CIO East Africa July 2011


Innovation for Business Value Symposium & Expo | 23-24 November, 2011

Apply and stand a chance to win an iPad 2!

Applications open Visit: www.cio.co.ke/cio100 *Apply online

Deadline: 26th August 2011 For more information; contact info@cio.co.ke Office: +254 020 4041646/7 | Cell: +254 717 535 307


EDITORIAL DIRECTOR: Harry Hare
CHIEF EDITOR: Louisa Kadzo
TECHNICAL STAFF WRITERS: Dennis Mbuvi, Peter Nalika
EDITORIAL CONTRIBUTORS: Rebecca Wanjiku, Michael Malakata, Michael Odinga
COLUMNISTS: Bobby Yawe, Sam Mwangi, James Wire Lunghabo, Ruth Kang’ong’oi
HEAD OF SALES & MARKETING: Andrew Karanja
BUSINESS DEVELOPMENT MANAGER: Nicholle Myles
ACCOUNT MANAGER: Ivy Njerenga, Samuel Jumba
LAYOUT & DESIGN: Navtej Dhadialla

CONTENTS

Cover Story

When defending information security at the policy level to the board, the CIO has to speak the language of the CFO (money talks), pegging the value of information security to ROI (Return on Investment). When justifying the cost of expenditure on security to management, benchmarks include increased confidentiality, increased integrity of the company, reduced risks, increased trust by the organisation’s shareholders and so on: tangible benefits that are directly connected to information security.


Contacts eDevelopment House : : 604 Limuru Road Old Muthaiga : : P O Box 49475 00100 Nairobi : : Kenya +254 20 374 16 46/7 Email: info@cio.co.ke

Disclaimer ALL RIGHTS RESERVED The content of CIO East Africa is protected by copyright law, full details of which are available from the publisher. While great care has been taken in the receipt and handling of material, production and accuracy of content in this magazine, the publisher will not accept any responsibility for any errors, loss or omissions which may occur. ©CIO East Africa 2011

FROM US

Editor’s Viewpoint
From the Publisher
Last Word

TRENDS

TOP STORIES

Trendlines

Policy response to cyber attacks
Tigo turns up heat in mobile money
Airtel joins mobile money fray
Uganda U-turns on price directive

International Trends

CIOs: Polish up governance
Qualifications hinder IT workers
New cloud security architecture

Trend Analysis

Leveraging on technology
Info security must underlie ERP

TECHNOLOGY

Security

The bulletproof cloud

Cloud based business applications

Opinion

The about turn on a free market?
Rwanda’s ICT plan3

New Products

iFlashDrive

Technology

Oracle upgrades JDeveloper IDE

Business Tips

9 ways the iPad goes to work

www.cio.co.ke | BUSINESS TECHNOLOGY LEADERSHIP


July 2011 | Vol 3 | Issue 4

Editor’s Viewpoint

Innovation for business value

You may or may not have noticed that we have started receiving applications for the CIO100 Awards competition. This is the only competition that awards excellence in the execution of IT projects and recognizes the organisations and the people behind those projects.

Now in the second year, CIO 100 Awards recognize East African organizations that have taken risks on emerging technology or deployed the tried-and-true in a new way. CIO 100 is an opportunity for CIOs and senior IT executives to share with their peers the technology innovations that have enabled or led the way to greater success for their organisation.

Last year’s CIO100 Award winning projects reflected important characteristics in East African enterprises: maturity and strategy. The applicants showed how IT is evolving into a strategic investment and is pushing organisations to seek out new ways to benefit business and their customers.

The applications received last year had a diverse representation from all sectors of the economy. In many of the winning organisations, we saw projects that were inspired by real demand, efficiency and cost saving leading to the deployment of sustainable innovation. New revenue generation was coming straight out of IT groups. East African CIOs showed that their thinking is strategic, and they were pushing their organizations to seek out new ways to engage customers.

Overall, companies showed that there is a growing impact and value from the IT function in businesses. From this showing it is most likely that in the next few years, more investment in IT and infrastructure consolidation will take place and the relationship between IT and business value will be evident.

This year, CIO100 Awards recognizes that the role of IT has gone beyond that of enablement to one that creates synergy with all business functions to achieve a common goal. The Awards will, therefore, seek to honour 100 organisations within the region that are committed to innovation of all kinds. Some are product innovators; some have changed the terms of competition by innovating new processes; others are breaking new ground in the relationships they’ve forged. We will celebrate their excellence and share with you how they did it.

Teams of CIO judges will review the applications and make initial recommendations about each entrant. We will debate how each company stacks up against the others in terms of the depth and breadth of their practices, their creativity and the specific measurable results of their achievements.

Three reasons why we carry out these awards: First, CIO’s readers believe that developing the next generation of IT leaders is essential to IT’s ability to add real and sustained value to the enterprise. Yet research shows that CIOs do not spend enough time and attention on this. Through this award, we honor those who do and showcase how they do it. Second, this award will ensure that we stay in touch with the people who are leading the profession as they advance in their careers. Finally, it is a way for us to serve our readers and members by helping them recognize their key staff in a positive and public way.

Let’s see what you have, go on and apply (www.cio.co.ke/cio100) and be recognized.

Louisa Kadzo, CHIEF EDITOR
louisa.kadzo@cio.co.ke

From the Publisher

End of road for software dealers?

Last month I requested the office to take stock of the software we use in our organization. The idea was to know who is using what and try to harmonise the many tools that we use to be more efficient and effective. The result astounded me. More than 50% of the software we use is cloud-based; these are our everyday operational tools that we depend on to deliver to our clients: you, our readers, and our advertisers.

Here is a sample. We do periodic surveys; these include the State of the CIO and the CIO 100. For this we use SurveyMonkey, which is an easy to use, very effective survey tool, in the cloud. Most of you would have attended our events. For events management, that is registration, confirmation and marketing, we use EventBrite, again from the cloud.

For our collaboration and shared calendar, we depend on Google Apps where we can have real-time collaboration of articles generation using Google Docs within the editorial team and real-time status updates on subscriptions and other list services. The shared calendar is an invaluable tool for us, first, due to the crazy deadlines that we operate in and also to make sure that we don’t miss any ICT event that we need to report on. And second, of course email.

Then we have our own corporate social media tools that we use to do all sorts of things with: discussions on strategies, fun stuff on how Tej (Our Chief Design Officer) spent his weekend chasing the rally to launching new products. We use issuu for digital publishing and Seesmic for Twitter, Facebook and LinkedIn interaction. All these are cloud-based tools.

What is interesting is that most of these tools are free and some have very competitive usage-based pricing plans, but that’s beside the point.

This exercise confirmed two things to me. That software as a service is not a passing cloud as critics of the same keep on saying. Organisations are getting comfortable with cloud-based solutions for their day-to-day operations. First with the less critical, low risk apps, but slowly moving pieces of their critical apps on the cloud too.

The second thing is that there is a quiet revolution in the software industry. It appears to me that the days of buying software in nicely printed boxes in a series of CDs or DVDs are numbered. Software distribution is now largely happening online and this is not just for small pieces of software tools like the ones we use but even for enterprise applications.

This trend started with updates and upgrades, where software houses required that you do updates on certain modules or security patches and such. Apple moved in further when they launched the iPhone, which came with the App Store. This further opened up to other iDevices including the iPad and iPod.

Last year, Apple pushed this trend further when they included the App Store in their Operating System for the Mac. This means you can now download any application directly from the App Store for the Mac. There are rumours circulating that Microsoft is coming up with its own App Store, maybe with a different name due to IP issues. Then of course Google with its Market Place addition to Google Apps, and not to forget Nokia’s Ovi Store for Nokia mobile phone apps.

To me, the writing is on the wall, the traditional software development and distribution business model is on its deathbed, and this calls for CIOs to have that presence of mind that some of your favourite applications won’t be seen at your favourite dealer soon. If you start missing them there, they will either be a cloud offering or available on an App Store on your browser or OS.

Yet another disruption caused by technology innovation. How will the software dealers handle this? Is this the end of the road for them?

Drop me a line if you have answers.

Harry Hare, EDITORIAL DIRECTOR
harry.hare@cio.co.ke

New Products

i-FlashDrive
By Lucas Mearian

The PhotoFast device that links the iOS, Mac and PC.

Apple accessory manufacturer PhotoFast Global has announced a new flash drive that can transfer files between Apple iOS products, such as the iPhone and iPad, and OS X products.

PhotoFast’s new flash drive, the i-FlashDrive, comes in 8GB, 16GB and 32GB capacities and sports a USB connector on one end and an Apple 30-pin connector on the other. The drive is expected to ship in July.

PhotoFast is targeting the device for use when there are no networks available, such as on an airplane, in a place where there’s no wireless signal, or when no Mac computer or PC is available to make a file transfer directly.

The drive measures 2-in. x .80-in. x 3.6-in. in size. It is compatible with iOS 4.2 or above, Windows XP, Windows 7, Linux and Mac OS X. The device includes file management, music play features and contact backup.

“With built-in contact backup, importing photos from camera roll, we can always keep a copy somewhere else. Just in case the iOS device might get lost some day,” PhotoFast said in a statement. “The new features from iCloud API will be included in later updates of the App, making all sorts of storage possible.”

The i-FlashDrive also comes with an automatic prompt feature when it connects to iOS devices.

The i-FlashDrive has a retail price of USD 95 for the 8GB model, USD 115 for the 16GB model and USD 185 for the 32GB model.

Images: The i-FlashDrive connected to an iPhone; the i-FlashDrive connected to MacBook Pro.

IN BRIEF

The full articles are available on the CIO East Africa Web site (www.cio.co.ke)

AROUND AFRICA

Ghana’s rLG Communications steps into Nigerian market

Ghanaian mobile-phone assembling company rLG Communications has signed a memorandum of understanding with the Osun State government in western Nigeria, marking the company’s first step into the region’s largest market.

Under this agreement, rLG will replicate its Applied ICT Module of National Youth Employment Programme (NYEP), which was implemented in Ghana and Gambia last year, to benefit more than 20,000 youth from the Nigerian state. Apart from developing youth skills in mobile telephony and thus creating several jobs, rLG will also use the opportunity to expand the market for its mobile phones.

New Angola computer law could have effect on social media

In the face of an upsurge in African cybercrime targeting the financial sector and uprisings meant to force regime change in many African countries, the Angolan government has approved a computer crime law that gives security forces powers to search and confiscate data without a court order and creates penalties of up to 12 years imprisonment for any crime committed using a computer.

The law has been approved as part of a package of laws regulating information technology and data protection in Angola. The Angolan law is however also aimed at preventing unrest in Angola that is coordinated by social networks.

AfricaConnect to boost Africa-Europe connectivity

The European Commission has approved €14.75 million (USD 20.9 million) in funding, under the aegis of the Delivery of Advanced Network Technology to Europe (DANTE) non-profit organization. The objective of the project is to overcome the current limitations of international research collaboration between sub-Saharan Africa and Europe. The infrastructure is expected to be operational by 2012. DANTE will work with regional organizations in Africa including the UbuntuNet Alliance, which covers Eastern and Southern Africa, and the Association of African Universities. The project is expected to last four years.

AROUND THE WORLD

Green IT winning favour with CIOs

Organisations’ use of ‘Green’ IT increased 5 per cent during the second half of last year, with nearly three-quarters of CIOs having deployed more environmentally sustainable products and services, according to a new survey.

Interest in Green IT is also continuing to grow with an additional 8 per cent planning to deploy some form of it by the end of 2012. Research firm Ovum surveyed 500 CIOs and IT decision makers during the second half of 2010 from Europe, the US, Middle East and Australia.

The reasons for this include tight IT budgets and a sluggish economy forcing IT decision makers to scrutinise spending and realise any potential cost savings Green IT can deliver.

Phone calls still favored by adults for communicating with others

Voice phone communication and email are still preferred by Americans over social networks, texting and other messaging modes for reaching out to family, friends and co-workers, according to a new survey of 2,300 adults.

Email was the preferred mode (other than in-person communication) for reaching out to friends and colleagues. Meanwhile, voice via phone was the preferred mode for communicating with family members, such as a spouse or significant other, according to the survey.



Your business needs the right IT security skills

Very few organizations in Kenya have adopted IT security strategies. We have had organizations’ websites taken over by hackers, defaced and toyed around with, and the efforts to get assistance from trusted parties only offered meagre solutions that did not stand the test of time.

Information security affects the whole organization and its ability to function effectively; a qualification in this area can be very beneficial in today’s security conscious world.

Benefits of, need for, Information security skills

A well developed business model clearly outlines the need for a security policy and supporting standards, guidelines and procedures, the relationship with corporate governance and other areas of risk management. It also brings out the role of information security in countering hi-tech crime, both revitalized old crimes and new types of crime.

There is need for information security managers to have a good appreciation of associated physical security issues so they can make sure there is a seamless information security management system across the whole organization.

Skills in disaster recovery and business continuity management, and a clear understanding of the legal framework, are an absolute necessity.

There are several areas of specialty that one should consider in order to tackle IT security.

• Information security management: this qualification proves that the holder has a good knowledge and basic understanding of the wide range of subject areas that make up information security management. It also provides the opportunity for those already within these roles to enhance or refresh their knowledge and in the process gain a qualification, recognized by industry, which demonstrates the level of knowledge gained.
• Cisco Information Security Specialists focus on performing the basic tasks necessary to secure networks using the apprentice knowledge of networking gained by Cisco Certified Network Associate (CCNA) certification and the skills learned in Securing Cisco Network Devices (SND) completion of the specialized certification.

Business Ready Security Faith Sila, Corporate Sales Manager

Visit: www.talk-it.co.ke

Microsoft Forefront is a family of line-of-business security software by Microsoft Corporation. Microsoft Forefront products protect computer networks, network servers (such as Microsoft Exchange Server and Microsoft SharePoint Server) and individual devices. It helps deliver end-to-end security and access to information through an integrated line of protection and access.


Trendlines

Policy response to cyber threats

An international two-day conference on cyber security was held in June, with more than one hundred experts and stakeholders pledging their energies and commitments to finding lasting and sustainable policies and practices to curbing cyber attacks and managing general social threats in cyber space.

The two-day forum, under the theme “Common Responses to a Global Challenge”, was organised by the Commonwealth Telecommunications Organisation (CTO) in conjunction with the UK Cabinet Office of Cyber Security and Information Assurance (OCSIA), the Royal United Services Institute (RUSI), and the UK Department of Business Innovation & Skills (BIS).

With representations from countries such as the UK, Sweden, Nigeria, Canada, Germany, USA, Latvia, Sierra Leone, Kenya, Cameroon, Trinidad and Tobago, Mauritius, Ghana, Sri Lanka, India among others, participants discussed cyber issues such as critical information infrastructure protection, security in mobile channels, international cooperation, child abuse, identity fraud and general privacy on the net.

In a welcome address, Dr Ekwow Spio-Garbrah, CEO of the CTO, acknowledged the vast nature of the subject of cyber security, especially in relation to the fact that ICT growth is increasing by the minute and more online communities are being created daily.

“We generally acknowledge that we live in an Information and Knowledge Age in which cyber societies are daily being created. And as ICT infrastructures and the use of ICT terminals and handsets penetrate deeper into rural populations, affecting all facets of human activity, Cybersecurity is increasingly becoming important,” said Dr. Spio-Garbrah.

In a brief address, the Honourable Alhaji Ibrahim Ben Kargbo, Minister of Information and Communications from Sierra Leone, recalled some of the cyber attacks that have recently plagued some African governments where critical information has been siphoned through cyber break-ins. He said Sierra Leone is aware of the importance of cyber security in operating an efficient and more effective national security programme and is working on a number of policy and legislative instruments to ensure cyber protection along its legislative bills for Freedom of Information.

Declaring the conference officially opened, Mr Stephen Cutts, Assistant Secretary General of the Commonwealth Secretariat, stated that with a huge number of businesses and transactions taking place online, and with more and more consumers putting trust in the Internet, it is also crucial that the proper mechanisms are instituted to ensure total data protection and general web security. Mr Cutts mentioned some of the initiatives the Commonwealth Secretariat and its sister entities are undertaking, including the formation of the Commonwealth Internet Governance Forum, to help make cyber space a safe place for all users.

A discussion panel made up of Mr Neil Thompson, Director, Office of Cyber Security and Information Assurance; Mr Marnix Dekker, European Network and Information Agency; Mr John Crain, Chief Technical Officer, ICANN; and Mr John Bassett, Associate Fellow, RUSI examined the role of governments in enacting cyber security policies and legislations. There was a view during this panel discussion that although there were a range of technology solutions to cyber threats and cyber crime, the real teeth could only come from effective policies and legislation which would allow law enforcement officers a basis for taking quick action to fight cyber crime.

Tigo turns up heat in mobile money
By Edris Kisambira

New service in Rwanda bulks up company’s offerings as it battles Vodafone, Safaricom and MTN

A new mobile money service from Millicom International Cellular, the operator of the Tigo brand, is turning up the heat in one of Africa’s booming technology markets.

Tigo Rwanda subscribers have been signing up for the Tigo Cash service since May 13. Tigo has similar services in Ghana and Tanzania as well as in three Latin American markets. The company plans to integrate the Rwanda and Tanzania services, according to Tongai Maramba, product manager of Tigo Cash.

MTN MobileMoney and the M-Pesa service from Vodafone and Safaricom are the current leaders in the African mobile money arena. But mobile phones are spreading extremely fast across the continent and the market for mobile money services is expanding.

Tigo Rwanda has a subscriber base of more than 670,000 users as of January 2011, according to information from the Rwanda Utilities Regulatory Authority (RURA).

Mobile money transfer services on the continent have roots in Africa’s lack of infrastructure, particularly bank branches. Only one in five people have bank accounts in Rwanda, mainly because of the prohibitive cost of operating branches in rural areas.

“Tigo Cash is basically a wallet on your mobile phone,” said Tigo Rwanda CEO Tom Gutjahr. “Basically you have your money in your pocket or on your mobile phone and you can send and receive money any time of the day or night,” he said.

The service is available to any user who is above 18 years with a Tigo SIM card and a valid identification card for registration. Non-Tigo customers will be able to receive money from Tigo subscribers, but they cannot send money using the service.

Mobile money services are slowly changing the face of payment systems on the continent. For example, in Uganda, the National Water and Sewerage Corporation (NWSC) has recently closed offices nationwide and launched an e-water payment system through which clients can settle bills via a mobile money application.

Airtel joins mobile money fray
By Michael Malakata

As stiff competition eats into voice revenue for Africa’s mobile operators, Bharti Airtel has moved to provide banking services in a bid to increase revenue.

In order to facilitate the development of innovative mobile financial services focused on customers who do not have full access to banks, Airtel has partnered with Ecobank Transnational in 14 African countries in which both companies have a presence.

Airtel and Ecobank have agreed to launch a wide range of mobile financial services including person to person (P2P), Business to Business (B2B) under the brand names of “Ecobank Mobile” and “Airtel Money.” So far no service provider is providing B2B mobile financial services targeted at small businesses and enterprises.

Airtel is however joining a market that is already heavily contested with service providers including MTN, Safaricom and Vodacom. The increase in mobile money services has been caused by increased accessibility of mobile phones both in urban and rural areas.

The partnering of Airtel and Ecobank in providing mobile financial services is expected to result in stiff competition that will significantly bring down the cost of mobile money services. Currently, Africa’s mobile money is dominated by Safaricom and MTN. Safaricom uses the M-pesa mobile money service to remit and receive money across the East African region and South Africa.

Last year, MTN partnered with Western Union and introduced international remittance services in 21 countries in Africa and the Middle East where MTN has a presence. MTN subscribers registered for the service receive money through Western Union money transfer transactions on their mobile phones.

Most Africans are now using mobile financial services to buy goods, pay utility bills, buy mobile airtime as well as receive funds from abroad. According to the World Bank, Uganda receives nearly USD 500 million in remittances every year, making up 3 percent of the country’s gross domestic product (GDP). Mobile banking has also considerably attracted low-income populations often residing in rural areas who may not be able to afford a traditional bank account.

By launching the mobile money service, Airtel hopes it will be able to wrestle some customers from service providers already providing the service and to persuade Ecobank’s customers to use the mobile money service. But although Ecobank is well established in West Africa, in Southern Africa, the bank is relatively new with a presence only in Zambia and Zimbabwe, with a very small customer base.

Uganda U-turns on price directive
By Edris Kisambira

The Uganda Communications Commission (UCC) has gone back on a directive made on June 10 requiring operators not to price rates, especially off-net call tariffs, below 70 percent of the interconnection rates.

Uganda’s highly competitive telecommunications market is made up of five GSM (Global System for Mobile Communications) operators who have been engaged in a tough price war dating back to 2009, when Warid Telecom introduced near-free calls for users after they paid for a low-denomination recharge voucher.

In a public notice that was issued on June 10 the UCC said, “following a consultation process involving relevant stakeholders from the communications industry, the Uganda Communications Commission hereby announces the issuance of new tariff guidelines for Retail Voice Telephone Services in Uganda.”

The notice went on to say the guidelines, a draft of which is publicly available, are based on recent trends in the voice market and are aimed at promoting fair, efficient and competitive market conduct in the telecommunications sector.

Days after, David Ogong, the UCC director of competition and corporate affairs, said the regulator was continuing with a consultation process that started in January this year, even though the Friday public notice seemed to suggest the process had been completed.

The guidelines are aimed at curbing anticompetitive pricing practices that may be to the detriment of new market entrants. Ogong said that a series of below-cost tariff offerings have undermined long-term competition, sustainability and quality of service. He said some of the offerings border on predatory pricing or price cannibalism, which jeopardizes long-term consumer choice, affordability and overall economic growth.

In addition, according to the UCC, if the situation is left as is, it will lead to consumer confusion due to the frequency of change in the rates.

The guidelines, which the UCC said are still a draft, stipulate that there will be a distinction between promotional and standard tariffs. Standard tariffs in this case shall be cost-based, transparent and non-discriminatory. Off-net calls should not be priced below the UCC reference interconnection rate. On-net calls on the other hand will not be charged a rate below 70 percent of the interconnection charge. This is also below the current average on-net charge.

Further, promotional tariffs shall not be in the market for more than 90 consecutive calendar days.

Failure to comply could lead to, among other measures, a penalty of up to 10 percent of annual turnover.

The biggest player in the market, MTN Uganda, with 7 million subscribers, welcomed the move, saying the effect of the directive is to introduce a price floor.

“This would appear to be consistent with similar Government action taken in the region (specifically Kenya), to control the price wars in the telecoms sector,” Anthony Katamba, MTN Uganda’s general manager, legal and corporate services, said in an e-mail response.

Katamba said the government is reacting to the raging price wars that are not based on any significant changes in market dynamics such as supply exceeding demand.

Katamba said the price wars not only threatened the viability of most of the operators but have also negatively impacted government revenue and the long-term sustainability of the sector.

International Trends

CIOs: polish up governance
By Antony Savvas

Create competitive advantage by taking calculated risk

CIOs require both leadership and execution to successfully implement IT governance, according to analyst Gartner.

At an IT governance summit in London held in June, the analyst outlined how CIOs can improve their credentials. “Great IT leaders master process, and they understand that executing governance programmes involves process, discipline and creativity,” says Gartner.

While most organisations limit governance to gaining control and “eliminating bad risks”, the highest-performing organisations also use it to “take good risks and gain competitive advantage”, Gartner said.

Tina Nunno, a Gartner analyst, said, “Good governance is about control while great governance is about guidance and competitive advantage. Organisations with good IT governance enjoy benefits such as increased business value of IT-related assets, and strongly governed organisations receive a 20 percent higher return on assets.”

Nunno added, “CIOs with great governance create competitive advantage by embracing emerging technologies, innovation and, most important, the concept of calculated risk.”

Gartner said that organisations that do governance well have fewer governance mechanisms and lighter processes because key staff have learned to work together well and have a shared understanding of the business priorities. Less mature organisations need more controls to create focus and deliver business results.

CIOs needed to manage two dimensions of governance. First is governance as a decision-making framework that reflects the organisation’s goals and priorities, and how the organisation intends to achieve them. Second are governance processes that cover the structures and methods the organisation uses to execute and institutionalize the governance framework.

Gartner said the framework is what the organisation has decided, while the process is how the organisation will institutionalize those decisions.

If an effective governance framework is implemented effectively “it reduces conflict between stakeholders, finance can easily track organisation spending against framework priority categories, business performance significantly improves and the organisation reacts better to competitive threats”, said Nunno.

Failing to communicate is a common governance pitfall. Governance bodies struggle with decision making when they lack appropriate information. Stakeholders, in turn, struggle to comply with poorly communicated decisions. CIOs need to check their communication tools when they notice lack of compliance with governance decisions or excessive revisiting of established decisions, said Gartner.


Qualifications hinder IT workers By Jennifer Baker

CIOs want a Europe-wide competency framework

CIOs would hire more foreign IT workers if they could more easily compare qualifications, according to a new survey.

Senior IT professionals in Europe are worried that the mobility of IT workers among member states is hampered by a lack of transparency in IT certifications and qualifications.

More than 370 IT professionals -- mostly CIOs -- were interviewed for a European Commission survey published in June.

The Innovation Value Institute (IVI), which carried out the research, found that there are more than 1,300 ICT certification courses currently available across Europe, leading to confusion about qualifications.

Almost 60 percent of respondents said that the number of practitioners working outside of their native country was growing, but that there were still obstacles to workers looking to move. Three-quarters of the respondents said that being able to compare academic qualifications and certification across national boundaries is essential to job mobility.

The CIOs said a Europe-wide competency framework could help to resolve confusion and misunderstandings arising from certification comparisons. In terms of preparing the next generation of CIOs, only 12 percent thought education providers were meeting this need.

“This is a significant initiative in identifying how we can best support the training needs of future ICT managers,” said IVI founder and director of Intel Labs Europe, Martin Curley. “Mobility for ICT professionals as well as the strengthening of the CIO role in enterprises are two of the most important requirements for business today, particularly as ICT becomes more important and more central to the business value of organizations.”


New cloud security architecture By Bob Violino

Members of the Open Group’s Security for the Cloud and SOA Project have launched a new security architecture for the cloud, to help security organizations better understand the unique security aspects of cloud computing.

The group has published a guide called “An Architectural View of Security for Cloud,” the first in a forthcoming series on security that will cover multiple areas beyond the cloud. Together, the guide and architecture are designed to help IT and security executives gain a more comprehensive view of complex cloud infrastructures and as a result make more informed decisions regarding the risks and opportunities.

The group’s intent is to produce “a set of whitepapers which will examine each of our architectural building blocks in greater detail through the use of business scenarios,” says Omkhar Arasaratnam, a certified senior security architect at IBM and co-chairman of the Open Group’s Cloud Work Group Steering Committee.

“The reality is that security in the cloud is not black or white, but really many shades of gray,” Arasaratnam says. “IT and security executives need to understand the impact which these shades of gray have on their overall risk posture, and take appropriate mitigating steps.”

The work the group is doing complements what the Cloud Security Alliance (CSA) has been working on with regard to cloud security, Arasaratnam says. “The Cloud Security Alliance has published a number of excellent documents regarding various aspects of securing cloud computing,” he says. “We fully agree with many of them, in fact in our recent white paper we even cite some of their latest thinking regarding identity and access management.”

The group’s work is more focused on the architectural concerns of cloud security, Arasaratnam says, “where we find that the CSA work mainly [focuses] on technical controls such as device settings. Consideration of both are required to [secure] your cloud.”

CSA agrees that the work is complementary. “The Open Group’s policy-based cloud security architecture white paper effectively leverages and aligns with CSA identity management principles for the cloud,” says Subra Kumaraswamy, co-chairman of the Identity and Access Management, Encryption & Key Management working group at the CSA.

“It is articulating the key security issues in the cloud: identity, entitlement and access management in the cloud,” Kumaraswamy says. “CSA’s current effort in the area of identity reference architecture will address all aspects of identity and access lifecycle including provisioning, authentication, authorization, federation and auditing and will be complementary to the Open Group’s efforts.”

The Security for the Cloud and SOA Project will host an “architectural decisions rodeo” at the Open Group Conference in Austin, Texas, July 18-22, to discuss key architectural decisions regarding cloud security.


Leveraging on technology By Dennis Mbuvi

Accenture’s name has cropped up time and again in the ICT sector, especially when it comes to the government sector in areas such as shared services. CIO East Africa talks to Jessica Long, Accenture Development Partnership’s client group leader for donors and emerging governments, to find out who Accenture are.

“Accenture is a global management consulting, technology services and outsourcing company that is involved in transforming clients’ businesses into high performance organizations,” says Long. “We help our business and government clients envision, architect, design, build and operate solutions to their most complex and mission critical issues to improve performance.”

According to Long, the company has more than 215,000 employees serving clients in more than 120 countries.

Accenture Development Partnerships (ADP) is the not-for-profit arm of Accenture that provides business and technology services to the international development sector, operating on a non-profit basis. It is a unique business model where Accenture employees voluntarily take up to a 50% pay cut with the clients, who pay the remaining amount at a much reduced rate. Accenture also makes a huge contribution by foregoing profit margins and reducing overheads. This is a kind of give-back to the development sector, developing countries, non-governmental organisations (NGOs) and other non-profit organisations.

ADP has had its presence in the continent for quite a while with offices in South Africa, Nigeria, Morocco, Angola, Botswana and Mauritius. Accenture East Africa is ADP’s legal entity in Kenya, supporting the East African region.

“We see Africa overall as a strong growth market that is increasingly seen as an investment destination by many of our global clients,” says Long.

“We also look at it as a great way to build our presence and help build high performance organisations leveraging on Accenture’s cross-industry expertise. It is a way we can take the best of Accenture development skills and capacity and deploy them in a way that makes a positive change,” she says.

In East Africa, ADP works with many NGO clients such as Africa Medical Research Foundation (AMREF), World Vision and Oxfam, amongst others. The firm also works with the government of Kenya, especially the Kenya ICT Board, the Ministry of Information and Communication, the Ministry of Finance and the eGovernment Secretariat.

The partnership with the government of Kenya has a focus on helping the country achieve a middle income economy under its Vision 2030 strategy. This is done by working closely with the government in development activities and capacity development.


In the ICT sector, Accenture’s most notable project is the development of the master plan for government IT shared services. Accenture was engaged by the Kenya ICT Board through the World Bank TCP/IP project. Over the last year, Accenture has done a full assessment of the current state of technology across the 42 ministries in government and 175 local authorities. The assessment included the actual systems and hardware infrastructure in use, people skills and requirements. This was followed by several workshops and meetings which resulted in the development of targets, blueprints and a multiyear roadmap, all finalized in February 2011. The project is currently in its implementation phase.

Accenture is also working closely with the Ministry of Finance and the Treasury on the Integrated Finance Management Information System (IFMIS), helping them from a management support perspective. The firm is also involved with the eGovernment Secretariat in end-to-end Government process design.

Other ongoing projects include an eLearning project with AMREF which has been ongoing for over five years. “The project helps train and register nurses through e-learning as opposed to the paper and classroom based learning they used to do which was not nearly as efficient,” says Long.

In microfinance, Accenture is working on mobile banking and mobile insurance products. This uses technology to target people who have limited access to such services.

The WIND (weather information for development) project leverages weather information from the government’s meteorology department to provide better information to farmers to help them in decision making. The information would be provided via mobile phones and radio, along with other forms of communication.

The company is also offering supply chain solutions to different sectors of the economy.

Long says that East Africa provides a central place for ADP’s work. Kenya has strong research and academic sectors and a development community (NGO sector), which includes working with the United Nations’ institutions.

In Tanzania, Accenture deals with a lot of market assessment and supply chain solutions, especially in the agricultural sector. There is also an ongoing medical supply chain programme which will boost the government’s ability to improve medical supply.

Other notable efforts in the ICT sector include Accenture’s recent cash sponsorship of all the 11 categories of the Vision 2030 Innovation in ICT Awards. Long says that the innovators need help and hand-holding to help them scale up their applications.

Automation of the government makes it efficient and effective. It has a huge impact that improves people’s lives. The national fiber optic backbone infrastructure (NOFBI) greatly improves people’s access to information.

New technologies and ways of delivering technology such as cloud computing, tablets and services on demand are coming up at the same time that the region is getting globally connected.

Long says that at the end of the day, Accenture’s objective is to help organizations achieve high performance in whatever they do.

Long views Kenya as a sweet-spot for mobile technology. This has especially been buoyed by the arrival of undersea fiber cables, which enhance the ability to access and provide services to the rest of the world. This makes Kenya part of a knowledge based economy in ways which were not possible before the landing of the cables. In addition to connecting Kenya to the rest of the world, the cables also reduce the cost of doing business and boost the country’s capability to provide services such as business process outsourcing.

Jessica Long, Accenture Development Partnership’s client group leader, with the award at the Connected Kenya summit


Info security must underlie ERP By Tirus Kamau

The Enterprise Resource Planning (ERP) world requires a new way of thinking about security. Security ceases to be just about the bits and bytes of network traffic, firewalls and so on, and becomes about company transactions that inflict financial losses from systems-based fraud, neglect and errors.

While most information security initiatives focus on perimeter security such as firewalls to keep outsiders from gaining access to the internal network, the potential for real financial loss comes from the risk of outsiders acting as authorized users to initiate damaging transactions within business systems. There have been increasing cases of an enterprise’s internal staff intentionally or unintentionally leaking confidential information. According to some of the latest IT security survey reports, internal staff carelessness is by far the biggest threat to corporate data leaks.

It is regrettable that very few companies realize that the threat from within the enterprise could be bigger than the risk posed by new productivity features, such as mobile access for workers in the field and the ability to more easily share information with industry partners and vendors, that expose your system to increased risk of unauthorized intrusion.

All is not lost

There are many controls that CIOs can put in place that will give chief executives peace of mind. These basic universal principles will also help make sure your ERP implementation results in a secure deployment that mitigates most of the risks discussed above:

• Evaluate and build up ERP access control policies and measures for on-going sustainability
• Make use of field-tested methodologies and tools to facilitate the process of designing or re-designing appropriate data security
• Analyze access to sensitive application objects, transactions and windows as applicable
• Carry out segregation of duties analysis in all modules of a given ERP system
• Be involved with the construction, deployment and testing of proper security user roles and access authorizations
• Assist with the deployment of appropriate security configuration settings and procedures.

The benefits of implementing world-class, respected ERPs such as A1 ERP, SAP and Oracle are negated unless they have robust application-level security built in to the design from the word go. A subtle balance between data availability and a well-secured ERP implementation is not easy to achieve. It’s advisable to have penetration tests done by a reputable firm on your ERP implementation, as they help to identify the potential system breaches which may allow hackers to gain access to business-critical data, for reasons related to espionage, fraud and sabotage.

Never trust your staff too much!

It is risky to give one person access rights to alter your ERP system however they want. This is especially true when your IT staff are given administrator rights to the database. As a basic rule, the ERP system should be configured so that one needs an activation code to manipulate some key processes within the system.

Audit logs and alerts should be able to capture and report any change effected on the system and by whom. The access rights ought to be distributed across several persons in such a way that even if one decides to sabotage the firm, the access rights held by another will restrict the act. Security credentials for system accessibility should be guarded with vigor.

Act before it’s too late to act!

Kamau Tirus heads the Innovation Arm of Alliance Technologies and is responsible for driving and providing leadership for the Research & Development (R&D) activities.
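The segregation of duties analysis, distributed access rights and audit logging recommended in this article can be checked mechanically. The sketch below is an added example, not part of the original article or of any ERP product: every role, permission, user and conflict rule in it is constructed sample data, and the function names are hypothetical.

```python
"""Segregation-of-duties (SoD) analysis and dual control for ERP changes.

Every role, permission, user and conflict rule here is constructed sample
data; map them to your own ERP's authorization objects before use.
"""
from datetime import datetime, timezone

# Pairs of permissions that no single user should hold at the same time.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}): "can create a vendor and pay it",
    frozenset({"po.create", "po.approve"}): "can raise and approve the same purchase order",
    frozenset({"db.admin", "config.approve"}): "can alter the system and approve the alteration",
}

ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve"},
    "buyer": {"po.create"},
    "purchasing_lead": {"po.approve"},
    "dba": {"db.admin", "config.change"},
    "change_approver": {"config.approve"},
}

USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],  # conflict only visible across two roles
    "carol": ["buyer"],
    "dave": ["dba"],
    "erin": ["change_approver", "purchasing_lead"],
}


def effective_permissions(user):
    """Map each permission the user holds to the roles that grant it."""
    granted = {}
    for role in USER_ROLES.get(user, []):
        for perm in ROLE_PERMISSIONS.get(role, set()):
            granted.setdefault(perm, set()).add(role)
    return granted


def sod_violations():
    """Return (user, risk, roles involved) for every conflict a user holds."""
    findings = []
    for user in sorted(USER_ROLES):
        granted = effective_permissions(user)
        for pair, risk in SOD_CONFLICTS.items():
            if pair.issubset(granted):
                roles = sorted(set().union(*(granted[p] for p in pair)))
                findings.append((user, risk, roles))
    return findings


def apply_config_change(requester, approver, change, audit_log):
    """Allow a change to a key process only under dual control, and log it.

    The attempt is written to the audit log whether or not it is allowed,
    so a refused self-approval is still visible to reviewers.
    """
    if requester == approver:
        allowed, reason = False, "requester cannot approve own change"
    elif "config.change" not in effective_permissions(requester):
        allowed, reason = False, "requester lacks config.change"
    elif "config.approve" not in effective_permissions(approver):
        allowed, reason = False, "approver lacks config.approve"
    else:
        allowed, reason = True, "approved under dual control"
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "requester": requester, "approver": approver,
        "change": change, "allowed": allowed, "reason": reason,
    })
    return allowed


if __name__ == "__main__":
    for user, risk, roles in sod_violations():
        print(f"SoD conflict: {user} {risk} via roles {roles}")
    log = []
    apply_config_change("dave", "dave", "disable payment limit", log)
    apply_config_change("dave", "erin", "raise payment limit", log)
    for entry in log:
        print(entry)
```

The conflict check works on effective permissions rather than role names, because a user who holds two individually harmless roles is exactly the case a role-by-role review misses.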


Cloud based business applications Eric Mujera

Business organizations the world over are driven by, among many key indicators, the quest to grow revenues and curtail costs in an effort to make profits and appease both employees and shareholders.

Typical business application projects face challenges including high software support costs, expensive license fees, long project implementation timelines, regular software upgrades and complex systems integration that inhibit growth in the sector.

For the IT department to provide strategic value to the organisation, simple technology management should be outsourced wherever possible. We believe that it is counterproductive to have IT staff spending a significant amount of time handling routine application maintenance and upgrades. In fact, previous analysis has estimated that between 18-25% of total software license fees is spent annually on in-house software maintenance.

Against the backdrop of this kind of operating landscape, the solution for companies lies in the adoption of SaaS (Software as a Service) cloud based business applications.

SaaS is a model of software deployment where an application is hosted as a service provided to customers across the Internet. It is a delivery model hosted and managed by the vendor and delivered across the Internet.

Usage-based pricing (vs. the perpetual license model of on-premise software) is normally calculated in terms of per user per month, per transaction per month or per GB of storage per month.

The main advantage of SaaS solutions is a total cost of ownership (TCO) that is lower than that of traditional on-premise applications. SaaS solutions also include the cost of any upgrades and maintenance in their subscription pricing, whereas with traditional on-premise software, maintenance is an extra cost borne by clients. SaaS solutions provide businesses with the agility to meet the demands of a rapidly changing business environment. Typical SaaS based solutions take a much shorter implementation period to go live.

Cloud based applications are aligned with the demands of a mobile workforce. They present a shift in focus from software-centric technology deployments to user-centric ones. Effective cloud computing provides a higher degree of flexibility and user centricity than traditional software and therefore encourages focus to shift from control to end user empowerment. While this may be challenging for some managers, the benefits to be derived far outweigh any short term problems.

One of the key criteria which businesses should consider before moving their operations to the cloud is interoperability. Cloud computing products generally include application programming interfaces. These normally allow customers to integrate several discrete applications without having to manually move data between applications.

In order to ensure the highest standards of security for their customer data, cloud providers employ world standard security professionals and they follow industry best practices to keep this data safe.

Seven Seas Technologies is focused on providing cloud computing solutions to our existing and potential business partners.

Mr Mujera is a Business Development Manager with Seven Seas Technologies Group

Eric Mujera, Business Development Manager, Seven Seas Technologies Group


Desktop virtualization costs By Eric Burgener

If you are about to start considering a virtual desktop infrastructure (VDI) project, be advised: You need to really understand what your storage costs will be up front. Unexpectedly high storage costs have delayed or derailed VDI projects more than any other single issue. To avoid that problem, and accurately understand the ROI value of your project before you begin, make sure you understand the implications of these three storage issues:

Problem 1: Evolution of your cost/GB for storage

When you move from physical to virtual desktops, you are at the same time moving from a distributed to a centralized storage environment. Chances are very good that most of the storage devices attached to your current physical desktops are IDE-based storage. Your centralized storage, however, will be based on enterprise-class storage, not only because you will need that to support the scalability you require, but for a number of other operational reasons that have to do with performance, high availability, recoverability, and manageability.

IDE-based storage is widely available through retail outlets and is the cheapest. You can also deploy SATA based storage or FC-based storage that supports critical centralized storage functionality like high performance caches, sharing, multi-path I/O, and disk-based snapshots. You can’t create the centralized data store you need for VDI projects without using enterprise-class storage technology. Therefore, you will need to factor in the necessary additional costs when budgeting for your VDI storage platform.

Problem 2: How VDI increases your need for storage

As if paying a lot more per GB for your storage isn’t bad enough, you are also going to need more of it. If your administrators use their experience configuring storage on physical servers to estimate their requirements in VDI environments, you will generally be surprised to find that you need to purchase 30-50 percent more storage to meet your performance requirements.

Why does this happen? Basically, the I/O patterns generated in VDI environments, where you may have 50-70 virtual desktops, each with their own individual I/O streams, running on a single physical server, end up being significantly more random and significantly more write-intensive than they are in physical environments as you write them down through the hypervisor and out to disk.

Spinning disk performs at its worst in very random, very write-intensive environments, with the slowdown being worse the more random and write-intensive they are. For a given performance requirement (e.g. I/O’s per second or IOPS), the storage configuration that met your needs on a dedicated application server will appear to run at least 50 percent slower in a VDI environment, and often much more. As administrators add more hardware (e.g. more disk spindles, solid state disk, etc.) to get back to their original performance target, the costs mount. You may meet your performance goals before you run out of storage budget, or you may not, but either way, you end up spending a lot more on storage than you probably originally planned.

Problem 3: More storage increases your storage administration costs

If you’re like most IT shops, at least part of the reason you’re looking at VDI is to decrease the management and administrative costs associated with tasks like patch management, upgrades, and enforcing some level of standardization in the desktop tool sets. Moving to a centrally-managed environment where virtual desktops are served out on demand can make a huge impact here, but storage administration is almost always an area where costs increase.

Realize that you’re moving from a physical desktop environment where you probably weren’t managing storage much (if at all) to one where you now have IT resources in a centralized location managing that same capacity on enterprise-class storage. There is no doubt that there are benefits to that in terms of meeting performance requirements, enforcing security, and providing recovery for perhaps critical corporate assets, but there is clearly an additional cost here where there may have been none before.

On top of this, you will be incurring additional management overhead against a baseline storage capacity that can easily be 30-50 percent larger than it was before (when you weren’t managing it). Backup is a case in point. You probably weren’t backing up your desktop storage before, and it’s unlikely that end users were backing it up either. By centralizing it, you can ensure that it is regularly backed up by skilled administrators. You might have had 10TB that you weren’t backing up before, and now may have 13-15TB being backed up. You’ll need to factor in the additional costs of this secondary storage required to support data protection operations.

How can I afford VDI?

At this point it should be pretty clear that you are going to have to do some significant thinking about how you manage storage in your VDI environments if you are going to keep costs under control.

Once you have storage under the central control of skilled administrators, there are a number of technologies you can bring to bear to reduce your overall storage requirements. These include, but are not limited to, virtual storage architectures that increase the IOPS per disk spindle by 3x - 10x, storage capacity optimization technologies like thin provisioning and data deduplication that can save up to 90 percent on capacity requirements, scalable snapshots technologies that enable the high performance sharing of common data, and the use of storage tiering to craft the most cost-effective combination of storage technologies to meet performance requirements.

Understanding how best to leverage these storage technologies to minimize the size of the storage configurations needed to meet your VDI performance requirements is the best way to keep your overall storage costs down. And that can go a long way to re-balancing the cost structure so that VDI projects can return a positive ROI.



IT too needs proper governance by Dennis Mbuvi

Does the IT department in the workplace need rules, or is its role relegated to the basement as portrayed in the UK sitcom, “The IT Crowd”?

Dixon Karani, a consultant who also trains on IT governance frameworks, says that IT should be treated the same way as the rest of the organisation is treated. There is need for governance in life, starting with societal governance, all the way down to corporate governance. He says that organisations have been slowly rolling out governance, which has resulted in boards of directors as well as other cadres of management undergoing training and workshops on the same.

The term “Corporate governance” refers to the way an organisation is manned and directed. “An owner investing in a new company would like to set up a structure so that their objectives are achieved,” says Karani.

One of the objectives of corporate governance is accountability in an organisation in the use of assets, for example people and trucks. Corporate governance will also enable the organisation to comply with legislation and regulations such as the Kenya Communications Amendment Act (2008) and the UK Data Protection Act. The organisation also needs to manage its risks; it should not just consist of ambitious plans that do not address any risks that may arise. The business needs to plan for disasters such as IT failures, theft and hacking. An organisation also needs strategic planning to act as a guide for the organisation.

Karani says that the IT department is not an enterprise but a corporate organ. It therefore also needs a governance plan. Enter IT governance frameworks: “If a corporation has weak or immature governance, any objectives to achieve this will fail,” he says.

IT governance determines how IT is managed and directed. “Corporate governance must be done in conjunction with IT. Without it, [there is a lack of] clear authority and accountability in the firm, coupled with asset and task duplication,” he adds.

Setting up IT governance

The first step in IT governance is setting up an IT governance framework. This includes defining a strategic plan that defines the organisation’s identity. The IT strategy must be aligned with the corporate strategy.

Policy plans, standards and procedures need to be defined since they guide people’s conduct on a daily basis. For example, no major project should start without a bailout or rollback plan.

Roles and responsibilities also come into play during setup of a governance framework. Their purpose is to define an accountability framework - when servers are down, it should be known when they went down, how and why. System changes should also come with detailed explanations, rather than a simple “it was a computer error.”

Activities in IT governance

The second step in IT governance comprises the various activities that result in IT governance. This includes strategy making and alignment. Karani says that most organisations are run in a ‘juakali’ manner where people just turn up and work. An organisation must define where it currently is and its future targets. IT should also be aligned with the business. “Management is usually frustrated with IT because IT normally operates in its own ‘cocoon’,” says Karani.

Another activity is the management of resources such as infrastructure, servers, software and licenses.

Asset management is an activity that deals with financial concepts, which is important given that organisations spend significant amounts of money on IT. Asset management includes tracking and keeping an inventory of IT assets from a financial perspective. This will also include operational expenditure, as well as hidden costs such as depreciation and the increased cost of electricity incurred by running more IT equipment. Accountability should give an idea of who is responsible for assets such as a laptop when it is upgraded or repaired.

Performance measurements are activities for defining metrics that measure business plan adherence. “If you cannot measure it, you cannot manage it,” says Karani. Targets also help people meet organizational objectives - not IT metrics, but business metrics.
The organisation should define what its customers get from IT services, the customer being the business. These can be defined as key performance indicators and critical success factors, amongst other definitions. Karani says such metrics offer visibility on how things are being done, but more importantly they highlight and enable correction of variances.

To determine the value that customers get in the end, value delivery activities are put in place. Metrics here should document business requirements and needs. Karani states that value delivery is a major challenge, with most departments struggling to come up with a suitable definition.

The business also needs to protect itself from legal exposure by putting in place compliance activities. This ensures that the business is able to comply with IT specific regulations and contractual obligations.

“IT governance is too important to be left to IT alone, it should be a corporate responsibility,” advises Karani. It should serve the business and help achieve the corporate objectives. Its implementation affects decision-making rights and responsibilities.

Implementation of IT governance

“In practice,” Karani says, “there should be several levels of governance.” This may start with an IT management team within the IT department which is then overseen by an IT steering committee - a body that he maintains is the most important organ in IT decision making. The steering committee should consist of both IT and non-IT business representatives, the latter to stand in for the customer. The best practice is that senior business representatives such as the chief marketing officer, the chief finance officer and the head of procurement should all be part of the committee and should constitute a majority over IT representatives. At the highest level of IT decision making is the board since they own or represent the organization’s owners. The board members make IT decisions that have huge implications on the business, such as those requiring significant capital investments.

The IT department should have a top down structure. This structure should provide guidance on how work is done in IT with documented processes to act as a guide. Formal processes, roles and responsibilities, as well as putting in place metric guides.

IT governance best practices can be obtained from industry best practices and guides such as the IT Infrastructure Library (ITIL), Control Objectives for Information and related Technology (COBIT) and the Committee of Sponsoring Organizations (COSO). COSO is a general-purpose corporate governance standard, but in this case also applies specifically to IT. COSO was formed in response to the UK corporate scandals of the 1980s. In response, several organisations formed a committee led by Sir Cadbury of Cadbury Chocolate. The report of the committee summarizes that governance should begin from the top and has to be managed.

Karani advises that an organisation should carry out regular IT audits to determine its IT governance levels and whether structures are working. The audits can be carried out by either internal or external auditors.

Benefits of proper IT governance

Proper IT governance ensures that the business is in compliance with laws such as various data protection acts, for instance the Health Insurance Portability and Accountability Act (HIPAA) in the USA. Regulatory bodies might also demand certain accountability procedures and processes from the business, which IT governance will help in complying with.

By putting proper policies in place, the organisation is able to convince customers and other businesses of its high level of trustworthiness.

The business saves money since it operates in a controlled environment where there is minimal resource misuse and better risk management.

There is a high likelihood of IT projects becoming successful when they are properly governed.

Staff satisfaction is also high since individuals have clear roles and responsibilities and are aware of what they are accountable for. This can also result in low turnovers.

Most importantly, value delivery for the business is achieved since customers’ expectations are known and met.

Furthermore, the IT department clearly knows their roles and expectations, hence reducing the chances of their services being outsourced due to non-performance or value delivery.

Dixon Karani is an IT management advisor and consultant as well as a trainer in ITIL and other best practices. He often conducts trainings for African eDevelopment Resource Centre in ITIL and COBIT version 3.

Dixon Karani, IT management advisor and consultant

July 2011 | Vol 3 | Issue 4

Cover Story

Information Security
By Louisa Kadzo

Research we conducted earlier this year on the emerging role of the CIO in East Africa showed that 65.9% of CIOs in East Africa play the role of improving security and IT risk management. What is striking is that risk management is the 4th most important role of a CIO after strategic management, administration and operations, and value service provision.

In Europe and USA, cases of company websites being hacked and networks compromised are on the increase. The hacking of the IMF website, Sony website, CIA website and some UK government sites are targeted attacks blamed on LulzSec – an internet based group that claims its main motivation is to hack for fun, causing mayhem and with focus on the comedic and entertainment value of attacking targets.

As an advocate for information security, a CIO must make a business case for security. In the business language, making a case for risk means prioritizing what constitutes an acceptable risk and what doesn’t.

The point is that a lot of company data is now moving onto networks. With new technologies like cloud computing, and widespread internet access, as well as faster connections with the coming of fiber cables, many companies are gaining presence online. Data on the network becomes vulnerable to attacks from any geographical area that the internet reaches – which is worldwide.

Security solution providers state that there is no 100% security. This means risks cannot be avoided, they can only be managed. With risk management ranking fourth in a CIO’s priority ladder, the fact that we have not heard many cases being reported of East African companies being hacked or compromised is just a matter of luck – or that companies in the region have successfully managed to cover up their tracks.

Information breaches can go either way: they can result in loss of valuable company information that can lead to millions of dollars in loss, and/or they can embarrass a company and make a sheer mockery of it.


Managing IT risks on a wide scale should therefore be a CIO’s top priority. With every arm of an organisation reliant on IT, managing risks is a crucial part of an organisation’s sustainability – both physical and information risks.

“Security is a strategic concern because it has to be reflected in the overall IT budget for the department. Information security should also be included in the policy and cascaded downwards. Business owners must be sensitive to security,” says Abhilash Sonwane, Senior Vice President, Product Management, Cyberoam.

Many CIOs adopt an asset focused approach to IT risk management where CIOs operate with a checklist of IT activities to be completed. They implement IT enhancements like installing virus detection and eradication software, purchasing firewalls, implementing IT augmentations like virtualization, cloud computing and so on. The KPIs (Key Performance Indicators) CIOs set out to achieve will include the systems being operational, that the organisation’s IT infrastructure is stable and operational, all IT requirements are met and hardware available, and that there is a protection and a recovery plan in place.

Creating value between information security and the business

Paul Roy, Microsoft Technology Strategist East and Southern Africa says: “Information security is wider than keeping checks, measures and simple firewalls. It involves mapping the technology that you are using and how it achieves business results at the end.”

Information is an asset which should be sold as an enabler and not an IT cost. A risk-aware IT governance framework facilitates this broader business perspective by providing decision makers across the organisation with a more complete picture of risk and the potential for return. Stakeholders of an organisation’s security include the board, executive management, IT staff, employees, auditors and external legal counsel.

The biggest component of this aspect is risk management. Risk management is purely a business language.” When defending information security at the policy level to the board, the CIO has to speak the language of the CFO – money talks – that pegs the value of information security to ROI (Return on Investment). When justifying the cost of expenditure on security to the management, emphasis must be put on the cost saving aspects of managing risks, with the value of the information data as the cost indicator.

A CIO’s first duty is to advocate for the business importance of risk management for IT and the related infrastructure. “The main reason why people from an accounting background are heading IT functions is that they understand the language of money,” says Emmanuel Kimeu, Managing Director, Protec.

Benchmarks include the increased confidentiality, increased integrity of the company and the reduced risks, increased trust by the organisation’s shareholders and so on: tangible benefits that are directly connected to information security.

User awareness

Deploying successful Information Security needs the support of the people in the organisation, a good implementation process and accompanying infrastructure. People in the organisation need to be aware of the risks involved.

Companies need to develop a risk-aware culture that is attuned to the wide range of potential threats facing the business as well as the risk-response strategy for mitigating them.

“Security is a culture. To successfully manage the information of an organisation needs to be in tune with the organisation culture,” says Emmanuel Kimeu.

The employee has yet been acknowledged as the most dangerous threat to an organisation. An analysis of the major hackings into the websites and systems of some internationally respected organisations reveals cases of either malicious or unknown sabotage by the organizations’ employees.

“Website developers are a creative lot, they least think about some aspects like the software version used and whether it has security holes or not, or that the scripts that are used are not exploitable,” says Abhilash Sonwane.

The Sony, Citibank, Kenya Police website and many other websites that have been hacked this year were breached using simple SQL injections resulting in loss of company information, as well as embarrassment to these organisations.

In many organisations in the region, the decision of whether or not to have a corporate website will be mainly driven by the marketing and communication department – the IT department will be called for design and development of the website. This process provides a serious challenge to the CIO as it opens up the corporate websites to the vast internet world. Sooner or later, we shall see a group of young savvy people playing pranks on these companies through hacking their websites.

Another looming problem is the social media forums. The majority of employees in an organisation spend at least 30% of their time in the social media forums in a day. These employees can easily download dozens of applications into their devices, some harmful, others not. These applications can end up in the network, putting a company’s information at a high risk.

It was reported in early March this year that Google removed from its Android Market more than 60 applications carrying malicious software. Some of the malware was designed to reveal the user’s private information to a third party, replicate itself on other devices, destroy user data or even impersonate the device owner.

Employees in social networking sites have been known to fall prey to hackers’ trap of injecting malicious codes into social networking sites using tricks like shortened URLs (tinyurl or bit.ly) which are used to lead users to malicious sites that can extract personal and corporate information if accessed through a work computer. The hacking group LulzSec, said to be behind many of the ongoing hackings in the world, in June admitted that they have put malicious links in Twitter and anyone who has opened those sites is compromised.

This means that knowingly or unknowingly, organisations in East Africa have also been breached.

“The more sophisticated the hacker, the less likely you are to know that your machine has been compromised. Skillful hackers will cover their trails well, making it difficult to realize that they have made any changes, and they can hide the fact that they are on your machine even when you’re looking at it. By hiding processes, open connection, file access, and system resource use, hackers can make their actions almost entirely invisible. If they have hacked the root account, they can do pretty much anything they want at the kernel level to hide their presence,” says Paul Roy.

According to Roy, good hackers are hard to capture. By the time a company realizes they have been hacked, it may be a year or more down the line.

“When a hacker breaks into your website and announces their successful hack, this is a good thing because you can take precautionary measures after that. The dangerous hackers are those who will not announce their presence. You can notice you have been hacked if you see suspicious actions like your disk space being eaten up quickly or your CPU speed is unexplainably slow, if you have higher than usual network activities, when you see interfaces in your networks which have promiscuous mode, when you see log files that are missing chunks of time or have been suspiciously erased, or if you notice truncated last results which can mean that a hacker compromised your systems. Some less experienced hackers use strange user names that are closely related to the existing user names, making them predictable if the IT admin is observant.”

When employees jump ship

Internal sabotage is not a strange occurrence in this region. We have seen recent cases of organisation restructuring that has seen the position of a CIO being done away with. These CIOs, senior executives with access to control systems, networks, databases, with knowledge of trade secrets and corporate dirt – these people are highly appealing to their employer’s closest competitor. When they are let go or they jump ship to another company, what they have goes away with them to either benefit your competitor or be used for their personal gain to set up their own ventures. Whatever happens, the fate is no longer in the organisation’s hands.

There are cases where the IT admin blocks passwords once he is dismissed to teach the company a lesson – you have access, you have the knowledge and you have the power to do whatever it is you want.

Information security has to factor in what happens beyond the organisation, especially where it concerns senior IT executives or employees with access to critical company passwords. Restrict access to proprietary company information on a need-to-know basis, and make employees who have access to sensitive data sign a confidentiality agreement that binds them even after they’ve left the company.

Capacity build your IT department

“Companies should put the right person in charge of security or use consulting services to manage Information security risks,” says Paul Roy.

Hackers are becoming more sophisticated these days. For example, the recent widespread reports of hacking around the world are not necessarily a sign that companies are being hacked now more than before, it is just a sign that hackers now have access to media channels and they can boast about their hackings without being traced.

According to Emmanuel Kimeu, system administrators should receive security trainings on a frequent basis so that they keep abreast with changing technology. “All systems start secure, the problem comes when systems change and security measures remain constant,” he says.

Achieving a secure information policy entails taking IT staff for security trainings on a regular basis.

Managing risks with shrinking IT budgets

Good IT risk management is not possible without a strong governance framework. Governance provides the policies, controls and operational guidelines that enable IT leaders to manage risks and weigh their business value.

“The security budget should be in such a manner whereby the cost of getting to the information for any person or any matter should be based on the information that is being protected. Security administrators should be aware of the value of what he is trying to protect. In this manner, he will try to defend his value,” says Abhilash Sonwane.

A governance framework must be responsive to changing business conditions if it should provide benefit over the long term. IT governance best practices can be obtained from industry best practices, however, this alone is not enough to protect the company’s data. A case in point is Sony Corporation which recently admitted it has been using industry standards for security, and this has not been enough to protect the company from targeted attacks. The company now says it will adopt a group up approach to information security.

A CIO’s guide to IT risk management

CIOs need to take a lead role in executing the risk process. Abhilash Sonwane recommends that for CIOs to manage risks, they must first define the scope of their risk analysis by determining what value their information is to them, and what will be the cost of losing that information. Identifying the scope of the risk will mean identifying what business data, what supporting technologies and what infrastructure elements are available to be included in the Information security effort the CIO wants to undertake.

To Emmanuel Kimeu, a CIO then needs to map each business activity to potential threats and what resources could be at risk. “Not every business data or process is of high risk,” he says.

Paul says CIOs need to assess the likelihood of risk occurrence and level of impact. “For companies which take security very seriously, they may even allow chosen hackers to attempt to breach into its systems to assess its level of strength.” From this, a CIO can assess the risk and determine treatments and responses needed.

By adopting the best security measures that can yield maximum results, a CIO should then provide ongoing monitoring and evaluation of its security policy and continuously adjust the plans as they progress.
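Two of the warning signs Paul Roy lists earlier in this article, log files that are missing chunks of time and user names that closely resemble existing ones, can be checked mechanically as part of that ongoing monitoring. The Python below is an added example, not part of the original article; the log format, log lines, account names and thresholds are all constructed for illustration.

```python
"""Check two compromise indicators over constructed sample data."""
import re
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed log lines. An hourly cron job acts as a heartbeat, so the
# missing 03:00 and 04:00 entries leave a hole in the timeline.
SAMPLE_LOG = """\
2011-07-04 01:50:12 sshd[411]: Accepted password for jmwangi
2011-07-04 02:00:01 cron[502]: (root) CMD (run-parts /etc/cron.hourly)
2011-07-04 02:10:44 sshd[530]: Accepted password for jmwangl
2011-07-04 05:00:01 cron[871]: (root) CMD (run-parts /etc/cron.hourly)
2011-07-04 05:10:09 sshd[899]: Accepted password for r00t
2011-07-04 06:00:01 cron[902]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

# Constructed list of accounts the administrator actually created.
KNOWN_ACCOUNTS = ["jmwangi", "aotieno", "root"]

# Characters that are easily mistaken for one another at a glance.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "3": "e"})
LOGIN_RE = re.compile(r"Accepted \S+ for (\S+)")


def parse_timestamp(line):
    """Return the leading timestamp of a log line, or None if absent."""
    try:
        return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None


def find_log_gaps(lines, max_silence=timedelta(minutes=90)):
    """Report stretches where the log is silent for too long or where
    timestamps run backwards (both suggest deleted or edited entries)."""
    gaps, previous = [], None
    for line in lines:
        stamp = parse_timestamp(line)
        if stamp is None:
            continue  # skip lines without a parsable timestamp
        if previous is not None:
            if stamp < previous:
                gaps.append((previous, stamp, "out of order"))
            elif stamp - previous > max_silence:
                gaps.append((previous, stamp, "silence"))
        previous = stamp
    return gaps


def accounts_in_log(lines):
    """Return account names seen in successful logins, in first-seen order."""
    seen = []
    for line in lines:
        match = LOGIN_RE.search(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def find_lookalikes(seen, known, threshold=0.85):
    """Flag unknown account names that closely resemble a known one."""
    hits = []
    for name in seen:
        if name in known:
            continue
        folded = name.lower().translate(FOLD)
        for real in known:
            ratio = SequenceMatcher(
                None, folded, real.lower().translate(FOLD)).ratio()
            if ratio >= threshold:
                hits.append((name, real, round(ratio, 2)))
                break
    return hits


if __name__ == "__main__":
    for start, end, reason in find_log_gaps(SAMPLE_LOG):
        print(f"log gap ({reason}): {start} -> {end}")
    for name, real, ratio in find_lookalikes(
            accounts_in_log(SAMPLE_LOG), KNOWN_ACCOUNTS):
        print(f"account '{name}' resembles '{real}' (similarity {ratio})")
```

The silence threshold only makes sense when something writes to the log on a known schedule; on a quiet system it has to be set from the observed baseline.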


Technology

Oracle upgrades JDeveloper IDE
By Paul Krill

JDeveloper 11g, Release 2 features modular architecture and a visual editing environment for enterprise Java Web developers

Oracle in June released an upgrade to its JDeveloper Java IDE, making it modular and backing JSF (JavaServer Faces) 2.0 technology for server-side Web UI development.

With JDeveloper 11g Release 2, Oracle is adopting a modular architecture so that developers need only load the required parts of the IDE, thus boosting performance and startup time, said Duncan Mills, Oracle senior director of product management: “We’ve actually done a complete re-architecture of the IDE itself. We’ve moved it to an OSGi backbone.” The development experience, he said, “is much slicker.” Developers can more easily build OSGi-based extensions to the IDE.

Backing for JSF 2.0 and Facelets page componentization technology in the IDE upgrade provides a visual editing environment for enterprise Java Web developers, Oracle said. “[JSF 2.0] adds new componentization models and a simpler component development model,” said Mills. JSF 2.0 also enables use of annotations as a way of configuring a Web UI, as opposed to relying on XML configuration files. The IDE features improved support for RESTful Web services and the Apache Maven software project management tool and the Hudson continuous integration server. Oracle recently donated Hudson to the Eclipse Foundation.

Concurrent with upgrading the IDE, Oracle is releasing an upgrade to its Oracle ADF (Application Development Framework), which includes capabilities for hot reload and functions with JDeveloper. “As the developer is changing the code and metadata, that’s automatically loaded into the application server,” Mills said. An Oracle ADF Faces skin editor makes user interface customization easier via a visual editor that leverages Cascading Style Sheets technology, Oracle said.

Although Oracle is known for also backing two other Java IDEs -- the Eclipse IDE and the NetBeans IDE acquired when Oracle bought Sun Microsystems last year -- JDeveloper is geared toward working with existing Oracle technologies, such as Fusion middleware and the Oracle database. Customers can write extensions as modules in Java that will run in the database. “The focus of JDeveloper is very much on that Oracle developer community,” Mills said. JDeveloper is offered free but is not open source. Support services are available, as is free community support on the Oracle Technology Network.


ICT Security Headaches?

• Intrusion Prevention
• Vulnerability Management
• Data Loss Prevention
• Endpoint Protection
• Forensics

Talk to us for pro-active ICT security solutions that will enable you to manage the confidentiality, integrity and availability of your Core Business information

Do you know where your threats are?

PROFESSIONAL TECHNOLOGIES LTD Geomaps Centre, Upperhill, Nairobi, Kenya. P.O. Box 63401 – 00619, Tel: (+254 20) 2722485 / 2729771 / 2729774 Email: sales@protec.co.ke, Web: www.protec.co.ke

ProTec is the cure for all your ICT Security Headaches


Security

The bulletproof cloud
By Simon Crosby

Worried about your data? If you’re not, you’re kidding yourself. It’s become clear over the past few months that the risk of security breaches has reached a new and frightening level—from sophisticated tools in the hands of national governments and organised crime alike, to spontaneous attacks harnessing the resources of thousands of loosely connected vigilantes. Add to that the dizzying array of devices now used to access, move and store data, and security strategies that seemed airtight only a few years ago now look so much like Swiss cheese.

In this light, your first instinct might be to pull back from cloud computing, viewing it as less secure than keeping data and applications locked into hardware. After all, the word “cloud” itself implies that your precious assets are out there floating around somewhere, right? It’s an understandable reaction and one that couldn’t be more wrong. In fact, the cloud is now the safest place for your data.

Think about it: data is lost when an organization loses control over it: how it’s stored, how it is transmitted, what end users do with it. Clouds, and the virtualization technologies on which they run, give you back that control, from data centers to delivery to the endpoint.

Deliver user experiences, not vulnerable data

A key tenet of security is making sure data doesn’t go astray when it leaves the enterprise. What if it never leaves the enterprise at all? Desktop virtualization means that all data, applications, and state remain centralized. Users can access an immersive experience indistinguishable from traditional computing (actually even better in some regards, like instant-on apps) using either a hosted desktop or application experience, or a rich client experience. IT gains precise, granular control over applications and data; everything is encrypted at rest, using keys that never leave the data center. Meanwhile, full back-end automation means less human involvement, and fact is, less human involvement means less chance of things going wrong.

A locked-down data center is all well and good, but how are workers supposed to be anywhere, any-device productive if they can’t move data around? Again, virtualization holds the key (no pun intended). Instead of data being mobile, it’s access itself that roams: because you can always log into your data and application state from any connected device, there’s never a reason to save anything to removable media (like the kinds that seem so often to fall into the wrong hands). A good desktop virtualization solution lets you set policies as to what kinds of client-side devices can be used, from thumb drives to printers.

What about offline use? No problem, any data delivered to the desktop cache remains encrypted at all times, and IT holds the keys. Lost laptop? Disgruntled employee? Hotel room theft? Not to worry; the only thing you’ve lost control over is unusable gibberish.

Forget everything you used to know about endpoint security

A moment of silence, please! Traditional endpoint security is dead. It’s simply no longer possible to detect attackers faster than they can mutate, and managing antivirus protection guest-by-guest can’t possibly scale. It’s also fundamentally incompatible with virtualization, since we can’t have every endpoint in the organization trying to update a centralized attack file and index its virtual hard disk at the same time. It’s time to rethink your business.

Now, what if we take the flipside perspective: maybe we can’t hope to be invulnerable to attack—so how about if we make attacks less relevant by ensuring that each endpoint is in its best possible state?

When a hypervisor is booted, one of the first things it does is to check that it hasn’t been modified since it was last signed by its creator; the same applies for each virtual machine. If that check fails, even if you don’t know whether, how, or by whom it’s been compromised, you can simply stop it and revert it to its pristine state. After each login, each VM is returned to its original state, so attackers have no way to gain a foothold in your environment. This approach, essentially moving from blacklisting to whitelisting, is a fundamental shift in endpoint security. And it’s already on the market and it’s now time to get up to speed on it.

There’s still an important role for the security vendors to play in making virtual desktop security simpler and more scalable for large enterprise deployments, for example by integrating in-hypervisor threat detection into both client-side and server-side virtualization products. Some of the top security providers are already doing exactly this, working in tandem with virtualization solution vendors, and I’d expect more to follow suit—or find themselves stranded in an outdated and shrinking space.

Deny DoS attackers

Even the best data security can’t protect against a denial-of-service attack. You know what can? Truly massive perimeter control. But don’t start pouring your own concrete yet; why do you think people started keeping their money in a bank instead of at home? Because the bank has a better safe. So does Amazon as we’ve seen, even better than PayPal and Visa. The largest cloud providers have defense resources far beyond anything you could match in your own datacenter—if you even wanted to try. But why would you?

Any way you look at it, the bottom line is clear: the world may be getting more dangerous by the day—but the cloud is safer than ever.

Simon Crosby is the CTO of the datacenter and cloud division, Citrix Systems, Inc.

Citrix Distributor for East Africa contact: george.kariithi@ads-sas.com


Product Review

Cyberoam CR25i UTM
By Peter Nalika

The good: The Cyberoam CR25i UTM provides security across the seven layers of the network protocol. Using identity-based policies, it offers multiple security zone firewalls from the data link layer to Layer 8 where the user sits. It supports Gigabit Ethernet and IPv6 standards, among other nice networking features. The UTM device also comes with a USB port for updating its firmware, which takes the form of an embedded Linux operating system.

Its most interesting feature is its flexibility in managing web content. The CR25i offers fine-grained levels of control; for example, it can restrict what websites a user visits by time of day. Alternatively, access can be controlled by using groups, for instance only allowing sales persons access at certain times of the day while giving full-time access to managers. Website access may also be controlled depending on the site’s size. For instance an administrator may wish to restrict access to sites using IP addresses, and perhaps also limit user downloads to 100MB per day.

The bad: The CR25i requires a working Internet connection during the initial setup. Although its interface program does offer content filters, there are some drawbacks to the device, such as some efforts not being as steady as they should be, as well as the response time being slow when more than 2000 users are simultaneously connected to the device. Despite it having the ability to carry out HTTP inspection by scanning traffic for malware, viruses and trojans using the existing database, the CR25i still offers little or no protection for new or unknown vulnerabilities like zero-day attacks.

The bottom line: The CR25i is an advanced device from Cyberoam with excellent security features right from network security, to content and administrative security. In addition, it provides an abundance of network connections via the VPN & 3G/WIMAX connectivity. It also guarantees continuity for enterprises using its multiple link-management features.

Being an improvement over the previous Cyberoam CR15i model, the CR25i has greater capacities in terms of throughput for firewalls, antivirus, UTM and Intrusion Prevention System (IPS). It ensures link management with an automated load balancing feature that aids the distribution of traffic over multiple links. This feature alone greatly assists in optimizing the use of WAN links.

Compared to its peers, the CR25i is not radically different, except for its extended performance and size. However, the built-in UTM firewall offers stateful deep-packet inspection for network inspection and user identity based security. This kind of feature protects organizations from increasingly common Denial of Service (DoS) and IP spoofing attacks.

Other devices in the huge Cyberoam network security family, for instance the CR50i, have built-in double ISP configurations. This allows two links such as Jambonet and Safaricom to be terminated to the device at the same time. This offers the advantage of accessing and utilizing both lines simultaneously.

Design

Unfortunately, the CR25i UTM device is no wallflower. It’s certainly not pretty, it’s not that compact, and its functions and inbuilt features – the WAN and LAN links and other multiple connections that should pass through it – all mean it is not the sort of device to sit on an office desk.


The device ships with a WAN port, which connects directly to the Internet. Now, this is usually not a trusted interface, and is therefore marked red. The LAN port connects to the local area network – it is trusted and therefore marked as a green interface. The CR25i also has a useful extra LAN port in addition to the marked one.

The WAN and LAN ports are Gigabit-capable, meaning they support data throughput up to 1,000 Megabits per second (Mbps). At the back of the unit you will find the De-Militarized Zone (DMZ) port which connects to a server farm and helps segregate and stop devices that are directly Internet-accessible from intruding into the rest of the corporate LAN. The Cyberoam CR25i has a USB port and a console. Both can be used to update its firmware, though you first need to understand how to use the command prompt in case you use the console option.

At the front the new CR25i has the usual array of status LEDs. These are well labelled and light up in green when in full duplex mode, amber when in half duplex mode and solid red in case of a problem.

Like many other UTM devices, the CR25i supports a wide range of standards, among them 3DES, AES, Twofish, Blowfish and Serpent. It also supports the MD5 and SHA-1 algorithms.

Its interface is intelligent; it supports fusion technology by blending in security, connectivity, and productivity. Multiple features that control various security policies can be created through a single interface.

Performance

The Cyberoam CR25i is amazing in terms of setting up internet policies that can be defined and tweaked by administrators to suit their individual needs. This is one area it scores highly when compared to some other UTM devices from other companies, for example those from Cisco Systems and Juniper Networks that offer little flexibility in terms of controlling Internet usage.

The Cyberoam CR25i performs very well in terms of content filtering and traffic inspection, especially when compared to products from Juniper Networks, which are more of enterprise solutions geared towards large ISPs, telecommunication companies, and massive network installations.

In terms of throughput, i.e. the number of packets that can be handled at any given time, the CR25i offers 225 Mbps firewall throughput and 50 Mbps UTM throughput - these metrics are fantastic for network connectivity. The device is thus up to the challenge of handling almost all traffic that may be thrown at it.

In this communication age where bandwidth is money, the Cyberoam CR25i achieves better control over which web protocols access the network and how they are allowed to do so. The CR25i’s forte is its load balancing capability.

CIO East Africa gives this product a thumbs up


The about turn on a free market? James Wire Lunghabo | CIO Uganda Bureau

T

wo and a half decades ago when Uganda began its recovery from years of civil war, unrest and declining economic performance, the Government decided to adopt the free market economic policies in order to encourage competition and attract investors.    The telecommunications sector has evolved from the time when a phone subscription meant that you had to pay for both incoming and outgoing calls plus a monthly service charge, to a time when the monthly service charges were dropped as a result of the entry of a third mobile operator in the market, and finally to a time when charges were altered from the per minute rate to a per second rate. In the process, this has seen the price of telephone calls tumble and in just one year, the rate dropped by over 45%.  The Uganda Communications Commission (UCC) was being seen as having initiated good policies that have led to this consumer friendly tide in the telecoms sector in Uganda. The removal of limits on the number of players, the change from regulating technology and shifting focus to service regulation among others left the consumer happier than ever before.

Opinion


However, on the 13th of June 2011, the Monitor Newspaper broke the story of a new directive from the UCC requiring all Telecoms players to have a minimum price for both on and off network calls. This move stirred a lot of debate leaving many industry observers in shock. Despite the occasional gaffes that have been typically coming from the commission lately, this was the least expected of all. There was therefore a sigh of relief when two days later, a denial of this move emanated from the same commission leaving many perplexed but nevertheless relieved.

A quick look at the guiding regulations for the UCC clearly shows that the decision to regulate the price floors was as stipulated by the Statutory Instrument 2005 No. 27 which states, among other things, that:

• Where a tariff is specified as a floor, no tariff shall be fixed below the floor.
• The Commission shall determine whether the tariffs to be charged are just, reasonable and non-discriminatory.

The crux of the argument though at this point is who UCC is trying to protect. Is it the consumer that is more vulnerable or the service provider? It seems like the UCC is faced with a double edged sword scenario. While UCC wants to ensure that subscribers enjoy low calling rates, the commission also benefits from a 1% levy off the revenues of the Telecommunications Service providers. This fund facilitates a number of activities especially in line with the Rural Communications Development Fund.

Not all Telecoms have been paying this levy though. Mr Simon Kaheru, a Media Analyst, says that over the years, only one network has consistently made profits and paid their due 1% levy off those profits to UCC. “Not only do the other networks NOT pay their 1% levy every year as they were supposed to, by the look of things with these lowered tariffs and margins, they will be unable to do so ever,” he says.

According to Kyle Spencer, the government should not dictate the price of goods in a free market. This kind of move by the UCC will eliminate price competition which hurts everyone except the incumbents. The UCC should regulate Quality of Service, nothing more.

The intense competition among the telecoms is not about to cease. Airtel is giving a clear indication that it is targeting that hitherto ignored customer who is able to spend at most USD 4 per month on communication, while MTN are on record as being uncomfortable about the falling Average Revenue Per User (ARPU) which is a measure of how much money the company makes from the average user.

As for the UCC, it is important that a clear and consistent message be passed across to the stakeholders in the industry to avoid the uncertainty of the proverbial drunkard’s cockerel which is never sure of being alive the following morning.


Rwanda’s ICT plan 3
Ruth Kang’ong’oi | CIO Rwanda Bureau

In the year 2000, Rwanda declared ICT a fundamental part of the country’s Vision 2020. To highlight the importance of ICT in its development, the government launched a National ICT plan (NICI) that was structured to be carried out over four five-year cycles. The ICT plan cuts across five clusters identified to fuel continued growth: skills development, private sector development, community development, e-Government and cyber security.

According to the Rwanda Development Board (RDB), the third phase of the ICT plan will emphasize the development and use of new services that were made possible by phases one and two.

It has been reported before that the implementation of the ICT plan I and II was not a walk in the park due to a low level of understanding of the programs by the general public, as well as weak monitoring and evaluation.

Successful achievement of the third phase therefore will need participation by all citizens including those in the rural areas. This move will only be achieved through educating the citizens and making them understand the national ICT planning concept. “Intensive training is required to improve on the ICT skills of personnel within various institutions,” says Charles Murigande, Rwanda’s Education Minister.

To address this challenge, cluster working groups that comprise of planners and stakeholders have been created – the main aim being to set goals and develop projects to be undertaken in each area, identifying the greatest needs and points of intervention.

Rwanda has successfully rolled out two five-year plans whose focus was on policy and rollout of infrastructure. The first plan (NICI I) rolled out in the year 2000 – 2005. The plan focused on the creation of an enabling environment in Rwanda for ICT initiatives to take hold. NICI II rolled out in the years 2006 – 2010 focusing on the development of key ICT infrastructure such as the laying of fiber optic cables.

NICI III is set to begin this month (July 2011). The plan provides a platform for the Government of Rwanda to best plan the final stages of their vision 2020 by focusing on those sectors and businesses that stand to fully maximize ICT benefits. These will certainly fast track Rwanda’s transformation into a knowledge-based economy.


The Government of Rwanda is committed to improving the way it delivers ICT-enabled business change so that investments in ICT support meet business needs and deliver expected benefits. Business executives tend to benefit more from the NICI III plan. They will have the information required to plan and manage their ICT workforce now and into the future. For ICT professionals, the workforce plan will provide useful resources and information to assist with planning a satisfying ICT career. They will also get opportunities for better managing their ongoing learning and development needs.

By adopting these new methods and policies and developing a skilled workforce in order to improve and exploit its ICT resources, Rwanda will level the business playing field in the country and in the region.

karuthum@gmail.com


Out of site . . .
HARD TALK | Bobby Yawe

I was fortunate to attend a number of presentations on data centres by various providers including visiting the stands of some of the providers who had exhibited at the Aitec Banking Conference held in Nairobi earlier on in the year.

The idea of outsourced data centre services is solid when looked at from arm’s length but due to the slow uptake of the service in the region it is clear that we have a missing link.

For the few CIOs out there the issue of moving their systems into a public data centre is a no-brainer as they appreciate the bottom line, that is, creating a lean organisation that will be easier to manage when they move to the proverbial corner office as CEO or COO – I am made to understand that the term MD is no longer kosher.

Unfortunately, many of the custodians of the organisation’s information infrastructure are less open minded – the likes of the ICT Managers a.k.a. IT Manager, a.k.a. Systems Administrator. Many of them strongly believe that the number of equipment they have in the fixed asset register and the number of staff they have running around is what defines them – and there begins our dilemma.

Asking these managers to virtualise their servers means that they will need to reduce the number of physical machines that appear on the maintenance agreement and that also occupy the rack that sits beside them in the ICT department. The reduced number of physical machines means reduced budgetary allocations for the department.

We have only looked at virtual servers and the resistance is glaringly clear, which is why we, as techies, need to attend management school so as to get a better appreciation of the organisation as a single entity and be clear of where we fit.

In addition, the management training will assist us in acquiring negotiating skills that are critical in surviving in ExCo (I have attended such training, this is why I am using big words). ExCo simply means Executive Committee.

Every other day we (IT executives) are getting dropped from this very vital executive committee (an example is the recent KCB restructuring) and we watch as the finance fellows take over organisations – after the marketing guys economic crisis hiccup.

Up to today, many organisations still view ICT and treat IT as a support function to the rest of the organisation. Until we can change this perception within the organisation and own the process, we are not letting go of the data centre.

You ask, what is the question? If I move my servers into a hosted data centre how do I walk around with my head up since I will have fewer people reporting to me, no more air conditioning equipment service requests, less office space for my department and no more “Authorised personnel only” signs.

If the movement of the servers and routers creates such an emotional response, what about trying to move into the public cloud?

As organisations spend millions in setting up public data centres and offering managed services, you need to look into the points of resistance from the current custodians. The sooner you can alleviate their fears and show them how they reduce the possibility of becoming redundant the sooner you will see a return on your investments.


Is your data really secure?
SECOND OPINION | Sam Mwangi

Last month, Google said that it recently detected a security breach where perpetrators were using stolen passwords to change people’s forwarding and delegating settings. Hackers tried to steal the passwords of hundreds of Google email account holders, including those of senior U.S. government officials, Chinese activists and journalists.

In April this year, the media covered a story on a cyber attack on Sony Corporation by a group of unknown cyber criminals who hacked into their servers and stole the data of over 100 million users. The entire fiasco is reported to have cost Sony an estimated figure of over USD 171.2 million, and an invaluable loss of trust in the organization by its customers.

More often than not, we provide more and more information to the Internet about ourselves without considering how secure the data is. The recent cyber attack events have illustrated the critical role of data security for businesses.

There are three categories of data that need to be secured: data at rest, data in motion and data in use. Bank account details, client information, payment information, personal files and so on are data we store, share or use for different purposes. Losing this information to cyber criminals or a malware infection can have disastrous consequences.

Threats to data security can either be targeted or accidental. Targeted breaches include theft, cyber attacks or any form of malicious damage of data. Accidental breaches include natural disasters like fire, flooding, unintended disposal of data or erroneous input.

How then can we secure our data? Data security starts with strategic planning and risk assessment. Technically, it’s not possible to guarantee 100% security for data in any form; we can only avert cyber attacks and mitigate their impact. The key questions IT executives should reflect on include: What would happen if you lost your personal or organization’s data? What would happen if an organization lost your data? Who has access to data at rest? Who is allowed to move data? Who uses the internet and email systems, and how do they access them? Who will be allowed access and who will be restricted?

Since data can be compromised in many ways, the best security against misuse or theft involves a combination of technical measures, physical security and a well educated staff. Simple checks like password allocation and management, as well as proper training of staff and enforcing data security, should be put in place. Areas of vulnerability can then be identified and strategies for securing your data and information systems developed.

Given the unique nature of the mobile environment, mobile security is not a single security solution but rather a combination of solutions extending the existing security infrastructure to the location of the mobile devices. An administrator needs to create security policies specific to mobile device usage to minimize the impact in case of loss of a mobile device.

Password-protect all devices, encrypt sensitive documents on the device, and don’t use automatic scripts for VPN login. Mobile device security policies should also include minimizing access to limited sources using firewalls. Likewise, it is important to protect the device from physical damage by using a casing. Internet access should be used only when needed and with care, to prevent spyware from invading our mobile devices.


9 ways iPad goes to work By Tom Kaneshige

Apple’s iconic iPad reports for work in all sorts of strange places, from archaeological digs in Pompeii to movie sets in Hollywood to cockpits in the sky.

Archaeologist: iPad for ancient times
During a dig in the ancient ruins of Pompeii, an archaeologist records notes and sketches on an iPad. The iPad 2 even lets you take pictures in the field. Could Indiana Jones have used an iPad? You bet. If the bad guys stole his 3G iPad, Dr. Jones would’ve been able to track them and it down with the Find iPhone app.

Retailer: a new cash register
Retailers believe the iPad is the next cash register with the added bonus of computing cross-selling opportunities at the point of sale.

Business Tips


Policeman: nabbing iBad boys
When a policeman pulls you over for speeding and then sits in his cruiser for a long time, what’s he doing? He’s playing some song on his iPad, of course. More likely he’s accessing background information, taking notes, checking maps, maybe even taking photos and video. The iPad is fast becoming a policeman’s new partner.

Movie director: take one, scene one, action!
Finally, movie directors have an answer to a prima donna actor’s age-old question: What’s my motivation? Just check out the scene notes on the iPad and read the damn lines! The iPad has become a movie director’s new 64GB clipboard.

Spiritual leader: a religious experience
Apple (AAPL) faithful follow Steve Jobs and his products like a religious movement. Now real spiritual leaders are tapping the power of the iPad. They’re reading and referring to important texts, maintaining schedules, taking notes for teaching and preaching.

Pilot: taking off with the iPad
Every so often, commercial airplane pilots need to consult bulky, perhaps out-of-date flight manuals or thumb through navigational charts. With iPads, pilots can find the most current information quickly and easily. The iPad is ready for takeoff!

Musician: an iPad jam session
From jam sessions to late-night DJs to one-man street bands, the iPad has become a musical creation sensation. The most well-known musical iPad app is Apple’s own GarageBand ($5), which can record and play back multiple audio tracks.

Artist: the digital canvas
The iPad has been called a piece of art, not a great content creation machine. But artists are proving otherwise by creating inspirational art on the iPad.

Politician: on the campaign trail
It seems a big part of a politician’s job is to give speeches. The iPad’s slim form factor makes it perfect for public speakers to stay on point. “Four score and seven years ago” -- scroll down on the iPad -- “our fathers brought forth...”


PPT apps & seed developers

The recently concluded Pivot 25 was a well organized affair. Jay Bhala and the iHub team really put in a lot of sweat to make an inaugural event such a success. Pivot 25 was showcasing the best of mobile applications, and rewarding the crème de la crème.

This is not the first time we are seeing such events. There have been other mobile application centric initiatives such as Garage 48, all with the aim of coming up with the best mobile application.

It is now time to sit back and look at the lessons learnt with Pivot 25 providing the best case study. Blogs have already listed several lessons learnt, notably the controversial iddsalim.com blog.

Bottom line is that the best application will rarely win. It’s an unfair world verified by Pivot 25 where the best PRESENTED application won.


One problem with excellent applications is that people rarely understand them – these presentations are often buried deep in jargon and lack financial and user representations. We understand what problem the best applications are solving, but few understand how the problem is to be solved by the application, and even fewer understand how the application plans to make money. In short, your solution is great, but how the heck does it work or make money?

I am not saying that winning presentations are not good. What I mean is that although the applications that win also solve an existing problem, the winning element comes in how the application is presented – we clearly see the link between the application, the problem it is solving, and the business value of the application. The developer makes the audience understand how his/her innovation generates income enough to be sustainable.

From the above cases though arise two problems: one for the best presented application and the second for the best application that never won.

The best presented application might remain what it is - a great application that runs, executes and is used within the single PowerPoint file it was presented in. After the developer pockets the funds, they present a great speech and it ends there. Not even a single line of code is ever written for the application after that.

The second problem might even be worse. The whole system that results in winning applications is a pyramid. Many ideas by many developers – some good, some non-starters – sit at the bottom of the pyramid. Better ideas that are fewer in numbers sit closer to the tip of the pyramid. These ideas are excellent, but they don’t necessarily constitute the winners category.

This is a target group for many investors who attend these events to find seed developers.

The role of the seed developer is to provide a great idea for a great application. Innocent developers who showcase their innovations with a hope of winning have no idea that there are people scouting to copy their ideas and refine them for their own benefits.

Unknowingly, developers leave such competitions with hopes to sell their applications to interested investors, only to find the investors already have an idea similar to theirs.

It also does not help that most of the developers are fresh off campus and high school. These chaps view the corporate world as a perfect and honest world. It will be a few years down the line before they pick the needed experience and secure funding to make any value from whichever innovation they will have. Luckily, the many incubation labs coming up should be in a position to help them brush up their skills.

Dennis Mbuvi

dennis.mbuvi@cio.co.ke