Jan 29, 2021

NTT DATA: Vaccine Distribution, Taking a Starbucks Approach

Laura V. Garcia
8 min
Sylvie Thompson from NTT speaks to Supply Chain Digital about how taking a ‘Starbucks approach’ to COVID-19 vaccine distribution could save lives...

President Joe Biden and his advisers have inherited, or rather, not inherited, a Covid-19 vaccine distribution plan. However, President Biden has committed to turning around the pandemic and picking up the pace on vaccinating Americans. The question is, how?

I had the pleasure of sitting down with Sylvie Thompson, VP of Transformation at NTT DATA Services, a $4B global technology services company, and supply chain expert with 25 years' experience to discuss just that. 

Thompson's vast experience in the "back-end" of the supply chain and working with Fortune 100 companies has prepared her well for this moment – the most crucial and critical moment for every link in the vaccine supply chain to work harmoniously in saving lives.

Frankly stated, Sylvie Thompson knows what she's talking about when it comes to supply chain, and she believes the White House should follow a Starbucks, rather than a stadium or mega-site like approach.

To ensure optimal execution, minimise wastage and mitigate risks, we must take a more holistic approach. The needs of our most vulnerable and the complexities that lay within the supply chain must be carefully considered and planned for. If ignored, these complexities will lead to increased waste, lowered efficiencies, and deleterious outcomes.

Sylvie thinks that we need vaccination locations on every other corner in order set-up a defined number of appointments, establish daily delivery routes, track vaccines by dose, and ensure follow-up procedures for second doses are completed including receiving the second dose from the same manufacturer. 

The current operation of mega vaccination sites create mega-confusion and can disrupt the flow of resources.

"There are immense logistical differences between managing a small local corner store v.s a mega stadium. And from a supply chain perspective, I think if you understand the workings behind the scene, you come to the belief that although it may make for a good storyline and great PR to say, 'Dodgers Stadium is open, and 20,000 people are going to get vaccinated every day.' because it makes people feel like you're doing something, in the end, the question should be, are you achieving anything? And in actuality, you may just be complicating the supply chain even more," said Thompson.

She continues, "We have constrained supply, a core group of high-risk people we need to not only prioritise in terms of putting them at the front of the line but ensuring a safe environment and systematic process with limited barriers so as to not impede them from getting the vaccine. We also have healthcare workers who we need to rely on to perform the vaccines that also must be vaccinated. "

"We must remember, we have spent months telling people to stay away from large crowds, to stay home, and not hug their grandchildren or loved ones. And now we're saying, 'Get in line. Stand in line with 10,000 other people for hours and hours at a mega-site.' So I think, one, that the inconsistency in communication is a fundamental issue, but also, from a supply chain perspective, it creates way too many variables."


West Virginia's Vaccine Distribution Plan, "Save our Wisdom" 

West Virginia stands as a prime example of how a "Starbucks like" approach, as Sylvie calls it, could increase the efficacy of the rollout. 

West Virginia has successfully administered the vaccine to roughly 9 per cent of West Virginians, more than every other state other than Alaska, and double the number of some. Crucially, they also currently lead in the number of second doses that have been given.

Dr Paul Offit, director of the Vaccine Education Center and professor of paediatrics at Children's Hospital of Philadelphia warns that receiving only one dose of the two-dose vaccine could eventually drive the virus to mutate away from the vaccine and render it less effective.

When it came to the vaccine distribution plan, West Virginia officials decided to take matters into their own hands. Rather than follow the federal plan that partnered with Walgreens and CVS, they set their own strategy, focused on distributing through local independently owned pharmacies and about 200 long-term care facilities. 

"Why? Right now, you have a group of people who are fearful of leaving their house. They're fearful of going into crowds, and they're also fearful about getting vaccinated." Thompson says.

"So you have to get them into a small group where they feel they can ask their questions, it's somebody they trust, and they don't have to go far from home. And by doing that in small clusters, you can also follow up with them and make sure they get the second vaccine dosage by the same manufacturer. And I think sometimes we forget that complexity."

"Let's be clear; I'm not against mega sites in their entirety. I just think that at this junction, they're probably not the optimal path. Later, when you are dealing with healthy people, when you start vaccinating people in their 30s, 40s and 50s maybe, then it may work. But at this point in time, you're dealing with a group of high-risk people and a limited supply."


The Supply Chain Complexities of Vaccine Distribution

"The other thing if you look at it purely from a supply chain perspective, it's somewhat counterintuitive, setting up last-mile delivery, for example. The hardest thing in last-mile delivery is your routes and understanding the volume that you have to give. And when the shipments change every day, the human brain just isn't capable of making the necessary calculations. You have to have software technology. But if you can set up a static route, like your postman for example; he's just got his route, and it's easy to calculate exactly how many to drop off to him every day, and it becomes extremely efficient."

