you adding that extra bit. You know, that’s definitely something that we’re finding. I mean, there’s been a number of times, if I was to simplify it into where I’ve asked questions to ChatGPT, and it’s giving me many false answers. So I know that’s a simplified example, but it really does give you insight into, you know, the trust aspect and how, how quickly we may rely on these tools as you know, that is, that is the answer, and maybe we won’t question it. So it’s really good to hear that you’re identifying that as a challenge that we need to be aware of. And I want to finish off of AI, because, you know, AI is, you know, you can’t get away from it at the moment. And you know, I guess it’s a bit of good and bad, you know. So I really want to dissect the hype versus the reality. So, you know, as children, we get excited by the best toy at Christmas and we want the best toy to play with. And then, you know, supply chain leaders, we get interested in the new innovations that can make our supply chains run more smoothly. So I want to know from you is, how can companies differentiate between AI hype and practical solutions for their supply chains.

 

Steve Orrin  46:48

So Scott, that is the million dollar question, isn’t it? Right now, AI’s hype curve could not be higher, and part of what’s driving it is the constant innovation, the constant change. So just as we get used to one thing, there’s a new term, you know, generative AI, large language models. We’re starting to see the hype. It’s all great, RAG, all that’s really cool and like, it’s constant. So the hype curve just keeps building on itself. And the real challenge for organizations is, okay, great. I, you know every CEO and C-suite person wants to sprinkle AI pixie dust on everything. I want AI everywhere. I want to be an AI company, because that will make us valuable. And the real way to sort of defuse the hype and really get at something real is to start from two perspectives. One is that it’s in your question, what are the practical solutions, what are the things we need to improve? And that comes back to the fundamental thing, where AI can have a value and where, and then differentiating from all the AI that won’t do you any good. And that is asking the right question of what you want as the outcome. What is the problem you’re trying to solve? You can distill down, I need better visibility into predicting my supply chain disruptions. I need to be able to get better efficiency in the logistics of my fleet, asking the right question, and then thinking about, what are the tools, what are the AI or machine learning, and keep it and sensors I need to achieve that goal? And so it really comes down to boiling down to, what are the things you’re trying to ask? And it’s a hard question, because a lot of times, everyone’s sort of thinking, Well, AI can solve everything. Absolutely not. It’s really about starting with the right questions that you want to get answered, and then the follow up question, which is probably the thing that kills a lot of these AI projects, is, do I have the data to drive that decision? 
Oftentimes, we want to use AI to get some benefit, and when we go try to implement we build a really cool solution, and we use synthetic AI, read open source AI, we use all these other open source data, I mean, and all these things. But when I get to apply to my real world, I realize I don’t have the visibility or the sensors generating the data I need to drive that decision. And so it’s really understanding what the application that you want to solve, what’s the problem, and do you have the data or can you get the data you need to drive that to? Because AI is a data consuming engine, that’s what it does. It eats data for lunch, breakfast and dinner, and so to be able to get to that outcome, you need to know that can you source the right AI, the right data to drive that AI, and that’s really the process that we find the successful deployments use is making sure they can ask the right questions. And it’s not trying to boil the ocean. It’s like, like you said in the supply chain, what is the first thing you want to go tackle, you know, is it getting, you know, better, better gas mileage out of my fleet? Well, then the question you want to ask is, you know, the routes, are they most efficient? Then you ask, okay, what data can I collect about the routes and about the conditions and about the gas prices, to be able to train that AI, and then be able to do the inferencing, and from there, there’s a path to an outcome, and the outcome is you’re going to save $20 a mile, or whatever the metric is. And that’s another thing I would say is important, is make sure you have metrics, because when you’re done, you want to know what was the value of doing this. What did I achieve? You know, I want to get a percent increase in revenue, a percent increase in reliability, decrease my cost. Understand why this question is valuable to the organization. Those steps are how you get the practical adoption. 
The other recommendation, and I’ve seen this happen a lot of times, is people look at when they look at AI, they take two tracks, either they want to solve the biggest problem in their organization first, or they’re super scared and they only want to tackle some small little thing. And the problem with those two scenarios is that you’re setting yourself up for failure every time. If you tackle the small little thing that no one cares about, when you’re super successful, no one cares, you haven’t actually achieved anything that anyone can value. So you have no, no chance of scaling. If you go after the really big, the most critical problem for the organization, guess what? Most AI projects fail the first two or three times. It takes a little bit of iteration to get it right. You don’t want to crater the business while you’re trying to figure out your AI solution. And so I call it the Goldilocks principle. You’ve got to fit. You got to pick that application that is both meaningful and impactful, but not mission critical to your organization, so that if you mess up, which you will, it doesn’t hurt the business. But more importantly, when you’re successful, there is a meaningful impact that then you can build from and go after the next problem and then eventually get to the big mission critical ones, but start with that medium level one, the one that’s important, but not too important, and then you’ll have a better chance of both making sure you get it right, but also building on that success. And so I think those two things, number one, asking the right questions, getting the right data, but also picking the right application to start with, is critical to how companies can move from really cool lab experiments and the hype to getting to something that actually starts to provide value to the organization.

