Mr. Andras Szakal is a chair of our Trusted Technology Forum, so we've heard a bit about the Security Forum. We have another forum which is focused on supply chain security, which Andras will talk about. A little bit about Andras. He's a recognized expert on supply chain security, cloud architecture, and cyber security. Widely recognized as the driving force behind ISO/IEC 20243, better known in the open world as the Open Trusted Technology Provider Standard. He holds professional certifications in security, solutions architecture, and supply chain security, and his experience spans over 30 years of research, telecommunications, global standards contribution, and public sector executive leadership. Today Andras will be talking on the topic of compatibility of the OTTPS, that I refer to the Open Trusted Technology Provider Standard, and digital transformation. So a warm welcome from The Open Group, please. Welcome back, I should say, to Andras Szakal. Over to you, Andras.

All right, you know, this session is entitled Trusted Technology for the Digital Transformation Era. And in this session, we're going to talk about why and how digital transformation has accentuated and accelerated the importance of establishing a trustworthy relationship with your technology provider. So The Open Group has published a couple of recent documents, standards that speak directly to the business benefits of digital transformation, both the digital practitioner's body of knowledge, as well as the recently published open agile framework, define digital transformation as the use of digital practices supported by digital technologies to achieve a shift in the business model, value proposition, operating system or distribution system to, and this is important, radically improve the customer relationship, profitability, internal process, performance, accessibility, market, reach and enterprise, the business.
So a couple of great quotes from two of our preeminent CEOs of this era, Marc Benioff of Salesforce and Jeff Bezos, the Amazon founder. So Benioff really hits the mark here. He says basically that digital transformation has to be customer centric, reimagining your business practices to better engage customers. And he's thinking about change from the customer's point of view. In other words, customer centric design thinking. And Bezos of Amazon really touches on a key theme in his quote. He's talking about being agile by constantly, continuously evolving. So relentless reinvention. So to put it all together, we can say that digital transformation is the practice of applying agile customer centric design techniques to relentlessly reinvent the business using modern digital technologies. Underscoring the last part there about technologies. So to be fair, this digital transformation of business capabilities has been happening for quite some time and has been referred to in the literature, even as far back as the 1960s. And there's been many different perspectives on digital transformation. There is one constant in the definition of digital transformation, and that is the constantly changing shifts in technology and techniques used to apply those capabilities. You've probably seen different historical transformation cycles depicted in many different ways. In this slide here is one of the members, our members, Fujitsu, representing it as historical shifts of technological change as digital waves. So is this the third platform or the fourth wave? Who knows? It's all been depicted and discussed now for more than 30 years. And who was that guy that suggested the third platform? Anyway, and of course, some folks are calling this generation of digital transformation the fourth industrial age or evolution, primarily because of the adoption of AI. Now, through all of this, this has been one consistent theme.
The continuous evolution of standards focus on customer engagement, product construction and business process transformation. And, you know, in 2016, Forrester had yet another blog backed by a CIO survey that suggested that by 2020, this year, that 47 percent of sales would be influenced by digital. It's certainly a bit amusing how far off this number probably really is now. And it's not unrealistic to suggest it was closer to maybe even 100 percent at some point during this year. I mean, really, who could have predicted a pandemic where everybody is working from home online using something called Zoom with little to do for leisure but pedal on a Peloton, order dinner from DoorDash and hope that Amazon Prime is able to fulfill your order of TP before that last roll runs out. I mean, really, you could not make this year up, but it's happened and it's not over yet. Well, the one thing for sure that we know that we will continue to evolve our understanding of is what it means to digitally transform our business practices. Why? Because change is inevitable. Technological change is relentless and our business or just our life is quite unpredictable. Whatever wave or revolution we're in, there's one thing for sure. We're facing an almost dizzying array of technological shifts. This includes the reduction in cost of powerful but cheap sensors and platforms coupled with analytics that are becoming integrated into every business process. Just take the professional sport of tennis, you know, my love, my passion. I mean, it has changed tremendously. LiDAR, radar, analytics. I mean, who would have known a few years ago? You can't even watch a tennis game from the 70s because you're just like, how far off the, you know, service line does he have to hit that serve? You know, what is the consistent percentage of returns? I mean, you know, it just makes viewing so much more interesting when you know all this information. And businesses, you know, very much the same.