What Sylvie is describing is what is known as a pull system. The most easily recognisable of which is the cans on the grocery store shelf. Once only a certain number of cans remain a card signals the need to restock. The main differentiator between a pull system and push, its counterpart, is that instead of the supply chain pushing inventory up based on assumptions of what is needed, you draw, based on actual usage.

"I know I have 1200 locations in the state of Virginia. Each one of them needs 100 every day. I have a defined schedule. It's easy math. That same information then feeds requirements downwards to inform all other requirements. The fulfilment centre filling those trucks each day knows how many they need to ship and where. You can peel it back to know exactly how much you need to pull from stockpiles, from manufacturers." Sylvie explains.

"The problem with mega-sites is they introduce too much variability. Am I going to get 10,000 people today or 20,000 people? Am I going to run out at 9,000 and send 7,000 people home?" As those in supply chain well know, variability is a nemesis, compounds complexities and increases the likelihood of disruptions. 

Of course, with increased volume comes less control and increased waste, whether from damage or loss. "You're going to have stuff that's accidentally going to sit out, not through anybody's intentional behaviour. It's just the sheer size of the site is going to force you to end up with higher waste than what you would have if you were managing it in a smaller, more controlled setting."

"Unfortunately, whether we like it or not, we can't just open the flood gates, so we do need to pick. When you have supply constraints, you have to pick those groups of most vulnerable people who need it the most. Going to the small sites gives you that, which is why I say, I think when there's no supply constraints and six months from now when everybody's feeling much more comfortable, can you go to mega-sites? Yes. But is that really the answer right now?"

An added piece to an already complex puzzle is the need to phase in capacity to allow the room to administer second doses. "So if I only have 1000 appointments, and I max out 1000 on day one, on day 22, my 1000 appointments are already taken because of all the people from day one. So then I'll spend X number of days not vaccinating anybody new if I don't add more capacity. So there's this whole planning cycle that has to take place. We have to ramp this up in a way that we're constantly vaccinating new people but allocate the capacity to give that second dose and are holding that inventory for them."

Add to this the fact that Pfizer and Moderna require different interval windows (21 days for the Pfizer vaccine or 28 days for the Moderna vaccine), experts can't seem to agree on how big of a risk a long delay between doses poses, and the FDA has already reminded us about the importance of receiving the vaccine according to how the FDA has authorised them.

A methodical, people-minded and safety-focused 'Starbucks-like' approach may not make for splashy headlines, but in the end, it could save lives, and get us further, faster in this fight to find our way back to a new 'normal'.

Sylvie is Canadian, born, raised, and educated and now lives in northern Virginia. She started her career at the 'front-end' of supply chain in aerospace and defence procurement and is passionate about Supply Chain. 

NTT DATA Services. is a leading global technology services company that works with organisations worldwide to achieve their desired business outcomes by leveraging intelligent, data-driven and securely connected technology solutions. For more on NTT DATA, click here

Share article

May 10, 2021

Biden’s Supply Chain Intentions Depend on Cybersecurity

Oliver Freeman
6 min
President Biden’s supply chain executive order is heavily dependent on the lessons learned by cybersecurity leaders in recent years but will he take note?
President Biden’s supply chain executive order is heavily dependent on the lessons learned by cyber security leaders in recent years but will he take...

In recent years, the United States’ supply chain network has faced an onslaught of cyberattacks. The attacks have left the global superpower a shaking nation with a whole portfolio of challenges, risks, and vulnerabilities exposed to the masses. From the SolarWinds attack to the dependency confusion attack that breached companies like Apple, Microsoft, Uber, and Tesla, to the most recent US pipeline ransomware hit, it’s evident that, in an increasingly digital age, cybercriminals fear no traditional governmental powers, and supply chain networks need to hunker down on cybersecurity. 

Looking back at the height of the COVID-19 pandemic, western nations found themselves ill-equipped to deal with the novel Coronavirus; not due to lack of knowledge or medical inability but because supply chains were in a chokehold and supplies like personal protective equipment (PPE) for frontline workers weren’t being manufactured fast enough. 

To address this problem and mitigate future risks, Biden signed Executive Order 14017, aptly titled “America’s Supply Chains”, in February 2021. 

The Executive Order (EO) called for a comprehensive review of US supply chains to figure out exactly where the vulnerabilities and risks are, to help institutions and organisations manage any future disruption caused by COVID-like events. 

The EO focuses on six primary sectors:

  • Agriculture
  • Communications and information technology
  • Defence industrial base (DIB)
  • Energy and power
  • Public health
  • Transportation

The listed sectors, as you might expect, are increasingly dependent on digital products and services to maintain daily operations, which increases their vulnerability to potential attacks ─ so they need cybersecurity. In fact, cybersecurity should be front-and-centre as a critical facet of the EO if the federal government truly intends to create a more robust and resilient supply chain in the face of rising criminal adversity.

Digitisation Dangers The Nation

When it comes to a globally interconnected supply chain, the ambitions of Biden’s administration are potentially a little far-fetched and off-the-mark, in reality. I say that because an overwhelming number of industry-leading organisations ─ even in the tech realm ─ still do not feel confident in their ability to deal with the vulnerabilities in their supply chain. Most of which come not from internal operations but from externals ones in the form of third parties and suppliers that they collaborate with. 

