Utilising our significant experience in procurement and contract management, Cambridge MC delivered £10m of savings on an addressable budget of £80m A large UK online retailer went through a downsizing exercise in the early part of 2023. This caused significant changes in demand, meaning that expenditure in many areas was far more than the business requirement. There were also instances where certain technologies were no longer required, but long-term contracts were in place that needed to be negotiated out. The goal of the project was to review all current vendor and supplier contracts, identify where savings could potentially be made, and then work with the procurement department to reduce the current level of expenditure to meet current business requirements. Our team was given a three-month deadline to make savings to the bottom line. Project Overview Cambridge MC was engaged on a three-month project to perform the following: Perform a deep dive on all vendor contracts against the current business. Establish priority saving areas and launch projects. Challenge demand and specification requirements. Build a cost reduction report. Engage in supplier negotiations in conjunction with the client's own procurement team. Produce weekly reports on cost savings achieved. Our experience in procurement, contract, and vendor management enabled us to completely meet the brief set out by the client which was to deliver significant bottom-line savings in a three-month turnaround. Specific Challenges Client had lost control of spend across the business. They had no awareness of what contracts had auto-renewed. They had signed long-term contracts. Some contracts had recently been extended for 24 months or longer. Due to downsizing, the volume of licenses for certain technologies were way above the actual requirement. Client had an inexperienced procurement team. Recent staff turnover meant that contract owners were no longer in the company. They had no contract management platform in place, resulting in contracts not being readily available. Most vendors were reluctant to renegotiate contracts at a lower cost to the business. Procurement had a process—not price—focus. Solutions Cambridge MC employed a data-driven analytical approach which prioritised target spend and volume data. All existing agreements and contracts were 'fair game'. We challenged what was the actual demand and specification, questioning whether what they have today is still relevant to what is needed now and in the future. After performing a deep analysis of all contracts, we entered into negotiations with vendors where the existing contracts did not meet the business requirement due to downsizing. Approach Vendors were allocated across the Cambridge MC team. Weekly all-day meetings at client's offices. Regular video conference calls to update progress. Engaged department heads as required. Outcomes & Results 1. Cost Savings In excess of £10m savings achieved off the bottom line. 2. Knowledge License requirements reduced to the correct level for the business. 3. Diligence Contracts managed far more closely. 4. Efficiency Procurement team coached to function more efficiently. 5. Commitment All contractual obligations were met.

Ensuring that University of Bristol remains the university of choice for students, academics and partners in a globally competitive market The University of Bristol is a Russell Group University and a leader in many global league tables, including the QS World University Rankings where in 2023 it ranked 9th in the UK. To strengthen its competitive position, the University is undertaking an ambitious digital transformation strategy. As a foundation of this strategy, the Modern Network will deliver a significant increase in capacity, flexibility, automation, resilience, security and experience for all users. Cambridge Management Consulting was selected as the consulting firm to help the University establish and refine the requirements, design the network in collaboration with University of Bristol experts and lead the technical procurement for a Modern Network. Cambridge MC’s technical and commercial expertise helped University of Bristol navigate a complex procurement exercise and deliver the first stages of the transformation programme. The Challenge The current University of Bristol campus network requires significant modernisation to support the University’s Digital Strategy. All staff, students and visitors interact with the University's network every day, whether it's connecting a device to Wi-Fi, emailing a colleague, or running a session on the University’s Digital Learning Platform. The University of Bristol recognised that improving their global competitiveness requires a step change in the digital experience offered to all users and so it launched its Modern Network programme. Key objectives of the Modern Network are to introduce a high-performance network that gives users access to comprehensive teaching and learning resources, as well as specialist equipment, data, and scalable fibre for innovative research. The Modern Network programme also aims to enable students to connect with friends