And of course, cheap access to powerful cloud-based compute storage and platform services is the plate from which we are able to rapidly serve digital transformation. And as a result, we have spawned a whole new approach to development. DevOps and SecDevOps and even a new operations profession called reliability engineers, which didn't even exist a couple of years ago. More and more, you're using serverless computing to automate powerful business processes. And of course, AI and analytics are making it possible for self-driving cars. I got one of those. Tesla, thank you. Real-time language translation, image recognition, which is turning, you know, business processes and accelerate them even further. But all of these technologies have one thing in common and that most companies have yet to realize that they have ceded control of their business to their technology partners. Yeah. And just a decade ago, most companies were developing their solutions within the confines of their own data centers. Now you probably cannot even tell me fully where your business operates. You know, and most customers and that's what, you know, business has become a customer to technology providers. Don't really employ any sort of risk management or analysis to their digital transformation. So first and foremost, our businesses have become ICT product centric and our own solutions built on these capabilities within a cloud have no choice but to constantly evolve, sometimes hundreds of times a day. So because digital transformation becomes critical infrastructure, your technology partners must be trustworthy because your technology partner plays a critical role today. The relationship must be addressed from the point of view of a joint venture or investment model. And as such, risks must be mitigated. Your critical infrastructure is some other product company's product. Therefore, the product must do what it's intended to do it must.
And if it fails, the provider must remediate within days, not months. The product must be developed and engineered to provide certain levels of expected security controls and protections based on advertised risk profiles. And integrators and solution providers must protect customer confidential information. This is the concept behind some of the U.S. national standards like 800-171 and the upcoming CMMC. And finally, operators and outsourcing organizations must ensure the security and integrity during operations. For example, cloud providers are responsible for the operational integrity of the platform itself. We would not be having this discussion if every country and every company played by a global set of immutable fair rules. And we know it's not feasible. And there are significant bad actors out there looking to undermine your business or the government. The facts are that commercial ICT dominates the landscape, but it's sourced and operated from outside of your control and COTS products often rely on components that are sourced from open market by many different sub suppliers. So sometimes even the manufacturer doesn't even understand the full supply chain and more and more, those COTS products are key ingredients within critical infrastructure, government systems, commercial solutions and are driving digital transformation. And some of the threats include counterfeit components, maliciously tainted, you know, capabilities which are used then off to obvious to basically pull information from your environment. This new concept of cyber supply chain to protect your customer information because that's important as well. Insider threat, obsolescence and, you know, many more. So products or certifications, you know, ICT providers need to provide and that's information, computer technology, communications technology providers just to make ICT clear for those who may not know. They need a way to make the case for why they are trustworthy.
And, you know, product certifications and product level markings are insufficient to cover the threat landscape. So there has to be a set of practices which are required to be followed through the end to end of the life cycle from the beginning to the end, from design to disposal. And risk management must cover the entire landscape from sourcing to disposal, including the protection of sensitive customer information. So technology partners must build with integrity so that the business consumer can buy with confidence. And, you know, it should be self-evident now that there is still the need for a certification program to validate that these practices within an ICT provider are valid. And so here are some of their challenges that we've discussed and some of the implications. What we need to do is we need customers to reward trusted or certified constituents, you know, vendors, providers through some sort of program. Well, in comes The Open Group and the work that we've been doing. The Open Trusted Technology Provider Standard. Well, we embarked on a 10-year journey to develop the OTTPS. And its associated certification program. And it's really hard to believe, fathom, that it's been a 10-plus year journey. And, you know, the whole idea is to ensure that OTTPS was internationally recognized. So we submitted it as an ISO standard. So it's also known as ISO/IEC 20243 and very well recognized. So this is the standard by which, you know, now we're operating our certification program. And almost five years ago, The Open Group launched the OTTPS ISO 20243 certification program. And this included a robust program for validating and testing labs and the back-end systems for the certification program. We had to develop those. So, you know, those are all, you know, big, difficult lifts in the end. Creating an international certification program is not something you do lightly.
And today we have more than 45 major technology vendors that have certified against ISO 20243. And we have more in the works. We have a major government program in NASA, which, you know, also prefers ISO 20243, as well as best practice indications in multiple NIST and DHS policies and standards. About three years ago, with the help and support of our member Seagate, we developed and launched the Open Certified Trusted Technology Practitioner Standard and Certification Program. It's a professional certification and credential for individuals. And it's, you know, an effort that, you know, we recognize that we need to grow the practice and profession of supply chain risk management. So we need more professionals to be able to support, you know, capabilities like OTTPS and ISO 20243 and all the other policies that are, you know, arising both governmentally and within the standards arena. So we successfully launched and certified our first round of Open CTTP professionals in the middle of this year. And we're about to actually launch level three and celebrate this new Open Professions Certification Program soon. Well, the next chapter of the standard is, you know, almost upon us. And every three years as part of the normal standards development refresh cycle, we update standards, especially those with supporting certification standards. Now that we had a significant number of companies and organizations achieve OTTPS or ISO 20243 certification, we have the opportunity to, you know, use that base and support, which is even larger than the number of members that developed it, to optimize and evolve the program. So the first step that we're going to be involved with is to conduct design thinking workshops with vendors that have been certified, some of which are not members of The Open Group but have been certified through the program, either through ISO or through The Open Group. And then we'll translate their voices into actionable, prioritized recommendations.
