Vendor Management

The Latest

23 November 2021: SoftIron is developing an Australian facility to manufacture its high-performance data processing appliance. This is the company’s second facility after its California factory, and it plans to develop another centre in Berlin in the coming years. The planned edge manufacturing facility is expected to be the first component-level computer manufacturing hub in Australia for several decades.

SoftIron’s New South Wales manufacturing facility is supported by an AU$1.5 million grant from the Department of Defence. The hardware provided by SoftIron will include open-source appliances for high-performance data processing.

The vendor will leverage smaller-scale, automated ‘edge manufacturing’ systems and effectively side-step global supply chain bottlenecks.  

SoftIron claims that security-minded clients, such as the Australian Government, are increasingly concerned about the risks of supply chains that include foreign entities suspected to have inserted spyware. Governments are already applying bans on foreign providers of communications and data processing hardware that power modern data centres. SoftIron claims the ability for clients to verify every aspect of a product - from the open source code to the supply chain of components and manufacturing cycle - is critical for trust in data centre appliances.

Why it’s Important

SoftIron’s entry into Australian tech manufacturing is welcome. Australia’s technology manufacturing was decimated by large-scale overseas production capabilities in the mid to late 80s, despite having some extraordinary world-leading products. For example, the world’s first battery-powered laptop, the Dulmont Magnum (aka the Kookaburra), was designed and manufactured in Australia in 1984. Hartley Computers developed hardware and software locally in the same decade, before concentrating on supporting imported Wang minicomputers.

The SoftIron announcement raises several important considerations:

Supply Chain Risk

Procuring hardware from foreign manufacturing plants (such as POS and telecommunication systems) is now being flagged as a possible point of exposure to business espionage and spying. The complexity of international supply chains, combined with the opaqueness of the firmware and code running on tech products, opens up many avenues for criminal and state actors to inject malware into products sold overseas. While China is a target of US suspicions, it should be noted that Australia's allies have engaged in similar activities in the past: in particular the US and Germany with encryption technologies, and the recent use of the ANoM phone app to ensnare criminals.

For Australian enterprises, the lack of visibility into the supply chain should be a growing concern. The only way to address this concern is to adopt a risk assessment policy that includes verifiability of the supply chain, and the firmware and code of products.

Support Chain

Edge manufacturing (aka micro-manufacturing) leverages the ever lowering costs of robotic manufacturing systems and (importantly) the lowering cost of programming such robots, to compete against the cost-efficiencies of huge factories in lower labor-cost countries. 

Technology manufacturing firms have traditionally driven costs down through economies of scale and labor savings. However, the global supply chain crunch due to the pandemic and slow-moving trade wars, coupled with rising labor costs globally, is causing a change in the equilibrium of manufacturing. 

Edge manufacturing employs robotic technologies and short-run production automation to deliver specialised products at a faster rate, at costs that are within the realm of those offered by large scale manufacturing, when transport, warehousing and related global supply chain costs are considered.  Edge manufacturing is less susceptible (though not immune) to global supply chain disruptions. 

Most importantly, edge manufacturing is highly agile and its entire manufacturing process is verifiable, making the model attractive for security-conscious buyers. Finally, firms that locate their facilities here are covered by Australian laws and are therefore required to be certified to a compliance standard to ensure the level of data security is being met.

Who’s impacted

  • CIO
  • CFO
  • Procurement managers

What’s Next?

IBRS believes that the national economy has a solid potential to benefit from edge manufacturing.  Recent economic modelling by IBRS and Insight Economics noted a 10% increase in organisations buying Australian software (as opposed to US and European solutions) would return close to a $1.5 billion uplift in the economy within a decade. This economic benefit would be significantly magnified if hardware was added.

Organisations can examine the premium put on closer collaboration with suppliers and vendors through this business model by:

  • Running hypothetical stress tests on their current supply chain to understand how it affects their financial standing
  • Utilising local vendors while considering a third party risk assessment and compliance program that will fit their cyber security strategy
  • Assessing a vendor’s governance framework using the IBRS Vendor Governance Maturity Model

Related IBRS Advisory

  1. How does your organisation manage cyber supply chain risk?
  2. Vendor governance framework (VGF): Evaluate maturity to manage growth and risks
  3. Strategic vendor management in government
  4. Challenges when conducting business impact analysis

Conclusion: In today’s marketplace, a successful business needs to position itself strategically to be a leader in the market by either delivering services better and cheaper than the competition, or by disrupting the status quo to deliver services in a different way that empowers the consumer. To achieve this, organisations need to ensure their procurement plans are aligned with the business strategy and, where appropriate, identify in the ICT sphere where procurement is important strategically.

Organisations therefore need to identify the value a supply chain delivers to the business strategy. In doing so, the executive needs to understand the procurement activities that provide an advantage to the business in the marketplace, and which procurements may lead to a broader alliance with the supplier where mutual gain is possible to all parties involved.

Conclusion: All organisations need to identify the value of their procurement portfolio. That is, to document and regularly review the portfolio to understand both the criticality of the contracts to business and the triggers that decide whether the technology is meeting the need and when actions need to be put in place to limit the risk to the business in the acquisition process.

With an improved situational awareness of the procurement portfolio, organisations then need to ensure alignment with the business strategy. The alignment can only be achieved with regular independent reviews, and by effective governance processes to ensure that the risk associated with procurement planning is contained.

Conclusion: In the modern world, no organisation has ICT entirely in-sourced. As a result, procurement, contract and vendor management have become strategic processes that allow organisations to align their ICT capability with the business strategy to achieve the desired outcomes, both now and into the future.

It is often the case that effective planning for the procurement of technology capability is compressed or constrained such that procurement is not able to effect ‘big step’ change. Or the commercial approach means the agreement is based on a fixed term, which results in the procurement not being a strategic exercise. More often than not, the procurement delivers constraints that limit the business’s ability to achieve the desired outcomes. These constraints limit the business’s ability to be agile in terms of elasticity, or how well it can respond to disruption in the market.

The technology options to meet business demand are not the same today as they were yesterday, and they will undoubtedly differ tomorrow. The challenge is to ensure ICT procurement is responsive to the business strategy, and that vendors share in the advantage a strategic alliance brings to the business. Procurement needs to be effectively planned and clearly aligned to the business strategy to ensure the strategy is delivered effectively.

This paper is the first in a four-part series on how to ensure procurement meets the business need and gain an understanding of strategic versus tactical procurement, and it will define the steps necessary to avoid the pitfalls that cause procurements to under-deliver.

Security concerns within enterprise hybrid Cloud environments continue to challenge many organisations despite the consistent innovation in security tools to manage vulnerabilities. By putting in place shared responsibility between the Cloud service provider and the client organisation, efforts to secure the entire Cloud architecture are possible through more holistic visibility, governance, and compliance. This enables workloads to be moved more freely between public and private Cloud environments, and helps better protect data, infrastructure, and applications.