and family, and socialise online from wherever they are on campus, at any time, day or night. The new network will enhance the Wi-Fi coverage and capacity to give users the best digital experience round the clock. The University realises that a significant increase in network performance is needed to support data intensive activities, including centralised and de-centralised computing, large scale sensor networks, media rich applications like augmented and virtual reality, data intensive instrumentation and modelling. The architecture designed is going to be more flexible, highly scalable, adaptable and evergreen. Security will be improved to cope with the continuously evolving threat landscape and to enable Modern Network users to safely perform their activities from any location in the world, with a consistent, hassle-free experience. The Modern Network will deliver a reliable platform with world-class operational capabilities, making the services easy to consume, monitor and manage. The Strategy Cambridge Management Consulting used its expertise and knowledge to quickly establish a comprehensive set of requirements and to test market appetite to deliver a Modern Network via an RFI. Requirements Management used a structured approach based on a Cambridge MC requirements catalogue. This accelerated the process of engaging University of Bristol stakeholders to validate requirements and helped to shape the University’s procurement process. An efficient and comprehensive stakeholder engagement process also saw the development of multiple personas that were used to explain how the Modern Network would deliver capabilities for students, academics, researchers and professional services colleagues. Cambridge MC, in conjunction with the university, then helped to shape a structured procurement approach. Modern Network capabilities were put into 3 main procurement categories to provide purchasing and transformation flexibility. Cambridge MC led the Procurement technical dialogue. Working in partnership with experts from the University of Bristol, a highly scalable, flexible, secure and resilient target state network was designed. The design is modular and makes use of multiple technical patterns. This provides a repeatable, standardised way for the University to deliver capabilities that can have customised performance service and levels. To assist the Procurement activities, Cambridge MC also created a Model Modern Network. The Model allowed a consistent financial assessment to be made at each stage of the Procurement, including providing a detailed estimate of the transformation milestones and payments. The Cambridge MC team also shaped the Modern Network programme. It was broadly shaped into mobilisation, discovery, design, prove, pilot and deploy phases. Cambridge MC are providing support in the early transformation phase to help the University of Bristol deliver the ambitious programme. The resulting Modern Network will be a high performance, flexible, resilient and secure platform. It will introduce self-service and automation, such as zero touch deployments and autonomous networks for research activities. It will leverage programmatic control and AIOps to improve the digital experience and inclusiveness, sustainability and the global competitiveness of the University. A technical modernisation like this requires a similar shift to a world-class operating model. Cambridge MC supported the service management redesign throughout the procurement phase. Using comprehensive requirements structured around ITIL, the team co-designed the enhanced set of service capabilities and are now helping University of Bristol to introduce these services. The new service management approach will provide full end-to-end visibility of the network, formal SLAs and SLA management and enhanced fault, change, configuration and knowledge management. This will complement the new technical capabilities and provide significant benefits to the University. The Team Cambridge Management Consulting provided procurement, commercial, technical business analysis and service management expertise. Cambridge MC also provided expertise for the procurement and post-procurement implementation activity. Cambridge MC worked exceptionally well with the University's digital and procurement teams to ensure end-to-end success for the University. Not only did the Cambridge MC team help support, but they also provided extensive knowledge transfer to, the University to minimise the future need for external support, minimise future costs for external consultants and help further develop the in-house ICT and procurement capabilities. Outcomes & Results 1. Cambridge Management Consulting's attention to detail ensured there were clear winners of the Procurement lots, with no challenges or disaffected potential suppliers. The winners of the three lots were all world-class organisations with a desire to support the University with its ambition to deliver a first-class service. 2. Cambridge MC have since assisted the University with other aspects of their Digital Strategy and continue to be engaged to help University of Bristol transform.