And of course, this will require that we update the best practice framework on which the standard is based, the OTTF. And that'll eventually lead us to an updated version of the standard. So our goal is to ensure that, you know, we start off by, you know, doing no harm. A lot of companies have invested a lot of money in order to get certified and to implement these practices. You know, this isn't a throw the old out for the new. This is optimization. So, you know, we're going to take this thriving certification standard and we're going to, you know, make it better and include some new SCRM protections and address customer expectations and some of our constituents' concerns in the development process, certification process. So this is the array of members, past and present, who have worked on ISO 20243, OTTPS. It's the list of members of the forum who participated and contributed. And we invite you, your organization, to become active members in the forum and the version two project. We really do need your help. It doesn't work without you. So on chart number 13, here is the Open Trusted Technology Forum roadmap. This is a roadmap for the development of the assets we're working on. As you can see, the OCTTP, the professional standard project is wrapping up and we're going to be celebrating level three certification here as part of the Open Professions Framework and the badges you go process that we'll launch soon. We just had the OTTF website presence. We kind of gave it a little facelift and are looking to publish some additional video content here soon. And of course, the V2 project, which will be consuming the primary focus over the next year. And over the last couple of years, we've updated the standard to 1111. And we've also updated the certification practices and processes as well as the ISO standard itself. So lots of activity here.
I think that the other area from my point of view that we are neglecting because we focus very much on the provider is the customer point of view. What is the customer's risk mitigation approach to protecting themselves? And I do think there is an opportunity for a lifecycle here for us to be able to publish something of that nature that fits well with the work that's already been done. And I'd like to say special thanks to John Linford, our forum director. If interested, he's listed here and contact him. And lastly, to mention a heartfelt recognition of the late Steve Warshardt contributions to OTTPS and all the certification programs. He was a huge driving force on the adoption of OTTPS and all the companies that have obtained certification. So thank you very much, team. And we're looking forward to seeing you in the forum. Steve, back to you.

Thanks, Andras. Great, great overview. And thank you. Yes, thank you for mentioning our recently departed colleague, Steve Bortchart. Much, much missed. We are at time for the break, but I do want to put one question in here, which is something I've puzzled about myself. I've always seen the OTTPS as one of those standards that if I was an organization procuring, if I was in procurement, why wouldn't I look to that to prefer, at least prefer, if not mandate, that my suppliers went through that. And, you know, it's someone we both know well, Joanne Woytek at NASA SEWP, you mentioned, has done some great work to encourage the federal ecosystem there. Suppliers to government to do that. But what do you think the value of the certification? I mean, you've been through it yourself as an individual, but from an organization point of view, what's the value of getting certified? And from the customer point of view, as I say, why wouldn't you pick this up and use it? What's so hard?

So from a provider point of view, it's all about three different elements. We've divided up into three different segments of best practices.
The product development or engineering lifecycle. So how you actually go about, you know, creating formal development practices that protect the integrity of the lifecycle of the product itself. You know, for example, being able to store and protect the source code, to be able to ensure that any open source is validated open source. We've seen just exactly what can happen when security components, for example, use open source that doesn't come from a validated organization. So there's the lifecycle, which protects the code, protects the integrity of the process, and then there's the supply chain security practices, more traditional SCRM practices. Do you know your sub-suppliers? Have you been able to, you know, flow down the contractual requirements for them as well? Do you understand where they get their components? How do you actually define the T's and C's for your environment? And are you scoring them effectively? So it's not okay just to know who it is that you're sourcing from, but it's also a continuous improvement opportunity for you to score how well they meet your T's and C's. And then, of course, there's the cyber supply chain, you know, elements of this whole thing. Can you protect customer, sensitive customer information, which can be quite valuable to adversaries. And that information is really important to both the customer, the government, as well as you. And unfortunately, sometimes it's not as well protected as you might think. So those are some of the areas that we focus on. Now, obviously, it's really important for a company to be able to implement those practices and get them validated. So if you talk to one of the vendors that have been certified, you'll find that actually it's a great way for a third party to come in and tell you where you really are on the bar of maturity. And that's the value to the trusted technology provider. 
Obviously, the value back to the consumer is you know that somebody was able to hurdle that bar and there's a consistent evolutionary approach to continuing to get better over a period of time.

Great, great summary, thank you. So we do a break now, Andras, but a warm thank you from The Open Group to Andras Szakal.