THE TRANSFORMERS

CIO & Leader | cioandleader.com
Volume 01 | Issue 11 | November 2012 | 150

Track technology | Build business | Shape self

A Question of Answers: Point Solutions are Passé | Pg 12
Best of Breed: The Amazon Cloud and PCI Compliance | Pg 16
Viewpoint: Size Matters | Pg 68

Panalpina’s “World Wide Web” | New Techs Raise Doubts on Privacy & Security

A special section on leadership designed keeping in mind the evolving information needs of CIOs | Page 38A to 51

In a career spanning close to three decades, Prashun Dutta, CIO, Tata Power, has blazed new trails with IT by transforming business processes. Page 26

A 9.9 Media Publication





Editorial | Yashvendra Singh | yashvendra.singh@9dot9.in

Leading the Change

Transformational leadership has come to be the most important leadership style today.

Transformational leaders radiate a steely determination. Despite challenges and obstacles in their path, they don’t stray from their plans and directions. Individuals such as Winston Churchill, Mahatma Gandhi, and Martin Luther King are all examples of transformational leaders. They egg others on to be more and do more. History has shown what impact such leaders, in their respective fields, can have on others. Investor, philanthropist and business magnate Warren Buffett has successfully transformed Berkshire Hathaway from being a clothing manufacturer to becoming a stock market behemoth that constantly outperforms competition. Such leaders don’t shy away from taking tough measures to sustain growth. Jack Welch, for instance, became the CEO of General Electric (GE) in the 1980s. He began the transformation of GE from a non-lean and bureaucratic enterprise into a nimble corporation. Co-founder of Apple, Steve Jobs, goaded his team to become the best, and they acted in response. Jobs was able to transform business by leveraging high-speed processors and applications. I feel Mahendra Singh Dhoni is yet another example of a transformational leader. In moments of high pressure, Dhoni remains confident, focused and calm, traits that rub off on other players, eventually translating into success for the team. Under his leadership, Indian cricket has gone from being good to becoming great.

According to experts, transformational leadership has come to be the most important leadership style today. The ability of such leaders to inspire, motivate and band people together to achieve higher performance levels has become extremely relevant in the present times. While most of us will never be called to lead the country or the national cricket team, we can emerge as transformational leaders in our own spheres: as parents, friends, in office, or even as spouses. In the area of enterprise technology, such leaders transform business processes by leveraging IT. In this issue’s cover story, we have featured one such transformational leader. Prashun Dutta, the CIO of Tata Power, has been a transformational leader throughout his professional journey. He has enabled a positive change not only in the various organisations he has worked in but also in those who have worked alongside him. So, would you like to become a transformational leader? Maybe you are one already. Do write to us about your leadership style.




Contents | November 2012 | Volume 01 | Issue 11

Cover Story
26 | The Transformer: In a career spanning close to three decades, Prashun Dutta, CIO, Tata Power, has blazed new trails with IT by transforming business processes

Regulars
02 | Editorial
08 | Enterprise Roundup
68 | Viewpoint

A Question of Answers
12 | Point Solutions are Passé

Best of Breed
16 | The Amazon Cloud and PCI Compliance

Viewpoint
68 | Size Matters

Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Anuradha Das Mathur for Nine Dot Nine Interactive Pvt Ltd, Bungalow No. 725, Sector - 1, Shirvane, Nerul, Navi Mumbai - 400706. Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301

Cover Design by: Shokeen Saifi | Imaging by: Anil T | Photos by: Jiten Gandhi


Special leadership section | Page 38A to 51

My Story
40 | No Room for Error for Today’s CIOs: Ashish Pachory, CIO, Tata Teleservices, shares his perspective on various aspects of becoming a successful CIO
39 | Top Down IT in Education: Max Gabriel, Senior VP and CTO, Pearson India, believes that digitising content will go a long way in helping the education sector

49 | Opinion: Common Negotiating Mistakes. Losing Thousands on the Bargaining Table
48 | The Best Advice I Ever Got: Never Give Up on Anyone. Vishwajeet Singh, CIO, Epitome Travel Solutions, shares his leadership mantra
42 | Leading Edge: Elevating Technology on the Boardroom. Boards are starting to guide management by asking the right questions about technology
45 | Me & My Mentee: Leading by Example. Mentoring is all about leading by example
51 | Shelf Life: Leadership 2.0. In today’s fast-paced world everyone is searching for tools that can help them to rise above the rest


Contents (continued)

12 | A Question of Answers: “Point Solutions are Passé”. Sundar Ram Gopalakrishnan, VP, APAC, Oracle, talks about the importance of an integrated security approach
16 | Best of Breed: The Amazon Cloud and PCI Compliance. An organisation needs to subscribe to EC2, VPC and S3 in order to build a basic platform capable of computing
53 | Next Horizons: Israel vs Iran. The strategic importance of the fifth domain, cyberspace
60 | Tech for Governance: Panalpina’s “World Wide Web”. It is important to include contractual language

www.cioandleader.com

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Consulting Editor: Atanu Kumar Das
Assistant Editors: Varun Aggarwal & Akhilesh Shukla

Design
Sr. Creative Director: Jayan K Narayanan
Sr. Art Director: Anil VK
Associate Art Directors: Atul Deshmukh & Anil T
Sr. Visualisers: Manav Sachdev & Shokeen Saifi
Visualiser: NV Baiju
Sr. Designers: Raj Kishore Verma, Shigil Narayanan, Suneesh K & Haridas Balan
Designers: Charu Dwivedi, Peterson PJ & Midhun Mohan

Marcom
Associate Art Director: Prasanth Ramakrishnan
Designer: Rahul Babu

Studio
Chief Photographer: Subhojit Paul
Sr. Photographer: Jiten Gandhi

Advertisers’ Index
Iomega: IFC | Riverbed: 3 | Symantec: 7 | IBM: 1, IBC | Schneider: 24-25 | Microsoft: BC
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IT, ICICI Bank
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Sr Consultant, NMEICT (National Mission on Education through Information and Communication Technology)
Vijay Sethi, CIO, Hero MotoCorp
Vishal Salvi, CISO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay

Next100 Advisory Panel
Manish Pal, Deputy Vice President, Information Security Group (ISG), HDFC Bank
Shiju George, Sr Manager (IT Infrastructure), Shoppers Stop
Farhan Khan, Associate Vice President – IT, Radico Khaitan
Berjes Eric Shroff, Senior Manager – IT, Tata Services
Sharat M Airani, Chief – IT (Systems & Security), Forbes Marshall
Ashish Khanna, Corporate Manager, IT Infrastructure, The Oberoi Group

Sales & Marketing
National Manager – Events and Special Projects: Mahantesh Godi (+91 98804 36623)
National Sales Manager: Vinodh K (+91 97407 14817)
Assistant General Manager Sales (South): Ashish Kumar Singh (+91 97407 61921)
Senior Sales Manager (North): Aveek Bhose (+91 98998 86986)
Product Manager - CSO Forum and Strategic Sales: Seema Menon (+91 97403 94000)
Brand Manager: Jigyasa Kishore (+91 98107 70298)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Manager Operations: Rakesh Upadhyay
Asst. Manager - Logistics: Vijay Menon
Executive Logistics: Nilesh Shiravadekar
Production Executive: Vilas Mhatre
Logistics: MP Singh & Mohd. Ansari

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Anuradha Das Mathur. Published at Bungalow No. 725, Sector - 1, Shirvane, Nerul, Navi Mumbai - 400706. Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301

For any customer queries and assistance please contact help@9dot9.in

This issue of CIO&Leader includes 12 pages of CSO Forum free with the magazine




Enterprise Round-up

Story inside: EMEA IT Spending Will Grow 1.4% | Pg 08

What Will the Future CIO Role Look Like?
Gartner identifies four roles for IT and CIOs of the future

Gartner observes that the changing shape of IT is causing CIOs to question the role of IT in the organization and the part they will play in it. As businesses confront global economic uncertainty, changing market dynamics and cultural discontinuities created by technological innovation, their different parts require different ways of interacting with IT. "We are witnessing the emergence of a new generation of CIOs, one that aims not so much to 'run' IT as to ensure that the business achieves strategic value from the use of technology," said John Mahoney, VP and distinguished analyst at Gartner. "Although this isn't an entirely new development, the extent of the change is growing and a tipping point will be reached in the next five years," he added.

Gartner has identified four dominant futures for IT in the organization. They are not mutually exclusive and may exist in combination.

IT as a Global Service Provider: In this scenario, the IT organization is an expanded and integrated shared-service unit that runs like a business, delivering IT services and enterprise business processes. It is virtually or fully centralised, focuses on business areas and business value, adopts a marketing perspective, capitalizes on its internal position and delivers competitive services.

Data Briefing: 8% growth in IT spending in Asia Pacific in 2013 over 2012


Enterprise Round-up

They Said It: Azim Premji
The Wipro Chairman said that the demand for IT services in the US is persisting although the mood in terms of economic and employment growth remains muted.

“What is distinct from the overall economy in the US is that the IT demand is still holding out, though not a bumper demand we have seen two-three years ago.”
Azim Premji, Chairman, Wipro

Tablets’ Growth to Triple by 2016
Gartner expects 821 million smart devices to be sold in 2012

The consumerization trend has hit IT as an unstoppable force, as 821 million smart devices (smartphones and tablets) will be purchased worldwide in 2012 and pass the billion mark in 2013, according to Gartner, Inc. Smart devices will account for 70 percent of total devices sold in 2012. “For most businesses smartphones and tablets will not entirely replace PCs, but the ubiquity of smartphones and the increasing popularity of tablets are changing the way businesses look at their device strategies and the way consumers embrace devices,” said Carolina Milanesi, research vice president at Gartner. “In 2016, two-thirds of the mobile workforce will own a smartphone, and 40 percent of the workforce will be mobile,” said Milanesi. Tablets will be the key accelerator to mobility. Gartner estimates that in 2012 purchases of tablets by businesses will reach 13 million units and will more than triple by 2016, to reach 53 million units. Smartphones have become truly pervasive in every aspect of an employee’s life. Gartner estimates that 56 percent of smartphones purchased by businesses in North America and Europe will be Android devices in 2016, up from 34 percent in 2012 and virtually no penetration in 2010.

Quick Byte in IT
Religion-driven IT is estimated to generate more than $40 billion in software and service opportunities by 2017. The dynamic of IT and religion will create a new industry, generating software and service opportunities, according to Gartner analysts.


Enterprise Round-up

EMEA IT Spending Will Grow 1.4%
By 2015, Big Data will create 1.3 million IT jobs in EMEA

IT spending in Europe, the Middle East and Africa (EMEA) will reach $1.154 trillion in 2013, a 1.4 percent increase from 2012 projected spending of $1.138 trillion, according to Gartner, Inc. Despite the ongoing economic malaise, Gartner sees pockets of growth in IT in Europe, mainly driven by devices and software. Big data will also change the landscape of IT, creating new jobs.

“This year is a pessimistic year for IT spending in Europe,” said Peter Sondergaard, senior vice president at Gartner and global head of Research. “In 2012, we estimate that IT spending will decline 3.6 percent in EMEA and 5.9 percent in Western Europe. However, the EMEA region will return to growth in 2013 and continue to grow through 2016 when spending will reach $1.247 trillion.”

“The mobile device market is currently the bright spot of the IT industry,” said Mr. Sondergaard. “We are seeing tablets and smartphones significantly outpace purchases of traditional PCs.” Gartner estimates that spending on mobile devices in EMEA will amount to $136 billion in 2012, reaching $188 billion in 2016. In Western Europe, both consumers and businesses are adding tablets to their portfolio of mobile devices, increasing the total mobile device market growth by 8 percent in 2012. This contrasts with a decline of 5 percent in the mobile PC market in Western Europe. In Eastern Europe and the Middle East and Africa, mobile phone shipments will dominate the market, with tablet adoption increasing through to 2016.

By 2016, two-thirds of the workforce will have a smartphone or tablet device. This will change the way consumers buy software and transform the market. Traditional software providers will have to rewrite their applications for these tablet-based environments, and there will be a strong increase in software spending. Gartner estimates that EMEA IT spending in software will grow 3.1 percent in 2013, nearly reaching the $100 billion mark in 2016. Consumers and workers becoming more mobile will lead to a complete change of architecture. Information will expand and accelerate driven by the Nexus of Forces, becoming a higher strategic priority for businesses. “The Nexus of Forces are the confluence and integration of cloud, mobile, social and information that will transform IT architecture and create a new information layer in our economy that will create new jobs, new revenue, and require new skills,” said Sondergaard.

Over the next three years, together with North America and Japan, EMEA will be the most active region in using big data. By 2015, 4.4 million IT jobs will be created globally to support big data, creating 1.3 million IT jobs in EMEA, including 1.2 million IT jobs in Western Europe alone. However, public education systems, as well as training within companies, are not sufficient to satisfy that demand. “We expect that organizations will be unable to fill out these positions, and we estimate that only 31 percent of the IT jobs will be filled in Western Europe,” said Sondergaard.

Global Tracker: Android on the Rise
Google’s Android operating system will be used on more computing devices than Microsoft’s Windows within four years. Source: Gartner


Banks Should Bank on APIs and Apps
Use of APIs and Apps will enable flexibility

Current application portfolios are preventing banks from making the transformation they need to re-engage with customers and stakeholders, according to Gartner. Gartner said that apps enable a new style of engagement with customers, one that is focused on providing context-aware services. “The banking industry has lost its way, both in the services it provides to customers and its future profitability to stockholders,” said Kristin Moyer, research director at Gartner. “Banks need to transform both their delivery models and architectures to remain profitable and relevant in the financial services’ value chain. Applications are preventing transformation in the banking industry because they are rigid and reactive.”

Gartner said banks need to stop relying on reactive product delivery and start providing a delivery model transformation that uses public and private Web application programming interfaces (APIs) and apps. This new approach will enable banks to deliver needs-based services that are relevant to the context, location and technology customers are using, which will lead to proactive delivery that either anticipates a customer need or improves their financials. It will also allow banks to respond quickly to new opportunities, and third-party developers to build the banking solutions they need. For example, a mortgage refinance app could indicate whether it makes sense to refinance a mortgage, given current interest rates. With a few more clicks, the customer could apply and then view the process steps required for the bank to complete the transaction. “This would be an entirely new way of banking, and if banks ignore these trends they will quickly find themselves relegated to low-margin, low-growth market segments and products that will no longer be profitable,” said Moyer. Retiring redundant, monolithic applications is necessary to improve agility and efficiency, but also to prevent out-of-control complexity. The proliferation of apps will increase complexity, and if a bank already has substantial application redundancy, it will not be able to improve agility or efficiency by adding apps and APIs into the mix. However, APIs and apps can replace an application, or an app can call an application through an API or middleware layer.

Fact Ticker
4.4 million IT jobs globally to support Big Data by 2015 | 1.9 million IT jobs will be in the US

Worldwide IT spending is forecast to surpass $3.7 trillion in 2013, a 3.8 percent increase from 2012 projected spending of $3.6 trillion, but it’s the outlook for big data that is creating much excitement, according to Gartner. “By 2015, 4.4 million IT jobs globally will be created to support big data, generating 1.9 million IT jobs in the US,” said Peter Sondergaard, senior vice president at Gartner and global head of Research. “In addition, every big data-related role in the US will create employment for three people outside of IT, so over the next four years a total of 6 million jobs in the US will be generated by the information economy.”

“But there is a challenge. There is not enough talent in the industry. Our public and private education systems are failing us. Therefore, only one-third of the IT jobs will be filled. Data experts will be a scarce, valuable commodity,” Sondergaard said. “IT leaders will need immediate focus on how their organisation develops and attracts the skills required. These jobs will be needed to grow your business. These jobs are the future of the new information economy.”

Tablets

MAIT, the apex body representing India’s IT hardware, training and R&D services sectors, has announced the findings of its first-ever Tablet Study in the Indian market. The tablet market, pioneered by the launch of the iPad in 2010, has been growing rapidly and the study puts the growth rate at 40 percent over the next 5 years, compounded annually. Commenting on this new opportunity, Alok Bharadwaj, President, MAIT, said, “The tablet market is the new blue-eyed growth opportunity in India. It is fast becoming one of the drivers of rapid growth in the IT content consumption and hardware sector in India. With the introduction of several national and international brands of tablets in India, the market is witnessing a revolution of sorts with these devices changing the way services are delivered in various other sectors such as education, healthcare and governance. We expect the market to touch 1.6 million units in the current financial year and grow to touch 7.3 million units by 2015-16.” According to Bharadwaj, a key factor in the growth of tablets has been the encouragement from the government in adopting and developing low-cost options for use in our villages and other rural areas.


A Question of Answers | Sundar Ram Gopalakrishnan, VP, Oracle

“Point Solutions are Passé”

Need of the Hour: Organisations need to develop and implement a comprehensive security strategy

Sundar Ram Gopalakrishnan, VP-Technology, APAC, Oracle Corporation, in an interview with Varun Aggarwal, talks about the importance of an integrated security approach.

Advanced Persistent Threats often abuse various security loopholes at different layers to get into an organisation. In such situations, where a single solution can’t detect an intrusion, how do you think an organisation can protect itself?

Organisations today, while recognising the need for an end-to-end security solution, fail to look at security comprehensively until they’ve had a security breach. It is only at such time that they realize the importance of having a security strategy in place. Oracle helps organizations develop and implement a comprehensive security strategy that can protect them against internal and external threats and help them address the changing compliance requirements. Point solutions are hard to integrate and scale, eventually making it an expensive proposition. These also often leave security gaps since there is no centralised management or reporting, with independent owners for every solution. End-to-end Oracle security solutions offer the lowest TCO and comprehensive security. Organizations can leverage Oracle solutions to not only meet their compliance needs but also to securely centralize and streamline IT infrastructure, data, applications and identity management. Data breach investigations have shown that security controls must be multi-layered to protect against threats that range from account misuse to SQL injection attacks. In addition, the ever changing regulatory landscape and renewed focus on privacy demonstrates the need for solutions to be transparent and cost effective to deploy.

What is the state of security you see in India? What are the sectors you’re focused on right now?

In India, we are focusing on sectors like Telecom, BFSI and Government as these sectors own extensive classified or confidential data and are more prone to security threats. These sectors are also guided by strong regulatory compliances. Oracle with its full spectrum of security solutions is in a strong position to address the needs of these demanding industries. Industry leading organizations globally rely on Oracle’s security solutions. Some of the Indian customers using Oracle security solutions include Hindustan Petroleum Corporation Limited (HPCL), TVS Motor Company and Aircel Limited. Oracle’s innovative range of security solutions is sophisticated to adapt to external threats as well as provide protection against internal threats. The portfolio includes Oracle Identity Management, Oracle Privileged Account Manager, Oracle Database Security, Oracle Advanced Security, Oracle Database Vault, Audit Vault and Database Firewall. Information ranging from trade secrets to financial and confidential data has become the target of sophisticated attacks both in India and around the world. While most organizations have deployed perimeter firewalls, intrusion detection, and anti-spam technologies, they lack an in-depth, inside-out data protection security strategy. According to the recent Independent Oracle Users Group (IOUG) Data Security Survey undertaken amongst database and information security professionals, organizations are inadequately protecting sensitive data and database infrastructure. The results are disturbing, with 60% of respondents saying they are either likely or somewhat likely to have a data breach over the next 12 months. Similarly, a recent study revealed 48% of breaches were caused by insiders – so with all the monitoring, 48% of breaches were caused by people who had either excessive access or even legitimate access to the data. 92% of stolen records are from database servers, 89% of records were stolen with simple SQL injection attacks and a whopping 86% of attacks were due to lost or stolen credentials.

Can you elaborate more on the study findings?

The new survey from the Independent Oracle Users Group (IOUG) titled "Closing the Security Gap: 2012 IOUG Enterprise Data Security Survey" uncovers some interesting trends in IT security among IOUG members and offers recommendations for securing data stored in enterprise databases. Produced by Unisphere Research and underwritten by Oracle, the report is based on responses from 350 IOUG members representing a variety of job roles, organization sizes, and industry verticals. Some of the key findings include:

Corporate budgets increase, but trailing: Though corporate data security budgets are increasing this year, they still have room to grow to reach the previous year’s spending. Additionally, more than half of respondents say their organizations still do not have, or are unaware of, data security plans to help address contingencies as they arise.

Danger of unauthorized access: Less than a third of respondents encrypt data that is either stored or in motion, and at the same time, more than three-fifths say they send actual copies of enterprise production data to other sites inside and outside the enterprise.

Privileged user misuse: Only about a third of respondents say they are able to prevent privileged users from abusing data, and most do not have, or are not aware of, ways to prevent access to sensitive data using spreadsheets or other ad hoc tools.

Lack of consistent auditing: A majority of respondents actively collect native database audits, but there has not been an appreciable increase in the implementation of automated tools for comprehensive auditing and reporting across databases in the enterprise.

What are your recommendations for CIOs and CISOs given the state of affairs?

We believe that securing data requires not just the ability to monitor and detect suspicious activity, but also to prevent the activity in the first place. To achieve this comprehensive approach, we recommend CIOs to apply an enterprisewide security strategy.

Things I believe in
A recent study revealed 48% of breaches were caused by insiders
Corporates fail to look at security comprehensively until they’ve had a security breach
Though corporate data security budgets are increasing this year, they still have room to grow to reach the previous year’s spending
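The interview above cites SQL injection as the vector behind most stolen records and calls for controls that both prevent and detect. The following Python snippet is an added example, not part of the interview or of Oracle's material: it puts a query built by string concatenation beside its parameterised form against an in-memory SQLite table, and adds a row-count check as a small detective control. The table, the sample users, the lookup functions and the test input are all constructed for the illustration.

```python
# Added example: vulnerable string-built SQL beside its parameterised form.
# Table, users and test input are constructed for the illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the caller's string is spliced into the SQL text, so a quote
    in the input ends the literal and whatever follows is parsed as SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the driver binds the value to the ? placeholder, so the input
    is compared as data and is never parsed as part of the statement."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def single_row_or_alert(rows: list) -> list:
    """Detective control: a lookup by unique username must yield at most one
    row. More than one means the predicate was tampered with or the schema is
    not what the code assumes; raise so the anomaly is logged upstream."""
    if len(rows) > 1:
        raise RuntimeError(f"expected at most 1 row, got {len(rows)}")
    return rows


def demo() -> dict:
    """Run both lookups with a benign and a constructed hostile input."""
    conn = make_db()
    benign = "bob"
    # Constructed test input: a closing quote followed by an always-true predicate.
    hostile = "x' OR '1'='1"
    results = {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_safe": lookup_parameterised(conn, benign),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),
        "hostile_safe": lookup_parameterised(conn, hostile),
    }
    # The detective check fires only on the vulnerable path, which returns
    # every row of the table; the parameterised path returns no rows.
    try:
        single_row_or_alert(results["hostile_vulnerable"])
        results["alert_fired"] = False
    except RuntimeError:
        results["alert_fired"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both functions return the same single row for a legitimate username; the difference appears only when the input carries SQL syntax, which is why parameter binding is the preventive layer and the row-count check is the detective layer the interview's recommendation asks for.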




Best of

Breed Features Inside

Security & Admin Cost May Offset BYOD Savings Pg 19

Face it: Employees Rule IT Pg 20

The Amazon Cloud and PCI Compliance A company needs to subscribe to EC2, VPC and S3 in order to build a basic platform capable of computing

I

f there ever was a hot topic these days it would be “The Cloud� and, in particular, the Amazon cloud. And that discussion inevitably leads to how are the Amazon cloud offerings are PCI compliant? A lot of this discussion has to do with the very limited amount of information regarding the Amazon service offerings. For some very bizarre reason, Amazon puts organisations interested in their PCI compliant services in a Catch-22 situation. Unless you sign up for one or more of the services, you cannot obtain the information on how the Amazon


Unlocking Big Data in Social Technologies Pg 21


compliance | Best of breed

service offerings are PCI compliant. As a result, there is a lot of misinformation running around regarding the Amazon cloud. So, to debunk the myths, I thought I would explain what the Amazon cloud is and is not, how it ends up PCI compliant, and what you need to understand when deciding to use the Amazon cloud.

And before I get calls from someone at AWS claiming that I am somehow singling them out or being unfair: I do not have a problem with AWS or any organisation's cloud service offerings. What I have an issue with is how some service providers use obfuscation and confusion about their services in ways that leave customers unsure of whether they are getting something that is PCI compliant. As I see it, the AWS service offerings seem to be PCI compliant, but there are things that possibly should be further explained so that everyone understands how that compliance is achieved.

The first part of the mythology revolves around what PCI compliant services Amazon Web Services, LLC (AWS) is actually providing. According to AWS's Attestation of Compliance (AOC), AWS is a Hosting Provider for Web and Hardware. The AOC calls out that the following services have been assessed PCI compliant: Amazon Elastic Compute Cloud (EC2); Amazon Virtual Private Cloud (VPC); Amazon Simple Storage Service (S3); Amazon Elastic Block Store (EBS); Amazon Relational Database Service (RDS); Amazon Elastic Load Balancing (ELB); and Amazon Identity and Access Management (IAM). The AOC lists nothing for software provided through any of these services. As a result, a big myth that gets busted right off the bat is that AWS is providing software. At the end of the day, all AWS's services offer is Infrastructure as a Service (IaaS). As a result, how AWS is PCI compliant is fairly easy to figure out: they have totally minimised their responsibility on the PCI compliance front.

In addition to the AOC, AWS provides customers with a document entitled “AWS PCI DSS Controls Responsibility Summary” (CRS). This document explains the various services and the responsibilities a customer organisation has when using them.

The first piece of infrastructure used by AWS is virtualisation, in the form of Xen as the hypervisor. Because of the way AWS has implemented Xen, every virtual instance created by EC2 acts like an individual physical server in that there are no connections to any other server unless the organisation defines such connections. This is referred to in the CRS as instance isolation. Finally comes the firewall. EC2 includes a firewall that is managed by the customer. Access to the firewall is controlled by an X.509 certificate and access credentials provided through IAM. In addition to utilities to manage the cloud environment, AWS provides various application programming interfaces (APIs) to manage the AWS cloud environment.

The bottom line is that, at a minimum, an organisation needs to subscribe to EC2, VPC and S3 in order to build a basic platform capable of computing (i.e., server, connectivity and storage). The need for other services outside of these will depend on what the organisation is attempting to accomplish, whether or not they need the flexibility and scalability provided by AWS, and other business factors.

From a PCI compliance perspective, the CRS categorises the 12 PCI requirements into those that are AWS's responsibility, those shared between AWS and their customer, and those that are solely the customer's responsibility. In the AWS-is-responsible category falls requirement 9, physical security and environmental controls. Since AWS provides the facilities and operates the underlying physical hardware, it is solely responsible for this requirement.
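The EC2 firewall described above is provided by AWS but configured by the customer, so its ingress rules are part of the customer's own PCI evidence. As an added example, not from the article or from AWS, this Python audit reads security-group rules in the JSON shape returned by the EC2 DescribeSecurityGroups API and flags world-open ingress that falls outside an HTTPS-only allow-list; the group IDs, addresses and the allow-list are constructed assumptions.

```python
"""Audit EC2 security-group ingress rules for the customer's share of PCI DSS Requirement 1."""
import ipaddress
import json

# Constructed sample in the JSON shape returned by the EC2 DescribeSecurityGroups API.
# Group IDs, names and addresses are hypothetical.
SAMPLE_GROUPS = json.loads("""
[
  {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "cde-web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
   ]},
  {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "cde-db",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "-1",
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}
   ]},
  {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "cde-app",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
      "IpRanges": [], "Ipv6Ranges": [],
      "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]}
   ]}
]
""")

# Assumption: the only service the CDE may expose to the whole internet is HTTPS.
ALLOWED_PUBLIC_TCP_PORTS = frozenset({443})


def is_world_open(cidr):
    """True for a source that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_sources(perm):
    """All IPv4 and IPv6 CIDR sources of one IpPermissions entry.

    Sources given as other security groups (UserIdGroupPairs) are not CIDRs and are
    therefore never world-open; they are deliberately left out here.
    """
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_group(group, allowed_tcp=ALLOWED_PUBLIC_TCP_PORTS):
    """Return (group_id, description) findings for world-open ingress outside the allow-list."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        for cidr in rule_sources(perm):
            if not is_world_open(cidr):
                continue  # scoped source; still review it against the CDE network diagram
            if proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
                exposed = set(range(lo, hi + 1)) - allowed_tcp
                if exposed:
                    findings.append((group["GroupId"],
                                     f"tcp {lo}-{hi} open to {cidr}: "
                                     f"{len(exposed)} port(s) not on the allow-list"))
            else:
                # "-1" is every protocol; udp, icmp and others are never allowed world-open here
                label = "all traffic" if proto == "-1" else proto
                findings.append((group["GroupId"], f"{label} open to {cidr}"))
    return findings


def audit(groups):
    """Findings for every group, in the order the groups and rules were supplied."""
    return [finding for group in groups for finding in audit_group(group)]


if __name__ == "__main__":
    for group_id, description in audit(SAMPLE_GROUPS):
        print(f"{group_id}: {description}")
```

Against the constructed sample the audit reports the HTTP and SSH rules on the web group and the all-traffic IPv6 rule on the database group, while the HTTPS rule and the group-to-group rule pass.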

In the shared responsibility category fall requirements 1, 10 and 11. For requirement 1, AWS acknowledges that this is a shared compliance responsibility between AWS and their customer. However, AWS's responsibility is only to provide a firewall and ensure that it segregates their customers from one another. The remainder of the responsibility for complying with requirement 1 is left to the customer.

For requirement 10, AWS indicates that they are responsible for: maintaining log files for EC2 and S3 customer management operations (e.g. creation, modification and deletion of these environments) for at least a year; and maintaining logs for the underlying software that provides the various services for at least a year. This log information is monitored at least daily and is available to customers for their particular environment should it be necessary. All other parts of requirement 10 are the responsibility of the customer.

For requirement 11, AWS indicates that they are responsible for ensuring the security of their environment, including ensuring wireless security. Customers are responsible for ensuring the security of the environments they construct using AWS's services.

All of the remaining requirements, 2, 3, 4, 5, 6, 7, 8 and 12, are solely the responsibility of the customer. So after all of this rigmarole, what is the advantage to be gained? Not much, as near as I can tell. The bulk of responsibility for PCI compliance still falls on the organisation using the AWS services. So organisations looking to offload as much of their PCI compliance responsibilities as they can to AWS are looking in the wrong place. But it does not end there. We are seeing


more and more startup service providers that are using AWS services to avoid the capital costs of hardware and software for a 24/7/365 operation. Where this becomes tricky is when you have a service provider providing PCI compliant services effectively using AWS for their “data center.” In some cases, these service providers are trading on the fact that because AWS is PCI compliant, their services must also be compliant. However, what these service providers forget is that once they start going beyond the IaaS model and offer services in the Platform as a Service (PaaS) and Software as a Service (SaaS) realm, they are now responsible for portions of PCI compliance that Amazon is not. As a result, organisations need to conduct due diligence on vendors using other cloud providers to provide their services to ensure that everyone is PCI compliant.

So do I think your organisation should rush right out and sign up for AWS? Maybe, if you have the right business case. But I do have some concerns regarding AWS's service offerings and the statements surrounding how they are PCI compliant.

My first concern is in regards to requirement 1.2.3. This requirement is one of the few that is not allowed to be marked 'Not Applicable'. As such, the QSA is required to document what procedures they conducted to ensure that any existing wireless is either not in scope, or that there is wireless inside of scope and how it is secured. To document this, AWS's QSA has written:

“[AWS] maintain this control for all internal and external services that it provides. In EC2 and VPC environments, this includes the network at the hardware and management level networks, which are not exposed to customers.”

This statement says nothing of what procedures were conducted to ensure that wireless was not visible to customers, nor of the controls AWS maintains to ensure wireless stays out of scope. Essentially, we are asked to trust AWS that wireless is not on any customer networks. Now, to be fair, AWS is operating secured data centers comprising racks of hardware, all virtualised, so the likelihood that wireless would exist in such an environment on any one customer's network is remote at best. However, the PCI assessment process is all about verifying such statements, not just accepting them at face value as fact. As a result, I am concerned that what is supplied as evidence for complying with this test leaves much to be desired. What should be documented here are the procedures the QSA used to confirm that the controls AWS has in place are adequate to ensure that rogue wireless does not end up in their data centers.

Related to requirement 1.2.3 is requirement 11.1. As with 1.2.3, 11.1 is also not allowed to be marked as 'Not Applicable' regardless of whether wireless is implemented or not. For all of the tests under 11.1, the following statement is made: “[AWS] maintain[s] this control internally.” So what exactly does AWS do to ensure that their data centers remain wireless free, or that wireless does not end up on the customer network? No idea. I would like to assume that AWS is doing the right things in this regard, but, again, the PCI assessment process does not allow for assumptions; it requires proof, and this just does not pass muster. At a minimum, there should be a discussion of the procedures used by AWS to ensure wireless is not an issue.

While we are discussing requirement 11, we should cover vulnerability scanning, penetration testing, intrusion detection and critical file monitoring. All of these are the customer's responsibility, not AWS's. Again, AWS is providing IaaS and nothing else, so any such controls will need to be provided by the customer.

47% increase in the worldwide sales of smartphones in Q3, 2012

When reviewing the detailed responses in requirement 9, it was interesting to see that AWS is responsible for ensuring that


for the portion of any customer's cardholder data environment (CDE) that exists in AWS, hardcopy materials are properly destroyed so as to be unrecoverable. This begs the question, “Why would AWS have any hardcopy to destroy in the first place if they do not have access to customers' environments?” No further explanation is given, but one would guess it was their lawyers' idea, just in case AWS might somehow come into contact with CHD on hardcopy.

The next area I have issue with is not related to the service, but to how an organisation contracts for the service. In an effort to fully automate things, unless you are a Fortune 50 looking to put your entire computing environment in AWS's data centers, you can forget about negotiating a contract. When you sign up for any AWS service, you either accept their contractual terms and conditions by checking the ‘Accept’ box and clicking Okay, or you don't get to use AWS. I know of a number of organisations that had real issues with that approach and, as a result, backed away from a more aggressive use of the AWS environment or decided they just could not accept the terms and did not go to the cloud at all. While the AWS contract does cover PCI compliance, it essentially makes the customer the one legally responsible for compliance, with AWS providing support when necessary.

So that is AWS in a nutshell. Not a bad thing, but something an organisation needs to go into with their eyes wide open, understanding that they still have significant responsibilities even though they are now in “The Cloud.”

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


BYOD | BEST OF BREED

Security & Admin Cost May Offset BYOD Savings

Security can also be a dangerous and costly concern for companies implementing BYOD

By Rainer Enders


There is a difference between enabling a mobile workforce and enabling a BYOD (bring-your-own-device) workforce. Companies need to mobilise, that is without question -- but for too long BYOD has become nearly synonymous with this effort. In reality, BYOD is just one of the ways enterprises can mobilise, and in many cases, it is not the most secure, or necessarily the most cost-efficient way to do so. The Aberdeen Group found that BYOD, on average, costs companies 33 percent more than adopting a company-owned device policy. This is particularly surprising because, at first glance, BYOD seems to be the ultimate cost saver. Your employees buy their own devices, equipping themselves with the resources needed to be mobile. The ROI seems incredibly high because there is very little initial investment. But the problem comes in when companies jump on the BYOD bandwagon without properly assessing the associated costs and coinciding risks. After all, it's foolish to believe BYOD, a drastic departure from typical corporate protocol, comes without costs. For one, BYOD requires significant cross-departmental overhead to ensure that everyone involved in employee administration is on the same page. This includes executives

from IT, human resources, finance and other different departments. If an enterprise has a particularly mobile sales force, which many companies do, then the head of that division needs to be on board, as well. Accordingly, rules and protocols need to be developed, refined and then implemented in order to educate employees

on the proper use of their now hybrid personal/professional devices that will be with them at all times. In order to coordinate and execute these protocols, time must be taken from all departments -- time that could be devoted elsewhere. Security can also be a dangerous and costly concern for companies implementing


a BYOD culture. Enterprises need to protect themselves from employees unwittingly exposing company data to insecure networks and people outside their organisations. Because so many individuals own multiple mobile devices these days, a single employee could conceivably access an employer's corporate network from upward of a half-dozen different devices. This makes developing the protocols around BYOD exceedingly complicated. If security is a priority, then VPN software will be an absolute necessity. This requires locating a VPN that can work properly across a wide range of devices and operating systems. Then, depending on the type of software used, this could involve installing software on every device an employee plans to use, from an iPhone to a home desktop. Bear in mind, even under these most stringent of security circumstances, particularly in BYOD cultures, employees may believe it is acceptable to access sensitive information from, say, a friend's computer or a public terminal, in the process leaving the network particularly vulnerable. This begs some essential questions: Who is responsible for the damage that might be incurred when company security is compromised via employee-owned devices? Who determines who is responsible? What

is proper punishment? These need to be answered, especially if the compromised information has legal ramifications. Then, of course, there is the issue of employees leaving the company. Where does a CIO draw the line between respecting the former employee's privacy, and mandating that personal devices be scanned so that he or she does not leave while still being able to access the company network and documents? For companies that embrace mobility through employer-issued devices, these types of questions do not require exploration. This is not to say that BYOD should be

outright banned or wholly discouraged. Rather, at companies, particularly those with high-risk profiles, CIOs should consider investing in company-owned mobile devices for employee issuance. Doing so would allow for greater oversight of the entire network and ensure higher security. Unlike in BYOD environments, the CIOs could dictate which devices and operating systems are used across the company, in addition to standardising applications installed for remote access. There would certainly be an initial investment in devices, but this might be offset by fewer hours spent on security implementation and coordination between departments. And the bottom line is, eschewing BYOD leaves enterprises with more control over what happens with—and on—the devices rightfully owned by them. Mobility is no longer an option. It is a requisite for survival. And with the incredible advances made in handheld devices over the last decade, there is an undeniable pull toward employees using their own resources to work from home or the road—and an even stronger pull to indulge in these perceived cost savings. — This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Face it: Employees Rule IT

Sooner or later, you will eventually be forced to adopt BYOD anyway

By Samuel Greengard

It's remarkable that some CIOs still question and debate the value of the bring-your-own-device (BYOD) movement. At this point, the train has already left the station, and any organisation that isn't riding this express is rapidly heading toward obsolescence. The issue isn't only about giving employees the choice to use their own devices; it's about embracing the opportunities these devices provide.

Once upon a time, running an IT department was a lot simpler. You installed enterprise systems, made sure they were running smoothly and forced everyone to use them as the business saw fit. BYOD has turned this paradigm upside down and inside out. Essentially, the inmates run the asylum and dictate the terms.


Suggestion: Get used to it. It's the new normal. What's ironic about this scenario is that BYOD has fueled the consumerisation of IT, which, in turn, has unleashed productivity gains that were unimaginable only a few years ago. Suddenly, it's easier to connect dots—and data—by connecting to people instantaneously, wherever they're at and whatever device they're using. In a post-PC world, it's the digital equivalent of a wormhole through the IT universe. Most CIOs wouldn't have thought of anything as brilliant as BYOD and IT consumerisation. Employees, particularly younger workers, figured it out for them and then forced it on the enterprise. Capgemini Consulting and MIT Sloan Management recently reported that the digital leaders of the business world outperform the digital laggards in a number of ways. Those in the digital elite category achieve 26 percent higher profitability and 12 percent higher market valuations than their counterparts. There are no longer any valid excuses for fighting BYOD. Yes, security and compliance issues exist, but it's critical to view these within the framework of overall enterprise security and to extend solutions and strategies to the mobile arena. Many employees will use their own devices regardless of corporate policies, and you will merely increase the security threats and reduce potential productivity returns. You

MANAGEMENT | BEST OF BREED

will also alienate a lot of workers. You will eventually be forced to adopt BYOD anyway, perhaps a few months or a year or two down the line. By then, you will be choking on the exhaust of a digital revolution that has passed you by.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Unlocking Big Data in Social Technologies

Big data was the real story at Oracle's OpenWorld

By Tony Kontzer

The display at EMC Corp.'s booth at this week's Oracle OpenWorld show in San Francisco featured a famous quote uttered by a British entrepreneur in 2006: "Data is the new oil."

The quote was being bandied about to promote an ambitious global project called "The Human Face of Big Data," an effort commissioned by EMC, and sponsored by the likes of Cisco Systems and VMware, that

aims to use crowdsourcing to get a handle on humanity's increasing need to generate and crunch data. For example, a widely distributed smartphone application collected data, between Sept. 25 and Oct. 2, that indicated that the reason people can't find a cab when it rains in Singapore is that drivers looking to avoid having their pay withheld for accidents simply pull over to wait out rainstorms. They don't pick up new fares. While such findings may not hold much value for the average IT executive, the implications of big data certainly do. And


although the news from OpenWorld centered on Oracle's slew of new cloud services and a new platform that socially enables all of the company's applications, big data was clearly the dominant theme. Oracle CEO Larry Ellison's anticipated keynote address, which was entitled "The Oracle Cloud: Where Social is Built In,"

focused instead on how the company's venerable database and analytics technologies can crunch the big data inherent in social network streams. Ellison began his keynote touting Oracle's cloud—which now features new services such as planning and budgeting, financial reporting, and data and insight—as having the broadest set of applications in the industry. He then quickly introduced Oracle's new social platform, which he characterised as being far preferable to stand-alone social applications. But what he clearly wanted to demonstrate was the kind of insight that can be gleaned from social data when the right analytical tools are used. Specifically, he showed the packed hall how two products—Oracle's Exadata database and its Exalytics in-memory analytics appliance—were used to analyse nearly 5 billion Twitter posts to determine what celebrity would be the best spokesperson to promote a new Lexus sedan. Ellison made it clear that Twitter data, in particular, consists of much more than the posts themselves—it includes timestamps, geotags, device types, and more, and the data is of both the structured and unstructured variety. In the end, Oracle ended up analysing 27 billion relationships, nearly a billion retweets and hashtags, 2.8 billion mentions and another 1.3 billion replies. And as Ellison pointed out, the conclusion itself—that gold-medal Olympic gymnast Gabby Douglas was the best fit to promote the new Lexus—wasn't nearly as significant as the process by which that conclusion was reached, which included drilling down into the data to find out whose posts most frequently mentioned cars, for instance. "This was a very simple question that required an enormous amount of data processing to get the data," Ellison said. "This is something we would have had to guess at before." 
Now that sophisticated data crunching tools from Oracle, EMC and the like are making it possible to extract the value of big data, companies have no choice but to try and use that data to change their business. "Otherwise," said EMC CEO Joe Tucci during a morning OpenWorld keynote Oct. 2, "they'll be out of business." — This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


SECURITY | BEST OF BREED

“No known exploits in the wild...”

The detection mechanisms we have available to us, by nature, necessitate a patient zero

By Rafal Los


These days you can't open your email box or scroll through Twitter without reading of some new exploit against a system or platform you depend on. You'd think that when I read that there are "no known exploits circulating in the wild" I'd be excited or at least relieved, right? Not so much. Here's why. Any time I see someone write, or hear someone say, that there are "no known exploits in the wild" I cringe a little. While on the one hand it's good that the people who are doing the detecting haven't found anything or anyone out there actively exploiting your Java install with today's sandbox bypass, it gives me pause to ask whether it's because there isn't anything out there ...or if it's simply not being found. Outside the ring of seasoned security professionals the phrase "not known to be exploited in the wild" is dangerous. Why? Simple - people who don't know to think past the word known may assume that it's OK not to take precaution against this exploit du jour. It's been said before many times, but the good attacks you catch when someone becomes patient zero, while the best attacks are the ones where no one figures it out until much, much later. So should you take precaution against the exploit du jour? Of course. The detection mechanisms we have available to us, by nature, necessitate a patient zero. Like in medicine, someone has to be the first to get sick so we can detect and

respond; otherwise the bug is just floating around in the air being menacing. The problem in cyber space, much like with real-life illness, is that if it's out of sight it's out of mind. Defensive security professionals are busy worrying about *active threats*, so a potential threat isn't much bother until someone can tell them there is reason for alarm. Phrases like "not known to be exploited in the wild" can have the unfortunate consequence of allowing people who are already overloaded on 'security' worry to put it out of their mind and get back to more relevant "right now" risks.

It's human nature, and just the way we are wired... I know I can feel some of that in myself when I hear that phrase. I guess I would change it to be slightly more effective by adding "at this time" at the end of the sentence - although I doubt it would make too much of a difference. This is just something to think about, as you read the newswires, talk to your colleagues and leadership - keep this bit of psychology in the back of your mind. I'd love to hear how it impacts you, and whether you feel that it has the same effect on you that it does on me.



DATA CENTER CORNER energy efficiency

Implementing Energy Efficient Data Centers

Electricity usage costs have become an increasing fraction of the TCO for data centers. It is possible to dramatically reduce the electrical consumption of typical data centers.

Summary

The cost of electricity for data centers is a substantial operating cost that can and should be managed. The electrical power consumption is typically shared evenly between the IT loads and DCPI devices. Any rational approach to reduction in electrical usage must treat the combined IT / DCPI design as a system in order to maximize the benefit.

Electrical power usage is not a typical design criterion for data centers, nor is it effectively managed as an expense. This is true despite the fact that the electrical power costs over the life of a data center may exceed the costs of the electrical power system including the UPS, and may also exceed the cost of the IT equipment. The greatest advantage can be gained in the design of new facilities, but some savings are possible for existing and evolving facilities as well. Simple no-cost decisions made in the design of a new data center can result in savings of up to 30% of the electrical bill, and with systematic effort up to 50% of the electrical bill can be avoided.

Energy consumption reduction in IT equipment

Operational: retiring IT systems – Most data centers have old technology platforms that remain operational for archival or research purposes. In fact,


most data centers actually have application servers which are operating but have no users. It is useful to inventory these systems and create a retirement plan. In many cases, systems can be taken off line and powered down, even if they are not physically retired. A power consumption reduction of up to 20% is possible in typical cases. Even if the floor space is not recovered, the power capacity recovered can be very valuable as users deploy higher density IT equipment.

Operational: operating existing systems in an efficient manner – Today, most new servers have power management features. That is, they are able to reduce power consumption at times of reduced computational load. This was not true a few years ago, when the power consumption of virtually all IT equipment was constant and independent of computational load. Users should be aware of this change in IT technology, and be aware of the status of the power management features on their IT systems.



CUSTOM PUBLISHING

Operational: migration to energy efficient computing platforms – Most data centers have so-called “low density servers” that are 3-5 years old. Typically these servers draw the same or less power per server than today's blade servers and are physically much larger per server. Migration to modern blade servers from legacy servers on a server-by-server basis typically does NOT reduce the total power consumption and may even raise it. However, such migration will permit much higher packing densities for servers. Blades do not create more heat than equivalent 1U servers, but they do create heat in a smaller area, which gives rise to heat removal problems that create the perception that blades create excess heat.

Energy consumption reduction in DCPI equipment

Right-sizing – Of all of the techniques available to users, right-sizing the DCPI system to the load has the most impact on DCPI electrical consumption. Most users do not understand that there are fixed losses in the power and cooling systems that are present whether the IT load is present or not, and that these losses are proportional to the overall power rating of the system. These fixed losses are the dominant form of DCPI electrical consumption in typical installations. In installations that have light IT loads, the fixed losses of the DCPI equipment commonly exceed the IT load. Whenever the DCPI system is oversized, the fixed losses become a larger percentage of the total electrical bill. For a typical system that is loaded at 30% of rating, the electrical cost of IT load is approximately $2,300 per kW per year. If the system were right-sized to the load, the electrical cost of IT load falls to approximately $1,440 per kW per year, which is a 38% savings in electrical costs.

Energy-efficient system design – The system design has an enormous effect on the electrical consumption of data centers, and two data centers comprised of the same devices may have considerably different electrical bills. For this reason, the system design is even more important than the selection of power and cooling devices in determining the efficiency of a data center.

Using efficient DCPI devices – Although the selection of DCPI devices such as power and cooling equipment has less effect on the overall system electrical consumption than does IT architecture, DCPI right-sizing or DCPI system design, device selection is nevertheless an important element in designing a power-efficient data center. There is a substantial variation in the electrical losses between DCPI devices of the same type operated under the same conditions. For example, a December 2005 paper by the U.S. Electric Power Research Institute found that different UPS systems operated at 30% of load rating varied in losses from 4% to 22%, which is a 500% variation. It is important to note that this variation cannot be ascertained from the specification sheets for these products. Schneider Electric clearly demonstrates that the electrical losses in real applications can only be correctly predicted if the appropriate models are used, and that typical manufacturers' data is inadequate to make quantitative predictions of the electrical consumption of data centers.

90% of the electrical bill can be avoided through systematic effort.

Conclusion

A data center designed for reduced power consumption also saves other costs such as capital and operating costs associated with power and cooling systems, as well as saving space. The electrical power consumption is typically shared evenly between the IT loads and DCPI devices. Any rational approach to reduction in electrical usage must treat the combined IT/DCPI design as a system in order to maximize the benefit. The cost savings opportunities have been shown to be very large, yet the investment required to achieve them is small or even zero in some cases, when compared with legacy approaches to data center design.

BROUGHT to YOU BY

November 2012

25


COVER STORY | THE TRANSFORMER

A Technology Leader: Prashun Dutta, CIO, Tata Power, has what it takes to be a true tech leader



Inside

Man with a Vision, page 28
“Prashun's Style is Truly Democratic”, page 34
“Dutta is a Great Boss to Work With”, page 36

In a career spanning close to three decades, Prashun Dutta, CIO, Tata Power, has blazed new trails with IT by transforming business processes.

By Atanu Kumar Das | Design: Shokeen Saifi | Imaging: Anil T & Haridas Balan | Photos: Jiten Gandhi



Man with a Vision

Prashun Dutta, CIO, Tata Power, has been associated with IT for almost two decades. His appreciation of business realities has always helped him use IT in transforming the way his organisations work.



“I was very happy with management consultancy as it allowed me to think, analyse and come up with solutions that would eventually help the company” Prashun Dutta

Prashun Dutta, CIO, Tata Power, boasts of a career span that many would envy. An Electrical Engineer from Banaras Hindu University, with a post graduation in Industrial Engineering from National Productivity Council (NPC) and having done a fellowship from IIM Calcutta, Dutta wanted to be anything but an IT professional. Starting his career with the NPC, Dutta soon realised the importance of adding value to his qualification. After completing three years at NPC, he decided to pursue a fellowship programme from IIM, Calcutta. Armed with the fellowship, Dutta joined TCS in 1985. Going down memory lane, Dutta recalls, “My journey from management consultancy to IT is rather interesting as I never wanted to be in IT. When I was in TCS, I made a conscious decision to stay away from IT because IT those days was all about programming and I used to detest it."

"Many of my colleagues would advise me to take up IT because in those days that was the best way to land up a foreign posting. But I was very happy with management consultancy as it allowed me to think, analyse and come up with solutions that would eventually help the company to grow. I worked in TCS for almost 10 years and then moved to Reliance," he says.

During the selection interview at Reliance, Dutta specifically asked not to be assigned a role involving IT. However, fate had something else in store for him. In September 1994, Dutta joined Reliance in the polyester business and within two months, was handed over the responsibility of IT for that business. There was nobody heading IT at that point in time and, coming from TCS, Dutta had a better understanding of IT. Dutta took up the job reluctantly. During the tenure, he implemented several IT projects successfully that earned him accolades. “Even though I was not hands-on with IT, my understanding of it was pretty good. The polyester business of Reliance is large and there was plenty to do. I started off with one thought in mind, let me try and do new things using IT in a way which would ensure better productivity for the organisation," he says. In the first couple of months, whatever Dutta touched turned to gold. While an IT manager joined Dutta's department, he left soon, leaving Dutta with no option but to manage IT for the long term at Reliance.

Some unknown facts

Favourite Book: Autobiography of a Yogi: Yogananda Paramhansa
Favourite Authors: Rabindranath Tagore, Charles Dickens, George Bernard Shaw, Fritjof Capra
Favourite Wheels: BMW, Mercedes
Favourite Movie: One Flew Over the Cuckoo’s Nest
Favourite Sports: Badminton, Lawn Tennis, Table Tennis
Favourite Music: Hindi, Bengali and English songs of the 1960s and 1970s
How do you spend free time: Reading and listening to music
How do you balance work life: Never take work to my home
If not a CIO, what would you be: I would be associated with either Economics, Sociology or History



“I have always taken challenges hands-on and in fact I love to be in a situation where there appears to be no way out.” Prashun Dutta



The Toughest Moments

In 1998, Reliance decided to go in for SAP implementation. Dutta was assigned to integrate the sales and distribution of 15 different products, each with its peculiar market nuance, within the ERP solution. Dutta feels that working on the project ignited an interest in IT. The project made him understand the real power of IT and how IT could transform business. “From being totally averse to computer programming, here at Reliance, I was doing something which was totally different. It was undoubtedly the biggest and most complex SAP project at that time. We had to accommodate the differences in the various products within an overall framework laid out for the organisation," he recalls. Dutta overcame the challenges (in the form of diverse products) by close and intimate interactions with end-users and real-time collaboration amongst his team members.

Another interesting project that Dutta recalls was the integration of BSES's distribution network with that of Reliance. BSES was taken over by Reliance. Utilisation of IT in the distribution business throughout the country was marginal and primitive. BSES had a computerised billing system and a few customer-facing applications, while the entire work of operations and maintenance was executed manually. There was, obviously, enormous scope for IT enablement and, with the support of the top management of Reliance, Dutta prepared a detailed road map for the distribution business. "The road map covered the entire gamut of activities in the distribution business and its integration with existing operations technology. The plan provided a platform for knowledge management, training, collaboration and communication," avers Dutta. A foreign consultancy firm, engaged by Reliance at that stage, assessed the road map in the light of their extensive experience and commented that, if implemented fully, this would be a really world-class system for the distribution business. "The road map now stands implemented and has emerged as a de facto standard for the distribution business in the country," he says. Dutta feels he delivers his best in the toughest situations.

“I have always taken challenges hands-on and in fact I love to be in a situation where there appears to be no way out. It makes me think and come up with solutions that nobody could perceive would be possible. The BSES project was one of the high points in my career. I had no prior knowledge of IT systems in distribution but still came up with a road map which was truly world-class." Dutta carried these learnings (of starting from scratch and building world-class systems) when he later worked on Reliance Infra's Metro Rail and Roads businesses. Coming out with flying colours when in a sticky situation is the trait of a leader, a characteristic that Dutta has exhibited throughout his career.

The Democratic Manager

When it comes to managing a team, leaders instil confidence in their team members, bestow trust in them and give them work that is not only tough but also challenges their ability. “I believe in delegating work to my juniors and pushing the work down. I always encourage my people to do things and I tend not to be aggressive. This may mean that I have to be patient with my team but that is the way I get the work done," says Dutta. "I also tend to give people different types of exposure. For example, if the position of a project manager is vacant in a particular project, I tend to push a person from my team who has not yet taken the position of a project manager to lead that project. The person may be reluctant to take up the job but I give him the confidence that I am with him and he doesn't have to worry if he does commit any mistakes. For instance, one of my colleagues who was responsible for IT infrastructure was made responsible for IT for the Roads business, which was a much larger canvas to work upon. I always ensure that I handle the top management, create an ambience congenial for working and manage the same effectively,” he says.

Some achievements

1998-2000: One of the biggest SAP implementations in India, for 15 distinct products of Reliance, each having its own market nuances
2003-05: Integration of BSES business after Reliance took over the company
2005-06: Implementation of GIS in Reliance for the Distribution Business
2007-08: Power Generation project for Reliance
2009-11: Metro plus Road project for Reliance

High Points, Low Points

In a career of more than three decades, Dutta has had numerous high points and some low points. One of the most memorable moments of Dutta's career was when he was associated with TCS. "Mid-way through one of the largest management consulting projects, the client was extremely unhappy and was expressing his displeasure in a rather brazen manner, creating a host of problems, and it was getting increasingly difficult to make any progress on the project. The overbearing client was not only unhappy but had intimidated the entire team," says Dutta. Brought in as a consultant, Dutta volunteered to get the project done and asked for a month's time to salvage the situation. “Even though I was not directly involved in the project, I volunteered seeing the discomfiture of the team members to face the situation. I had the confidence of getting the project done," he says. "Exactly after a month of working on the project, we had to give the client a 'make-or-break' presentation. I remember, we started the presentation at 10.30 in the morning and the presentation went on till 7 pm, and at the end of the day the client was so happy that he gave us two more projects which were much bigger than the current one," recalls Dutta. "I really felt very good, not because I did the project but because I had the confidence in me to take up what seemed a very difficult task and make a marked difference to what was an explosive situation,” reflects Dutta.

In terms of low points, Dutta remembers when one of the projects he was involved in was done in a hurry. As a result, there were glitches in the project, which eventually meant that the project had to be partially redone at a cost to the company. Dutta learnt an important lesson from this, which was the need for greater involvement at the lower levels, something that he had not focused on. “Everybody involved in the project had missed spotting the error, and it eventually led to costs for the company. But the management was very supportive as they had seen my team perform exceptionally well in other circumstances. But I still consider this as one of the low points of my career,” says Dutta.

“The role of the CIO is definitely changing and far transcending IT and going on to be a catalyst's role in technology enabling any organisation” Prashun Dutta

Lessons learned

On the important learnings that made him a better professional, Dutta remembers when he was working with Reliance in 1995 and was asked by his boss to get in touch with a client on an urgent basis. When Dutta tried to contact him, he found out that the person was in the US and would be back only after a week. When Dutta apprised his boss of the situation, the boss asked Dutta, “Are there no phones in the US?” During those times, companies did not allow employees to make STD calls, let alone ISD calls. This one line changed the way Dutta perceived things. He realised immediately that if a task has to be performed, it has to be performed. One has just to figure out how, and not why the task cannot be done. Eventually, they did get in touch with the client in the US and got the work done. “This incident changed me as a person and how I viewed things. From that moment, I started to look for solutions to solve problems rather than taking problems to the management,” says Dutta.

Another learning that Dutta carried through his career was the ability to think big to achieve something big. “Once we needed leased lines in Reliance and I ordered two leased lines. My boss called me up and asked why I had ordered two leased lines and I explained it to him. He then asked me why I didn't order four leased lines and constrained myself to only two. At that moment I realised that I had been focussing more on costs than was perhaps necessary rather than on things which would enable me to help the business to grow. This is also a very important learning,” sums up Dutta.

Being a successful leader

Dutta feels that to be a successful leader one has to have the vision about where he wants the company to be in a specific time frame. "To be a good leader one has to have a holistic vision of the future. The vision need not be large as it is the picture that will make the vision large. A good leader must demonstrate confidence and needs to delegate work and should have the ability to lead from the front. A successful leader should have the ability to handle tough moments and should also have the ability to take the beatings, be it from the top or from the juniors," he says. According to Dutta, a leader should always be fair and should not give undue advantage to anybody. He should have credibility and should be above controversy. Another important trait for leadership is to be articulate and be a good listener. "There should be multiple channels which should be open to a leader from where he gets to know about numerous things, but he should not be judgmental and should have the ability to make decisions based on his own thinking," says Dutta. “A leader should build consensus for any major issue and should have the ability to tell his team if he doesn't know something. If you are the boss, you are not god. There will be times when you may not know a certain thing and if you share that with your team, it makes you more humane and the respect only grows with such interactions,” he says.

In his present role at Tata Power, the highest priority Dutta accords is to ensure a much higher level of penetration and usage of IT at all levels, coupled with intelligent integration of operations and information technology. His overall vision is to ensure that IT is the first port of call for all decision makers within the organisation. On the changing role of the CIO, he says, "The role of the CIO is definitely changing and far transcending IT and going on to be a catalyst's role in technology enabling any organisation. Leadership, in that context, would imply carrying people, not only the IT team but large chunks of the business personnel as well."

What is in store for the future

Dutta feels that five years down the line, he will be busy spreading the vision of holistic thinking, be it through lectures, articles or any other medium. “I would like to work for another two to four years and then get involved with spreading the message of holistic thinking. I am an avid believer in holistic thinking and I would like to spread it to different avenues,” says Dutta.




Rajeev Bhadauria | Director (HR), Jindal Steel Pvt Ltd

“Prashun’s Style is Truly Democratic”

Rajeev Bhadauria is the head of HR at Reliance Infra. He has worked with Prashun Dutta for more than nine years. Bhadauria speaks to Atanu Kumar Das on what makes Dutta an efficient leader and a charming personality.

How do you see Prashun Dutta as a person?

Prashun is a true embodiment of modality. He is a very modern person and has a scientific temper. He is a very learned person and is very intellectual. Whenever you have a conversation with him, you understand the kind of knowledge he has on varied subjects and people are mesmerised by that. I have been associated with him at Reliance Infra for nine years and we have had several discussions where I got to learn a lot from him.


What is Dutta's style of working?

I must say that his style of working is very versatile and he encourages participation. He has always ensured that his team gets involved in each and every project and he takes inputs from every individual. I would say that his style of working is very democratic and this makes him different from any other boss. People can approach him without any inhibition and this quality is very important to have when one wants to lead from the front.

How do you rate him on the leadership scale?

On a scale of 10, I would rate him at seven or eight. If we talk about the professional front, he has so much knowledge to share that anybody would love to have a discussion with him to know more. In terms of the personal front, he brings in a lot of joy and motivation, which are very important traits. He can transform the way people work and he has used IT to the best of use at Reliance and everybody lauds him for his efforts in the company. He is very creative and has out-of-the-box thinking. Another important thing about Prashun is that he doesn't carry a baggage and can react positively to any situation that comes in front of him.

What are the things that you have learned from Dutta?

I have learned the concept of holistic thinking from Prashun. He really understands how to define vision for life and he has made me understand it by giving numerous examples. He knows the difference between the forest and the trees and he ensures that he transfers his knowledge to the next generation.

Any other things you would like to share about him?

Prashun sings very well and is an avid sportsperson. He likes to play badminton and is also associated with table tennis and lawn tennis. Moreover, nowadays he has started going to the gym regularly and I was one of the guys who forced him to do so. In my eyes, Prashun is a true Bengali Bhadralok.

“Dutta has always ensured that his team gets involved in each and every project and he takes inputs from every individual.” Rajeev Bhadauria, Director (HR), Jindal Steel Pvt Ltd



Shripad Zare | Head-MIS and Process Automation, Corp IT, Tata Power

“Dutta is a Great Boss to Work With”

Shripad Zare is presently working with Prashun at Tata Power. In an interaction with Atanu Kumar Das, Zare discusses the value add that Dutta brings to the table and how he is transforming business at Tata Power.

Prashun has recently joined Tata Power. How has your association been with him in the last six to seven months?

In the last six to seven months, a plethora of changes have been initiated by him in the Information & Communication Technology (ICT) area. He has initiated key strategies and structural changes for creating a business focus. To facilitate closer interaction and collaboration he has assigned dedicated account managers and delivery teams to enable propagation of ICT in Tata Power. Prashun believes in inclusive growth in ICT and that is what is getting practised in Tata Power since he has joined. He believes that ICT is not something which is different from business. He believes that the key in transforming the business lies in bringing more and more areas not covered hitherto under the ambit of ICT systems, thereby enhancing the penetration of systems in business. Thus most of the data, information and knowledge becomes available through ICT systems, thereby making them “the first port of call” for business users.

What are the new things that are being implemented in Tata Power?

Enhancing existing and bringing new processes around ICT systems across the enterprise to handle both structured and unstructured data is the major thrust. State-of-the-art ICT systems are being selected for the purpose. Extending ICT infrastructure to the next level of maturity to ensure high availability and ease of operation continues to be another major focus area. Consolidation and integration of technologies and ICT systems to ensure long-term sustainability continues to be a priority agenda.

How is Dutta as a boss?

Prashun is a person who is not prejudiced, a good listener and open to learn. He is very friendly and approachable. He brings in such a rich experience (both professional and academic) to the company that there is a lot to learn from him. He is a great mentor on not just professional issues but on varied topics. He encourages everybody to do their bit, thus improving the team work. In our short association I have learnt that to be a good boss, one needs to be patient and confident about his team.

“Prashun is a person who is not prejudiced, a good listener and open to learn. He is very friendly and approachable. He is also a great mentor” Shripad Zare, Head-MIS and Process Automation, Corp IT, Tata Power




C&L SECTION

Special section: Leadership

“Earn your leadership every day.” —Michael Jordan


Introduction

CIO&LEADER

This special section on leadership has been designed keeping in mind the evolving role of CIOs. The objective is to provide an eclectic mix of leadership articles and opinions from top consultants and gurus as well as create a platform for peer learning. Here is a brief description of each sub-section that will give you an idea of what to expect each month from CIO&Leader:

My Story (page 40)
The article/interview will track the leadership journey of a CIO/CXO to the top. It will also provide insights into how top leaders think about leadership.

Leading Edge (page 42)
An opinion piece on leadership penned by leadership gurus. Plus, an insightful article from a leading consulting firm.

Me & My Mentee (page 45)
Cross-leveraging our strong traction in the IT Manager community, this section will have interviews/features about IT Managers and CIOs talking about their expectations, working styles and aspirations. In this section, a Mentor and a Mentee will identify each other’s strengths and weaknesses, opine on each other’s style of functioning, discuss the biggest lessons learnt from each other, talk about memorable projects and shared interests.

The Best Advice I Ever Got (page 48)
Featuring a top CIO/Technology Company Head and the best guidance/recommendation he received with respect to his personal or professional growth. The advice could relate to dealing with people, managing personal finance, and balancing work and life.

Top Down (page 49)
This feature focusses on how CIOs run IT organisations in their company as if they were CEOs. It will comment on whether IT should have a separate P&L, expectation management of different LoB heads, HR policies within IT, operational issues, etc. This section will provide insights into the challenges of putting a price on IT services, issues of changing user mindset, squeezing more value out of IT, justifying RoI on IT, attracting and retaining talent, and competing against external vendors.

Shelf Life (page 51)
A one-page review of a book on leadership.


Top Down

Max Gabriel | Senior VP and CTO, Pearson India

IT in Education

Max Gabriel, Senior VP and CTO, Pearson India, believes that digitising content will go a long way in helping the education sector.

One of the biggest challenges facing the education industry today is digitising the content and making it available for educational purposes. Pearson, one of the largest and oldest educational publishers globally, is now working towards digitising most of the content that will be useful for educational institutes in India. When I came to India about a year back, I had a clear mandate that we need to use IT to the fullest so that it can benefit the schooling fraternity in the country. We have recently tied up with Micromax and are offering useful educational content on tablets to many educational institutes in the country. We have already covered 15,000 schools and the number is only going to increase in the coming years. Learning today has become very social and teachers are using many social mediums to educate the students. Pearson also wants to cash in on this and invest more time and create tools that can help students to interact with the educational fraternity and get the most out of it. I have been working with the IT team to develop the necessary tools that would enable us to tap the varied schooling environment in the country.

The education market in India is huge and we would witness more digitisation in the coming years and Pearson is gearing up to meet the challenges. My prerogative at Pearson is to ensure that I provide the right IT infrastructure for the organisation. In the last 12 months I have done a lot of travelling to understand the needs of the schools in the country and help develop tools which can be readily used by the educational institutes. Another important factor which I notice is that since we have so much to do, we always need to be focussed, otherwise we will end up doing things which are not required. As a CIO I always believe that we should identify the things that are not important as this would help us in only doing things which would yield results in the future. I am hopeful that in the coming years there will be lots of challenges that we would be facing and I am all geared up to tap this ever-growing education market in the country.

— As told to Atanu Kumar Das



My Story | Ashish Pachory

No Room for Error for Today’s CIOs

In an interaction with Atanu Kumar Das, Ashish Pachory, CIO, Tata Teleservices, shares his perspective on various aspects of becoming a successful CIO. Ashish Pachory is the Chief Information Officer at Tata Teleservices. Pachory has extensive experience in aligning IT solutions to an enterprise's business needs.

As a CIO, how have you ensured that IT acts as a profit-making department for the organisation?

I began by defining a clear statement of purpose, which was simply this: IT exists to make the business succeed. Period. If this is demonstrated in the day-to-day behaviour of the entire IT workforce, you have already taken a major first step towards integration of IT with business. A major part of the difficulty in settling down into a senior role is overcoming perceptions built about you. This gets compounded if you try to establish yourself by asserting your superiority. I was always keen to learn from everyone, regardless of their function or level in the organization. I also never had a problem about consulting much younger colleagues about a problem I was grappling with, even if it was not in their function or domain. I do not believe that only seniority and experience bestow wisdom. This has helped me not just to build knowledge but also in bonding with people.

What traits do you look for in a leader?

It may sound bookish, but the one trait that leaders, CIO or not, must have is a burning passion to achieve their mission. No one wants to work for, or with, a listless leader. I discovered early that in the CIO role it’s not so much about what I do, but what I inspire. Being passionate about your goals is the best form of inspiration you can provide. I was very conscious of this right from the start and am very proud today to have a very energised team, driven by extraordinary commitment. It always works from the top down. It was also imperative to achieve strong integration with the business, given that IT plays such a key role in enabling business processes and influencing business outcomes. This led me to derive the goals and priorities for the IT leadership team directly from the business goals. Next, we regularly share with business where we are through a set of business-facing metrics and are perfectly flexible in our processes to adapt to the changing business climate. The IT leadership team is measured – among other things – on the time they spend with the business teams, including joining the teams in meetings with end-customers. This helps us attain a common perspective and a first-hand feel of the pain points that can then be ingrained better into the IT strategy and delivery methodology.

What motivates you on a day-to-day basis?

At Tata Teleservices, the core IT team is not a very large team. It was therefore not difficult for me to make sure that every person in the team is an empowered stakeholder in the business outcome. This in itself becomes a very strong motivator that keeps the team energized and focused. And I know it works, because I have the same involvement and empowerment from my superiors in the company, and it makes me feel very good about what I do.


Ashish Pachory | Interview

5 points

1. Achieve strong integration between IT and business
2. A CIO should have a burning passion to achieve his mission
3. Every person in the team should be an empowered stakeholder in the business outcome
4. A CIO should begin any project with a clear statement of purpose
5. A CIO can play a constructive role in shaping the future of business as well as the larger community

What has been the biggest challenge for you professionally?

My big challenge professionally was to find my bearings while making a tough transition. I had to hit the ground running with zero margin for error. It cannot be described as one single incident. Each day came with its ‘incidents’, and every such incident posed threats. There were mistakes made and lessons learnt – as it continues to happen even today. But looking back, this also made me fuller and richer in experience, and better prepared to handle the future. My advice to aspiring CIOs would be to expand their horizons beyond technology. It is not easy as that’s our comfort zone with most of our lives spent in it. It is important to relate to people, feel their pain and be a trustworthy partner in their own missions. Technology is just a tool to sculpt your masterpiece, not the masterpiece itself.

Any word of advice you have for CIOs?

As a final word, I would like to assert my belief that the present is the best time ever to be a CIO. Look around yourself. There is so much riding on technology, particularly information technology. Hence as CIO you can play a very constructive role in shaping the future of your business as well as the larger community. I find that to be a great feeling, and it’s what keeps me going.



Leading Edge | Michael Bloch, Brad Brown, and Johnson Sikes

Elevating Tech on the Boardroom Agenda

Boards are starting to guide management by asking the right questions about technology

By Michael Bloch, Brad Brown, and Johnson Sikes

Businesses are becoming increasingly digital, and it’s not just a matter of process automation or resource-planning systems. Technology trends such as big data, cloud computing, mobility, and social media are giving rise to new marketing and operational capabilities. Indeed, technology has become too embedded in the fabric of the business—and too critical for competitive performance—to be left to the IT function alone. As a result, many senior-executive teams have been called upon to get involved in technology issues. Boards are also beginning to take a strategic view of how technology trends are shaping their companies’ future. More boards than ever before are asking questions that ensure executives focus on the right issues. Deeper board involvement is also serving as a mechanism to cut through company politics and achieve endorsement of larger, integrated technology investments.

The value at stake from getting technology right is typically quite large. Recent research indicates that about half of M&A synergies depend on IT, which makes it a core driver of deal success.1 The risk of cyberattacks is another area that can directly affect both operations and the broader brand or business reputation. In fact, some boards are beginning to direct their risk committees to oversee cybersecurity issues.2 There are also many other competitive opportunities and threats that are driven

by technology trends, such as new entrants causing industry disruptions with radically different cost structures or game-changing innovations. What’s more, major corporate investments or transformations, such as supply-chain or operating-model transformations, often have a major IT component that can imperil delivery if anything goes wrong.

A constructive IT role for boards

It’s not surprising that many corporate directors and senior executives would like boards to have a more frequent and more constructive role in IT strategy. In a McKinsey survey of corporate directors, more than half said their boards had one technology-related discussion a year or none at all. Almost half of the survey respondents indicated that this level of attention was insufficient (Exhibit 1). Moreover, a separate McKinsey survey of executives suggested a significant gap exists between the conversations their boards ideally should be having and the ones the boards actually were having. For example, more than half of the respondents said their boards should discuss forward-looking views of technology’s impact on their companies’ industries. Less than 30 percent reported that their boards had these discussions (Exhibit 2). Given the importance of technology, many companies are considering a more structured approach to board engagement. In our experience, this involves new forums, new thinking about board organization and about interfaces with management, and, when needed, an infusion of talent so that the board includes people with better knowledge of technology.

How CIOs can raise their board game

Indeed, some national governance bodies agree. South Africa’s code of company governance, for instance, now mandates regular interactions between boards and executive management on technology topics,3 making the country one of the most advanced in this regard. Boards can take a number of measures to engage management on technology issues:

Sponsor periodic reviews of technology’s long-term role in the industry. Some boards are taking responsibility for the big picture by engaging in forward-looking conversations about how technology affects the industry and what the implications are for their companies. Some companies may have a CIO or other senior executive who can facilitate such a discussion. Those that don’t, and those that prefer an outside view, involve external experts who can help generate a discussion about technology trends and topics that can inform current and future strategies. Given the rapid pace of change, such big-picture discussions should take place every 12 to 18 months—or more frequently if necessary. The CIO of one financial institution, for example, requested substantial investment to modernize legacy software platforms and develop new capabilities in advanced risk analytics across the business. In response, the board looked for an outside perspective and arranged a presentation and discussion rooted in the company’s industry context. The presentation, which looked at recent trends, found that while a new type of player—large, highly tech-enabled and data-driven companies—was emerging in the commercial market, there would still be room for a sizable number of smaller players with varying technology capabilities. The presentation also highlighted leading practices applied by other companies and drew on developments from other sectors in using data and analytics to improve customer segmentation and risk assessment. By engaging the board with these perspectives and then discussing the implications, the company gained a better understanding of its business-technology gaps and the investments that would be required to close the most critical gaps. As a result, the CIO received funding for substantial expenditures in the next corporate-investment cycle.

Establish board reviews of the IT portfolio and major projects. Some boards are also beginning to introduce an annual “state of the union” report on the company’s wide-ranging IT capabilities and infrastructure and how they support corporate strategy and operations. This is essentially a review of the entire IT portfolio’s alignment with corporate and business-unit strategy, focusing on major IT systems and components. These often include core business systems (for example, enterprise resource planning, customer relationship management, and industry-specific systems), as well as the company’s IT operating model and resource strategy. The review should also look at ongoing issues and projects, like cybersecurity and major transformational efforts, which often have a substantial IT component. Moreover, the review should include discussion about IT talent and CIO succession plans. For greatest impact, this report should feature joint presentations by IT executives and corporate and business-unit managers. Boards also need to more frequently review major business projects that have a significant technology component. One company, for example, is rolling out a massive systems-transformation project, estimated to cost several hundred million dollars and representing the company’s largest investment over a five- to ten-year period. Given the importance of this effort, the board conducts regular progress reviews with the project leader, who is supported at these reviews by the CIO and the head of the business area.

Leverage technology-savvy board members. Greater board involvement in technology matters means that corporate directors, just like CIOs, have to raise their game. Many more boards are seeking to better understand technology issues and their business implications than they have in the past. For boards that are lacking in this regard, there are ways to build the expertise that will enable them to have constructive dialogues with IT. One approach is to bring on, over time, more board members with technology backgrounds who can help start these conversations more organically during the course of board meetings. A recent report from Spencer Stuart4 indicated that 20 percent of boards are actively looking for directors who have this expertise. Finding the right board member can pay significant dividends. This is borne out by survey results (Exhibit 3) and our client experience. Some boards are also considering their own “technology boot camp” training sessions, much like the risk or accounting training that some boards conduct for committee members. Although this will not turn board members into experts, it would give them a chance to become familiar with the core issues.

Strengthen the technology governance structure. While boards often need to improve their technology expertise, there are also structural steps that can make them more effective stewards. One is to create a technology-focused committee to ensure more frequent and directed discussions on these topics. Twenty-two percent of survey respondents reported that their companies’ boards had a committee responsible for technology oversight. It is important to remember, however, that delegating this work to a committee does not relieve the full board of broader responsibilities, such as discussing technology trends. Another way to strengthen technology governance is to delegate risk-related technology issues to the board committee that oversees company risk. Many boards already consider some technology topics in their audit reviews. However, they could expand oversight to conduct risk reviews of systems and review the operational risk from business processes dependent on those systems. They could also review how company data are used and how these data are safeguarded, as well as discuss concerns about broader cybersecurity issues. A UK group has tasked its board’s audit committee with overseeing technology risks. The group COO reports regularly to this committee. In addition, the audit committee regularly asks the company’s internal audit department to examine the IT-security strategy and report on its findings. The committee then mandates the group COO to report on the measures being taken to fill existing gaps.

Technology is becoming increasingly important to corporate strategy, and boards have a crucial role to play as trusted advisers. That means engaging continuously in discussions about technology trends and the company’s technology portfolio, as well as building the expertise of corporate directors and creating structures that strengthen IT governance. Now is the time to act.

Exhibit 2 (chart rendered as text): Board priorities appear to be misaligned. What technology- or IT-related issues, if any, are the most important ones addressed by your organization’s board of directors? Percentage of respondents, n = 927; the chart compares the issues boards currently address (“Current”) with those respondents consider they should address (“Ideal”). Items shown: forward-looking discussion of how technology will affect your industry (Current 28, Ideal 53); approval or review of very large IT projects; yearly discussion on how IT enables broader business strategy; security- and risk-related issues; IT talent, succession, and mentoring; the board does not address technology or IT issues; don’t know. Source: Dec 2011 McKinsey survey of executives.

Michael Bloch is a director in McKinsey’s Tel Aviv office; Brad Brown is a director in the New York office, where Johnson Sikes is a consultant.


me & my Mentee

MENTOR: Anoop Handa, Executive VP/CIO, Fullerton India

MENTEE: Karandeep Singh, Director - IT Management, Aon Hewitt

Mentoring is About Leading by Example

What exactly is mentoring?

Anoop Handa: Mentoring is about the mentor’s ability to demonstrate himself what he desires from the mentee. The mentor should be able to do what he preaches; otherwise the mentor-mentee relationship would not be sustainable. The mentee should look upon you as a role model; only then will he take your feedback seriously. In his actions, work habits and daily behavior, the mentor should act as a role model for the skills he wants the mentee to imbibe. If the mentor is not demonstrating an experience which he wants the mentee to learn, then this process won’t be successful. Secondly, the talking part is also important. The mentor should have an ongoing dialogue with the mentee on where he wants to excel and how. One can’t leave everything to the practical aspect with the assumption that the mentee will learn with experience. The talking part has to be in combination with action. But how does a mentor apply this rhetoric in practicality? I firmly believe he should keep a select group of employees (also mentees) with him when he is dealing with important stakeholders. This can be even if those employees have no direct correlation with the stakeholders. The mentee’s physical presence when the mentor (read CIO) is having a conversation with vendors or supervisors will help him pick up the skills of how to discuss contractuals, pricing negotiations etc.

Karandeep Singh: Talking is not mentoring; mentor-mentee is a guru-shishya kind of relationship. It’s about the hands-on learning that you get in an office environment. Ideally, the mentor should trust the mentee about the successful completion of the assignments. The trust in the mentee should be to such an extent that he takes it for granted that the job will be done. There are two types of reporting structures. One is restricted to live reporting in terms of what’s going on: the conventional one. The other relationship is of a different kind. It’s about a professional approach, but more about how two colleagues gel with each other and work together as a team for the growth of the organisation and of the two individuals involved. This is truly a mentor-mentee relationship. Mentoring is also about the charisma that the mentor carries with him. His persona makes employees follow him. It also depends on the mentee. In my experience, the mentor would be interested in providing guidance, but how you take things from him is a different situation for everybody. Leaders are everywhere and they like people to learn from them. But it is also on the mentee to catch the learnings on his side.

What are your expectations from the mentee/mentor?

Anoop Handa: The readiness of the mentee to learn and accept feedback is the primary expectation. The CIO has to identify employees in the team who accept and are open to feedback, whether positive or a consultative approach directing the mentee to work on areas of improvement. There are certain team members who are not comfortable with the feedback-exchange concept altogether.

Karandeep Singh: The mentor should be a guide for your life. It can be about office-related or out-of-office matters. The decision taken by the mentee can be against the opinion of the mentor, but he should always be ready to guide and give his version of the situation.

How would you explain the working style of your mentor, Anoop Handa?

Karandeep Singh: He keenly listens to and understands what you are trying to do and communicate. After careful questioning, he will reach the moot point and then arrive at a logical conclusion. It can be about a professional or a personal issue. Apart from IT and other cross-functional teams, he keeps a good connect with the business leadership team too. As far as project work is concerned, he owns up and delegates responsibilities end to end and avoids any interference in the daily execution. He allows the mentee to take the lead and execute the task with his individual approach. Having said that, he will also ensure that, at any point of time in the execution stage, the situation is not going out of hand. Another unique part of his working style is sending proactive updates to the business. As the owner of the project, he will make it a point to keep the business updated about the progress of the project at regular intervals and as per the requirement. Thus the business leadership appreciates his presence because he is the only person who would proactively send updates to the business on what’s happening in the organisation on the IT front, what the next steps are and the timelines we are approaching, without anybody asking him for it. This is the reason why the IT department is in the limelight: the business is aware of what’s happening in our department. So, it’s not only about updating on the progress but also about completing the task given. His work speaks for itself.

Tell us about the experience of working on common projects.

Karandeep Singh: Within the office, we jointly worked on setting up the entire datacenter. It was a three-month project. Additionally, establishing the call centre, CRM and sales force automation, and integrating them to work seamlessly, was a major challenge that we overturned. Anoop would listen to the issues faced on integration and try to decipher the root cause. When needed, he also brought the vendor into the dialogue with the internal IT team and solved the issues. He aptly took the responsibility and resolved the problem in collaboration with us and the vendors. Anoop gave me the opportunity to represent the IT department and do the reporting in front of the top management about the ongoing and future activities. By doing this, his objective was to prepare the next line of IT leadership. One more trait of his that I highly admire is that he always attributes the achievements to a person and accordingly acknowledges them in front of the CXOs at regular gatherings, meetings etc. For example, this person solved the nagging issue during the datacenter set-up, or he was the one who should be credited for the successful completion of the XYZ project. On the personal front, he used to hear our side of the story and always suggest how his approach would have been had he been in our position. Still, he would ask us to take our independent decision.

Where do you want your mentee to be and what are your aspirations about the career growth path of the mentee?

Anoop Handa: Link him to the succession plan. You have to leave a successor. It helps both. In terms of people whom you are mentoring, they get the opportunity to grow and the CIO can also move forward in accepting bigger responsibilities.

How do you identify the strengths and weaknesses of your mentee?

Anoop Handa: I think the constant contact with the team, the keenness to observe, and the day-to-day experiences while he is working on a project, issue, challenge, strategic footprint etc. go a long way in identifying the strengths and weaknesses. The CIO has to observe where he is excelling and in which areas he requires coaching. I believe the day-to-day observations are important. It’s not only about what he is doing but how he is doing it. The moment you focus on the ‘how’, you can easily find out where he is lacking. Karandeep was a very good technical resource. After doing all the ground work and research, he would find the best possible solution from the market. What I found lacking in him was the ability to connect the technical knowledge with business implications and present and showcase the technology project proposals to the top management in business parlance. The presentation skills, being in front of the senior team and asking for proposal approvals based on the ground work, were a kind of improvement area. In many instances, he came back without getting a go-ahead for certain projects that he proposed. Also, the CFO always wanted me to accompany him for meetings. They felt he was not comfortable discussing the financial aspects or strategic initiatives. Even Karandeep suggested I accompany him to the meeting because he knew I could plug the gap where he lacked. I recommended that he go alone and, if the need arose, I would join in. I asked him to focus on learning about the business benefits from a particular IT project, to understand the RoI and TCO fundamentals and present them before the CFO. Over a period of time, these incidents started reducing. He was really elated when he got the first project approval from the management single-handedly. In this instance he proved the financials and rationale for handling the internal email internally with the domestic infrastructure rather than on a cloud model, given the number of users we have and also the kind of business we are in. Thus now, if I look back from when he joined, he has graduated his thought process to linking technology with business. He is in a position to make a business case about a technology project, prove the financials in RoI and TCO terms and get it sanctioned. This has been possible due to his enhanced understanding of the business–technology linkage.



The best advice I ever got

Vishwajeet Singh, CIO, Epitome Travel Solutions

“Never Give Up on Anyone”

There have been numerous pieces of advice that we receive from different quarters of life, but some stick with us through our lifetime. One such piece of advice that changed the way I perceived things came from my previous boss when he said, “never give up on anybody.” Let me share the experience, which I had a couple of years back. There was one employee in the organisation who was not performing, and I was fed up with him; I thought that there was no way I could keep this employee in the organisation, and I had made up my mind to sack him. I went to the CEO of the company and said that I would like to sack an employee from my department as he was not performing, and in that way I would also save some cost for the company. The reaction of the CEO took me by surprise. He asked me how I would feel if the CEO wanted to sack me as an employee. I had never thought of that kind of reaction from my boss, and I said that I would definitely feel bad. The CEO then explained to me that when we hire an employee it is our job to ensure that we get the best out of him/her. Every employee can give his share of expertise to the company, and as a mentor and leader we should have the capacity to extract the best from the employee. I then realised that it is imperative for a leader to show true leadership quality and not give up on somebody, and to try and understand the employee who is not able to perform and come up with ways in which he/she can give his best to the company. This experience really changed me as a person, and I went back to my desk and started to think about what the CEO had just told me. From that day onwards I started to look at handling manpower in a different way, and I used to come up with innovative approaches that would excite my team to work to their potential. If somebody was having any problem in performing, I would spend more time with that person and try and understand what problem that person was facing. As the head of a particular department, it is our duty to ensure that every employee has a convenient environment to give his best, and I started to ensure that in my work life. I am glad about what the CEO told me that day because it has made me a better person and has enabled me to think from a different perspective and try and understand the problems of others. We should not run from the problem but try and come up with solutions, even if that means going that extra mile to achieve it.


OPINION | David Lim

Common Negotiating Mistakes Losing Thousands on the Bargaining Table

One of the quickest and best ways to increase your negotiating ability is to eliminate the common errors made by many of the most experienced negotiators. An examination and constant review of the common errors listed here will help you eliminate these errors from your negotiating style and help make you a more effective negotiator in Asia.

1. Underestimating your own power or strength in a negotiation
Because of the complexity of most negotiations and the many factors which affect power in a negotiation, studies have indicated that most negotiators tend to underestimate their own power in a negotiation. You are aware of the limits to your power in a given negotiation situation, but are often unaware of the limits to the power of the other party. There is a consistent tendency to underestimate your own power in a negotiation. In that sense, if you come from a non-Asian culture which insists on things being said all the time, you may miss calibrating the other side’s nuances. A Japanese executive may say “this will be a bit difficult” when he actually means “this is not going to happen at all”. Sometimes silence after a preliminary position is taken is a wise move, as both parties sit back momentarily to absorb the information. Sometimes, if the suspense is too great, the first party that proffers a concession, a sweetener, will be the one losing money at the end of the meeting.

2. Jumping to a conclusion
One of the most common errors made in negotiations is jumping to a conclusion or making assumptions rather than getting the full facts involved. A good example here would be assuming what the other party’s needs and desires are, rather than skillfully probing with questions to determine precisely what they are. Rather than assuming, the skilled negotiator becomes more effective by asking probing questions which can sometimes determine the real needs and desires of the other party. In team negotiations, awareness of who the more talkative members of the other party are may allow you to engage them such that they inadvertently reveal more than they had anticipated. For example, they admit that they are running short of time as an event for which the vendor was being assessed has been brought forward. If you are a vendor, and have already engaged them for some time, the other party may feel too invested to start the process all over again. This knowledge, if extracted, can be immensely useful. The skilled negotiator avoids jumping to a conclusion.

ABOUT THE AUTHOR: David Lim, Founder, Everest Motivation Team, is a leadership and negotiation coach, best-selling author and two-time Mt Everest expedition leader. He can be reached at his blog http://theasiannegotiator.wordpress.com, or david@everestmotivation.com

3. Focusing on position, not interest
One of the most significant findings to come out of the Harvard Negotiation Project was the understanding that a very common error in negotiation was to focus on the other person’s position, without looking behind that position to the real needs and interests of the other party. The much-quoted example is the two daughters arguing over the last orange in the house. They each were concerned only about the other’s position. That is, “I want the orange.” A wise father, hearing the dispute, handed one of the daughters a knife and asked her to slice the orange in half, indicating that the other daughter would then select which half she wanted. A brilliant solution? Not really. Because, you see, each of the daughters got only one-half of what they could have had, had they taken the time to look at the interest behind the position. One of the daughters wanted the orange for juice; the other needed the peels for baking. Now, you might suggest that this is a very simple example, and that most experienced business people would see through it and not make that mistake in the business-negotiating environment. However, in numerous business simulations, participants get caught up in positional arguments, and then may feel they have to continue behaving in a way consistent with that position, leading to a lack of clarity as to their interests. On a global scale, some of the seemingly intractable problems in the Arab-Israeli conflict have to do with parties adopting entrenched positions, rather than looking at mutual interests. Anwar Sadat’s historic break from this positional way of looking at issues led to the landmark Israel-Egypt peace deal, which has led to nearly 30 years of peace between the two countries.

4. Entering a negotiation without a BATNA
Fisher and Ury, in the popular book Getting to Yes, point out the extreme importance of determining a BATNA — Best Alternative to Negotiated Agreement — before entering any negotiation. The only reason to negotiate in the first place is to arrive at a conclusion that is better than that which would be achieved without the negotiation. If we take the time to analyze our BATNA, we will then know clearly what our “best alternative” is. In the case of a business dispute, your BATNA might be a lawsuit and subsequent trial. In the case of negotiating the cost of a financial consulting project, your BATNA might be using another consultant. Don’t fall into the trap of cumulatively looking at all options and seeing the many different benefits inherent in all of them. You will not have the option of all of them and, therefore, it is necessary to weigh your current negotiation situation against the best alternative to a negotiated agreement. One of the major advantages of having a BATNA in every negotiation is that it helps you determine your negotiating philosophy; whether one is “hard” or “soft”, “firm” or “flexible” now becomes largely a consideration of how strong a BATNA you have. An extremely strong BATNA allows you to use the more risky tactics of “walkout” or “take-it-or-leave-it.”

5. Getting hung up on a negotiated item
In practically all negotiations, there is more than one item to be negotiated. Whenever this is the case, the skilled negotiator realizes that they need not be hung up on a single negotiated item. Price might be a good example. If price becomes a non-negotiable item for one side in the negotiation, the other side could concede price negotiations if they got concessions that accomplished the same thing in the areas of interest rates, payment plans, quality and content specifications, etc. The experienced negotiator looks at the total package and is not hung up on a single negotiated item. In Asian societies, which often value the relationship ahead of the transaction, sometimes being too tough over one single item can sour an otherwise profitable relationship.

6. Assuming a fixed pie
Many negotiators view each negotiation as a fixed pie. Anything I gain, you lose, and vice versa. Actually, however, this is not the case because of the many variable factors in the negotiation and the relative value of each of those factors to the various negotiators. Someone may concede on price to the other party who holds price as perhaps the key item in the negotiation. However, that concession on price may have been achieved through the price-sensitive party conceding something that was not price related – for example, on the speed of delivery, exchange of documentation, and so on.

David Lim is a leadership and negotiation coach and can be found on his blog http://theasiannegotiator.wordpress.com, or subscribe to his free e-newsletter at david@everestmotivation.com


SHELF LIFE

“We stumbled upon a new way to understand great leadership and an innovative method for any leader to become great.” — Dr. Travis Bradberry

Leadership 2.0

In today’s fast-paced world everyone is searching for tools that can help them to rise above the rest Great leadership

is impulsive; it melts unique skills into an incorporated whole. But, still it is difficult to understand a great leadership. One might come face to face while working with a great leader, but sometime even he or she finds it difficult to explain what are the ingredients required to become a great leader. The recent published book by Drs. Travis Bradberry and Jean Greaves, authors of Emotional Intelligence 2.0, share discoveries based on an extensive study which separate result oriented leadership skills from inconsequential or harmful. The book introduces a new epitome of leadership. It help readers to understand leadership. Besides it could be a used as a guide for leaders to innovate methods to become great. The study pinpoints 22 critical leadership skills. After comparing each of the skills with other the authors discovered that all of them can be categorised into two parts. First are the skill sets that help people to get into a leadership place. These skills are called core leadership skills as they form the very basic of a productive and solid leadership.

Second are the skills that people use to rise above the rest. These skills, called adaptive leadership, create dynamic and agile leaders. Such leaders are effective in any environment. The book highlights that core leadership skills can ensure building blocks and help a people to get promoted into a leadership positions. Only these skills won’t make a great leader on its own, but one would not be able to do much without these skill sets. An experience leader will recognise the core leadership skills and take a fresh look at their day to day skills. On the other hand, core skill will help an aspiring leader to cast their own blade. Core leadership primarily includes strategy, action and results. Similarly, the adaptive leadership skills set great leaders apart from the rest. These skill sets represent unidentifiable skills that great leaders have often in common. Adaptive leadership enables true excellence by combining unique skills, perspective, and efforts. This includes emotional intelligence that capture awareness of self and others, and use it to manage and form quality relationships.

ABOUT THE AUTHORs Drs. Travis Bradberry and Jean Greaves are the awardwinning authors of Emotional Intelligence 2.0, and the cofounders of TalentSmart.

Leaders, like most people, tend to view themselves in a more favourable light than others do. The fact that even great leaders often overestimate their adaptive leadership skills shows that these skills are tough to master; as a result, only a few have honed them adequately. Adaptive leadership skills therefore present a good opportunity for leaders to set themselves apart and take themselves to the next level. The test is one of the cool features of the book. It asks around 70 questions and takes 20-30 minutes. The feedback on the result is powerful in increasing self-awareness of one's leadership qualities and helps in focusing on and fine-tuning the key areas of leadership. The best part is that it guides the reader on which skills to work on and points out the strategies that will help improve the required areas. The book will definitely help aspiring leaders, and anyone willing to climb the ladder of leadership, to identify their skill levels and build them into strengths. After adopting the strategies highlighted in the book, one can take one's leadership skills to new heights.

November 2012

51



NEXT HORIZONS

Features Inside: DDoS Attacks on the Rise: Prolexic Report (Pg 55); Digital Forensics for Handheld Devices (Pg 57); More

Israel vs Iran: The strategic importance of the 5th domain, the cyberspace

By Pierluigi Paganini

Time passes and the dispute between Iran and Israel is becoming increasingly complex to manage. Apparently everything seems crystallised, waiting for one of the contenders to make the first move; in fact, both states are boosting investment in the development of their cyber capabilities. Cyberspace is the domain in which both countries are trying to offend their adversaries. Recently Israel's Channel 2 reported that the Israel Defense Forces is planning to double the number of members of the well-recognised Unit 8200, the Israeli Intelligence Corps unit responsible for collecting signals intelligence and for code decryption. The unit is responsible for conducting both defensive and offensive operations in cyberspace, a domain considered fundamental by the Israeli government. The Israeli cyber unit is considered one of the most active in the creation of offensive tools; the majority of security experts blame it for the creation of the Stuxnet virus in a joint venture with the US. Stuxnet is not the only malware designed to attack a foreign state through cyberspace: the recent analysis of the Flame malware demonstrated an intense cyber espionage activity in the Middle East area, and in this case too the support of Israeli cyber units appears highly probable.

A conflict in cyberspace is very difficult to engage in. In many cases a country suffers continuous cyber attacks that appear to be conducted by state-sponsored hackers, but there is no certainty about their origin; we must also consider that it is possible to intentionally mount a series of offensives against a state so that the blame falls on nations not really involved. The strategy of misinformation is considered one of the primary options in a case of conflict. When we speak of cyber war we must be really careful, because collecting evidence of attacks is hard. During the last Cyber Threat Summit in Dublin I presented my research "The rise of cyber weapons and relative impact on cyber space", highlighting the expenditure of the main countries that we consider most advanced in the cyber warfare scenario. The US, China, the UK, Iran and at least 140 other states all over the world are currently working on the creation of a new generation of cyber weapons; despite the substantial cuts in military spending due to the global crisis, these investments in cyber warfare are increasing in an impressive way.

Cyber budgets of the main countries (sidebar):

NATO (2012, 58M €): Improve the cyber capabilities. Upgrading the cyber defence capabilities and enabling the NATO Computer Incident Response Capability (NCIRC) to achieve full operational capability by the end of 2012.

USA (2013-2017, 1,548 $): With a cyber budget of $1.54 billion from 2013 to 2017, DARPA will focus increasingly on cyber-offence to meet military needs.

UK (2012, 650M £): Extra investment to develop deterrents to hostile viruses and hackers.

Israel (2012, 13M $): Expense of more than $13 million in the coming years to develop new technologies for cyber defence.

China (2011, ?): Estimating actual PLA military expenditures is difficult because of poor accounting transparency and China's still incomplete transition from a command economy. Using 2011 prices and exchange rates, DOD estimates China's total related spending for 2011 ranges between $120 billion and $180 billion. China's cyber security market will expand remarkably in the coming years, from a valuation of $1.8 billion in 2011 to $50 billion by 2020, representing a dramatic compound annual growth rate (CAGR) of 44.7%.

Iran (2012, 18 $): In December Tehran announced an ambitious plan to improve its cyber-warfare capabilities, developing new technologies and creating new teams of cyber experts.

Channel 2 presented a technologically advanced Israel that has recruited expert hackers to join Unit 8200 with the slogan: "if you're a computer genius, this is the place for you!". Richard Silverstein, a well-known author, journalist and blogger with articles appearing in Haaretz, the Jewish Forward, the Los Angeles Times and many other important press outlets, takes issue with the propaganda of the Israeli government in an article published on Tikun Olam. The journalist remarks that a cyber attack could cause the loss of human lives and serious damage; he is scared by the fact that simply using a keyboard it is possible to destroy a critical infrastructure, interrupt telecommunications or hijack defence missiles against their owners. The author writes: "As I've written, it's only a matter of time before someone pushes a Send button and unleashes code that derails a train, causes an explosion in a power plant, or poisons a water supply. Even Leon Panetta warned of this eventuality. Only of course, he warned of someone doing it to us, rather than us doing it to someone else. We all know that the things you accuse your opponent of wishing to do to you are the same things you'd do to him given half a chance."

The recruiting of aspiring cyber experts is very effective: a network of head hunters in the country looks for high school students following an educational path characterised by a predominance of IT subjects. This is not the only way to recruit cyber specialists; social media is highly relevant, and the IDF is searching for them by analysing forums and social networks as well. The initiative of the IDF to increase the capabilities of its cyber units by recruiting youngsters is not new; just last week I wrote of a similar initiative of Britain's Government Communications Headquarters (GCHQ) intelligence agency, and even before that of the Chinese cyber army. But if Israel is recruiting new cyber units, we cannot ignore the progress of Tehran. The Iranian government is intensifying its cyber activities; in particular, fearing a powerful cyber attack, it is trying to secure the infrastructures of the country. I believe that Iran is making meaningful progress in cyber warfare and soon it will

be very dangerous, also thanks to the support of cyber mercenaries. The Iranian government is aware that the enemy is increasing cyber capabilities that it will use against vital components of the country. That is why Iran should adopt a smart civil and cyber defence strategy against these attackers, according to the declarations of the Head of Iran's Civil Defense Organisation, Brigadier General Gholam Reza Jalali: "So, threats determine the direction of our movement." "I think that utilising hi-tech is like playing in the enemy's court because it has been developed based on the capabilities of the enemy." He then said the US and Israel own a major share of infrastructural companies and hi-tech firms to the very same end. "Thus, Iran is necessitated to design a new model for cyber defense." Iran is hit daily by a large number of cyber attacks; its experts are gaining great experience in this sense, and the experts of the government are learning how to monitor foreign offensives and how to defend the country's industrial systems.

Don't forget that the country's experts were among the first, like the Kaspersky Lab team, to be able to neutralise the "Flame" virus discovered last May, using indigenous anti-virus software. Let's remind also that last April 24 the country's experts limited the effects of a series of cyber attacks against the country's Oil Ministry; Hamdollah Mohammadnejad, deputy minister in engineering affairs, according to the Fars News Agency declared: "Recently, a few number of National Iranian Oil Company (NIOC) servers were attacked by a malware, but the cyber security experts of oil industry contained it immediately." We all must be aware of the progress of Iran in the cyber warfare scenario, at least from the defence perspective; but what will happen if similar progress has also been obtained on the offensive side? Are we ready to neutralise a cyber weapon, such as Stuxnet, created by its experts? It's quite strange, but this time we are observing more propaganda made by Western governments than objective results. The improvement of cyber capabilities in countries such as Iran and North Korea must be monitored with great attention in the cyber warfare scenario. — This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

DDoS Attacks on the Rise: Prolexic Report

The report reveals an increase in the number of attacks with an average bitrate in excess of 20 Gbps, which is a worrying trend

By Pierluigi Paganini

The second half of 2012 has started with a noticeable increase in distributed denial-of-service attacks against financial institutions and banks, which has caused several problems to the victims. To face such a dangerous menace, it's fundamental to analyse the phenomenon starting from the data provided by the security firms that design solutions to protect companies from these kinds of attacks. They have a privileged point of view because they are able to collect data directly from the field, acquiring information from the systems they have installed at their customers. Prolexic is a well-known vendor that periodically publishes interesting statistics on DDoS attacks and their evolution, and with respect to the recent attacks I find the analysis in its Q3 2012 report very useful. The title of the report says it all: "Q3 2012 was defined by extremely large DDoS attacks. It is clear that bitrates of 20 Gbps are the new norm". An increased number of attacks with an average bitrate in excess of 20 Gbps has been observed, a worrying trend if we consider that the majority of companies are not prepared for these offensives. Such large attacks represent a novelty compared to the similar isolated events that occurred last year, according to the declaration of Prolexic's president Stuart Scholly. This is significant because very few companies or organisations have the necessary network infrastructure to deal with such attacks. There might be some companies with popular websites, such as Google or Facebook, that are able to handle such high-bandwidth floods, but most companies are not, Scholly said.

Prolexic is planning to respond to the new wave of attacks by upgrading the capacity of its own cloud-based DDoS mitigation infrastructure to withstand high-bandwidth attacks. The report provides an interesting comparison with the same period of the previous year and also with the data registered in the previous quarter. The scenario is worse than in the same period of last year: an increase of 88 percent in the number of attacks has been observed, but what is impressive is the efficiency of the offensives; a reduction in the average attack duration (19 hours vs. 33 hours) goes together with an increase in average attack bandwidth of 230 percent, reaching 4.9 Gbps.

What has changed with respect to the previous quarter? Although the total number of attacks declined by 14 percent, an increase in average attack bandwidth of 11 percent was registered. The average attack duration increased slightly, from 17 hours to 19 hours, and packet-per-second volume also increased by 33 percent. Prolexic classifies DDoS attacks into those targeting infrastructure (Layer 3 and 4) and applications (Layer 7); the first group accounted for 81.40 percent during Q3 2012, while application-based attacks represented 18.60 percent of total attacks. Once again China confirms the leadership

for the origin of DDoS attacks, with 35.46 percent of attacks originating from there, mainly linked to the effect of botnet diffusion, followed by the US at 27.85 percent and India at 7.8 percent. Let's note that the only South American country in the list is Brazil, but Prolexic warned of a gradual increase in botnet activity originating from that area. Prolexic noted that the high-bandwidth DDoS attacks are arranged differently from the past: the latest incidents were not caused by botnets of compromised computers but by botnets of compromised servers, exploited by attackers because of unpatched vulnerabilities in outdated architectures and applications. On the occasion of the recent attacks against US banks, Dan Holden, director of research at Arbor Networks, confirmed that the attackers were compromising PHP applications on web servers and WordPress sites using the outdated TimThumb plugin in order to deploy tools that allowed total control of the victims. "Attackers connect to the tools directly or through intermediate servers/proxies/scripts and therefore the concept of command and control does not apply in the usual manner," he declared to the CSO website. The report proposes a case study on the "itsoknoproblembro" web-based DDoS suite, the toolkit used to launch high-bandwidth attacks against U.S. financial institutions; although the origin of the application isn't clear, the Prolexic experts noted that it is constantly improved.

How to mitigate such powerful attacks?

The report states: "A tsunami of high bandwidth packet floods was observed during Q3 2012. These attacks targeted a number of high profile organizations within financial services, media/telecom, energy, and other sectors. The bot toolkit responsible for the majority of these attacks is a PHP-based suite known as "itsoknoproblembro", and the infected hosts are known as "brobots."" The toolkit is used by a meaningful number of attackers who don't need administrative privileges on a compromised server in order to install it and launch an attack.

Main advantage of "itsoknoproblembro"

The toolkit appears very simple to manage and, according to Prolexic experts, it "allows attackers to react faster to any defenses they might encounter and modify their attack strategy"; it is therefore considered an adaptive tool that allows attackers to send orders to the compromised servers almost instantly.

7.8% of all worldwide DDoS attacks originate out of India

What to expect in Q4?

The increase in the number of observed attacks and in the related offensive capability does not bode well for the next quarter; we must also consider that the period is historically "delicate" because of the approaching Christmas holidays. At this time of year we expect an increase in online shopping and, in general, in the use of web services, which are the main targets of the attackers responsible for the offensives discussed. — This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Digital Forensics for Handheld Devices

"Digital Forensics for Handheld Devices" is a valuable reference

By Ben Rothke

Today's handheld device is the mainframe of years past. An iPhone 5 with 64 GB of storage and the Apple A6 system-on-a-chip processor has more raw computing power than entire data centers had some years ago. With billions of handheld devices in use worldwide, it is imperative that digital forensics investigators and others know how to ensure that the information contained in them can be legally preserved if needed. In Digital Forensics for Handheld Devices, author Eamon Doherty provides an invaluable resource on how one can obtain data, examine it and prepare it as evidence for court. One of the reasons many computer crime cases fail to be prosecuted is that the evidence was not properly handled and could therefore not be admitted into court. One of the first things a defense attorney will do in a computer crime case is to attack how the digital evidence was obtained and preserved. In far too many cases it was done incorrectly, and the evidence, no matter that it may be a smoking gun, can't be admitted into court. The case is then dismissed, to the chagrin of the victim. The book's 8 chapters of nearly 300 pages are densely packed text, where Doherty brings significant real-world experience to every chapter. As the cybercrime training lab director at Fairleigh Dickinson University, he brings academic formality in addition to real-world experience to this highly tactical guide.

Chapter 1 details cell phone forensics. After a brief introduction to the history of the cell phone, it details the entire inner workings of a cell phone. The chapter also details differences in cell phones worldwide. An important fact is that many Asian countries have cell phones available 12-18 months before they appear in the US. With that, American forensic investigators need to be cognizant of this when entering into an investigation. The chapter includes an overview of the Susteen Secure View application, which is an extremely powerful tool for the mobile phone forensic investigator. Besides that tool, in each chapter Doherty lists many tools that provide specific assistance to the topic at hand. The book is worth it for those listings alone.

Chapter 2 is similar to the previous chapter, except that it is about digital camera forensics. The chapter provides a detailed overview of how digital cameras operate and how the underlying hardware works. The chapter includes an extremely comprehensive overview of seemingly every tool available to investigate images on a digital camera. The chapter also includes a number of fascinating case studies on how to effectively perform a forensic analysis of a digital camera. It concludes with an observation that when considering a career in forensics, as fascinating as it is, it may not be for everyone. Doherty notes that as a forensics investigator, the examiner is often exposed to disturbing material. He quotes a report that studied investigators from over 500 agencies who had been exposed to child pornography during the investigation of crimes involving child exploitation. The report noted that an alarming 35 percent of the participants had problems arising from work exposure to child pornography.

Chapter 5 provides an extremely detailed look at forensic investigation on a corporate network. Throughout the book, Doherty stresses the need for an effective chain of custody and other measures to preserve digital evidence. It is imperative to preserve the integrity of the digital evidence obtained from the time it was seized until it is presented in court. To facilitate this, the book states a best practice of using checklists to ensure nothing is forgotten. The importance of checklists has been detailed in The Checklist Manifesto: How to Get Things Right, where author Atul Gawande makes a compelling case for the use of checklists. As to evidence and checklists, Doherty writes that once the evidence is obtained, a chain of custody form should be filled out. Each time the evidence is copied, processed, or transported, it should be documented on the chain of custody form. If others receive a copy of the evidence for prosecution or defense purposes, they too should sign for it. This is imperative if it is expected that the evidence will end up in court or be used for human resources purposes. But in the corporate setting detailed in chapter 5, that same level of diligence is not necessarily required. Chapter 5 also has overviews of nearly 50 different forensic tools for every imaginable purpose.

While the book has exploratory and technical overviews of many tools and numerous case studies, this is not an introductory text on the subject. It is meant for someone with a technical background who is looking for a technical reference to gain competence in digital forensics. The only shortcoming of the book is that while the author is an expert on the topic and the tools, the writing style is one that screams out for an editor. The text suffers from run-on sentences and repeated definitions of the same acronym, in addition to other readability issues. The book's pervasive use of the passive voice can be annoying to many readers. It is hoped that the second edition of this book will be updated with the current tools of the time and given a good re-editing to ensure its readability doesn't suffer. Aside from the grammatical issues, for those looking for a very hands-on guide to gain proficiency on the topic, Digital Forensics for Handheld Devices is a valuable reference. Dr. Eamon Doherty has a unique perspective in that he has academic, law enforcement and very practical experience, which is manifest in every chapter. The notion of digital forensics is: seize it, examine it and then prepare it for evidence in court. In Digital Forensics for Handheld Devices, you find out how to do just that. — This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.
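As an added illustration of the chain-of-custody practice the review describes (this is not code from Doherty's book or from the review), the following Python ledger re-hashes the evidence image at every copy, processing step or transfer and compares it with the hash taken at seizure, so a broken link is visible on the form before the evidence reaches court; the case number, item number, names and the sample image bytes are all constructed.

```python
"""Chain-of-custody ledger with hash verification for a seized device image.

Every hand-off (seized, copied, processed, transported, released) appends an
entry carrying the SHA-256 of the image as it exists at that moment, so any
alteration since seizure shows up as a hash mismatch on the form.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

ACTIONS = {"seized", "copied", "processed", "transported", "released"}


def sha256_hex(data: bytes) -> str:
    """Hash the evidence image; acquisition tools do the same over the raw bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    when: str          # ISO-8601 UTC timestamp of the hand-off
    action: str        # one of ACTIONS
    custodian: str     # person handling the evidence at this step
    recipient: str     # who signs for it next ("" if it stays with the custodian)
    sha256: str        # hash of the image observed at this step


@dataclass
class CustodyLog:
    case_id: str       # constructed identifier, e.g. "CASE-0001"
    item_id: str       # constructed identifier, e.g. "PHONE-01"
    entries: list[CustodyEntry] = field(default_factory=list)

    def record(self, action: str, custodian: str, image: bytes,
               recipient: str = "", when: datetime | None = None) -> CustodyEntry:
        """Append one hand-off, hashing the image exactly as presented."""
        if action not in ACTIONS:
            raise ValueError(f"unknown custody action: {action}")
        if not self.entries and action != "seized":
            raise ValueError("the first entry must record the seizure")
        stamp = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        entry = CustodyEntry(stamp, action, custodian, recipient, sha256_hex(image))
        self.entries.append(entry)
        return entry

    def seizure_hash(self) -> str:
        return self.entries[0].sha256

    def first_break(self) -> int | None:
        """Index of the first entry whose hash differs from the seizure hash, else None."""
        for i, entry in enumerate(self.entries):
            if entry.sha256 != self.seizure_hash():
                return i
        return None

    def verify(self, image: bytes) -> bool:
        """True only if every recorded hand-off and the image presented now match seizure."""
        if not self.entries:
            return False
        return self.first_break() is None and sha256_hex(image) == self.seizure_hash()

    def form(self) -> str:
        """Render the chain-of-custody form as plain text for printing and signing."""
        lines = [f"Case {self.case_id}  Item {self.item_id}",
                 f"{'when':<25} {'action':<12} {'custodian':<12} {'recipient':<12} sha256"]
        for e in self.entries:
            lines.append(f"{e.when:<25} {e.action:<12} {e.custodian:<12} "
                         f"{e.recipient:<12} {e.sha256[:16]}...")
        return "\n".join(lines)


# Constructed stand-in for a phone image; not real evidence.
SAMPLE_IMAGE = b"\x00" * 64 + b"contacts.db:alice,bob\n" + b"\xff" * 64


def demo() -> tuple[bool, bool]:
    """Seize, copy and transport an image intact, then show an altered copy breaking the chain."""
    t0 = datetime(2012, 11, 5, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog(case_id="CASE-0001", item_id="PHONE-01")
    log.record("seized", "Officer A", SAMPLE_IMAGE, when=t0)
    log.record("copied", "Examiner B", SAMPLE_IMAGE, when=t0.replace(hour=11))
    log.record("transported", "Examiner B", SAMPLE_IMAGE, recipient="Lab C",
               when=t0.replace(hour=14))
    intact = log.verify(SAMPLE_IMAGE)
    # One byte changed in transit: the hash recorded at the lab no longer matches seizure.
    altered = SAMPLE_IMAGE[:70] + b"x" + SAMPLE_IMAGE[71:]
    log.record("processed", "Lab C", altered, when=t0.replace(hour=16))
    return intact, log.verify(SAMPLE_IMAGE)


if __name__ == "__main__":
    before, after = demo()
    print(f"chain intact after transport: {before}; after altered copy: {after}")
```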



TECH FOR GOVERNANCE

Data Briefing: 75% of smartphones sold in the third quarter are running on Android

Panalpina's "World Wide Web"

It is important to include contractual language specifically targeted to the FCPA

By Mary Shaddock Jones


On November 12, 1990, Sir Tim Berners-Lee, with help from Robert Cailliau, published a formal proposal for the World Wide Web in Switzerland. Today, twenty-two years later, we look at a different world wide web, one which ensnared a Switzerland-based company named "Panalpina". According to the Department of Justice, Basel, Switzerland-based Panalpina World Transport "is one of the world's leading suppliers of forwarding and logistics services, specialising in global supply chain management solutions and intercontinental air freight and ocean freight shipments and associated supply chain management solutions." It operates "a close-knit network with some 500 branches in over 80 countries," does business in a further 80 countries with partner companies, and employs approximately 15,000 individuals. The criminal information focuses on a "network of local subsidiaries … each of which was responsible for providing the freight forwarding and logistics services to customers and for coordinating with other Panalpina-affiliated companies with respect to the transportation and shipment of cargo from abroad." In addition, PWT and its subsidiaries "provided customers with importation, customs clearance and ground shipment services once the shipped goods reached their destination jurisdiction." The subsidiaries under investigation were from the U.S., Nigeria, Angola, Brazil, Azerbaijan, Kazakhstan, Russia and Turkmenistan (hence my reference to the "world wide web"!). There have been many blogs, papers and articles written about the facts and the settlement the DOJ and SEC entered into with Panalpina and many of the oil service companies utilising its services. There is no reason for me to recite the facts of that case again. More importantly, I have seen first-hand the improvements made by Panalpina in its own compliance program since the investigation began in 2005. This is a company that should be lifted up as a model for others to follow.

I have always been taught that it isn't the fact that you get knocked down that shows your strength and courage, but the fact that you get back up and learn from your mistakes. All of us can learn improvements from each and every one of the FCPA reported settlement agreements, including that of Panalpina. Practical pointer for today's blog: once a third party has passed the due diligence process, it is important to include contractual language specifically targeted to the FCPA. There are several well-recognised concepts that should be included in the contractual language, including an overarching statement that the Agent or Partner will not authorise, offer, or pay anything of value to a foreign government official (or private entity if the UK Bribery Act is encompassed) for the purpose of obtaining or retaining business or gaining any improper business advantage. This concept is followed by the promise to submit itemised invoices, with accurate supporting documentation, to allow for transparency in the processing of payments. Along with these two requirements are the rights to audit, to terminate or suspend the contract, and perhaps the right to recoup any losses and investigation costs for violation of the above. The final agreements would include the obligation to undertake training, periodic due diligence requalification and annual certifications. Recently, we discussed the due diligence process and provided some language to assist in the identification of "Red Flags" when considering the use of third party Agents or Partners. Today, we provide you with additional language to consider utilising once an Agent or Partner has been retained:

In addition, unless approved by the Company Compliance Officer or his or her designee, all contracts with Agents or Partners shall contain provisions addressing the following matters: payment mechanisms that comply with this Manual, the FCPA, the UKBA and other applicable anti-corruption and/or anti-bribery laws during the term of such contract; the counterparty's obligation to maintain accurate books and records in compliance with the Company's Policy and Compliance Manual; the counterparty's obligation to certify on an annual basis that: (i) counterparty has not made, offered, or promised any payment or gift of money or anything of value, directly or indirectly, to any Government Official (or any other person or entity if the UK Bribery Act applies) for the purpose of obtaining or retaining business or getting any improper business advantage; and (ii) counterparty has not engaged in any conduct or behavior prohibited by the Code of Conduct, Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law; the Company's right to audit the counterparty's books and records, including, without limitation, any documentation relating to the counterparty's interaction with any governmental entity (or any entity if the UK Bribery Act applies) on behalf of the Company, and the counterparty's obligation to cooperate fully with any such audit; and remedies (including termination rights) for the failure of the counterparty to comply with the terms of the contract, the Code of Conduct, the Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law during the term of such contract.

All contracts that provide for the disbursement of funds by the Company to a third party shall be in writing and shall require the other party to submit a written invoice for payment in compliance with the terms of its contract with the Company. All invoices shall be accompanied by accurate and sufficient supporting documentation for all outlays to third parties. Contracts requiring the disbursement of funds by the Company for such services shall also require that, unless the Company Compliance Officer or his or her designee determines that payment in another jurisdiction does not violate local law and that a valid business reason for payment in another jurisdiction exists, funds shall be transferred only to a bank account owned by the designated recipient and that such account shall be located in the jurisdiction where the relevant business services are to be performed/occur.

Companies can be held liable for the acts of third parties acting on their behalf. The use of the contracting strategies suggested above will clearly communicate to the Agent and/or Partner the seriousness of your company's commitment to abiding by the law and spirit of the FCPA and similar anti-corruption laws and regulations.

5 POINTS

Panalpina World Transport is one of the world's leading suppliers of forwarding and logistics services.
PWT and its subsidiaries provided clients with importation, customs clearance etc. till the shipped goods reached their destination jurisdiction.
This is a company that should be lifted up as a model for others to follow.
Once a third party has passed the due diligence process, it is important to include contractual language.
Companies can be held liable for the acts of third parties acting on their behalf.

—Mary Shaddock Jones has practiced law for 25 years in Texas and Louisiana, primarily in the international marine and oil service industries. She was one of the first individuals in the United States to earn TRACE Anti-bribery Specialist Accreditation (TASA). She can be reached at msjones@msjllc.com. This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Data Briefing: 13.5% q-o-q growth in the consumer PC market in India in Q3 2012

New Techs Raise Doubts on Privacy & Security

There are several problems with patents like the one under discussion

By Pierluigi Paganini

Recently a colleague alerted me to a news item published online about a patent obtained by Microsoft titled "CONTENT DISTRIBUTION REGULATION BY VIEWING USER". The patent could, according to some experts, be a clear violation of privacy, because it uses technology to gather information on a user's consumption of video content. The major concerns relate to the use of the cameras of video devices such as PCs, mobile devices and TVs to identify the user and verify his rights to view, and of course to determine his habits with the purpose of packaging the best offer in terms of content. How will Microsoft use the cameras? There are several technologies that can serve the purpose, probably "facial recognition techniques" combined with analysis of video and audio input. The patent states:

"[0028] In an alternative embodiment, a fee can be charged for each viewer of the content for each view. In another alternative, at 225 and 240, a per-viewer license may comprise counting the number of viewers in a viewing area and directly charging for each identified user in the viewing area. Viewers may be uniquely identified and a count of the viewers determined, with the licensee then charged for each viewer accessing the content. Age and identity restrictions can be applied in this embodiment as well."

The cameras could be used to validate the user's license and enable content viewing; they must be able to count the number of users present in front of the video. The patent authorises a private company to get this invasive in our homes, and maybe this is the first of several similar cases. TVs, PCs and gaming consoles are technologically advanced objects that, thanks to sensors, cameras and microphones, are able to exercise meticulous control over their surroundings. Last year I presented a project funded by the US government to acquire information through the analysis of gaming consoles on the network. There are several problems with patents like the one under discussion. Who will govern the information obtained, and how? Are these devices secure from external attacks? Who guarantees the security of the information collected? The doubts are raised mainly by the implementation of the content of the patent; let's imagine, for example, what could happen if a hacker takes control of such devices. He would be able to spy on victims, and similar attacks represent serious risks from different perspectives. Governments, but also cybercriminals, could be interested in exploiting the devices, and there is the same interest from a commercial perspective in gathering information on users' habits. The patent applies both to streaming content and to downloaded material, and it is certain that many other companies are interested in the technology. I personally think the technology is ripe for several similar uses, but to be really useful it always has to be weighed against the demands of privacy and safety of users ... unfortunately the trend goes in the opposite direction.

This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Tech for Governance | Software

Software is Eating the World: APIs are the Fuel

Mobile applications have become the driving force of transformation on the Web

By Ben Kepes

CloudU Notebooks is a weekly blog series that explores topics from the CloudU certificate program in bite-sized chunks, written by me, Ben Kepes, curator of CloudU. How-tos, interviews with industry giants and the occasional opinion piece are what you can expect to find. If that's your cup of tea, you can subscribe here.

Over the past handful of years I've commented on a seemingly disconnected bunch of areas: the rise of cloud computing, the forced redesign of how enterprises work, the focus on more project-specific teams, dispersed workers. The list goes on. In the last 12 months or so I've seen these formerly disconnected areas converge into one topic area. Call it Enterprise 2.0, social, mobile, local or whatever; it is starting to look consistent: the need for an organisation to be more nimble in reacting to external and internal factors; the need to meet employees' demands in terms of how and where they want to work; and the desire to unlock data from both inside and outside the organisation.

All of these desires are delivered, at least in part, by the cloud. Cloud brings a level of agility that allows organisations to be more nimble than before. Cloud powers workers in disparate geographies to collaborate on projects. Cloud enables the mobile provisioning of mass information in new ways. Cloud makes insights into vast stores of data more readily obtained.

If cloud is the enabler of this dramatic shift of organisations, then the API is the glue that holds it all together. APIs have an integral part to play in delivering all this agility. Want to give your employees access to data inside legacy systems? An API strategy can help with that. Want to tie together two discrete applications in ways that deliver a specific need? APIs are the glue that binds. Want to set up some cloud infrastructure that lets you scale and deliver in a utility fashion? It is APIs that sit behind much of that.

Given this critical, yet often unheralded, role that APIs play in all of this, it was interesting to read an article by 3Scale CEO Steven Willmott recently. The article is well worth reading in its entirety, but essentially Willmott puts the case that the so-called "App Economy" is in fact better titled the "API Economy." As Willmott says: Mobile applications have become the driving force of transformation on the Web, creating not only whole new categories of software, but also creating new ways of consuming content and accessing services.

Much of Willmott's article focuses on the massive growth of consumer APIs. At the same time, however, he touches on the fact that there are a number of vendors that are solely focused on enabling organisations to realise an API strategy. These companies do the heavy lifting, which allows an organisation to focus on the strategy behind its APIs rather than the mechanics of actually deploying one. It is this latter trait that makes these companies, and the rise of the API, of such critical importance for enterprises.

By extension, for many existing enterprises "cloud" wasn't a strategy per se, but rather a way of delivering an outcome. Oftentimes this outcome is quite simply the unlocking of existing data, the provisioning of that data across multiple platforms and services, and the ability to integrate that data with data from other sources. The API is the common thread across all of these desires, and it is for that reason that enterprises need to think about their API requirements sooner rather than later.

This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Nation Approach to Information Activities

Connectivity is how information is passed from Point A to Point B

By Joel Harding

What are logical ways for us to discuss what we do? That question alone raises a ton of questions. Who is we? What is it we do? Who does what? Can something fall into multiple categories? Now that IO has a new definition, there is no longer a clear-cut way to divide up the parts. My friend and mentor, Dr. Dan Kuehl, invented a model I like to use, called the Three C model. 'What we do' can be divided into Connectivity, Content and Cognitive. I'm going to paraphrase below, probably badly, so please excuse me for not reproducing his highly refined explanation.


Connectivity is how information is passed from Point A to Point B. This may be a broadcast message over FM radio, it might be via cyber in an email, it might be by fax, telephone, television, even the spoken word from your mouth to my ear.

Content is how we put the message together: what is contained within the message, or what is shown, heard or even felt, tasted or smelled. In Afghanistan there is a low literacy rate, so more pictures are used. This may also be a narrative; what words we use can also be more or less dependent on culture, history, religion and a myriad of other factors.

Cognitive is how the message is received and then internalised by our audience. I prefer to use Measures of Effectiveness as part of my initial planning process, so that when planning and then conducting the rest of an information operation we can better measure the efficiency of our campaign. My friend Dr. Lee Rowland uses the principle of "Under what conditions will a certain behavior change", which is more difficult to determine but offers a much more refined approach and ensures that cognition and the efficiency of messaging are both easily measured and determined.

But IO cannot and will not work without including the rest of the government, not in peace, crisis or even war. I recently sat down with some friends and we discussed information operations at a higher level, at the governmental level. In the US the Department of Defense does IO and the Department of State is in charge of Strategic Communication and Public Diplomacy, but I was having problems describing a "whole of government" approach, and I was having even more difficulty explaining how a "whole of nation" effort might be divided. We finally came up with five categories for what I might call government/corporate/private information activities.

Information Operations. The integrated employment, during military operations, of information-related capabilities in concert with other lines of operation to influence, disrupt, corrupt or usurp the decision-making of adversaries and potential adversaries while protecting our own. This will include the Department of Defense, to include Cyber Command and the CIA. Most important about this category is that these are the only entities that may conduct offensive operations; they can break things.

Strategic Communication & Public Diplomacy. SC: the synchronised coordination of statecraft, public affairs, public diplomacy, military information operations, and other activities, reinforced by political, economic, military, and other actions, to advance U.S. foreign policy objectives. PD: communication with foreign publics to establish a dialogue designed to inform and influence. SC/PD would also include "liberation technologies", or ways to bypass, circumvent and/or thwart blocking, filtering and jamming by authoritarian governments. This will include the Department of State, the BBG and others as identified.

Information Research and Analysis. Data, information and intelligence collection, reporting by all media, analysis, editing and publishing. This will include reporters, editors, intelligence collection, intelligence analysis and publishing.

Technical Innovation. How we communicate information. This includes cyber, communication means of all types, and efforts at assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. This will include information assurance, cyber defense and research and development efforts for the storage and transmission of information: broadcast, satellite, telegraph, even semaphores. This includes DISA, corporate and private R&D efforts.

Information Infrastructure Assurance. Efforts to protect government, corporate and private infrastructure from natural and manmade threats to critical, corporate and private infrastructures. This would include the Department of Homeland Security and other efforts to protect critical and private infrastructure.

The problem I seem to have is categorising military public affairs; I might have to change the name to military information activities or some such generic name. Many Public Affairs officers seem to believe they can inform without influencing. If I take a whole of nation approach then I should include marketing, public relations, perception management, reputation management and strategic communications (with an s).

This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

November 2012


I Lost My Theory of Mind

Without the theory of mind everything that social engineers do would fail

By Will Tarkington


The theory of mind is an integral part of understanding how humans interact. Now, my blog typically deals with real-world examples of my social engineering techniques. However, I'm taking a moment to discuss one piece of theory. The reason I'm taking the time to do this is simple: without the theory of mind, everything that social engineers do or attempt to do would fail. The theory of mind is basically one's ability to differentiate perspectives. From perspective comes intention, from intention comes reaction, and from reaction comes reward (or failure).

The First Order of the Theory of Mind: The first order is simply the awareness of self. You know that question you hear people ask, "Is this animal self-aware?" This is the first order of the theory of mind. In essence it's the ability to determine that you are unique, that you have an individual perspective and individual desires. It is this ability that lets you make statements like "I would like chocolate over vanilla." It may seem odd, but without this you could not think of yourself, collectively or individually, as an entity. There would be no YOU to want chocolate.



The Second Order of the Theory of Mind: The second order gives you the ability to identify someone else's perspective. For this we are going to use a common example that happens all over the world: salt. There is a salt shaker, and in the first order you would be aware that you want the salt. In the second order you would be aware that someone ELSE wanted the salt. This is important because it means you can now decide whether the person reaching towards you is likely trying to kill you or not. It also means that you can now decide whether you want to assist that person in getting the salt. You can also evaluate whether your wanting the salt should trump their wanting of the salt. However, the REAL fun begins in the next order.

The Third Order of the Theory of Mind: This is the place where most of the social engineering will start to come into play. Essentially, and convolutedly, the third order is:

I want the salt.
You want the salt.
I am aware that you want the salt.
I am aware that you are aware that I want the salt.

It is at this exact moment that negotiation begins. Prior to this event it was a contest of desire vs desire; now it is part of an abstract concept involving "trade" or reciprocation. If I give you the salt now, will you help me later? I know you know I'm helping you. Thus social mechanisms such as guilt and friendship or rivalry come into play.

The Fourth Order of the Theory of Mind: Are we ready? This is going to start to get convoluted, but here we go!

I want the salt.
You want the salt.
I know you want the salt.
You know I want the salt.
I know that you know that I want the salt.
I know that you know that I know that you know that I want the salt.

Wheeeeeeeeeeee, it's starting to turn into The Princess Bride here.

The only other thing I want to note is that TOM (Theory of Mind) doesn't have to relate to only two people in regards to its orders. So, for example, a third order TOM could be:

I want the salt.
You want the salt.
Sheri wants the salt.
I am aware you and Sheri want the salt.

In this scenario you start to see the complexities of making alliances or influencing different people to change the outcome. Who should get the salt? Which is more beneficial to me, Sheri or you? Are you both aligning against me? This is the crux of our social society. I encourage everyone interested in human behavior to spend some time studying the TOM, become aware of when to apply it and how to apply it. This makes all sociological research easier to do.


VIEWPOINT Steve Duplessie | steve.duplessie@esg-global.com


Size Matters

The size of a company's portfolio matters

I recently attended HDS's Influencer Summit. It's where a company hosts those who are supposed market influencers: analysts, bloggers, etc. What's interesting is that it didn't include traditional media, who I think still have legitimate influence. Different issue.

First, on the HDS event itself: bravo. A company like HDS never gets the kudos it deserves, because of its historical conservatism. Did you know HDS, who has had over 12 record quarters IN A ROW (and is growing faster than any other large player in the space, 20% y/y in the Americas, for example), sells only HALF of its stuff to large enterprises? The rest is small enterprise and midmarket. I didn't know, or didn't pay attention the last time they told me that. Their channel accounts for a huge percentage of revenue, also something I elected to forget.

Anyway, what the HDS presentations made me realize is that size really does matter. Not so much the size of the company as the size of the portfolio, at least today. HDS is part of Hitachi Ltd, which just so happens to be a $118B tech powerhouse. How does that help? Well, for example, HDS built the train system in London used for the Olympics. What's the relevance? The train system uses some serious bad ass technology, like the ability to do instant analysis on data inputs from a zillion sensors in real time. The trains themselves are highly automated, using thousands of sensors feeding millions of inputs a second into a real BIG DATA system keeping the trains running on time, not crashing, adjusting for weight, temperature, external conditions, etc.

The point is that when a disk subsystem maker normally talks about how great their big data story is, I yawn. HDS, in this example, brought some credibility to the story. If they can do real time analysis and automated decision making based on machine generated data, then how can they not be smart when it comes to me making a goofy marketing query against a fairly static (albeit large) data set that has no real time significance?

Hitachi, at its core, develops technology. That technology is then applied to use cases, ranging from escalators to content stores, and everything in between. It's pretty amazing when you think about it. So, in summary, HDS made me change the way I think about holistic technology implementations and the advantages a big company can have. The big Japanese tech companies are built from a foundation of technology, which is then applied to market use cases. Most US tech companies do the exact opposite: they build products based on market use cases and develop technology to improve those outcomes. Subtle but different. Thus, in the age of the "stack" in IT, most are building a consolidated use case model, but few can bring to bear technologies that are very far reaching. Those that can have an inherent leg up on those who can't. Those who can't may be better marketers and thus more effective in certain use cases, but for overall economic value that spans outside of that specific use case, it seems a more global technology base has a higher likelihood of longer term success.

About the author: Steve Duplessie is the founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve's blog at http://www.thebiggertruth.com