Our Procurement as a Service allows your internal resources to focus on what they do best essensys is a leading global software and technology company designed to solve the complex operational challenges faced by landlords and flexible workspace operators. essensys was using its sales & delivery teams to additionally procure services for their clients. This took resources away from what they do best: getting requests, chasing quotes and managing ordering & termination processes. As the inventory of services grew the client was missing out on the cost opportunities of procuring at scale. Rather than recruiting an in-house team, essensys turned to Cambridge Management Consulting for help with the procurement of their connectivity services from quotation to inventory management. The Challenge The initial contract was to help essensys meet pricing requests for ‘last mile’ connectivity enquiries from their Sales teams. To date this had been done through their Technical Delivery team and pre-sales engineers. The problem was that this took those specialised resources away from important core duties performed by the sales teams. Our pricing analysts took over quoting, originally for the UK and then for the US, supporting the essensys sales team and comparing the costs from suppliers with pricing from other clients. Pricing for essensys customer sites requires two diverse lines with different suppliers, providing as much resilience as possible to ensure a maximum uptime for essensys’ customers. Our team’s knowledge of suppliers and their networks ensures that maximum resilience is offered with each pair of quotes provided to the essensys team. Scope As essensys looked to expand their operations into the APA Region, we were asked to provide regulatory support establishing their operations in Hong Kong, Singapore and Australia. Once their PoPs were built, we supported these new markets by developing the supplier strategy for data centre space, access and IP Transit. We then helped the quote team expand their scope to include supporting sales enquiries for these new markets. When Sales started enquiring about connectivity in markets other than where essensys had operations, our PaaS practice located and introduced essensys to a partner organisation that would operate as their virtual PoPs, rapidly increasing the number of markets that essensys could cover while maintaining internet quality and client experience of the essensys platform. In 2023, essensys' relationship with our PaaS practice increased its scope again, supporting essensys in all elements of the procurement life cycle including all elements of inventory management (raising orders, submitting cancellations and ensuring that the inventory data is up-to-date) as well as supporting essensys in meeting their cost management targets. All of these services are supplemented with our PaaS contract management and end-to-end procurement strategy across their telecoms and data centre spend. The Team The team is led by Eric Green (Senior Partner) and Elisabeth Simao (Partner) who between them have over 60 years of experience in running telecoms procurement teams for some of the largest names in the industry including AT&T, Level 3 (now Lumen), COLT and SITA/Equant (now Orange Business) Backed by a team of analysts and calling on a roster of procurement specialists, the team is able to scale up and down to meet the changing needs of essensys as the project grew How Paas Works Our Procurement-as-a-Service team shares resources and knowledge with the Carrier Club (part of the Cambridge MC family of companies and focussed on telecoms operators). The team uses its view of aggregated spend across all clients to calculate what the right market price should be and then leverages this when negotiating new pricing We also benchmark suppliers and can manage all aspects of our clients' inventory management, proactive cost management and supplier management requirements Our clients effectively share a team of procurement specialists with decades of experience. This improves the decision-making process and gives you the edge over a traditional in-house procurement model

"Is it Snowing in Space?!" “Is it snowing in space?!” Asks a disgruntled Bill Murray in the film Groundhog Day when he is told that he cannot call out from the snowbound town of Punxsutawney, Pennsylvania. If there is a remake, Bill might not have to worry: signal dead zones may soon be a thing of the past due to recent advancements in satellite technology. Whereas the old picture of satellite communications was a scientist in the wilderness with a big clunky antenna, these days the technological payload is all in space. Recent advancements such as Low Earth Orbit (LEO) satellites, advanced beamforming, and the use of mobile spectrum bands means that any phone supporting 4G LTE can potentially receive satellite data directly. This integration of satellite and terrestrial networks is set to reshape the mobile industry, creating both opportunities and challenges for traditional mobile network operators (MNOs) and mobile virtual network operators (MVNOs). In this article we give an overview of the technological advancements, the major players in the market, and then consider the effects this will have on traditional wholesale mobile market structures; concluding with the emerging opportunities for new revenue and growth. The Evolution of Satellite Connectivity Historically, satellite communications operated independently from terrestrial networks, serving specialised