According to the dated but increasingly relevant Marsh Microsoft 2019 Global Cyber Risk Perception Survey introduction, “cyber risk has moved beyond data breaches and privacy concerns to sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations, costing the economy billions of dollars and affecting companies in every sector. The hard truth organisations must face is that cyber risk can be mitigated, managed, and recovered from, but it cannot be eliminated.” 

Taking a look at the survey results reveals a telling tale: that third-party providers and supply chain operations external to an organisation are most likely to be the victim of cyberattacks and potential infiltration. 

The survey found a wide discrepancy in many organisations’ view of the cyber risk faced by supply chain partners, compared to the level of perceived risk they themselves pose:


This variance is consistent across industry sectors and geographic regions, and the largest organisations exhibited the largest dissonance: 61% of companies with revenues of US$5bn or more suggested that their supply chain partners pose a risk, whereas only 19% say they themselves pose a risk to the third-parties involved:


Low Confidence in 3rd-Party Risk Mitigation Capabilities

The above paints a pretty poor picture of the overall supply chain security ─ a disconnect between large organisations and their suppliers, which could be driven by companies’ low confidence in their ability to mitigate cyber risks posed by their commercial partners. The number of companies that considered themselves “highly confident” in that area is few and far between, with only 5-15% of respondents feeling prepared to deal with the cyber risks caused by certain types of third-party providers. 


So due to the very obvious lack of knowledge, it’s clear that supply chain professionals and organisations, as well as the Biden administration, should call upon their cybersecurity industry peers ─ white hat professionals ─ to take the fight to black hat cybercriminals.

How Cybersecurity Professionals Can Help

According to Padraic O’Reilly, CPO and Co-Founder of CyberSaint, the success of Biden’s Executive Order is heavily dependent on its stakeholders taking note of lessons from cybersecurity’s supply chain risk management initiatives, including: 

  1. Identifying the main weaknesses along the chain of production before determining which ones can be fixed cost-effectively. Then, compare that with the cost of the potential impact ─ discover where the holes are and what’s worth prioritising. 
  2. Thinking about the supply chain as a cybersecurity practitioner does. Cyber-risk is all about making sense of multiple data sources, and supply chain risk is the same. Don’t think about the supply chain as a single entity; rather, consider it as many entities that produce data ripe for deep risk analysis. 
  3. Standardisation across the globally interconnected supply chain is hard, and communication is key. Cyber experts are hot on the topic, as managing risk is exactly what they do. Vulnerabilities and risk is the language that they speak in. They’ve been dealing with supply chain security for years before disruptions at the scale of COVID-19 came about. 

Cross-sector collaboration with a strong focus on communication across hierarchical levels is at the very core of the cybersecurity function. If Biden hopes to see his supply chain initiative reign triumphant, his administration must ensure that efforts are coordinated across agencies, public entities, and the private sector industry. The administration must also carefully consider the potential impact of increased regulation that should be put in place following the year-long project ─ it could make or break the initiative across various sectors. 

According to O’Reilly: 

“The best choice is to rely on standards, measurement, and cross-industry collaboration to make this happen. Other supply chain standards, such as the Cybersecurity Maturity Model Certification (CMMC), can serve as models for a data-driven approach.

Without these considerations, we risk a lot of duplicative time, effort, and analysis, only to fail to mitigate cyber-risks and possibly result in yet another supply chain attack. We hope stakeholders will engage the information security community to bolster this project. Leveraging existing analysis by the information security community will matter to its success.”

Adapting To The Unknown 

The fact of the matter is, when it comes to the US supply chain, we mostly haven’t got a clue. It’s a massively interconnected network that represents an ecosystem ─ one with risks coming from all angles and multiple points of failure. It’d be almost impossible to figure out all of the potential risks, as Biden’s initiative intends, so, according to O’Reilly, it’d be beneficial to focus not on sniffing out every single supply chain vulnerability but on advanced persistent threat (APT) incentives:

  • What are the low-hanging targets?
  • What do criminals want?
  • What are they capable of? 

“Doing some scenario modelling and talking in probabilities could lead to more informed decisions regarding mitigating risk. NIST 800-30 and the FAIR model are examples of risk-quantification methods that aim to translate cybersecurity risk into dollars and cents. Understanding supply chain risk requires measurement, strong governance, input from security experts, information sharing, and advances in cyber and IT risk-management software. Instead of logging an APT's activity, start getting a fact pattern about where they may be going”, O’Reilly adds. 

So the final point to the Biden administration and organisations that are working on Executive Order 14017 is clear: cybersecurity professionals have an advantage over their peers because they already live to standardise data; they view risk through a lense of complexity and costliness of failure, and if the two parties can collaborate effectively, there’s a chance that security professionals can finally understand the full extent of the supply chain ecosystem and, with any luck, secure it from future attacks. 

Share article