 

Scott Mears  51:51

Well, you hear it here first, the Goldilocks principle. Everyone needs to go out and keep to this. This is how we understand, you know, navigate through the hype of AI. And, you know, don’t get I love AI pixie dust. That was awesome. I love the so many bites of, you know, it sounds like you should do my job, you know, marketing. You’ve got a lot of great marketing captions for the drive AI right now. And, you know, again, you say so many great things. It’s I know our listeners could be really interested in hearing all this and and also refreshed by a lot of the information. And I always like to finish off the episode with a fun segment. You know, we’ve learned a lot on this episode, but we always like to finish it off of a thumbs up, thumbs down segment. And it’s a very simple segment. It’s just a yes or no questions. There’s six of them. And if you just give me a big thumbs up or thumbs down and then say yes or no, sorry, thumbs up or thumbs down for the audio listeners as well, that’d be great. So I’m going to hit you with some interesting ones. That would be we’ll see where you go on these, Steve. Number one, do you think IoT devices will become a standard requirement for all businesses within the next five years.  Thumbs up.  Do you believe the government is doing enough to support the adoption of new technologies in the private sector? Thumbs down. Is the fear of AI taking over jobs and supply chain management exaggerated? Absolutely thumbs up. Interesting. Do you believe that the pace of technological advancement is outstripping the ability of governments to effectively regulate it?

 

Steve Orrin  53:34

Absolutely thumbs up.

 

Scott Mears  53:37

Should your governments prioritize security over innovation when it comes to regulating new technologies?

 

Steve Orrin  53:44

No, I think they should be equal. So thumb in the middle.

 

Scott Mears  53:48

Thumb in the middle. Oh, breaking the system. I like it. And final one is, Would you be okay with the security drone patrolling your neighborhood, even if it occasionally mistook you or your dog for an intruder?

 

Steve Orrin  54:02

So it’s a thumbs up with a kind of depends on who’s monitoring the drone. If it’s the local neighborhood watch, I’m fine with it. If it’s a government, thumbs down.

 

Scott Mears  54:12

Yes, that’s a good response. Yes, that’s a good spot. I like that reply. So maybe we’ll go the neighborhood watch, but that’s, you know, it’s great to have you come on today, Steve. And you know, it’s really interesting. This is really interesting episode for us, because we’ve not been able to dive this level into the security side, and especially with the government influence as well within IoT. So I’ve really enjoyed this. Please do let listeners know where they can find you. And if there’s any projects you want to let these guys know about as well. Please do.

 

Steve Orrin  54:42

Absolutely, and thank you for having me today, Scott. Best way to reach me is on LinkedIn, at S, O, R, R, I, N, Sorrin. On LinkedIn is the best way to find me there. To find out more about the projects I’m working on, go to intel.com/publicsector, one word, public sector on intel.com, is the best way to see all the cool things we’re doing to help governments in IoT, AI and cyber security.

 

Scott Mears  55:06

Wonderful. Please do go over and connect with Steve. If you’ve got any more questions. I just want to maybe, you know, connect with one to some of these projects, but we’ll leave it there. Thank you so much, Steve. Again, we’ll give the guests a little wave goodbye and say thank you very much.

 

Steve Orrin  55:19

Thank you very much.

 

Scott Mears  55:22

Hi. My name is Scott Mears, and I’m one of the hosts of the Supply Chain Tech Podcast with Roambee. On this podcast, we talk to supply chain heroes from around the world about everything, ranging from the disruptions related to supply chains, their personal experiences with tracking technologies, strategies to build resilience, and much, much more. We already have some recommended videos for you to the side of me, and if any of this sounds interesting to you, do subscribe to our YouTube channel and hit the bell icon so you don’t miss another Roambee video. I’ll see you next time.