markets with limited scalability and high entry barriers. However, recent advancements, particularly in Low Earth Orbit (LEO) satellite technology, have dramatically altered this scenario. The most well-known example is obviously SpaceX, which has played a pivotal role in democratising space: reducing barriers to entry and making satellite connectivity more scalable, performant, and accessible. SpaceX and other companies have found innovative ways to dramatically reduce costs. Since Sputnik 1 in 1957, launching payloads into space has been prohibitively expensive, with costs exceeding $100,000 per kilogram in the 1960s and averaging $16,000/kg for heavy payloads from 1970 to 2010. SpaceX’s innovations have brought these costs down through reusable rockets, vertical integration, economies of scale, and advancements in materials and manufacturing processes: leading to price points as low as $100 per kilogram in recent years. However, cost is just one of the barriers. The real gambit has been provided by Low Earth Orbit (LEO) satellites, which typically orbit at altitudes ranging from approximately 160 to 2,000 km and offer low-latency, high-speed connectivity — making them ideal for real-time applications and direct-to-device communications. The latest generation of technologies now enable LTE mobile phones to connect directly to satellites without specialised hardware, marking a significant milestone in mobile communications. The Major Satellite-to-Cell Players While SpaceX's Starlink has garnered the most attention, several other major companies are actively developing satellite-to-cell technologies and forming strategic partnerships with terrestrial mobile operators. As of April 2024, Starlink had established 15 partnerships with mobile carriers globally — including T-Mobile in the US. T-Mobile has structured its beta program to begin with text messaging capabilities, gradually expanding to include picture messages, data connectivity, and eventually voice calls. As of February 2025, it is reported that 7,086 Starlink satellites are in orbit, with 7,052 being operational. AST SpaceMobile has emerged as a significant innovator, achieving a historic milestone in April 2023 with the first-ever two-way voice call directly with an unmodified smartphone, via their BlueWalker 3 satellite. AST SpaceMobile launched its first five commercial satellites, the BlueBird 1-5 mission, on September 12, 2024, aboard a SpaceX Falcon 9 rocket. Lynk Global represents another significant player. In a recent expense report, it revealed that each satellite costs around $400,000 to build and up to $815,000 to launch into space. They hope to have up to 1000 satellites (for full continuous broadband coverage) in orbit by 2025 and 32 mobile network operator (MNO) partnerships by the end of 2025. The company has successfully demonstrated text messaging capabilities from satellites to standard cellular devices and continues to expand its constellation and service offerings. Huawei has partnered with China Telecom to demonstrate satellite-to-phone messaging capabilities, while Apple has worked with Globalstar to implement emergency satellite messaging features in recent iPhone models. Implications for Traditional Wholesale Mobile Market Structures Traditionally, the wholesale mobile market has been structured around MNOs, MVNOs, and wholesale aggregators. Revenue streams have typically included MVNO wholesale pricing, and IoT and machine-to-machine (M2M) solutions. However, the rise of satellite-to-cell technology poses potential threats to this established model. Disintermediation of MNOs and MVNOs Satellite-to-cell connectivity introduces the potential for disintermediation, where control traditionally held by MNOs could become fragmented across multiple parties in the value chain. As satellite providers increasingly offer direct-to-device services, traditional operators risk losing their central role in network management and customer relationships. Pricing Pressure on Wholesale Markets The increased availability and competition from satellite connectivity providers could exert downward pressure on wholesale pricing. As satellite services become more affordable and accessible, traditional wholesale providers may face challenges in maintaining their pricing structures and profitability. Competitive Pressure in IoT and Enterprise Applications Satellite connectivity is particularly well-suited for IoT and enterprise applications, especially in remote or challenging environments. As satellite-to-cell technology matures, traditional wholesale providers may face intensified competition in these segments, necessitating strategic adjustments to remain competitive. Emerging Opportunities in Satellite-to-Cell Connectivity Despite these challenges, the integration of satellite connectivity into mobile networks also presents substantial opportunities for innovation and growth. Forward-thinking operators can leverage satellite-to-cell technology to develop new business models and revenue streams. Hybrid Terrestrial-Satellite Subscription Models Providing Ubiquitous Connectivity Operators can offer hybrid subscription plans that seamlessly integrate terrestrial and satellite connectivity. Such models provide customers with uninterrupted coverage, enhancing user experience and creating differentiated service offerings. Wholesale Satellite Resale for MVNOs Satellite-to-cell technology opens new avenues for MVNOs to expand their service portfolios. By reselling satellite connectivity, MVNOs can offer enhanced coverage and reliability, particularly in underserved or remote regions, thereby attracting new customer segments. IoT and Enterprise-Focused Applications Satellite connectivity is a natural fit for IoT and enterprise applications, such as remote monitoring, asset tracking, and industrial automation. Mobile operators can forge strategic partnerships with satellite providers to deliver specialised solutions for these markets, tapping into new revenue opportunities. Emergency-Only and Disaster Recovery Plans Satellite-to-cell technology can play a crucial role in emergency and disaster recovery scenarios, providing a reliable backup to terrestrial networks when they are unavailable or overwhelmed. Operators can develop emergency-only plans that leverage satellite connectivity to ensure critical communications during crises. Conclusion Satellite-to-cell technology represents a convergence of space and terrestrial communications systems that promises to fundamentally alter global connectivity markets and players. The dramatic reduction in launch costs by a factor of 20 has enabled the deployment of massive satellite constellations that were previously economically unfeasible. The competitive landscape continues to evolve rapidly, with SpaceX, AST SpaceMobile, and Lynk, and traditional telecommunications companies all pursuing various technological approaches and business models. Commercial text messaging services are already becoming available through beta programs, with video calling capabilities demonstrated and voice calls progressing toward wider availability. The integration of 5G standards with satellite networks continues to advance through collaborative industry initiatives, with projections of a $50 billion market by 2032. As this technology continues to mature throughout 2025 and beyond, it promises to eliminate mobile dead zones and create new application possibilities that were previously unimaginable. The future of mobile communications is undoubtably hybrid: blending terrestrial and non-terrestrial networks into seamless connectivity solutions that follow users wherever they go. This has wide reaching implications for connectivity in remote and isolated regions, and offers perhaps the fastest and most cost-efficient route to bridging the digital divide. It will also transform how we respond in disaster zones and hazardous areas — increasing the ability to protect and save lives with faster and safer humanitarian and emergency services.

What Problem do Too Many SaaS Providers Have in Common? Many SaaS security providers have a history of treating important safety and security features as something to upsell. This raises the important question of whether a software vendor has a moral responsibility for the secure operation of their solution. In this article, we explore the implications of treating important security and safety features as an upsell, using Boeing as a test case of where this can go wrong. The Case of Boeing and the Aviation Industry The case against Boeing is emblematic of a more systemic issue across the aviation industry, and many other industries. The public became aware of this issue under tragic circumstances when the Lion Air and Ethiopian Air Boeing 737 Max airliners crashed in 2018 and 2019 respectively. According to the widely quoted New York Times article , the crash could have been avoided if the pilots had access to two safety features that were sold by Boeing as optional extras. According to the incident reports, at the root of the incident were the angle-of-attack sensors. These mechanical sensors operate in a similar fashion to a weathervane to measure whether the aircraft’s nose is pointing above or below the direction of airflow. Being mechanical, they may be prone to malfunction, perhaps jamming after having been installed incorrectly — as was believed to be the case for the Lion Air aircraft . The system that led to the aircraft’s demise, which identifies the risk of the aircraft stalling, only listened to one of the sensors. A difference in the signal being sent by the two sensors was not recognised by the anti-stall system; and the instruments that would have alerted the pilots to the conflicting signals were upsell items. This wasn’t a fancy, nice-to-have bell or whistle that makes the flight more comfortable, efficient, or profitable. It is an underlying safety feature of the aircraft. If there was no safety requirement for the redundancy of two sensors, it is difficult to see why there would ever be more than one. Boeing has now addressed the issue, and the anti-stall system listens to both sensors, responding safely in the event of conflicting signals. It should also be noted that the investigation identified pilot error and deficiencies in the training that contributed to the disasters (and this will be relevant to our points regarding many SaaS product decisions as well). The SaaS Parallels Cloud-delivered Software as a Service (SaaS) has revolutionised the tech industry, and catalysed a phenomenal level of innovation and growth. It has enabled new software capabilities to be brought to market faster than ever before, and facilitated the ability to reach a scale with costs defrayed across multiple customers that would have been unimaginable 30 years ago. However, the benefits of being able to access a service from anywhere, at any time, by anyone also presents significant risks. The ‘anyone’ can be a malicious party operating outside of the reach of law enforcement or extradition. As a result, there are clear commercial responsibilities placed on SaaS providers to secure their infrastructure from attack, and those that do not are unlikely to last long in the marketplace. But just like the aviation industry, there are different flavours of security, and different perceptions of what is considered essential. Taking due care and applying due diligence to ensure that the platform itself is adequately secured from a direct attack is clearly the vendor’s responsibility – but what about those elements of security that relate to risk owned by their customers? One key element of customer risk relates to the security of a user’s password. It is their responsibility to make sure they choose a long and random string drawn from upper case, lower case, numerical, and special characters (if allowed). It is also their responsibility to ensure that they do not ever use the same password for multiple applications or services. But, we know that compromised credentials is a common failure mode. Just because it is the user’s responsibility to mitigate this risk, this doesn’t mean that system developers do not also have some mutual responsibility to make it easier for the user to exercise that responsibility; controls have been developed specifically for that purpose. The most obvious ones are Multi Factor Authentication (MFA, or 2FA), and Single Sign On (SSO). With MFA, we improve the security of the credentials by also verifying that the user is in possession of their trusted device before we trust them at sign in. With SSO, we minimise the number of credentials and accounts to manage by federating with a single corporate account; we can then concentrate our effort to secure that corporate account rather than spreading our resources thinly. Both are relatively easily implemented these days, particularly in the case of SSO where the OAuth protocols are widely offered by Identity Providers. Once implemented, both are essentially free to operate, particularly if MFA uses an Authenticator app rather than SMS text messages. SaaS providers recognise that this security is important, and they will frequently implement MFA and SSO controls into their applications to meet that customer demand. But, too frequently, we see them only offered as part of the more expensive subscription options. This element of security is not enhancing the vendor’s core proposition; it is not making their offering more functional, better looking, or more efficient for their users. It is just making it more secure, and therefore to treat it as an item to upsell comes across as price-gouging rather than the responsible application of good security practice. It is almost as though these vendors have run out of innovative bells and whistles that their clients would value in their core product, so they have had to resort to undermining the security of their cheaper options in order to encourage their customers to pay for their more expensive ones. It is equivalent to a bank only using the CSC code on a card to secure transactions for customers who pay for their premium banking services, because, after all, it is the customer’s responsibility to protect their card details. Conclusion What we have described here is not universal, and probably is not even representative of the majority of SaaS providers. But, when you are reviewing a new service, we urge you to take a closer look at what security your provider is charging extra for. If low cost, high value security controls are being upsold, then you may want to consider what other security good practices are not being considered essential. For more information about our cyber security consulting services and Secure by Design principles in action, please contact Tom Burton, Partner for Cyber Security, using the form below.

As the UK's ageing copper landline network becomes increasingly unstable, Cambridge Management Consulting reports that BT is urging Critical National Infrastructure (CNI) providers to expedite their transition from analogue to digital voice. With the Public Switched Telephone Network (PSTN) nearing the end of its life, organisations face significant risks if they delay planning and execution for this essential upgrade. Recent data indicates that 60% of CNI providers in the UK still lack a strategic plan to migrate from the legacy analogue network. This statistic underscores an urgent need for action to safeguard essential public services, such as healthcare, water, energy, emergency services, and government operations. The transition is not merely a technological upgrade; it is a once-in-a-generation programme to future-proof communications and improve service reliability. The PSTN, our communications backbone for over a century, is becoming increasingly prone to faults and difficult to maintain, with recent reports showing a 45% increase in significant resilience incidents. The impact of this transition is wide-reaching, affecting critical systems such as telemetry monitoring sensors, emergency phone lines, telecare alarms in hospitals and care homes, CCTV, intruder and fire alarms and older EPOS machines.  As the below graphic shows, a broad spectrum of devices and services will be affected by the analogue switch off, including ISDN, ASDL and Fibre to the Cabinet (FTTC) broadband services. The majority of organisations are almost certainly in the dark when it comes to common knowledge of all of the devices affected, lacking the internal expertise and records to identify and audit complex, interrelated legacy systems.

Well Intended Guidance Leaves more Questions than Answers The UK Government Digital Services – part of the Department for Science, Innovation and Technology – has recently published guidance for how the public sector should adopt a multi-region approach to cloud technology. At first sight this appears encouraging. Any unnecessary constraints on hosting arrangements (or any other non-functional requirements) reduce the available market of providers, constrain competition, and therefore inevitably reduce value for money. If parts of Government, whether central, regional or local, have felt that everything must be hosted in the UK then it makes sense to produce guidance that clarifies this perception and helps to open their options up. But for guidance to be useful it should guide. It should make it easier for people to take actions that they previously would have discounted. The guidance in this case, which at 1420 words is almost as short as this article, probably leaves the reader with more questions than answers. It may reveal some unknowns, but without increasing certainty. The Guidance in a Nutshell A summary of the guidance is as follows: Look wider than UK: Many cloud solutions may not offer UK hosting, particularly new innovative solutions that haven’t scaled up yet. Irrespective, their staff are likely to be distributed around the world if the service is supported 24/7. There may also be other benefits in looking wider than UK hosting, such as enabling better business continuity and disaster recovery options if the vendor only has one UK site. Get legal advice: Before you even consider a non-UK option you need to seek advice from your own legal advisors and your Data Protection Officer (DPO). Ensure compliance with ICO guidance: Before you even consider a non-UK option you need to check and make sure that any international transfer of personal data will be compliant with the Information Commissioner’s Office (ICO) guidance, and you should get further guidance from your own legal advice and DPO. Do a full review of vendor security: Before you even consider a non-UK option you need to make sure the vendor and solution are compliant with your own security policies. In a nutshell, it says: 'you should consider options outside of the UK but only if you have checked everything is legal and secure'. This seems to be verging on a statement of the obvious; the real difficulty in going offshore is covering all of the legal, regulatory and security compliance aspects. Adequacy is a Moment in Time On point 3, the guidance points out data protection compliance is easier if the country in question is considered by the ICO to be adequate – having equivalent regulations for data protection to the UK. Sound advice. But even this is not that simple. For instance, the USA is not considered adequate unless it is under an extension of the EU-US Data Privacy Framework. This framework is dependent on an Executive Order that the Biden administration put in place, and it is entirely possible that it will be revoked by the current administration. If such an action was taken, or if for any other reason the EU decides that adequacy is no longer met (also not unlikely given Herr Schrems has achieved this twice already and has stated he plans to challenge the DPF), then the vendor will no longer be considered compliant. Consideration is Far Wider than Residency Security is far wider than data residency though. This is where point 4 both states the obvious and understates the complexity. Managing risk in the supply chain is inherently difficult. Cloud providers, and particularly SaaS solutions, aggravate this challenge by an order of magnitude. By their nature they are solutions designed for a broad and varied range of customers. This means they will always involve compromise. If they tried to meet the most demanding requirements, they would price themselves out of the scale marketplace. If they went for the lowest common denominator, they would be unable to meet the requirements of the majority. An individual customer can rarely dictate a specific security requirement for themselves. They are also highly opaque. The vendor presents their service as a black box. The features delivered to the customer are defined, but much of the underlying design and the means the vendor uses to manage it in operation are hidden. This makes assessing the risk far more of a judgement call than when the design and delivery is conducted under your control. Depending on the supplier, and the leverage that the customer has over them, it may be possible to get some information and assurances; but the right questions need to be asked, and the answers need to be interpreted correctly. Third party certifications and audits, such as the ISO27000 series of standards or the SOC1, SOC2 and SOC3 reports, can also provide some additional assurances. But only the customer will be able to decide the extent to which they can mitigate the risk, and the confidence they have in the supplier to manage their own. This is a business decision informed by the specifics and nuances of the risks being considered. Summary It is important to minimise the non-functional requirements and keep an open mind about potential solutions and vendors. This includes looking wider than just the UK when national security requirements are not paramount. But this is not something that can be distilled onto a single sheet of A4 in any meaningful way. Yes, there are legal and regulatory issues that need to be reviewed. And geopolitical risk needs to be factored in, considering how you would respond to future external changes that are outside of the UK’s control. But from experience, the greatest challenge is getting comfortable that the vendor’s organisation and their solution have adequate security – this applies equally whether the solution is hosted in the UK or overseas. The SaaS world is opaque, and balances priorities across a broad and varied customer base. The public sector needs to increase its adoption of cloud and SaaS solutions to remain efficient and relevant, in the same way that the private sector has had to. But the route to responsible adoption is more nuanced, requiring candid conversations with suppliers, and ultimately an informed but subjective judgement by the customer’s leadership. Sources/Links: DSIT Guidance for Multi-region cloud and software-as-a-service ↩︎ ICO Guide to International Transfers ↩︎ Executive Order (E.O.)14086 of October 7, 2022, on Enhancing Safeguards for United States Signals Intelligence Activities ↩︎ Note: This article originally appeared on Tom Burton's personal blog at https://digility.net/insights/

The Digital Communities All-Party Parliamentary Group (APPG) shared the ‘Care to connect: Public Switched Telephone Network (PSTN) Migration’ report with key parliamentarians on Monday at a launch meeting on Parliament Street. This report highlights key recommendations for managing the ongoing Public Switched Telephone Network (PSTN) migration, focusing on protecting vulnerable residents and ensuring effective solutions. Here are the major takeaways for local government and communication providers: Data-Sharing Agreements (DSAs) DSAs between communication providers (CPs), local authorities, and telecare providers are crucial for identifying vulnerable residents during the migration. Challenges include inconsistent responses from local authorities and fragmented approaches across CPs. The APPG recommends all local authorities and housing associations sign DSAs, regardless of progress in digital switchover, to promote uniformity and resident safety. Telecare Devices The sale of analogue telecare devices must end, as these can leave residents unsupported during the transition. The government, in collaboration with the TEC Services Association (TSA), should enforce higher standards (TEC Quality’s Quality Standards Framework) across the telecare industry to achieve robust digital migration practices. Financial support for local councils is critical to replace outdated telecare devices and prevent double costs. Battery Backup Solutions Existing guidance from Ofcom, requiring one-hour resilience for power cuts, is insufficient. The APPG recommends increasing power backup requirements to at least 4 hours in homes and 6 hours for fixed networks. Communication and energy providers must jointly create resilient power solutions, particularly for vulnerable residents reliant on telecare devices. A multi-sector priority service register should integrate communications and energy service protection for those at risk. Sunset of 2G and 3G Networks UK mobile network operators plan to stop supporting 2G and 3G networks by 2033, with some networks already switched off. There are cases where local authorities and residents have purchased telecare devices using 2G/3G SIM cards, as a lower-cost, interim solution — these devices will need to be replaced again, posing double replacement costs for local authorities and additional risks to residents. The government should stop the sale of analogue devices and accelerate efforts to prevent the redeployment of outdated telecare alarms. Summary We welcome these recommendations alongside the December 2023 PSTN Charter, the Telecare National Action Plan and the PSTN Non-voluntary Migration Checklist. The conclusions make it clear that coordination between local and central government, industry regulators (such as Ofcom and Ofgem), and communication providers (CPs), as well as significant investment in digital teams at a local level, are essential goals to ensure a safe and inclusive digital switchover for all vulnerable residents and telecare users. Read the full report here: https://digitalcommunities.inparliament.uk/care-to-connect-public-switch-telephone-network-migration-report About the APPG The Digital Communities APPG is a cross-party group of parliamentarians, with the aim to promote the delivery of digitally equipped places that support and foster a connected, healthy, and productive community. This includes the creation and maintenance of sustainable digital infrastructure, as well as providing residents with equal opportunity to thrive in a digital world. The LGA provides the secretariat to the APPG. Cambridge Management Consulting Our Public Sector and PSTN teams can help local councils and other public bodies by providing strategy, financial planning, procurement, and project management services to ensure that you have a comprehensive transition strategy and accurate financial costing for the PSTN switch-off. We can help you follow the recommendations in this report by completing a full audit, signing DSAs with CPs and most importantly, protecting vulnerable service users. Get in touch with Craig Cheney, Managing Partner and lead for Public & Education, to discuss a range of services which might suit your needs: ccheney@cambridgemc.com (or use the form below). Act now, before time and resources run out.