Track, Build, Shape

cioandleader.com

Volume 01 | Issue 03 | March 2012 | 150

A Question of Answers: Connect and Empower Pg 12

Viewpoint: Files Are Killing IT Pg 68

Best of Breed: 5 Overlooked BYOD Mistakes Pg 16

The Emperor's Advanced Persistent Clothing | Security: Bucking the Trend | Leonardo da Vinci and the ‘Real APTs’

Track technology. Build business. Shape self.

Track, Build, Shape. Top technology decision makers speak their mind on CIO&Leader’s positioning statement. Do they deem our ideology to be relevant for today’s CIOs? Page 26


Affordable Video Surveillance Storage + Management Solutions

Iomega answers the call for a new class of scalable, simple solutions that enable SMBs and distributed enterprises to archive, protect and share physical security video and audio files from anywhere. The versatile StorCenter Network Storage family offers affordable video surveillance storage and management solutions.

Integrated Video Management System (IVMS)

Offers the ability to blend smart storage with leading video management software and IP cameras for an integrated, low-cost video surveillance solution.

[Diagram: Router/Switch, IP Cameras, StorCenter Network Storage Device]

Integrated Video Management System (IVMS) pricing:

4 Camera NVR (IP NAS)**: Rs. 10,000* onwards (ix2 diskless + VMS)
16 Camera NVR (IP NAS)**: Rs. 30,000 onwards (px4 diskless + VMS)
32 Camera NVR (IP NAS)**: Rs. 85,000 onwards (px4 rack diskless + VMS)
48 Camera NVR (IP NAS)**: Rs. 2,50,000 onwards (px12 rack 8TB + VMS)

* Available April onwards
** Inbuilt Video Management and Storage capability – low cost “IP surveillance solution in a box”

Implementation support available in 21 cities across India. 4 hour response time available 24/7, 365 days. Toll Free Support for IP NAS and Surveillance 24/7.


Editorial | Yashvendra Singh | yashvendra.singh@9dot9.in

The 21st Century CIO

The modern CIO’s position will stand on the three pillars of Track Technology, Build Business and Shape Self

In early March, I was in Hanover, Germany, to attend CeBIT, one of the world’s biggest IT and electronics conventions. Just to give you an idea of the mammoth scale of the event – there were more than 4000 exhibitors from 70 countries spread across 23 massive aircraft hangar-like halls! Hanover is frigid during this time of the year, but the array of products, some of them wonderful (imaginary interfaces that translated hand movements into commands for switching on/off music, lights, or TV; clocks powered by water) and some of them weird (arcade games controlled by eyes; pole-dancing robots), ensured the temperature at the venue remained high.

It was no surprise that Cloud, Big Data, Social Business, and Mobility dominated the agenda. After all, CIOs across enterprises and boundaries are grappling with the same issues. I felt the inaugural address of Eric Schmidt, Executive Chairman, Google, had a strong message for technology leaders. He said, “The people who predict that intelligent robots, virtual reality or self-driving cars will soon be commonplace are right. Governments will be able to spot the economic makings of a crisis before they happen and doctors will be able to accurately predict the outbreak of disease before anyone feels it.” Playing the oracle, Schmidt conveyed that technology was not just changing at an extremely fast pace, it also promised to radically change the way important decisions were taken. Now which CIO in the world won't be ready to give an arm and a leg for a solution that predicted losses before his enterprise actually incurred them?

Without doubt, the future looks exciting for technology decision makers. The next three to five years could see a plethora of innovative tools and technologies at your disposal. The challenge for you will be to keep track of this fast-changing technology landscape. It will also be important to cut the clutter, and zero in on the technology that builds your business. Above all, you will need to realise your own potential, make others realise theirs, and come out on top in the ultimate test of leadership. As a matter of fact, this magazine is positioned such that it enables CIOs to meet exactly these changing requirements demanded of their role in the 21st century. Our positioning statement – Track Technology, Build Business, Shape Self – sums it up precisely. In this issue’s cover story, we decided to get feedback from top CIOs on our positioning statement. Read to know if their views match our ideology. I will leave you thinking with another statement from Schmidt’s address at CeBIT: “Technology does not produce miracles, but connectivity, even in modest amounts, changes lives.”

Editor’s pick (Page 26): Track, Build, Shape



Cover Design: Jayan K Narayanan

Cover Story

26 | Track, Build, Shape
Top technology decision makers speak their mind on CIO&Leader’s positioning statement. Do they deem our ideology to be relevant for today’s CIOs?

Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Anuradha Das Mathur for Nine Dot Nine Interactive Pvt Ltd, Bungalow No. 725, Sector - 1, Shirvane, Nerul, Navi Mumbai - 400706. Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301

Regulars
01 | Editorial
06 | Enterprise Round-up


Special Leadership Section: Page 39 to 52

41 | Top Down Focus on Leadership & Innovation
Edward Goldman, CTO, Intel speaks about the various aspects of being the Tech CEO at the company

42 | My Story: Balance Strategy and Execution
Umesh Jain, CTO & Sr. President, Yes Bank, talks about the inherent leadership challenges that CIOs face and how they can map their growth strategy

44 | Leading Edge: The right leaders for your growth strategies
It takes a mix of leaders and talent to pursue a variety of growth strategies simultaneously. Few executives can do it all

46 | The Best Advice I Ever Got: Have a Good Business
V.C. Gopalratnam, VP, IT & CIO, Globalisation, Cisco talks about the importance of learning finance and business language

47 | Me & My Mentee: Keeping an Open Mind is the Key
CR Naraynan and his mentee share what they've learnt from each other

50 | Opinion: Negotiation Lessons from the Jan Lokpal
There is a lot that corporate leaders can learn and imbibe from the way in which the Jan Lokpal Bill and the negotiations around it are going

52 | Shelf Life: HBR’s 10 Must Reads On Leadership
A single book that packs quite a punch from renowned gurus


www.cioandleader.com

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Consulting Editor: Sanjay Gupta
Assistant Editor: Varun Aggarwal
Assistant Editor: Ankush Sohoni

Design
Sr Creative Director: Jayan K Narayanan
Art Director: Anil VK
Associate Art Directors: PC Anoop & Atul Deshmukh
Visualisers: Prasanth TR, Anil T & Shokeen Saifi
Sr Designers: Sristi Maurya & NV Baiju
Designers: Suneesh K, Shigil N, Charu Dwivedi, Raj Verma, Prince Antony, Binu MP, Peterson & Prameesh Purushothaman C
Chief Photographer: Subhojit Paul
Photographer: Jiten Gandhi

12 | A Question of Answers: Connect and Empower
Pradeep Sindhu, CTO, Juniper Networks, talks about how cloud computing is ushering in an era of new-age technology

16 | Best of Breed: Advanced Persistent Threats
Security professionals need to focus on collaborating to actually secure something

53 | Next Horizons: Security: Bucking the Trend
Organisational approaches to risk are changing, as the 2012 Enterprise Security Spending study reveals

Advertisers’ Index
Iomega: IFC
Schneider: 5, 9
IBM: 11
Check Point: 15
Fujitsu: 21
VMware: 23
Riverbed: IBC
Microsoft: BC
Wipro: Supplement
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IT, ICICI Bank
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Sr Consultant, NMEICT (National Mission on Education through Information and Communication Technology)
Vijay Sethi, CIO, Hero MotoCorp
Vishal Salvi, CISO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay

Sales & Marketing
National Manager – Events and Special Projects: Mahantesh Godi (+91 98804 36623)
National Sales Manager: Vinodh K (+91 97407 14817)
Assistant General Manager Sales (South): Ashish Kumar Singh (+91 97407 61921)
Senior Sales Manager (North): Aveek Bhose (+91 98998 86986)
Product Manager - CSO Forum and Strategic Sales: Seema Menon (+91 97403 94000)
Brand Manager: Gagandeep S Kaiser (+91 99999 01218)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Manager Operations: Rakesh Upadhyay
Asst. Manager - Logistics: Vijay Menon
Executive Logistics: Nilesh Shiravadekar
Production Executive: Vilas Mhatre
Logistics: MP Singh & Mohd. Ansari

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Anuradha Das Mathur. Published at Bungalow No. 725, Sector - 1, Shirvane, Nerul, Navi Mumbai - 400706. Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301
For any customer queries and assistance please contact help@9dot9.in
This issue of CIO&Leader includes 12 pages of CSO Forum free with the magazine



Announcing the addition of precision air conditioners to the Schneider Electric data centre cooling portfolio

Data centres have always been mission-critical environments. Businesses worldwide depend on their uptime and efficiency. And uptime and efficiency depend on the right cooling deployment. Today, Schneider Electric can deliver the right solution quickly, easily, and cost-effectively.

From APC InRow to room cooling, we have the right solution

Local user terminal places sophisticated temperature and humidity controls at your fingertips.

Flexible: The smaller footprint makes our room units perfect for both retrofits (as drop-in replacements) or new builds (to save floor space).

Energy efficient: Many features were engineered for higher efficiency; from EC fans to large surface area coils, they are standard to ensure you get the highest efficiency.

Easy to service: Units can be serviced from the front (instead of the side) via internal service panels, so the doors can open while the unit is still running, thereby preserving uptime during servicing.

Cooling solutions for every application
Complementing its innovative APC InRow line and other cooling innovations, Schneider Electric now offers a comprehensive cooling portfolio. It comprises building-level options, including energy-efficient air conditioning equipment and chillers, to keep today’s fully integrated data centres operating at optimal levels.

Faster and easier deployment, installation, and maintenance
Schneider Electric is the only company to deliver its cooling products, parts, and spares via a global supply chain, thereby making deployment, installation, and maintenance faster and easier. What’s more, our efficient cooling solutions are customizable, meeting the specs of even the most complex installations. Each deployment is fast, reliable, and energy efficient, and with its integrated end-to-end software management, ensures your data centre needs can keep up with your business.

Our comprehensive portfolio of cooling solutions, all of which are fully managed and available through a global supply chain, includes:
> Close-coupled cooling
> Precision room cooling
> Air distribution solutions
> Raised floor
> Chillers
> Heat rejection system

Whatever your cooling challenges, we have the right solution:
Perimeter, chilled water cooling
Data centre facility cooling module
HD pod with InRow cooling, including overhead, and air containment

Business-wise, Future-driven.

Download White Paper ‘Energy Efficient Cooling for Data Centres: A Close-Coupled Row Solution’ (White Paper 137, Revision 1) by John Bean, Member ASHRAE, and Kevin Dunlap, Member ASHRAE. This white paper was originally published in ASHRAE Journal, October 2008. White papers are now part of the Schneider Electric white paper library produced by Schneider Electric’s Data Center Science Center, DCSC@Schneider-Electric.com

Visit www.SEreply.com Key Code 16030p

©2012 Schneider Electric. All Rights Reserved. All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies.

Schneider Electric India Pvt. Ltd., 9th Floor, DLF Building No. 10, Tower C, DLF Cyber City, Phase II, Gurgaon - 122 002, Haryana, India. Phone: +33 (0) 1 41 29 70 00 • 998-5972_IN-GB


Enterprise Round-up

Story Inside: Personal Cloud to Replace PC as the Center of Users’ Digital Lives Pg 08

Illustration by Shigil N

Intelligent Business Operations Next Step for BPM
Organisations are integrating CSM technologies into their processes

Organisations are making their business operations more intelligent by integrating analytics, social and mobile technologies into their processes and the applications that enable them, according to Gartner, Inc. Gartner analysts call this approach “intelligent business operations” (IBO), and consider it the next stage in the evolution of business process management (BPM) programmes. The next generation of business processes will have to move beyond cost savings and efficiency, and become more adjustable to changing market and customer dynamics. “Tomorrow’s business operations will integrate real-time intelligence,” said Janelle Hill, vice president and distinguished analyst at Gartner. “This will require a new approach using IBO — a style of work in which real-time analytic and decision management technologies are integrated into the transaction-executing and book-keeping operational activities that run a business.” Integration of analytics into operational processes — which contrasts with past approaches that separated analytical work from transactional work — empowers the workforce to make better and faster contextualised decisions in order to guide work toward optimal outcomes.

Data Briefing: 47% growth in worldwide smartphone sales in Q4 2011


Enterprise Round-up

They Said It: Michael Dell
Dell is “not really a PC company,” CEO Michael Dell said at an event in San Francisco. “It’s an end-to-end IT solutions company.”

“The line between IT and the business is disappearing. It is becoming essential to how they all conduct their businesses. They want choices about where their technology lives, from the hybrid cloud to public cloud infrastructure.” —Michael Dell, CEO, Dell

SafeNet Acquires Cryptocard
Acquisition to deepen SafeNet’s capabilities

In a transaction that will significantly broaden and deepen the authentication and cloud-based services it offers to clients, SafeNet has acquired Cryptocard, a privately held leader in cloud-based authentication solutions. Financial terms were not disclosed. With the acquisition of Cryptocard, SafeNet significantly enhances its market-leading authentication portfolio, providing both enterprises and service providers with one of the most advanced authentication-as-a-service (Auth-as-a-Service) offerings in the marketplace. Cryptocard’s platform will provide a unique opportunity for mobile and telecom service providers, as well as IT system integrators and service providers, to rapidly introduce Auth-as-a-Service and market-leading authentication solutions to their end users. By combining SafeNet’s Fully Trusted Authentication Solutions with Cryptocard’s innovative and flexible Blackshield Cloud platform, SafeNet’s customers worldwide will now have access to secure, flexible and cost-effective on-premise and as-a-service solutions. The acquisition will also expand SafeNet’s addressable market opportunity, solidifying the company’s position in user authentication and strongly positioning the company to capitalise on the fast-growing Auth-as-a-Service and cloud services markets.

Quick Byte on Security
The number of browser-based attacks in 2011 increased from 580,371,937 to 946,393,693. The number of web-based attacks in 2011 is 1.63 times the total for 2010, which points to a much slower rate of growth than we have seen over the course of the past three years. —Source: Kaspersky Lab


Enterprise Round-up

Illustration by Shigil N

Personal Cloud to Replace PC as the Center of Users’ Digital Lives
New level of flexibility from a new era

The reign of the personal computer as the sole corporate access device is coming to a close, and by 2014, the personal cloud will replace the personal computer at the center of users’ digital lives, according to Gartner, Inc. “Major trends in client computing have shifted the market away from a focus on personal computers to a broader device perspective that includes smartphones, tablets and other consumer devices,” said Steve Kleynhans, research vice president at Gartner. Several driving forces are combining to create this new era. These megatrends have roots that extend back through the past decade but are aligning in a new way.

Megatrend No. 1: Consumerisation — You Ain't Seen Nothing Yet. Gartner has discussed the consumerisation of IT for the better part of a decade, and has seen the impact of it across various aspects of the corporate IT world. However, much of this has simply been a precursor to the major wave that is starting to take hold across all aspects of information technology as several key factors come together. Through the democratisation of technology, users of all types and status within organisations can now have similar technology available to them.

Megatrend No. 2: Virtualisation — Changing How the Game Is Played. Virtualisation has improved flexibility and increased the options for how IT organisations can implement client environments. Virtualisation has, to some extent, freed applications from the peculiarities of individual devices, operating systems or even processor architectures. This provides low-power devices access to much greater processing power, thus expanding their utility and increasing the reach of processor-intensive applications.

Megatrend No. 3: “App-ification” — From Applications to Apps. When the way that applications are designed, delivered and consumed by users changes, it has a dramatic impact on all other aspects of the market. These changes will have a profound impact on how applications are written and managed in corporate environments. They also raise the prospect of greater cross-platform portability as small user experience (UX) apps are used to adjust a server- or cloud-resident application to the unique characteristics of a specific device or scenario.

Megatrend No. 4: The Ever-Available Self-Service Cloud. The advent of the cloud for servicing individual users opens a whole new level of opportunity. Every user can now have a scalable and nearly infinite set of resources available for whatever they need to do. Users’ digital activities are far more self-directed than ever before. This encourages a culture of self-service that users expect in all aspects of their digital experience. Users can now store their virtual workspace or digital personality online.

Megatrend No. 5: The Mobility Shift — Wherever and Whenever You Want. Today, mobile devices combined with the cloud can fulfill most computing tasks, and any tradeoffs are outweighed in the minds of the user by the convenience and flexibility provided by the mobile devices. The emergence of more natural user interface experiences is making mobility practical. Touch- and gesture-based user experiences are enabling rich interaction with devices.

Global Tracker: Online Risks
Globally, online risks rose 2% in 2011 to 32.3%. Just 20 countries accounted for 86.4% of all malicious hosting. Source: Kaspersky Lab



Enterprise Round-up

Illustration by Shigil N

Huawei Launches New Enterprise Products
Combines customer-centric innovation with latest ICT technologies

Huawei recently launched multiple enterprise products at CeBIT 2012, including S9700 series high-end switches (3 models), S5700-LI series mid-range switches (8 models), AR200/150 series enterprise access routers (7 models), WLAN products (7 models of ACs and APs), Open Service Platform (OSP) forum and Tecal V2 servers (6 models) that are supported by Intel Xeon E5 processors. Based on its customer-centric approach to innovation, these new products demonstrate Huawei's continual efforts to meet the ever-changing ICT needs of global enterprises, providing customers with a better way to do business. “Customer-centric innovation is at the core of everything we do at Huawei Enterprise,” said David He, President of Marketing, Huawei Enterprise. “When it comes to designing hardware solutions, we approach innovation from the viewpoint of our customers, examining what their specific needs are in terms of features and operability. Our new WLAN products, switches, routers and servers embody this focus on the customer and we are confident that our enhanced product portfolio will set new industry standards.”

Switches, access routers and WLAN products that promote the evolution of “10G Cloud Campus,” “Enterprise Branches” and “Enterprise Mobility”

The S9700/S5700-LI series switches supplement Huawei's current campus network product family. Among these new products, the S9700 provides a 320 Gbps per slot switching capacity and the highest 10GE/40GE port density in the industry to cope with the emerging high-definition video services and fast-developing “10G cloud campus.” In addition, the S5700-LI follows an energy-conservation design principle, adopting an innovative port sleeping, hibernate and awakening technology to reduce the total power consumption by over 40 percent. Mobile office technology is changing how people work. The explosive increase in WiFi-supported smartphones, tablet computers, and laptops, and the increase in WiFi hotspots all contribute to an ever-growing demand for mobile access. However, the current radio technology hinders development of the mobile office. When an AP has a certain number of users connected, the bandwidth allocated to each user decreases dramatically.

Fact Ticker

Infosec Concerns Impacting Business Decisions
Serious consequences when trust is breached

In the wake of several high profile data breaches and privacy incidents, a new Edelman study, “Privacy & Security: The New Drivers of Brand, Reputation and Action Global Insights 2012,” reveals that concerns about data security and privacy are impacting what people buy and which companies they do business with. Data security and privacy are also pressing matters of public policy, with leaders from around the world demanding enhanced protections. Concerns about data security and privacy are not merely theoretical. Around the world, people feel that their personal information is not adequately protected and that companies are unchecked, so it’s no surprise that they are now taking data security and privacy considerations into account when they shop. The study reveals that 70 percent of people are more concerned about privacy than they were five years ago and 68 percent feel they have lost control over how their information is shared and used by businesses. These concerns are impacting their decisions at the checkout counter. Individuals are even weighing considerations about security and privacy as heavily as those relating to a product’s design, style, and physical dimensions.

Mobility

Capgemini and subsidiary Sogeti have announced the joint launch of a new suite of services to support clients in creating and implementing an effective mobile strategy. Capgemini and Sogeti will provide a ‘one-stop shop’ for mobility solutions to meet the growing demand within businesses globally. As part of this launch, Capgemini and Sogeti are developing a dedicated 'Mobile Applications Service Centre of Excellence' in India, where 250 additional experts will support the delivery of mobile applications for customers globally. The focus markets for these services will include France, Germany, the Netherlands, Sweden, UK and North America. The Mobile Solutions global service line is one of the fast growing and profitable market segments the Capgemini Group is focusing on. Mobile technologies were highlighted as the second highest CIO technology priority in Gartner's recent 2012 CIO Agenda survey. Organisations are increasingly recognising that with mobile users in the hundreds of millions, and mobile app downloads in the tens of billions, today's reality is that customers and employees expect to interact with them immediately, wherever they may be. As a result, the market for mobility services is one of the fastest growing segments in the IT services market.



A Question of Answers | Pradeep Sindhu

Connect & Empower

Pradeep Sindhu | CTO, Juniper Networks

IT Transformation: The way people live their lives and connect with each other is witnessing a major transition

In a candid conversation with Pramath Raj Sinha, Founder and Managing Director, 9.9 Media, Pradeep Sindhu, Co-founder, Vice Chairman and CTO, Juniper Networks, talks about how cloud computing is ushering in an era of new-age technology.

How do you see the IT industry shaping up?

Information technology (IT) today is actually in the middle of a rapid change which we haven't witnessed in the last 25 to 30 years. The change that is happening is effectively pervasive; it is affecting the IT industry, the consumers, corporations as well as service providers. The entire value chain is evolving; it is not just IT that is changing, but the way people live their lives and connect with each other is witnessing a major transition. The reason this is happening is because of the power of networks and networking. We at Juniper fundamentally believe this and our vision statement states that 'connect everything and empower everyone'. Briefly this means that when you have networks that connect a lot of people together, their power is actually maximised.

What are the biggest trends emerging in the enterprise IT segment?

There are two major uber trends: one of them is cloud computing and the other is hyper mobility. Let us start with the latter first. What people want today is access to information and information resources and to reach out to people anytime, anywhere, and the purpose of hyper mobility is not more complicated than this. The primary reason that devices like the iPhone and iPad have been so incredibly successful is because these devices are simple to use and they delight the people that use them. In addition to this, customers expect the same behavior across multiple devices and all the applications that are available in the web browser. To provide hyper mobility, quality of mobile networks is the key to success, which works extremely variably in India. The promise that 3G had of providing us potentially several megabits per second per device has not panned out, so we have a long way to go. But the hunger of people to actually use the wireless network is crystal clear. Today there are 863 million subscribers in India and even though it appears saturated, things are still growing and I expect that over a period of time the quality of network is going to be better and better.


The second big trend is cloud computing. Let me define the term first. Cloud computing is nothing more than the delivery of information services from relatively large scale datacentres over the network to users anytime, anywhere. Here users are not necessarily human beings only; they could also be devices which are either sensing the environment or acting on the environment. Networking is the heart of cloud computing and one cannot expect this model to work without networking. The other aspect about cloud computing is that the datacentres from which the services are delivered need to be relatively large scale in order to be efficient. We need to have a world where users are carrying devices which are relatively thin clients. Fundamentally, in the cloud model, permanent state is stored in the cloud; the user can then do their work, and when it is done the state then goes back to the cloud. The user is never aware of where this state is actually kept. There are actually three reasons why we are coming to the cloud computing model. One of which is economic efficiency, because it is very efficient in terms of capital expenditure, and even more efficient in operational costs. The second reason is to be able to access information anytime, anywhere, and the cloud computing model makes it happen because the information is logically centralised. Finally, another factor that is pushing the model quite fast is that the network is now fast enough to allow us to implement this model. At Juniper we have spent a lot of research dollars to try to figure out the right networking technology to actually connect together the equipment to the datacentre. This is why we developed QFabric, which can act as a back plane of a datacentre. It is an open standard technology which uses standard based ethernet as the external interface, but since it is an extended machine the internals of the machine are actually proprietary.

“Networking is the heart of cloud computing and one cannot expect this model to work without networking”

What are the advantages of using Juniper's QFabric technology?

By using QFabric, the efficiency of datacentres grows dramatically. Typically a datacentre utilises only 10 per cent of its usability, but after using Juniper's technology the efficiency of the datacentre can go up to 100 percent. Enterprises spend only 15 percent of their expenditure on networking whereas 85 percent is spent on compute and storage. So, our technology enables enterprises to improve efficiency 10 times.

How do you view the networks in India, how is it different from other countries?

I think that there are differences and commonalities. The one big difference is that the wired network in India is in a much, much poorer shape compared to the networks in the United States, Europe or even Asia. For example, India has 863 million mobile subscribers but there are only 40 million copper lines around the country and out of those only 10 million are capable of actually running digital subscriber line (DSL). On the positive side, another difference is that the penetration of mobile phones is actually phenomenal. The speed at which it has grown is really great. The third thing that I witness is the environmental conditions under which equipment has to operate, particularly mobile networks which face a hostile environment. It is nice to see that there are many carriers who have increased their businesses in this kind of environment. Basically one lesson that I take is that the companies who are successful here can be successful anywhere in the world.

Things I Believe In
We need to have a world where users are carrying devices which are relatively thin clients
Typically a datacentre utilises only 10 per cent of its usability
Enterprises spend only 15 percent of their IT expenditure on networking




5 Overlooked BYOD Mistakes

These are the mistakes you need to avoid as more and more mobile devices enter your organisation

Illustration by anilt

Businesses of all shapes and sizes are struggling with the bring your own device (BYOD) phenomenon. On one hand, BYOD is a boon. Employees get the devices they like. Often they pay for them out of their own pockets, and productivity goes up. On the other hand, support costs can also go up, bandwidth may become saturated and, if policies aren’t crafted well, employees can end up feeling cheated by their employers. Creating a workable BYOD policy isn’t rocket science, but it is a delicate balancing act. Get it right, and you’ll boost both productivity and employee morale. Get it wrong, and you’ll need to start worrying about both security risks and increasingly disgruntled workers.

There are a few BYOD mistakes that pretty much everyone knows to avoid. You need strong security in place. You need the ability to remotely lock a lost device and wipe corporate data, and you must have some sort of device management scheme in place. Google BYOD and you’ll find article after article on how to handle security and management issues. While it’s imperative that you get mobile security and management right, other seemingly smaller mistakes can be just as damaging. Here are five overlooked BYOD mistakes to avoid as more and more mobile devices enter your organisation.

No. 1: Pushing expenses onto employees

In organisations with poorly articulated BYOD policies, employees may think that their employers are trying to rip them off. I’ve even heard of one company that charged its employees a fee for the right to access corporate resources from their mobile devices. That’s right, it made them pay for the privilege of working while on the go. In the very early stages of the BYOD trend, perhaps some companies can get away with tactics like this. As BYOD becomes commonplace, however, employees will start to feel cheated: “First pensions disappeared. Then, they made us pay more for health care. Now, they want us to pay for the privilege of being available 24/7?” Asking employees to pay for access should absolutely be avoided. Even giving employees a one-time payment to subsidise a new mobile device purchase can be enough to engender goodwill. What’s $100 or $200 when you’ll easily get much more than that back in increased productivity?

No. 2: Having employees expense mobile costs to get reimbursed

The productivity gains organisations enjoy from increased employee mobility can be quickly undermined by something as simple as expense accounts. At some organisations, myopic managers worry about paying for employees’ personal activities. Thus, they require lengthy expense reports for mobile reimbursements. This is a terrible idea. The expense of processing those reports will exceed any dollars saved by preventing employees from doing personal things on the company’s dime. Moreover, the time employees spend filling out those reports will offset mobile productivity gains, and employees will get frustrated by added layers of bureaucracy.

No. 3: Forgetting to separate out different user groups

Another reason some organisations have employees fill out expense reports is that different users generate vastly different mobile costs. If you have a blanket policy of giving employees, say, $50 each month, an employee who, for instance, travels to trade shows often and constantly downloads presentations (and incurs big data usage fees) will feel cheated. Expensing isn’t the answer to different user groups. Separating out those users and having different policies and subsidies for each is a better and more cost-effective method. Even a simple two-tier approach may work well, depending on your workforce. Any employee who is regularly on the go and spends a lot of mobile time on corporate activities should receive a “corporate paid” device, meaning the entire device and plan is paid for by the organisation. Those who don’t spend as much time on corporate activities can then receive a device subsidy and, perhaps, a monthly stipend. Sometimes, for less mobile employees, simply having corporate discounts available to them (negotiated with carriers) is enough of a plan subsidy to make them happy. Many of these discounts also apply to the handsets and accessories. If an employee’s normal voice and data plan is reduced by 25 or even 40 percent because of a company discount, that person is going to be pretty happy about those lower costs, so long as that person’s phone or tablet isn’t primarily used for work.

No. 4: Being stingy with support

Make no mistake, as more consumer devices enter your network, support requests will go up. A mistake many organisations make is being stingy with support. “It’s not our device,” the logic goes, “so it’s not our problem.” This is exactly the wrong approach. For end users, their mobile devices are mission critical. Whether they need them to complete any specific job is irrelevant. Until their mobile device is working again, their focus will be on fixing that problem. Mobile support requests should be considered an opportunity. Not only can your IT staff get the device back to working order, but they can also improve security, double-check that encryption is turned on, and ensure that an antivirus programme is running.

No. 5: Failing to make recommendations on devices

If you don’t make recommendations and provide a list of approved devices, mobile support challenges can overwhelm your support staff. While I strongly recommend not being stingy with support, it’s also not practical to cope with an unending array of devices. Choose a manageable number that still offers workers variety. iPhones will almost certainly be in the mix, as will Androids, but even narrowing Android choices down to a particular handset manufacturer or two will make life much easier on your support staff. Inevitably, workers will call in for tech support when their mobile device malfunctions. If IT isn’t familiar with the device, they really can’t help. Give your employees choice, but not too much. Choice shouldn’t undermine your ability to support those choices.

—This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.


The Security Tools CIOs are Buying Now

What are companies spending that dough on to get the most bang from their protective arsenal? By Pam Baker

Illustration by shigil n

Security issues are so ubiquitous that many CIOs are tempted to bow to the seemingly inevitable and just buy insurance to blunt the losses. Cyber insurance coverage may be a good idea for some companies but it should never be used as a cop-out on locking the data center doors. Fortunately, most companies are continuing to fight the good fight and are barricading their enterprise all the more. Unfortunately, they may not be putting the barricades in the right places. Figuratively speaking, “people are so focused on putting bigger and stronger locks on the doors, metal grating over the windows, and alarm systems ringing the perimeter, they're paying no attention to the shoplifting right under their noses,” said Andrew Brandt, director of Threat Research for Solera Networks Research Labs, a network security analytics provider. “Even an enterprise-class anti-virus Roomba, sweeping the floors on a schedule and emptying the trash, is going to miss those code snippets just beyond the reach of its heuristics or hashes.” In other words, the existing defense weaponry in the company armory isn’t enough to turn the tide against an onslaught of attackers both from within and without company walls. Still, there’s only so much money to go around, so what are companies spending that dough on to get the most bang from their protective arsenal?

Change in tactics

“In the face of more sophisticated attacks and an exploding number of interconnected devices, organisations are now taking a more holistic approach to securing the enterprise, moving away from individual point solutions,” explained IBM's Jack Danahy, director for Advanced Security. But that is not to say that enterprises are no longer spending big money on device protection. “The sheer volume of data and the need to manage the security of all of these many devices is driving endpoint management spending at the device level, while also spurring investment in a new generation of security analytics at the enterprise operations center,” Danahy added.

The goal is to make the device, no matter what kind it might be, impotent from a security threat point of view. “Because of tablet OS limitations, sometimes it is not realistic to implement strong security controls on mobile applications,” said Mush Hakhinian, security architect at IntraLinks, a provider of cloud-based solutions for the exchange of critical business information. “Enterprise IT must have tools to control what class of data can be copied onto the tablets,” he added. “Better yet, the mobile applications should be designed in a way that they do not hold any data on a device’s permanent storage, so potentially sensitive data gets purged when it exits. In an ideal world, the mobile application should have the ability to store only encrypted content anywhere on the device, including the sandbox, and decrypt the content on the fly for rendering.”
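The sandbox design Hakhinian describes can be stated as three rules: nothing reaches persistent storage in the clear, decryption happens only in memory at render time, and the key lives only in memory so that whatever is left behind on exit is unreadable. The following is an added example written for this page, not code from IntraLinks or from any product, showing those three rules on a constructed document. To keep it free of third-party packages the cipher is a standard-library stand-in (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag); a real mobile app would use the platform's AEAD such as AES-GCM. The sandbox directory, file names and the sample document are all assumptions.

```python
"""Encrypted-at-rest content sandbox for a mobile client (added example)."""
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

NONCE_LEN, TAG_LEN = 16, 32


class EncryptedSandbox:
    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        master = secrets.token_bytes(32)                # memory only, never persisted
        # separate keys for confidentiality and integrity, derived from the master
        self._enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        # stand-in cipher: PRF(enc_key, nonce || counter) blocks, truncated to length
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def _seal(self, plaintext):
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _open(self, blob):
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("truncated sandbox file")
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):     # verify before decrypting
            raise ValueError("sandbox file tampered with or from another session")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def store(self, name, data):
        """Cache a document: only ciphertext ever touches the filesystem."""
        (self.root / name).write_bytes(self._seal(data))

    def render(self, name):
        """Decrypt on the fly for display; plaintext exists only in memory."""
        return self._open((self.root / name).read_bytes())

    def purge(self):
        """On exit: delete cached files and drop the keys so leftovers stay unreadable."""
        for path in self.root.iterdir():
            path.unlink()
        self._enc_key = self._mac_key = None


def demo(root=None):
    """Walk one document through the lifecycle; returns what a reviewer would check."""
    root = root or tempfile.mkdtemp(prefix="sandbox-")
    secret = b"BOARD PACK: acquisition target Acme Ltd, offer 42/share"  # constructed
    box = EncryptedSandbox(root)
    box.store("board.txt", secret)
    on_disk = (Path(root) / "board.txt").read_bytes()
    rendered = box.render("board.txt")
    tampered = bytearray(on_disk)
    tampered[NONCE_LEN] ^= 0x01                        # flip one ciphertext bit
    (Path(root) / "board.txt").write_bytes(bytes(tampered))
    try:
        box.render("board.txt")
        detects_tampering = False
    except ValueError:
        detects_tampering = True
    box.purge()
    files_left = len(list(Path(root).iterdir()))
    os.rmdir(root)
    return {
        "plaintext_on_disk": secret in on_disk,
        "rendered_ok": rendered == secret,
        "detects_tampering": detects_tampering,
        "files_left": files_left,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `purge` dropping the keys, and not just deleting files, is that on a real device deleted files are often recoverable from flash; with the key gone, recovered ciphertext is worthless, which is what the "purged when it exits" requirement actually needs.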

Patterns of spend and spin

Current security spend patterns are showing a focused effort on actual security performance and a widening distrust of security vendor claims. In a recent Crossbeam study, complaints against existing security features and products were alarmingly high. Key findings of that report are:

Almost 60 percent surveyed did not trust the performance claims made by security vendors, with mobile operators and education ranking highest.
94 percent of all respondents noted that the performance metrics in data sheets were misleading.
81 percent surveyed had to disable features within the security device to meet their performance goals.
90 percent were forced to make some form of trade-off between security and performance.
63 percent were forced to purchase additional hardware for a security solution because of vendor performance claims that did not match reality.
When evaluating security equipment, 42 percent admitted that they do not test the equipment under real-world conditions.
51 percent said they will be purchasing network security equipment in the next two years or less.
53 percent said they were planning on purchasing a next-generation firewall; 33 percent said they already had.

“Many organisations are finding that their network firewalls operating at Layer 3 or 4 in the TCP/IP stack are having problems protecting against application layer attacks because the traffic is encrypted by SSL,” said Jeff Wilson, principal security analyst at Infonetics. “Lacking the visibility and intelligence to inspect the entire protocol stack, traditional firewalls can’t protect against today’s increasingly sophisticated and massively distributed attacks. In addition, many network firewalls have only a fraction of the connection capacity required to handle the millions of requests per second that typify modern DDoS attacks.”

An S.O.S. for SSL

Another top line item in security budgets is website protection to guard against social engineering, malware and malvertising, although companies are increasingly confused over how to accomplish website security. SSL-related breaches, such as those in the highly publicised DigiNotar and Comodo certificate authority cases, inflamed the public and rattled corporations’ belief in SSL. “A persistent topic in 2011 was whether high-profile SSL breaches signified the impending demise of SSL technologies, and even online trust itself,” said Fran Rosch, vice president, Identity and Authentication Services at Symantec.

“Data indicates that both claims are overblown for 2011 and 2012,” added Rosch. “SSL technology wasn't the weak link in DigiNotar and similar hacks; instead, these attacks highlight the need for organizations to harden their security infrastructure and reinforce that certificate authorities (CAs) must implement standards for stronger security around business operations and authentication processes.” Given the shaken belief in SSL, albeit unfounded, will it be replaced with a different technology? No, says Rosch. “SSL-based authentication solutions for mobile and cloud deployments will become even more popular as customers want their online transactions protected wherever they or their data are,” he said. “Along with SSL, businesses and websites should be implementing two-factor authentication and extended validation SSL (EV SSL), which undergoes the strictest vetting standards on the Internet. Both of these offer added security for both businesses and customers,” Rosch added.

Look for enterprises to push US banks to finally adopt EMV chip card transactions in a big way to help offset fraud that leads to higher charge-backs and liability for website owners. Europe and Asia already use the technology heavily to thwart credit and debit card fraud. The US, as the last major country to rely on the weaker magnetic stripe cards, is now the country with the highest rate of online credit and debit card fraud. One caveat: an EMV chip secures card-present transactions at the terminal; on its own it does nothing for card-not-present (online) payments, which is why it is being paired with additional factors. EMV transactions are not fool-proof either. The technology is constantly being improved upon with upgrades such as cards with built-in two-factor authentication like those produced by Swiss manufacturer NagraID.

—A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times and LinuxInsider.

—This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.

Form IV

Statement of ownership and other particulars about the publication, CIO & LEADER, as per Rule 8

1. Place of publication: Nine Dot Nine Interactive Pvt. Ltd., Bungalow No. 725, Sector 1, Shirvane, Nerul, Navi Mumbai 400706, District Thane

2. Periodicity of its publication: Monthly

3. Printer’s name: Anuradha Das Mathur. Nationality: Indian. (a) Whether a citizen of India? Yes. (b) If a foreigner, the country of origin: N.A. Address: Nine Dot Nine Interactive Pvt. Ltd., Bungalow No. 725, Sector 1, Shirvane, Nerul, Navi Mumbai 400706, District Thane

4. Publisher’s name: Anuradha Das Mathur. Nationality: Indian. (a) Whether a citizen of India? Yes. (b) If a foreigner, the country of origin: N.A. Address: Nine Dot Nine Interactive Pvt. Ltd., Bungalow No. 725, Sector 1, Shirvane, Nerul, Navi Mumbai 400706, District Thane

5. Editor’s name: Anuradha Das Mathur. Nationality: Indian. (a) Whether a citizen of India? Yes. (b) If a foreigner, the country of origin: N.A. Address: Nine Dot Nine Interactive Pvt. Ltd., Bungalow No. 725, Sector 1, Shirvane, Nerul, Navi Mumbai 400706, District Thane

6. Names and addresses of individuals who own the newspaper and partners or shareholders holding more than one per cent of the total capital: Nine Dot Nine Interactive (P) Ltd. Directors: 1. Dr. Pramath Raj Sinha, 2. Mr. Asheesh Kumar, 3. Mr. Vikas Gupta, 4. Mr. Anuradha Das Mathur, 5. Mr. Kanak Ghosh. Bungalow No. 725, Sector 1, Shirvane, Nerul, Navi Mumbai 400706, District Thane

I, Anuradha Das Mathur, hereby declare that the particulars given above are true to the best of my knowledge.

Dated: 1st March, 2012

Sd/- Signature of Publisher

Leonardo da Vinci and the ‘Real APTs’

Illustration by Sristi Maurya

Leonardo da Vinci once said, “Even the richest soil, if left uncultivated, will produce the rankest weeds.” It’s a sentiment with which gardeners everywhere can empathise. If there’s one thing you can be certain of, when it comes to weeds, it is that they thrive on a lack of attention. Much like computer crime. Although many of the details are still not known, it looks as though the recent disclosures of a (very) long-lasting breach at Nortel could be a prime example of the risks of not dealing swiftly with a breach. Back in 2004, it seems administrators noticed some odd activity associated with senior employees’ accounts, specifically downloading sensitive documents. When they investigated, it became clear that a breach had occurred, and they took steps to shut it down. However, those steps did not work.




Nortel's downfall aided by APTs?

Anyone who’s ever dealt with weeds will tell you that you can’t just pull up the stems; you need to get to the roots. And in the case of the Nortel attackers, the roots were still very much intact. During the initial breach the hackers placed spyware on Nortel’s network that allowed them to continue stealing information for a long, long time. Years, in fact. The extent to which Nortel management knew they still had a problem is not clear. What is clear is that once a breach has been discovered the investigation has to be thorough enough to eradicate all traces of the attack. Much like a weed infestation, the problem doesn’t go away if the response isn’t complete enough; it simply goes underground until the time is ripe for it to resurface. Indeed, all that happens is that while some steps get taken to clear up the symptoms of the breach, the attackers in many ways gain time to consolidate their foothold and look for opportunities. Worse, they may now know their initial attack has been detected and will “lie low” for a while to throw off investigators.
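The 2004 signal, senior employees' accounts pulling sensitive documents in an odd pattern, is exactly the kind of thing a modest log rule surfaces long before anyone calls it an APT. The block below is an added example written for this page, not code from the article or from Nortel: it reads a document-repository access log and flags an account that downloads a burst of sensitive documents inside a sliding window, or that makes an off-hours sensitive download from a source address it has never used before. The log format, field names, classifications, thresholds and working hours are assumptions, and the sample log is constructed.

```python
"""Flag accounts pulling sensitive documents in bulk or from unfamiliar sources (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, then key=value fields. Not a real product's format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) doc=(?P<doc>\S+) class=(?P<cls>\S+) src=(?P<src>\S+)$"
)
SENSITIVE = {"confidential", "restricted"}   # assumed classification labels

# Constructed sample: a CFO doing normal daytime work, an engineer touching
# internal material, and a CEO account downloading restricted documents at
# 02:00 from an address that account has never used before.
SAMPLE_LOG = """\
2004-03-02T02:14:05Z user=ceo action=download doc=roadmap.doc class=restricted src=203.0.113.9
2004-03-02T02:15:10Z user=ceo action=download doc=m-and-a.doc class=restricted src=203.0.113.9
2004-03-02T02:16:40Z user=ceo action=download doc=board-minutes.doc class=confidential src=203.0.113.9
2004-03-02T02:18:02Z user=ceo action=download doc=patents.doc class=restricted src=203.0.113.9
2004-03-02T02:19:55Z user=ceo action=download doc=suppliers.xls class=confidential src=203.0.113.9
2004-03-02T02:21:30Z user=ceo action=download doc=pricing.xls class=confidential src=203.0.113.9
2004-03-02T09:05:11Z user=cfo action=view doc=q4-forecast.xls class=confidential src=10.1.4.20
2004-03-02T09:40:02Z user=cfo action=download doc=q4-forecast.xls class=confidential src=10.1.4.20
2004-03-02T10:15:33Z user=eng1 action=download doc=build-notes.txt class=internal src=10.1.9.7
this line is not in the expected format and is skipped
"""


def parse(line):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, window=timedelta(hours=1), burst=5, work_hours=(8, 19)):
    """Return alerts as (user, timestamp, reason) tuples in time order."""
    recent = defaultdict(deque)     # user -> timestamps of sensitive downloads in the window
    known_src = defaultdict(set)    # user -> source addresses seen so far (any action)
    alerts = []
    for ev in sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"]):
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        new_src = src not in known_src[user]
        known_src[user].add(src)    # views count towards "known", so only downloads alert
        if ev["action"] != "download" or ev["cls"] not in SENSITIVE:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) == burst:         # fire once, when the threshold is crossed
            minutes = int(window.total_seconds() // 60)
            alerts.append((user, ts, f"{burst} sensitive downloads within {minutes} min"))
        off_hours = not (work_hours[0] <= ts.hour < work_hours[1])
        if off_hours and new_src:
            alerts.append((user, ts, f"off-hours sensitive download from new source {src}"))
    return alerts


if __name__ == "__main__":
    for user, ts, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {reason}")
```

On the constructed log this raises two alerts, both on the ceo account: the first at 02:14 for a new source address outside working hours, the second at 02:19 when the fifth sensitive download lands inside the hour. The "new source" condition is what makes the rule worth running even at low volumes, since a patient attacker can stay under any rate threshold but rarely arrives from an address the real user has used before.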

And here is the real difference between the average run-of-the-mill cyber criminal, bent on stealing credit cards or whatever other valuables can be snatched off, and the highly professional and possibly state-backed actor targeting valuable intellectual property. For while most organisations spend time defending against the drive-by attackers looking for a quick buck, there are obviously certain industries, especially R&D heavy ones, that must also face the very real threat of focused, technically capable, and above all patient attackers — attackers who don’t think in terms of weeks or months, but years, if necessary. The real, advanced persistent threats (APTs), in fact.

Such attackers require a different level of diligence. Organisations should recognise that building defences in layers is the only hope of catching them. Such defences must start not from the perimeter and work in, but from the sensitive data itself, especially in a world of highly mobile information on distributed networks of devices.

Defending against attackers such as these is never going to be easy or cheap, but unless we are comfortable with the prospect of widespread IP leakage, and the long-term competitive disadvantage that goes with it, a commitment must be made both on the commercial and federal level to build those defences. The type of attackers who so thoroughly breached Nortel aren’t going away. Indeed, they have improved significantly since 2004. It’s a long-term fight, and it’s one that we really can’t afford to simply draw a line under and claim that the problem has been addressed. Otherwise, as Robert M. Pyle said, “Make no mistake: the weeds will win; nature bats last.”

—This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.

30% year-on-year growth is expected in the user authentication market: Gartner

The 3 Major Challenges Facing Your CISO

The EC-Council CISO Summit reveals the most immediate challenges for the CISO

What are the highest security threats that are coming down the pike facing all market verticals, and why? How do CISOs effectively and efficiently manage the ever-evolving information security risk landscape and adequately mitigate that which we cannot control? As I and several other information security executives discussed at the EC-Council CISO Summit, we must take a risk-based approach to manage future security challenges, to address the risks and effectively prioritise our efforts and financial spending. We need to balance the tradeoffs of risk vs. reward and tactical vs. strategic. We are all in the midst of ever-changing technologies and paradigm shifts that carry inherent security challenges: mobile computing, WiFi, 3G/4G, multimedia, cloud computing, social media, personal devices, HTTP tunnelling, increasing regulatory governance, etc. While there are many looming challenges for the CISO, these are the top three which the EC-Council CISO Summit panel found to be the most immediate and far-reaching.

Authentication

Authentication continues to be one of the highest areas of security risk. We know there is a leapfrog effect of the white hats implementing stronger authentication methods and the black hats finding ways to defeat them. Traditional token-based two-factor authentication has had a long lifespan, and rightly so, but what's next? Out-of-band (OoB) authentication is the next evolution of strong multi-factor authentication. OoB still combines two or more of the classic factors: a) something you know (password, PIN, passphrase), b) something you have (token, ATM card, phone), and c) something you are (biometrics). What distinguishes it is the use of mutually exclusive, independent communication networks to authenticate an individual or entity, such as the public Internet and the public switched telephone network (PSTN), so that compromising the web session alone does not yield the second factor. The key is the ability to do this using end users’ native phones, mobile or landline, without requiring any software or hardware installation and providing a smooth user experience regardless of telephone type. The result is a native interactive voice response (IVR) type solution that is completely ubiquitous, regardless of the telephone type.
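What the OoB flow looks like from both sides, as an added example written for this page and not code from the EC-Council, the FFIEC or any vendor: the web channel carries the password (something you know); only after that succeeds does the server push a one-time code to the phone number recorded at enrolment over a second, independent channel (something you have), and the user reads it back on the web channel. `PhoneChannel` is a stand-in for a PSTN/IVR provider; the user names, numbers, passwords, code lifetime and attempt limit are assumptions.

```python
"""Out-of-band second factor over a separate telephone channel (added example)."""
import hashlib
import hmac
import secrets
import time


class PhoneChannel:
    """Stand-in for the PSTN/IVR side: records the calls a provider would place."""

    def __init__(self):
        self.calls = []

    def call(self, number, code):
        self.calls.append((number, code))

    def last_code_for(self, number):
        """What the person holding this handset would hear."""
        for dialled, code in reversed(self.calls):
            if dialled == number:
                return code
        return None


class OobAuthServer:
    def __init__(self, phone, ttl_seconds=120, max_attempts=3, now=time.time):
        self.phone = phone
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.now = now
        self.users = {}      # user -> (salt, password hash, enrolled phone number)
        self.pending = {}    # user -> (hash of code, expiry time, failed attempts)

    @staticmethod
    def _pw_hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enrol(self, user, password, phone_number):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._pw_hash(salt, password), phone_number)

    def begin_login(self, user, password):
        """Factor 1 on the web channel. Only on success is the phone called."""
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, stored, number = rec
        if not hmac.compare_digest(stored, self._pw_hash(salt, password)):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (hashlib.sha256(code.encode()).digest(), self.now() + self.ttl, 0)
        self.phone.call(number, code)   # enrolled number, never one supplied at login time
        return True

    def complete_login(self, user, code):
        """Factor 2: the code read back from the phone. Short-lived, rate-limited, single use."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code_hash, expires, attempts = entry
        if self.now() > expires or attempts >= self.max_attempts:
            del self.pending[user]
            return False
        if hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).digest()):
            del self.pending[user]      # single use
            return True
        self.pending[user] = (code_hash, expires, attempts + 1)
        return False


def walkthrough():
    """Both sides of one login on constructed data; returns the outcomes in order."""
    clock = [1_000_000.0]                       # fake clock so expiry is testable
    phone = PhoneChannel()
    server = OobAuthServer(phone, ttl_seconds=120, now=lambda: clock[0])
    server.enrol("alice", "correct-horse-battery", "+1-555-0100")
    outcomes = []
    outcomes.append(server.begin_login("alice", "wrong password"))          # False, no call placed
    outcomes.append(len(phone.calls))                                      # 0
    outcomes.append(server.begin_login("alice", "correct-horse-battery"))  # True, phone rings
    heard = phone.last_code_for("+1-555-0100")
    wrong = "000000" if heard != "000000" else "000001"
    outcomes.append(server.complete_login("alice", wrong))                 # False
    outcomes.append(server.complete_login("alice", heard))                 # True
    outcomes.append(server.complete_login("alice", heard))                 # False: single use
    server.begin_login("alice", "correct-horse-battery")
    clock[0] += 121                                                        # code expires
    outcomes.append(server.complete_login("alice", phone.last_code_for("+1-555-0100")))  # False
    return outcomes


if __name__ == "__main__":
    print(walkthrough())
```

The phone channel is only as independent as the carrier account behind it: SIM swap and call-forwarding attacks target exactly this link. That is why the number is fixed at enrolment rather than accepted at login, why the code is short-lived and single use, and why wrong guesses are capped, none of which the IVR provider does for you.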

The recent update by the FFIEC to its guidance, Authentication in an Internet Banking Environment, further supports this direction. CISOs need to begin investing in OoB pilots for traditional workforce remote access, for customer- and business partner-facing Web applications, and for internal administrative access to critical technologies. Additionally, strong authentication is the enabling prerequisite for safe and sound single sign-on federated identity management and for trusting SAML assertions.

Cyber warfare

This risk can take many forms, ranging from traditional fraud to espionage and organised crime. The nature of the global Internet is such that the international cyber warfare issue is really a domestic issue. For example, apply the insider threat philosophy, “The goal of an outsider is to first become an insider and then see what they can accomplish,” to the international cyber warfare issue: “The goal of a foreign perpetrator is to first become a domestic perpetrator and then see what they can accomplish.”

Mobile workforce

Finally, CISOs must balance the tradeoffs involved in enabling the mobile workforce. The advent of smartphones and the BYOD phenomenon means our workforce will continue to have personally owned devices with digital cameras, web browsers, personal email, social media, etc. inside the workplace. CISOs must embrace these technologies and formulate strategies and solutions to adequately mitigate the data leak risks by controlling the flow of sensitive company data and information.

—This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.

Illustration by shigil n




Cover Story | Opinions

Imaging by Jayan K Narayanan


Track, Build, Shape

Top technology decision makers speak their mind on CIO&Leader’s positioning statement. Do they deem our ideology to be relevant for today’s CIOs?

Our motivation to launch CIO&Leader is rooted in the evolution of your role and responsibilities. When we set out 12 years ago, the CTO Forum was tagged ‘Enabling the Enterprise’, the very first step in establishing the importance of technology in an enterprise. Before we had even settled on this description, the expectations of you and your office grew beyond simply ‘Enabling the Enterprise’. They began to reflect a larger footprint, from driving productivity and efficiency through technology to providing strategic inputs for the business. This created a need for alignment of technology and business, and we began to incorporate relevant content into our magazines and programmes. Then came the recognition that technology had a huge role to play in ensuring good governance. And slowly but surely, you as the CIO were expected to contribute as much to the business as to compliance and ethics. Our tagline changed to ‘Technology for Growth and Governance’. We moved to offering insights that would help you uphold your organisation’s reputation as well as its business objectives. This marked the advent of the ‘Tech CEO’: the call of the day was to build the IT organisation as an independent unit to drive and build the business, and watch over every other element of a successful venture.

Any observer of organisations and organisational functions would recognise how rapidly the demands on CIOs have changed. And if signs are anything to go by, this is going to be an eternal quest. This is the sweet spot that CIO&Leader intends to occupy: to equip CIOs to lead in an ever-changing environment with new and bigger demands. While you cannot let go of your mastery of technology or of your strategic role in the business, there is a whole new dimension without which all other efforts could come to nought, i.e. how you shape yourself to integrate all of these demands and live your role. And therefore the new tagline of CIO&Leader: Track Technology. Build Business. Shape Self.

While we have received tremendous support from you for the first two issues of CIO&Leader, we thought it was pertinent to get feedback from leading technology decision makers on our ideology. We, therefore, touched base with four leading ‘Tech CEOs’, and sought their opinion on the relevance of our positioning statement for 21st-century CIOs. Turn the pages to know their thoughts.



Anil Khopkar | As CIO, Bajaj Auto, he believes the success of a CIO lies more in his deciding what not to do rather than what to do.


“Make clear cut choices” Anil Khopkar, CIO, Bajaj Auto opines that a CIO should not get awed by the tech deluge. He ought to make clear cut technology choices in the context of his company’s business.

Anil Khopkar
Company: Bajaj Auto
Established: 1945
Headquarters: Pune, India
Products: Motorcycles, three-wheeler vehicles and cars
Employees: 10,250

Conceptually, business and technology are akin to a horse and cart. Business is the horse and technology is the cart. There are times when a CIO puts the horse behind the cart, which obviously doesn’t work. He has to track technology to grow and build business, but he should remember to keep business ahead of technology. A CIO should not try to build business around technology. His role should be to build technology around business.

For a CIO to be relevant in today’s environment of flux, he and his team need to track technology and weigh its relevance to their business. Today, there is a wide range of technology and it is easy for any CIO to lose track of these emerging technologies. For instance, with so much hype around cloud and BYOD, a CIO would think about how he could adopt these technologies in his enterprise. However, he should not get awed by the hype. Instead, a technology leader should make clear-cut choices in the context of his company’s business. A CIO has to know his customers, understand their work, see the processes they follow, and learn how they drive business. Only then can he come up with the relevant technology to support their business and processes. To drive business growth, a CIO has to consider himself as one of the business people.

While tracking technology to eventually build business is important, it is impossible for a CIO to achieve this unless he shapes himself too. He has to lead from the front and keep his team motivated. He has to realise his potential and make his team realise their potential as well. As a CIO, he needs to take a firm stand when it comes to deciding which technology to adopt. The success factor is not so much a CIO's decision about what he wants to do. The success factor is more his decision regarding what he doesn’t want to do. For instance, in the context of Bajaj Auto, we took the strong decision that the time had come when we would not do scooters. So, while it is about doing motorcycles, it is also about not doing scooters. We also decided to manufacture four-wheelers but simultaneously decided that we would not manufacture a car. By taking this decision, our market and customers got aligned in a different segment. When we announced we would be developing a car, people thought we would be competing against the Nano. But our product doesn’t compete with the Nano. General Motors, on the other hand, makes all sorts of vehicles, small, medium and heavy, but are they in control? On the other hand, look at Ducati, which specialises in motorbikes, and that too only high-end ones. Or look at Porsche for that matter. Their volumes may be low, but they are amongst the most profitable automobile companies, totally in control of their business. In our industry, Bajaj Auto has one of the highest EBITDA. This is because I have focused on those technologies that are relevant and in context to my business. Understanding the business and deciding to implement the right technology will eventually bring harmony between technology and business.

March 2012

29


Anil Jaggia | CIO, HDFC Bank, feels certain technologies are blown out of proportion and a CIO should not be carried away in this hype




Opinions | Cover Story

“Partner to build business”

Anil Jaggia, CIO, HDFC Bank, strongly feels that a CIO should partner with the business guys in his enterprise to drive growth.

Anil Jaggia
Company: HDFC Bank
Established: 1994
Headquarters: Mumbai, India
Services: Banking and Financial Services
Network: 2,201 branches spread across 1,174 towns and cities in India

Technology means different things to different people. Depending upon what size of company you are, there are different technologies that are of interest to different people. From a CIO’s perspective, keeping track of the latest developments in technology is of prime importance. It is his lifeblood. Having said that, there are times when certain trends and technologies are blown out of proportion. It is here that a technology leader needs to tread carefully. For instance, Bring Your Own Device (BYOD) is made out to be a bigger term than what it is. I do 99 per cent of my stuff on my iPad. The same is the case with virtualisation. While there is so much hype around desktop virtualisation, we already have 200 branches which have fully virtualised desktops. On average a branch has six desktops, which takes the number of virtualised machines to around 1,200 desktops. In the next four to five years, we will have everybody on virtualised desktops. While technology is essential, a CIO has to leverage it to drive business growth. This is where the importance of building business comes in. Today, in the era of BYOD, I feel a CIO can drive business growth by enabling people to do everything that they want to do from wherever they want to. Personally, I believe in making sure people have choices. To add value to the business, a CIO has to be aware of the day-to-day business of the company. He has to work with the business guys, sometimes guide them and sometimes show them new ideas.

However, CIOs need to understand that they are not the only ones who build business; they are partners in building it with the business guys. Participating a lot in business meetings is a good way for a CIO to understand what is happening in the business. Shaping self is an extremely vital aspect for a CIO, not just professionally but also in personal life. Research has shown that the highest-performing CIOs are effective because they embrace the idea that everything they need to accomplish will be achieved through people, by people, and with people. For this, they need to shape themselves into a people person. In order to lead both in the office and in life, a CIO can’t just talk about this, he needs to live it. Not just himself, a CIO also needs to shape his team. We at HDFC Bank are progressing towards more and more sophisticated training programmes to train every employee on technical and leadership aspects. As a CIO, I encourage my team members to attend a lot of industry seminars and conferences on technologies.




Sandeep Phanasgaonkar | CIO, Reliance Capital, opines in the future, the CIO will no longer be the person solely responsible for purchasing technology





“Believe in the power of human touch”

Sandeep Phanasgaonkar, CIO, Reliance Capital, believes that while digital platforms increase efficiency, nothing can beat the power of one-on-one interaction.

Sandeep Phanasgaonkar
Company: Reliance Capital
Established: 1986
Headquarters: Mumbai, India
Services: Asset Management, Insurance, Broking and Distribution, Commercial Finance, Mutual Funds, Equity Broking & Wealth Advisory
Employees: 11,000

The CIO’s role today is half technology and half business. This implies that he needs to keep a keen eye on both. With a large part of the customer population, especially the younger generation, now using social media and mobile devices, it has become imperative for a CIO to keep track of technology. If he fails to do so, he would not be able to do business with them. Also, new technologies tend to be interconnected -- thin clients are related to mobility and cloud. These technologies are very dynamic and a CIO needs to be on top of them. Business people are looking at how technology can help in terms of connecting them to the customers. A CIO, therefore, needs to be aware of not just the pain points of doing business (operations) but also issues related to customer satisfaction. Understanding the various aspects of business can help a CIO simplify several complex processes through the use of technology. He can reduce the turnaround time, rectify errors and mitigate pain points. Reaching out to the customers, understanding their needs, and leveraging technology to solve their problems is the key. By doing this, a CIO will also become aware of the business and help drive growth. A CIO cannot live in a silo and think only about technology; understanding business is equally important. As the ability to work is increasingly being shaped by technology, it is also shaping the personality of a CIO. The new-age technology leader will have to shape up and communicate on the totally digitised platform.

While these three points (tracking technology, building business and shaping self) are important, I always feel that the relationships a CIO creates with people carry a very high value. Although today’s digital world has increased efficiency, it has lost the power of the human touch. An actual one-on-one conversation creates much stronger bonding and trust between two people. I feel a technology decision maker needs to strike that balance between the digital world and human bonding. Over the next three to five years, I see the role of a CIO undergoing a change. The CIO will no longer be the person solely responsible for purchasing technology. People will go and buy technology on their own and start using it for their own work as well as the company's work. So, in a way, the complete dependency on the CIO for delivering 100 percent of IT, the TCO of IT and its RoI will get diminished. With the end users themselves getting their own technology, a lot of responsibility will be on them to ensure that it is working. The end users’ life will also change. They will become more of change agents. I feel probably the whole business of maintaining applications will start changing in the next three to five years.




C N Ram | CIO, Essar Group, believes the next five years could see a lot of CIOs becoming CEOs.





“CIO Role Demands Agility”

C N Ram, Group CIO, Essar Group, feels that for a CIO to be in tune with the times, he has to be agile and deliver consistently towards his organisation’s growth.

C N Ram
Company: Essar
Established: 1969
Headquarters: Mumbai, India
Services: Infrastructure, Energy, Telecom
Network: Operations in more than 20 countries across the world

I feel the positioning statement of CIO&Leader epitomises the mandate for the 21st century CIO. The three spheres – technology, business and self – symbolise the most critical areas a CIO has to focus on. From the standpoint of tracking technology, I believe it is the lifeline for a technology decision maker. Given the array of technologies that we have today, it is a perplexing situation for a CIO. It is tough for him to zero in on a technology that he could profitably use for his organisation. While on the one hand there is a lot of dependence on core brands such as SAP and Oracle, on the other hand there are several peripheral systems emerging. Google, for instance, is one such fast-emerging company that may not be getting into the mainstream as yet but is giving a very powerful edge around the core. The core (traditional vendors) is evolving slowly but the edge (emerging players like Google) is changing rapidly. So will it impact the core eventually? It might. Nothing is static. The players at the core are trying to reinvent themselves by developing appropriate solutions. The aim is clearly to retain existing customers and attract new ones, because new customers may not subscribe to old technology given the array of choice they have. Besides tracking all these technology developments, there is yet another challenge for a CIO. While he may be ready to usher in a change, his business guy would be willing to change as well. A CIO, therefore, will have to go about changing technology in a structured and gradual way. But all in all, keeping track of technology will never go away for a CIO.

The importance of building business for a CIO cannot be overlooked. At the end of the day, whatever technology a CIO deploys, it has to make a positive and quantifiable difference to the business. There are instances when the business guys are uncomfortable using a technology. The reason is not that they are afraid of technology. The reason is that the CIO is not able to influence them properly. For technology decision makers to get internal users to shift to a new technology, they need to look at applications that are ready-made, available and interoperable. From the perspective of shaping self, I feel the CIO needs to recognise the fact that he needs to run his department as a separate business unit. He needs to shape up to shoulder the responsibility for the profit and loss associated with his IT department. I feel there is also an opportunity for a CIO to evolve into a CEO. The CIO identity in an organisation is a fairly recent phenomenon. I would say that it is in the last five-six years that organisations started to care about CIOs, whereas the CFO and the CMO have been there for several years. The CIO is responsible for reducing costs, enabling growth, getting the supply chain to work efficiently, and ensuring delivery of finished goods. Wait for another five years and you will see a lot of CIOs becoming CEOs. The role of the CIO will continue to evolve. He will have to be agile and deliver consistently to an organisation’s growth. Keeping an eye on the three spheres will help him achieve this.





Overcoming the Three Career-Limiting Myths

Do you believe that IT leadership is only applicable to those with formal responsibility to manage others? If so, then you've fallen prey to the three false and highly limiting beliefs about IT leadership. These three beliefs are held by IT pros on all rungs of the organisational ladder.

What exactly is IT leadership? Since I spend an awful lot of my time teaching leadership skills to IT professionals and managers, it’s a question I get asked on a regular basis. For a while, I answered the question with a synthesised review of different academic theories of leadership and how these apply to the world of the IT professional. Result? Glazed eyes and frustration. Trial and error yielded what I thought was an answer that would drive engagement and discussion rather than provide an exact definition. The new response went like this: IT leadership is a lot like pornography. I can’t tell you exactly what it is, but I know when I see it and when I don’t. But, more important than defining it is learning to see when you need to provide it and how to do just that. I liked the laughs this answer got, and the interest it seemed to create with workshop attendees. But questions about the scope and nature of IT leadership kept coming up throughout the day. During one session a few months ago, a bright young analyst asked very matter-of-factly, “Why, exactly, am I at this leadership training? I don’t manage anybody.” I responded with a question that was directed at the entire room of about 30 IT professionals: “Do you believe that IT leadership is only applicable to those with formal responsibility to manage others?” Imagine my surprise when nearly all of the attendees raised their hands.

This was my “aha” moment. See, all this time, I’d thought people were asking about the nature of leadership and how it differs from management. In reality, it wasn’t an academic question at all. It was a question of basic relevance. And most non-managerial IT professionals (at least those showing up in my workshops) weren’t exactly sure of the relevance. Over the next several months I explored this issue carefully. I asked IT professionals, managers and leaders a number of questions about leadership in general and IT leadership in particular. These questions included: Which are the biggest leadership challenges facing IT pros today? What are the leadership skills needed most by IT pros? Who in the IT organisation should acquire which skills? Why is it important to have IT leadership skills in the first place? The collective answers to these questions revealed many important things about the nature of IT leadership development. The answers also helped explain why CIOs so frequently complain about the lack of leadership skills and abilities of their people. Among the important insights the survey uncovered were the three false and highly limiting beliefs about IT leadership. These three beliefs are held by IT pros on all rungs of the organisational ladder:

1. IT leadership only applies to managers with staff to manage.
2. Leadership is mostly about motivating people and getting them to do what you want. Leadership is leadership.
3. There is little difference between IT leadership and any other functional leadership.

“Leadership is fundamentally about the way one behaves that inspires and motivates others to follow them”

Let's debunk these limiting beliefs in reverse order.

Myth No. 3: Most people would agree that leadership is fundamentally about the way one behaves that inspires and motivates others to follow them. And while there are certain behaviors that are generally applicable to all functional areas of life and work, there are wide variations in what motivates people in one functional setting versus another. For example, political leadership skills and motivations are vastly different from ethical or educational leadership skills and motivations. That’s why we often find that people are well suited for one type of leadership role and totally unsuited for another. This is an especially important point when considering the functional context in which IT professionals need to demonstrate leadership. For example: It is not uncommon for a business analyst (with five or so years of experience) to “lead” a group of middle managers (each with an average of 15 years of experience) to agreement on a new business process and how it should be automated. The skills required by this business analyst, to drive this type of content-based facilitation, are vastly different from the skills required by a mid-level sales executive who is “leading” a new team of distributors.

This same example serves us equally well in debunking mistaken belief No. 2, i.e., that all leadership is essentially about getting others to do what you want. The business analyst I described above doesn’t personally “want” anything. His leadership role is to help his colleagues articulate what they want. The leadership he needs to deliver is in showing others a path to their success, NOT in getting them to walk in his path. This style of facilitative and consultative leadership (as opposed to managerial leadership) is a hallmark of IT leadership and applies to all levels of the IT organisation.

This example also debunks mistaken belief No. 1, that leadership is only for managers with staff to manage. It demonstrates that IT leadership is mostly about inspiring, influencing, facilitating and guiding people you interact with, whether these people work for you, or are your peers, your boss, or the stakeholders of a specific IT operational system or project.

Bottom line: IT leaders and professionals alike need to let go of their very limited views of what IT leadership is, and to whom it applies.

Marc J. Schiller, author of “The 11 Secrets of Highly Influential IT Leaders,” is a speaker, strategic facilitator, and an advisor on the implementation of influential analytics. He splits his time between the front lines of client work and evangelising to IT leaders and professionals about what it takes to achieve influence, respect and career success.

— This opinion was first published in CIO Insight. For more stories please visit www.cioinsight.com.





Special Section: Leadership

“As we look ahead into the next century, leaders will be those who empower others.” —Bill Gates




Introduction

This special section on leadership has been designed keeping in mind the evolving role of CIOs. The objective is to provide an eclectic mix of leadership articles and opinions from top consultants and gurus, as well as to create a platform for peer learning. Here is a brief description of each sub-section that will give you an idea of what to expect each month from CIO&Leader:

My Story (page 42)

The article/interview will track the leadership journey of a CIO/CXO to the top. It will also provide insights into how top leaders think about leadership.

Top Down (page 41)

This feature focuses on how CIOs run IT organisations in their company as if they were CEOs. It will comment on whether IT should have a separate P&L, expectation management of different LoB heads, HR policies within IT, operational issues, etc. This section will provide insights into the challenges of putting a price on IT services, issues of changing user mindset, squeezing more value out of IT, justifying RoI on IT, attracting and retaining talent, and competing against external vendors.

Leading Edge (page 44)

An opinion piece on leadership penned by leadership gurus. Plus, an insightful article from a leading consulting firm.

Me & My Mentee (page 47)

Cross-leveraging our strong traction in the IT Manager community, this section will have interviews/features about IT Managers and CIOs talking about their expectations, working styles and aspirations. In this section, a Mentor and a Mentee will identify each other’s strengths and weaknesses, opine on each other’s style of functioning, discuss the biggest lessons learnt from each other, and talk about memorable projects and shared interests.

Shelf Life (page 52)

A one-page review of a book on leadership.

The Best Advice I Ever Got (page 46)

Featuring a top CIO/Technology Company Head and the best guidance/recommendation he received with respect to his personal or professional growth. The advice could relate to dealing with people, managing personal finance, and balancing work and life.


Top Down

Edward Goldman

CTO and GM Strategy & Architecture, Intel

Focus on Leadership & Innovation

Edward Goldman, CTO, Intel, speaks to Ankush Sohoni about the various aspects of being the tech CEO at the company.

At Intel, we strongly believe in cultivating a leader in every individual. For someone responsible for the IT department, it is important to build the next line of leaders. To enable the same, I run an IT leadership programme. We use this to help our teams get their strategic skills. I believe this is extremely crucial, especially for IT employees. Technology teams definitely need to be trained so that they can look beyond just pure technology skills and also look at acquiring strategic skills like people management, resource management and so on. This allows them to work better and it expands their knowledge base to a great degree. As part of this programme, I help my team mentor under the right people so that they can be exposed to various perspectives around them. It is very important to empower people with leadership programmes like the one we have on IT leadership, because it prepares them for a time when they can apply their learnings to practical scenarios.

Leadership is about taking up something that you’re passionate about and driving it forward. We believe that through initiatives like our IT leadership programme, we do have many participants who emerge as good leaders, who can share their vision with the rest of the team and help them see value in what they are doing. Recognising what someone has done is also very important. It is one thing to have your vision executed the way you envisioned, but getting your team to a point where they can help you do this (through mentorship programmes) is a very important aspect of leadership from an organisational development perspective. At the end of the day, I really think it’s a matter of creating an ecosystem of leadership in your organisation. There are some key aspects to this whole equation. The first is creating the vision for people to look forward to, and the second is enabling your teams to translate your vision into reality for you. My job as their leader has allowed me to help them grow to a point where they can take my vision and execute it flawlessly. This kind of flawless execution also comes with teams that you begin to trust and mutually benefit from.




My Story: Umesh Jain

“Balance Strategy and Execution”

Umesh Jain, CTO & Sr. President, Yes Bank, talks to Ankush Sohoni about the inherent leadership challenges that CIOs face and how they can map their growth strategy.

Umesh Jain serves as Sr. President & Chief Information Officer at Yes Bank. Jain has over 18 years of experience working in the banking industry. Before joining Yes Bank, Jain was the Business Head - Corporate and Investment Banking Technologies at Citigroup IT Operations and Solutions.

Tell us about the CIO role today and the leadership journey that it entails.

The CIO role has evolved immensely over the past few years. If you looked at enterprises close to 7-10 years ago, the highest technology position was probably an Executive Deputy Systems Officer. This then evolved to Head of Technology, which then evolved into the Chief Information Officer (CIO). The CIO role today involves a huge chunk of a general business leadership role. So, very few CIOs today really dabble in core technology. This is taken care of by CTOs (at least in organisations that have a formal structure). Today CIOs are more concerned with strategic decisions that can ease enterprise operations and streamline processes, so that the technology implemented can have maximum impact on the organisation. Apart from this, CIOs need to be extremely well-aligned with the enterprise business goals and enable them using technology. So, while all of us do need to evolve, there is certainly a gap when I look at it from a practical standpoint. Yes, all of us need to evolve, but have we evolved? Well, the answer is No.

At what point of the leadership journey are CIOs and what are the challenges you see in their way?

At this point of time, CIOs are somewhere in the middle of the continuum, if you ask me; hence it is extremely important that a CIO performs an exceptional balancing act. If I had to break it down, I would do it in terms of four dimensions that need to be worked on. The first is domain expertise. It is extremely important for my team to be as good in understanding the business as they are in understanding the need for a certain implementation or a certain contract. Only when they understand the need for a certain technology can they collaborate and have a value add to offer. On the other hand, if you are not aligned with business needs, you end up more as a person who starts taking orders. This above-described situation is one of the aspects of the whole equation. The evolution does not come naturally to us, but it defines how much you can grow as an individual. This evolution does not come naturally to a lot of us, but it has to be done. When it comes down to general management and leadership, these are two aspects that technology folks in general need a lot of grooming on. Most technology workers come from an engineering or science background where performance is based on pure quantitative aptitude. Now, although these people are natural-born problem solvers and are great at brainstorming and solutions, put them in a room where they have to influence key stakeholders and they will be lost. Which is why learning about management and leadership are two extremely important aspects of growth in a technology career. So when it comes to these aspects, a lot of techies need grooming. There are of course ways to do this. Techniques like training workshops and mentoring can certainly help someone see how business goals are created and defined, and the kind of impact that technology can have on these. The last dimension in my view is the technology itself. In the days gone by, we at least had Moore’s law to rely on. This is now obsolete and technology is changing extremely rapidly. So one is expected to keep track of the technologies and how they apply to organisations.


Umesh Jain | Interview

5 Points

1. The CIO role has evolved immensely over the past few years
2. Most CIOs are coping with a huge amount of expectation that they have to live up to
3. As a technologist, you are expected to keep in sync with the latest technologies
4. CIOs also need to understand how to balance strategy and execution
5. Being the leader of an organisation entails multiple parameters, and in order to be successful, you really have to balance them well

Given the scenario you have drawn out for us, how can a CIO grow as a leader in his organisation and among his peers?

The current paradox that most CIOs are coping with is the amount of expectation that they have to live up to. As a business leader you need to know the business in and out. As a technologist, you are expected to keep in sync with the latest technologies and computing concepts – not only in the capacity of knowledge but also in terms of application. They also need to understand how to balance strategy and execution. Since you have to get work done from so many people who are not from your organisation, you have to balance strategy with execution, and it is difficult to balance both. Sometimes people are more execution-centric as opposed to strategy-centric, or vice versa. To give you an example, this is what I went through. I am primarily execution-centric, but as a CIO I was expected to strategise as well. I was not too good at strategising and had a tough time. One has to keep strengthening both sides of the equation and balance them well. It is important for CIOs to realise that being the leader of an organisation entails multiple parameters, and in order to be successful, you really have to balance them well.

Photo by Jiten Gandhi




Leading edge

Sven Smit
The author is Director in McKinsey's Amsterdam office.

The right leaders for your growth strategies

It takes a mix of leaders and talent to pursue a variety of growth strategies simultaneously. Few executives can do it all.

By Sven Smit

Is there a link between growth and specific leadership traits? We’ve tried to shed some light on this question by integrating two unique databases: McKinsey’s granular-growth database, with information on the growth performance of more than 700 companies, and a database created by the executive search firm Egon Zehnder International that contains performance appraisals of more than 100,000 senior executives. The overlap between the two databases—a group of 5,560 executives at 47 companies across a broad range of industries—allowed us to examine in detail the relationship between leadership competencies and revenue growth. We found that leadership quality is critical to growth, that most companies don’t have enough high-quality executives, and that certain competencies are more important to some growth strategies than to others. Companies that know how they want to grow can use these insights to cultivate the right skills in top executives.

Only 1 percent of the executives in our sample achieved an average competency score of 6 or 7 out of 7 (although excellence in a single competency was more frequent). Just an additional 10 percent had an above-average score of 5. That’s a challenge for growth-oriented corporations because leaders with high competency scores appear to make a difference: for every competency we reviewed, executives at companies in the top quartile of revenue growth scored higher than their counterparts at companies in the bottom quartile. Similarly, companies where the top teams as a whole had excellent scores (that is, 6 or 7) on the various leadership competencies were also those with strong corporate revenue growth. On the other hand, we found no measurable correlation between revenue growth and teams with solid but unexceptional leadership. Since such a small percentage of executives had above-average scores across all competencies, trying to jump-start growth by looking for great “all-rounders” is a risky bet. An alternative approach is for companies to cultivate specific competencies correlated with growth in their existing teams or to seek new talent with the needed skills.


Illustration by Raj Verma


If your company is seeking a launching pad to improve performance, the analysis shows that one competency drives the greatest gains: delivering customer impact (defined as the capacity to understand customers’ evolving needs). Companies that had a critical mass of executives who got excellent (6 or 7) scores in this competency recorded superior growth consistently—both organically and through acquisitions. What constitutes critical mass? Companies where at least 19 percent of the senior executives excelled at customer impact were also the most likely to achieve above-average revenue growth (in the top half of our database). For a company to be highly likely to have superior growth (the top quartile), 40 percent of its senior executives needed to be highly skilled in that area. So all of an organisation’s leaders don’t need to be top flight at customer impact, but when a substantial number are, the impact on growth can be significant.

Tailor talent strategies to growth priorities

At most large companies, of course, there isn’t just one growth strategy. Rather, companies rely on a diversity of approaches that vary by business segment and by circumstance: at times executives might place more weight on acquisitions, while at others they focus on stealing share from competitors, for example. Our analysis shows that high growth rates for these different strategies are associated with excellence in a range of leadership skills wielded by managers at various levels of the organisation. Consider portfolio momentum growth, which flows from market growth across a company’s existing business segments. To drive this type of growth, senior managers beyond the top team typically need to execute a strategy effectively across often far-flung organisations. Senior managers at companies in the top quartile of this growth category were highly rated in competencies relating to dynamic people and organisational leadership: developing organisational capability, change leadership, and team leadership. By contrast, companies in the top quartile of M&A-driven revenue growth had top-leadership teams that excelled at a broad range of skills. The first is market insight—looking beyond a company’s current business landscape to discern future growth opportunities. That competency no doubt supports the identification of deals, while another competency crucial for M&A-driven growth—a well-honed orientation toward achieving results—helps in postmerger integration. If your company pursues multiple growth strategies, the talent bar is even higher. Our study shows that the average skill level of top teams at companies with a dual-growth strategy—defined as top-quartile performance in two of the three strategies (portfolio momentum, stealing share from competitors, or growth through acquisition)—was almost one and a half times that of their single-growth-strategy counterparts on key competencies.

In short, to achieve stronger growth, companies must not only assemble a critical mass of talent, which will require attracting and retaining an “unfair” share of excellent leaders, but also align these leaders’ roles and skills with the companies’ growth strategies. In our experience, the best companies conduct detailed assessments of the talent required—across the organisation and by business unit and geography. They then create clear leadership-development targets for executives and managers and incorporate these targets into performance-management, recruitment, succession, and reward processes. In this way, top companies systematically build excellent leaders with the skills needed to drive growth.

This article has been sourced from the McKinsey Quarterly.



The best advice I ever got

V.C. Gopalratnam, VP, Information Technology & CIO, Globalisation, Cisco

Have a Good Business Acumen

The best advice that I ever got was that as a CIO one needs to have good business acumen. A CIO really needs to understand what the key business drivers for his enterprise are. The language of business is finance. Most of the business acumen starts from finance. You therefore need to understand what drives revenues, what drives profitability, what is your competitive positioning. You need to have the commercial skills and also have the ability to take what you do as a CIO and relate it in business terms to the business stakeholders. I personally feel that an IT professional needs to be a business professional first. As organisations start to focus on customer centricity, CIOs also need to interact closely with not only internal but also external customers in partnership with your sales community. IT needs to build solutions for internal productivity and external growth. The CIO has to interact with every business unit in the company and therefore, whatever he tries to achieve in the organisation needs to be achieved through people, by people, and with people. He not only needs to be good at his job, but understand the roles of other C-level executives well. While there is no going back on the customer centricity part, he needs to ensure that he clearly understands the complexities and challenges involved in every aspect of business and not just challenges with IT.

So, what I started to do at Cisco, I began working with our sales team and met our key customers to help them understand where their infrastructure and technology is today and where the world is headed. So, I personally work with the customers to tell them how they can go from point A to point B in their technology migration strategy. This way, I went beyond my role as a CIO and stepped into the shoes of a salesperson, but at the same time complementing it with my core expertise in IT and at the same time acting as a consultant. We make sure that we run our products in our infrastructure. Then I talk to the customers and tell them our first-hand experience with the technology. What went well, what we did differently and what we could've done differently. For example, we have deployed consumerisation of IT internally at Cisco and therefore, when I meet our key customers with our sales team, we don't only tell them the benefits of consumerisation of IT but share our entire experience doing it internally. In this way, we can easily translate our internal initiatives into business opportunities for the organisation and also gain customer mindshare. Therefore, a CIO needs to wear multiple hats in the organisation as per the demand of the environment. He needs to be a tech CEO at times, a salesperson at times, a marketer and even a consultant.

—As told to Varun Aggarwal


me & my Mentee

MENTOR

CR NARAYANAN CIO, TULIP TELECOM

MENTEE

RANJIT KUMAR

MANAGER – SAP, TULIP TELECOM

Keeping an Open Mind is the Key

What do you look for in a mentee/mentor?

CRN I look at the energy levels of a person and his adaptability to situations. He has to be innovative. He should not accept everything being told but should be able to question and take up a task only once convinced. He should have multifarious interests and should be able to contribute to good and interesting discussions. Over and above all these, the mentee should have an open mind.

Ranjit I seek five Cs in my mentor:
• Committed: My mentor should be committed to the growth, development and cultural integration of my professional career.
• Confidential: Many a time, a mentee wants to be open and honest about his work experience as much as possible; therefore, my mentor should be capable enough to keep things confidential.
• Communicative: My mentor should be very communicative. The dialogue between the two actually develops the strong professional and personal relationship which is a key characteristic for the growth of both persons.
• Conceptual and Technical Knowledge: My mentor should be able to demonstrate conceptual and technical knowledge to the mentee to give him/her significant guidance.
• Contributive: My mentor should be able to spend an appropriate amount of time and should have enough emotional intelligence to solve conflicts and differences of opinion in a contributive way and should have harmony among his/her team members.

How do you identify and prioritise areas where you think your mentee needs to focus on for further professional development?

CRN Nobody is perfect and there is scope for improvement. This applies both to the mentor and the mentee. I would like my mentee to have a balanced life in terms of social and office life. If this is skewed, my first task would be to put the balance in place. I would look out for all-round development and not like a frog in the well. These aspects are very necessary for professional development.

Do you think your mentor spends enough time with you? How do you think your mentor could contribute more towards your professional growth?

Ranjit Whenever I am in need of any guidance or any discussions with my mentor C R Narayanan, he is most of the time available to help. I personally feel CRN gives me an appropriate amount of time not only for professional assignments but also for the growth of my professional career. CRN is a very good listener and guides me accordingly. A mentor plays a very vital role in the growth of the career of an individual. I have been blessed with this significant opportunity to work with CRN directly under his guidance.




How do you think your mentee can take on more responsibilities and take more/bigger decisions?

CRN The only mantra for this is to give full freedom in terms of responsibility and power. All the mistakes need not be pointed out but have to be diplomatically conveyed. Micro-management should be avoided. The responsibility for mistakes would need to be owned by the mentor, which gives the mentee the confidence to assume higher responsibility.


What are the two or three key things you have learned from your mentee?

CRN There is learning possible from everyone and learning is a continuous process. Ranjit is endowed with so many qualities which I would like to acquire. He has taught me to be patient and has many times cajoled and convinced me into not taking some harsh and impulsive decisions. He has a great capability in mingling with all types of people appropriately, which I have been able to emulate.

Ranjit I have learnt three key things from CRN:
• Time Management: A great balance in spending time in your personal and professional life can make you successful in all aspects. CRN is very good at maintaining this.
• Keeping the cool: Keeping your cool in case of a disaster gives you the opportunity to solve the problems before the situation goes out of control. Sometimes when we got impatient about a major issue with an important IT project, he guided us with lots of patience and motivation to get out of the problems and, surprisingly, it clicked.
• Interpersonal Skills: CRN has demonstrated success in establishing and maintaining professional networks and relationships, both inside and outside the organisation, both personal and professional, both online and offline. This interpersonal skill makes him highly successful.

What are the challenges and constraints for a mentor/CIO to devote more time and effort for the development of their immediate juniors?

CRN It is an incorrect notion that the mentor has to spend a lot of time in developing the juniors. It is basically the management style. If you are able to guide the mentee at the conceptual level and leave the intricacies to the mentee to fend for himself, then there is no need to spend too much time. As a CIO, one needs to spend only about 30-40 percent of the time on day-to-day activities and the rest on innovation, creativity and knowing the pains of the business.

Are there any conflicts between you and your mentee? If so, how do you resolve them (you may also cite one or two instances)? If not, what do you think is the secret of your smooth working relationship?

CRN There have to be conflicts and differences of opinion, else it will be a boss and subordinate relation which will explode after a certain point. This can happen only with an open and healthy discussion. The mentor should be ready to accept his mistakes and not stick to his point of view. There is nothing called resolution but accepting the right point of view. Recently there was a need to evaluate a BI tool for the organisation. I was inclined to buy a certain tool but Ranjit was not in agreement about the selection. This point was deliberated with context to Tulip's environment. He could spell out the pros and cons, which was quite convincing, and I changed my point of view. Similarly, when there was a decision to be taken on the selection of the implementing partner for SAP, the management along with Ranjit was keen to go with a Tier-1 implementing partner since Tulip had already burnt its fingers with an SAP implementation earlier. But I could convince Ranjit about the reasons for my decision to go again with a new Tier-2 partner. Then he was with me in making the presentation to the management and getting the nod from the management.

Ranjit Conflict of opinion is a real thing to happen in the educated world. Managing conflicts of opinion in a healthy learning process is a fundamental skill of a leader. That is what I learned from CRN most. Many a time, whenever we have a conflict of opinion, we talk openly with each other about the issue at hand and we actively listen to what the other person is saying.

Does your mentor delegate enough tasks and responsibilities to you? How often do you take decisions yourself? How would you like the situation to change (if at all)?

Ranjit CRN believes in not only delegating responsibilities but giving opportunities to do them. During the major IT projects of the organisation, I got a lot of opportunities to complete my tasks. That has given me immense opportunity to take decisions independently. I am now ready to take up new challenges in the organisation because I know that my mentor will give all sorts of support to help complete the responsibilities given to me.

Please share your views on the role you think a CIO can play in mentoring IT managers and take them to the next level.

CRN Every person has the potential to do good work and it is the responsibility of the senior to find the same and put him on the right track. They have to be given higher responsibilities with authority to gain confidence. The mistakes should never be reprimanded in front of others but at the same time conveyed in a diplomatic manner. They should be asked to spend more time with the user group rather than with their team.

What are your views on the need for a mentor for IT managers in realising their full potential?

Ranjit In this dynamic world of IT, an IT manager can only grow with the opportunity to take on the new challenges of changing technologies. The role of a mentor is vital to understand the potential of the individual so that he can get the opportunity to prove his worth to the organisation. A mentor's confidence in his IT manager gives the mentee a great chance to realise his full potential and grow with new initiatives and knowledge. IT managers are most of the time under tremendous pressure to complete the business requirements of the organisation, and thus always get busy with the routine chores of the job. A mentor, on the other hand, involves him in many other new things, which grooms the IT manager for multitasking and guides him/her in prioritising the work, which is always a great help for professional growth in the growing roles.

—As told to Sanjay Gupta



OPINION David Lim

Negotiation Lessons from the Jan Lokpal There is a lot that corporate leaders can learn and imbibe from the way in which the Jan Lokpal Bill and the negotiations around it are going

You can't have visited India in mid-2011 without learning something about the agitation and political give-and-take related to the Jan Lokpal Bill and the attendant sound and fury. So what can we, as leaders, learn from the negotiation approaches taken by the various camps involved? While not an expert or a scholar in these matters (unless a degree in Law that included constitutional law counts), here's my view as a negotiation expert on what transpired and what the two sides could have done to get more traction. The context seems straightforward: The Hindu reported that nearly US$1.5 tn in 'black money', or illegally transacted funds from India, lies in Swiss banks. Since 1968, an ombudsman bill has been unsuccessful in clearing India's Parliament on a dozen occasions, at the cost of many crores. The establishment of such a Bill, and the organs thereof, is viewed by many in India as one more weapon in the fight by ordinary citizens against corruption. When the 2010 Lokpal Bill was offered, many social activists, including the Gandhian Anna Hazare, thought it was insufficient, and mooted their own "citizen's bill" — the Jan Lokpal. Right from the outset, there were issues which affected the negotiation ability of the leaders from both camps.

1) Lack of clarity of a BATNA

I covered the importance of having a Best Alternative to Negotiated Agreement (BATNA) before entering a negotiation. Apart from Anna Hazare's fast and agitation, the challenge for the India Against Corruption movement (IAC) was coming up with a BATNA if their Jan Lokpal proposal was rejected. Here, a lack of typical party machinery in politics, or even some leadership structure, hampered the movement's ability to come up with a concrete BATNA. By sticking with the Jan Lokpal and drumming up support for it, the IAC participated in brinkmanship. This does not aid the principle of building partnerships in a two-sided negotiation. Some BATNA elements must have arisen in Round Two when the Joint Drafting Committee was formed with government representatives and social activists. However, an impasse was created as no agreement could be reached. As a result Parliament is now debating the Lokpal as written by the government, for all its strengths and weaknesses. This brings me to my second point and that is, by this stage, parties were locked into a situation where:

2) Parties were negotiating on 'positions' and not 'interests'

So if the interests of the IAC groups were to reduce corruption and increase transparency, they hobbled these interests by probably adopting very unyielding positions so as to not lose face or lose internal support from their constituency. The government also lost social and political capital by sticking to various positions, such as its stance on the 'extra-constitutional' demands of the social activists. By locking out integrative solutions, i.e., solutions which combined the most workable proposals from either side, India might well get a much lower quality Lokpal Bill when it emerges.

3) At an impasse adopt some of these measures

At an impasse, a number of things could have been done that could have improved the working relationship of the Joint Draft Committee. These could have included:
• taking a break
• changing some of the team members
• offering a concession
• bringing in a mediator

To what extent some of these were done, I am unsure, but we do know that at some stage Sri Sri Ravi Shankar exerted his influence to get things moving again. When you can't agree on a particular issue, get agreement in principle; that is, get agreement on anything you can, even if it is only an agreement in principle. Examples:
• You might agree that in the past both parties have always been able to come to a mutually acceptable solution
• You might agree on a deadline for completing certain issues, returning to them later if unresolved
• You might even agree on an objective procedure to resolve major differences, if and when they occur

4) In team negotiations, gain clarity regarding member roles

In this instance, both the government and the IAC were often confused, and delivered many uncoordinated public messages. Not only does this affect the quality of team negotiations, it also confuses your team and sometimes endangers hard-won positions. Fewer spokespersons and clearer messages that stay 'on message' would have been the way to go. The future of the ultimate Lokpal Bill will definitely depend on what is negotiated between civil society and the Parliament, balancing citizens' rights against the constitutional right of an elected government to run the country. The better the negotiators, the higher quality the outcome will be. But as long as an us-versus-them approach is taken stridently, it is difficult for parties to offer concessions, create integrative solutions or reach a solution which benefits India.

David Lim is a leadership and negotiation coach and can be found on his blog http://theasiannegotiator.wordpress.com, or subscribe to his free e-newsletter at david@everestmotivation.com

Points to Ponder
• By sticking with the Jan Lokpal and drumming up support for it, the IAC participated in brinkmanship
• Both the government and the IAC were often confused, and delivered uncoordinated public messages
• Not only does this affect the quality of team negotiations, it also confuses your team and sometimes endangers hard-won positions

ABOUT THE AUTHOR
David Lim, Founder, Everest Motivation Team, is a leadership and negotiation coach, best-selling author and two-time Mt Everest expedition leader. He can be reached at his blog http://theasiannegotiator.wordpress.com, or david@everestmotivation.com



SHELF LIFE

“I have never encountered an executive who remains effective while tackling more than two tasks at a time.” — Peter Drucker

HBR’s 10 Must Reads On Leadership A single book that packs quite a punch from renowned gurus By Sanjay Gupta

This book is not really one single volume but an assortment of thinking from some of the best management minds. It contains articles on leadership by Daniel Goleman, Peter Drucker, Warren Bennis and Robert Thomas, and Jim Collins, among other luminaries. While the book may lack the advantage of a single narrative, it more than compensates for it by the sheer richness and variety of its content – even if the matter is coalesced around the one theme of leadership. To be frank, I approached it with a sense of trepidation and awe, considering the gargantuan stature of its contributing authors. I was a bit worried, too, that there might be many dense or boring theories about leadership. Fortunately, none of that! All the articles are written with amazing simplicity, and the theories or ideas are almost always illustrated with interesting and insightful business case examples. For instance, I knew that Lou Gerstner had made an elephantine IBM dance to the tunes of new revenue streams – but it was quite interesting to know the story of his remarkable turnaround at American Express as well. He did this by questioning the long-held beliefs at AmEx and creating a dynamic, entrepreneurial culture, according to a story shared by John Kotter. In another case study presented by Jim 'Good to Great' Collins, we learn about Darwin Smith, the unassuming and even "awkward" CEO of Kimberly-Clark. When Smith, a mild-mannered in-house lawyer, was appointed the chief exec by the company's board in 1971, Kimberly-Clark was spoken of as a "stodgy old paper company" and its market performance had been slipping for the past 20 years. Even Smith wasn't sure if the board had made the right choice: a view that was reinforced when a company director told him he wasn't qualified for the top job. It didn't help, too, when Smith was diagnosed with cancer barely two months into the position – doctors gave him a year or so to live. Not only did Smith live on for another 25 years, he spent 20 of those as Kimberly-Clark's CEO – turning a stodgy firm around to make it the leading consumer paper products company in the world. In the book, Collins terms Smith a Level 5 leader – one who blends the paradoxical combination of deep personal humility with intense professional will – indeed, a rare kind of leadership. (As per his research, only 11 out of about 1400 Fortune 500 firms had a Level 5 leader at the helm.) Such case studies make the book quite lively, but even the leadership theories make for interesting reading and give us points to ponder. Whether it is Drucker's eight practices of effective executives (among them: figuring out what's right for the organisation, taking responsibility for communication and decisions, thinking in terms of "we" rather than "I"); the four components of high emotional intelligence in leaders suggested by Goleman; or the crucibles (severe tests or trials) of leadership recounted by Bennis and Thomas – the reader is certain to take away valuable lessons in leadership for their own grooming. Indeed, HBR's 10 Must Reads On Leadership justifies its name pretty well.

ABOUT THE SERIES
HBR's 10 Must Reads series focuses on the core topics that every ambitious manager needs to know. Harvard Business Review has sorted through hundreds of articles and selected only the most essential reading on each topic. Each title includes timeless advice that will be relevant regardless of an ever-changing business environment.


NEXT HORIZONS

Features Inside

Security: Bucking the Trend
Organisational approaches to risk are changing, as the 2012 Enterprise Security Spending study reveals

BYOD & BYOC May Re-evaluate Security Pg 55
Hacktivists: Your Next Great IT Hire? Pg 56

The more things change, the more they stay the same. While much of IT is engulfed in sweeping transformation brought on by four technology trends — virtualisation, mobility, cloud computing and consumerisation — it turns out that organisational approaches to risk are reverting to old form. We can see this in the results of our CIO Insight 2012 Enterprise Security Trends study, conducted from late December 2011 to early January 2012. To conduct the study, we emailed a survey to a random sample of IT security executives culled from the audience lists of our corporate parent Ziff Davis Enterprise's magazines, newsletters and events; 341 respondents who work in organisations with 50 or more employees responded. Of these, 188 (55 percent) work in companies with 1,000 or more employees, giving our data good representation of both midrange and large enterprises. The survey examined IT security spending that is formally budgeted, as well as that which falls within other budget areas. In early 2011, we fielded the same survey using a sample from the same source, so now we can see how security investment patterns have changed, or not changed, in the past year. And surprisingly, the survey results show a significant return to tradition in terms of which areas of IT are getting the most security attention, and which are receiving the least.

For example, the networking equipment budget was the only area to grow considerably from 2010 to 2011 in share of organisations seeing higher security-related spending, from 45 percent of respondents to 58 percent. Conversely, the number of organisations spending on security within compliance plummeted. However, most traditional budget areas — such as databases, servers, storage and enterprise software — remained stable in terms of the frequency of security-related investments.

Meanwhile, the most dynamic areas of IT are tending to see less security-related spending within their budgets, rather than more. For example, fewer organisations than last year are spending on security in their cloud computing, mobile device, and application development budgets. In this year's survey, application development spending was reported, on average, to be only five percent higher to address security issues, compared to 12 percent higher last year. That's the only extreme example, as most budget areas have remained quite stable in this regard. But the fact remains that security-related spending isn't particularly accompanying spending among the new IT fundamentals.

Perhaps we should not be surprised. It does seem as though the basic building blocks of an IT strategy are becoming quite different—a transformation we've been reporting on for some time. But forward-looking as it is, this kind of reporting can sometimes overstate the degree to which transformation is actually occurring now. One of the advantages of conducting research is that it can put trends in perspective. Those four new elementals may be the real future of IT, but that doesn't mean they've taken over the present yet. And IT security must always focus strongly on current realities on the ground.

That said, we're not entirely happy about what looks, in general, like a cautious approach to IT security. The first reaction of risk managers to new technological developments tends to be adjustments to policies and procedures, especially to prevent or modify user behavior. Though this is an effective way to reduce risk levels (or at least caution the business about the risks involved) while buying time to formulate an effective security response, all too frequently it seems that the work stalls there. In the case of cloud computing and consumerisation, particularly, the potential for improved productivity and growth is big and immediate enough that it behooves organisations to push on and adopt security solutions that enable taking full advantage of them.

In last year's report, we concentrated most on the amount of security spending that was "hidden" outside of any dedicated, centralised IT security budget. This point bears repeating this year, particularly given the fact that many fewer of our survey respondents say their organisations have such dedicated IT security budgets: only 42 percent, compared with 50 percent in 2011. Centralisation and decentralisation come and go in waves, and looking at these results, we may very well be seeing some decentralisation arising from today's pretty intense business-side pressure to deploy and manage IT to achieve business goals. For example, the survey reveals a reduction of IT consulting spending as part of the corporate security budget, where it exists; with so much activity at a departmental level, IT becomes more reactive and management-focused, and less proactive in planning. This is true throughout IT these days, of course — it's not particular to IT security.

Corporate security managers surveyed do remain, on the whole, hopeful about the prospects for the corporate security budget this year. Half of those we surveyed expect at least 10 percent growth in 2012 over 2011. But it must be said that last year's survey results were similar. In fact, when you look at the share of specific budget growth expectations, security managers polled are actually less optimistic this year. Just over one quarter of respondents expect their centralised security budget to increase by 25 percent or more. Last year, 25 percent of respondents expected their centralised security budget to increase by at least 50 percent.

We're in an era in which business departments and their employees are finding and deploying applications, platforms and services on their own. One viable security strategy to deal with this is to push risk-remediation out to these same lines of business. We expect this trend to be short-term, representing only the decentralisation part of the cycle. Recentralisation will take place as the new IT elementals develop and mature, and central IT infrastructure efficiencies are found again. In strange times, you should continue to rely on your common sense and gut instinct as you learn and experience more about the changes around you.
Perhaps this is an overly dramatic way to characterise the IT transformation we're currently experiencing. But you can say at least that when it comes to IT security, you should continue to rely on the common-sense risk-investment equation that shows you how much, and where, to invest:

Annualised loss expectancy ($ALE) = chance of an event each year × estimated loss due to the event

$ALE without remediation measure − $ALE with remediation measure = $savings per year (realised or not)

Any security investment lower than the $savings represents net lower costs for the organisation and is profitable spending. When you think about it, it's only the calculation of $ALEs that has changed because of virtualisation, mobility, cloud computing and consumerisation. Each of these elementals brings multiple new threat vectors with it. Identifying those vectors is the easy part (to the extent that we all know we can never find them all—we must just keep looking on an ongoing basis). The hard part is estimating the likelihood of an event from that vector. That is always the chief bone of contention between technology proponents and risk managers. There's nothing new there. This simple kind of corporate and IT discussion of risk is not occurring in most organisations. And though, as we mentioned at the start, we probably should not be surprised that security strategies have not changed very rapidly in response to these strong trends sweeping through IT, we can also say that this is one unfortunate result of a general lack of ALE-based planning. From this perspective, our survey results highlight not just real opportunities for the security strategy to contribute to the bottom line; they point to a method as well. As we have all experienced, the four elementals are unlikely to wait for us. You would do well to buck the security spending trend, using good old-fashioned risk assessment to find ways to put today's most revolutionary technology tools firmly in the hands of the most creative executives and employees in your organisation.

—This opinion was first published in CIO Insight. For more such stories, please visit www.cioinsight.com.
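A worked version of the risk-investment equation above, added here as an illustration and not part of the CIO Insight article: it applies the $ALE and $savings formulas to two candidate controls, ranks them by net annual benefit, and adds a break-even event rate for the likelihood argument the article calls the chief bone of contention. The control names, event rates, loss figures and costs are constructed for the example; plug in your own estimates.

```python
"""Annualised loss expectancy (ALE) arithmetic, used to decide whether a
security control is 'profitable spending' in the article's sense."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Control:
    """One candidate remediation measure with before/after estimates."""
    name: str
    rate_before: float   # expected events per year without the control (may exceed 1)
    loss_before: float   # estimated loss per event without the control
    rate_after: float    # expected events per year with the control in place
    loss_after: float    # estimated loss per event with the control in place
    annual_cost: float   # what the control costs per year (licences, staff, friction)


def ale(rate_per_year: float, loss_per_event: float) -> float:
    """$ALE = chance (expected frequency) of an event each year x loss due to the event."""
    return rate_per_year * loss_per_event


def annual_savings(ale_without: float, ale_with: float) -> float:
    """$savings per year = $ALE without the measure - $ALE with it (realised or not)."""
    return ale_without - ale_with


def evaluate(control: Control) -> Dict[str, object]:
    """Apply the article's rule: spending below the $savings is net lower cost."""
    before = ale(control.rate_before, control.loss_before)
    after = ale(control.rate_after, control.loss_after)
    savings = annual_savings(before, after)
    return {
        "name": control.name,
        "ale_before": before,
        "ale_after": after,
        "savings": savings,
        "net_benefit": savings - control.annual_cost,
        "profitable": control.annual_cost < savings,
    }


def breakeven_event_rate(loss_before: float, ale_reduction: float, annual_cost: float) -> float:
    """Lowest pre-control event rate at which the control still pays for itself.

    ale_reduction is the fraction of ALE the control removes (0 < r <= 1).
    Likelihood is the number technology proponents and risk managers argue
    over; if even the most optimistic estimate of the rate is above this
    threshold, the argument does not change the decision.
    """
    if not 0 < ale_reduction <= 1:
        raise ValueError("ale_reduction must be in (0, 1]")
    return annual_cost / (loss_before * ale_reduction)


def rank(controls: List[Control]) -> List[Dict[str, object]]:
    """Order candidate controls by net annual benefit, best first."""
    return sorted((evaluate(c) for c in controls),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed figures for illustration only; plug in your own estimates.
SAMPLE_CONTROLS = [
    # 12 lost or stolen employee-owned phones a year; remote wipe does not stop the
    # losses but cuts the per-event cost (notification, investigation) sharply.
    Control("remote wipe for employee-owned phones", 12, 40_000, 12, 2_000, 60_000),
    # a leak via employee-chosen cloud storage every other year; DLP makes it rarer
    # but not cheaper when it does happen, and the tooling is expensive.
    Control("DLP for employee-chosen cloud storage", 0.5, 200_000, 0.1, 200_000, 120_000),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_CONTROLS):
        print(f"{r['name']}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"saves {r['savings']:,.0f}/yr, net {r['net_benefit']:,.0f}, "
              f"{'worthwhile' if r['profitable'] else 'not worthwhile'}")
    # With the remote-wipe figures, how rare would phone losses have to become before it stops paying?
    print(f"remote wipe breaks even at {breakeven_event_rate(40_000, 0.95, 60_000):.2f} losses/yr")
```

The point of the break-even function is that the argument usually stalls on the event rate rather than the loss figure. With the remote-wipe numbers above, the control removes 95 percent of the ALE, so it keeps paying for itself as long as the business believes it will lose more than about 1.6 phones a year; any estimate above that, however disputed, leads to the same decision.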

BYOD & BYOC May Re-evaluate Security Both BYOD and BYOC will continue to force a change in the basic principles of information security practices By Geoff Webb

Illustration by Shokeen Saifi

If you were the CISO of a large enterprise you'd already know that an IT security earthquake may well be on the way, because there is a fault line that runs beneath most of the assumptions upon which we have built the last decade of security progress. That fault line can be described using just four letters: BYOD.

Bring your own device (BYOD), the growing practice of employees using their own laptops, smartphones and tablets, blurs the line between enterprise and personal computing and, as a result, significantly complicates the job of governance, risk and compliance management. As a trend, the consumerisation of end-point devices is still in its early stages. However, as more and more employees routinely use their own laptops and tablets to access corporate information and services, the potential impact of BYOD, like stress in a fault line, continues to build.

For the enterprise security team trying to both enable end users and maintain compliance and security best practices, there are a number of problems that must be dealt with in short order. For example, simply defining policy can be a tortuous task (let alone getting everyone to follow it). While end users may want to use their own devices, the business must provide clear guidance on acceptable and safe usage. Opinions (and options) on what is and is not acceptable may vary dramatically. Worse, users will almost certainly regard policies restricting what they do with their own device as, at the very least, somewhat unwelcome; precisely the sort of response that IT security teams want to avoid.

Even if policies can be agreed upon, enforcing them is often even more arduous. In highly decentralised businesses, such as many healthcare organisations, enforcing data security policies when the device accessing the information is employee owned can be difficult at the best of times. Yet a failure to enforce security policies, even unpopular ones, can leave an organisation open to an audit finding or, worse, a breach. While many devices may have the capability to be properly secured, ensuring that those security capabilities are correctly enabled, and documenting that they are, can require both additional management software and new processes to be put in place. In the event that a device is lost, or the employee leaves the business, the security team must navigate the potential minefield of ensuring that corporate data on the device is removed while trying to minimise the impact on the end user's own information.

However, all the above challenges may rapidly pale in significance when compared to the looming spectre of employee-owned devices using corporate information connected to third-party cloud services. This is especially the case when the cloud services are brought into the enterprise by the employees themselves, as is often the case with cloud storage. This "bring your own cloud" (BYOC) phenomenon will add even more pressure on existing security processes by further complicating the task of tracking, securing and documenting where data is being stored. Imagine, for example, the problems facing a security team who discover that a former employee had been accessing protected healthcare information on a smartphone owned by the employee, but stored on a cloud server outside of corporate controls.

In fact, both BYOD and BYOC will continue to force a re-evaluation of the basic principles of information security practice. Ultimately, the only way to meet the demands of an increasingly independent user population and yet continue to operate within a framework of escalating regulatory requirements is to move away from a mindset that focuses on the "where" of information security and instead focus on the "what."

As "data-centric" becomes the mantra for information security, the concerns over the platform used to access that data diminish. Once the data itself becomes self-protecting through the use of technologies such as tokenisation and encryption, the need to manage every endpoint or service upon which it resides diminishes with it. Indeed, as the data becomes the target of our security thinking, we can provide not only better security for the critical information but also adapt more easily to the evolving needs of business users, both of which, as Winnie the Pooh would say, are a "Very good thing."

40% of young employees want flexibility in choosing their computing device

—Geoff Webb has over 20 years of experience in the tech industry and is a senior member of the product marketing team at Credant Technologies. Geoff provides commentary on security and compliance trends for such journals and websites as eSecurityPlanet, CIO Update, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, and many others. Prior to Credant, Geoff held management positions at NetIQ, FutureSoft, SurfControl and JSB. Geoff holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.

March 2012
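The "data-centric" point above is easier to see in code. The following is an added example, not code from the article or from Credant Technologies: it tokenises the sensitive fields of a record before that record is synced to an employee-owned phone or a personal cloud folder, so that what leaves the perimeter carries nothing a finder of the device, or a former employee's cloud account, can map back to a patient. The mapping lives in a vault that stays under corporate control. The record layout, the field names, the in-memory vault and the "clinician" role check are assumptions made for the example.

```python
"""Data-centric protection for a record that will leave corporate control.

Added example, not code from the article or from Credant Technologies. It
illustrates the tokenisation the article mentions: sensitive fields are
swapped for random tokens before a record is synced to an employee-owned
device or a personal cloud account, and the vault that maps tokens back to
values stays on infrastructure the security team controls. The record
layout, the field names, the in-memory vault and the role check are all
assumptions made for the example.
"""
import hashlib
import hmac
import secrets

# Assumed schema: fields that must never leave the perimeter in the clear.
SENSITIVE_FIELDS = frozenset({"patient_name", "ssn", "diagnosis"})


class TokenVault:
    """Maps tokens to plaintext values; lives inside corporate control."""

    def __init__(self, index_key: bytes):
        # The value index is keyed by HMAC(value), not by a plain hash, so a
        # leaked index cannot be brute-forced against a dictionary of SSNs.
        self._index_key = index_key
        self._value_by_token = {}
        self._token_by_digest = {}

    def _digest(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the token for value, minting a random one on first sight.
        Equal values get equal tokens, so joins and analytics still work on
        the tokenised copy without revealing anything."""
        digest = self._digest(value)
        token = self._token_by_digest.get(digest)
        if token is None:
            token = "tok_" + secrets.token_hex(12)  # 96 random bits, unrelated to value
            self._token_by_digest[digest] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reverse a token; raises KeyError for tokens this vault never issued."""
        return self._value_by_token[token]


def protect(record: dict, vault: TokenVault) -> dict:
    """Copy of record that is safe to sync to a personal device or cloud."""
    return {k: vault.tokenize(str(v)) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def reveal(protected: dict, vault: TokenVault, role: str) -> dict:
    """Re-identify a protected record; only the assumed 'clinician' role may."""
    if role != "clinician":
        raise PermissionError(f"role {role!r} may not detokenize")
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in protected.items()}


def leaks(protected: dict, original: dict) -> bool:
    """True if any sensitive plaintext value survives in the protected copy."""
    exposed = {str(v) for v in protected.values()}
    return any(str(original[k]) in exposed for k in SENSITIVE_FIELDS if k in original)


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    # Constructed sample record, not real data.
    visit = {"patient_id": 4711, "patient_name": "A. Patient", "ssn": "123-45-6789",
             "diagnosis": "hypertension", "visit_date": "2012-03-01"}
    on_device = protect(visit, vault)  # what the phone or cloud folder holds
    print("synced copy:", on_device)
    print("leaks plaintext:", leaks(on_device, visit))
    print("clinician view:", reveal(on_device, vault, role="clinician"))
```

The design choice worth noting is that the tokens are random rather than derived from the value: a token reveals nothing even to someone who can guess the plaintext, and a lost device can be written off without rotating anything, because the only thing that needs protecting is the vault. Encryption of the non-sensitive remainder, key management and the access-control decision behind the role check are left out of the example.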

Hacktivists: Your Next Great IT Hire?

Experts at the RSA Conference discussed "rehabilitating" members of hacktivist groups in order to channel their talents

Law-enforcement officials, IT security providers and executives at the RSA 2012 Conference in San Francisco recently were concerned about the kind of damage hacktivists can cause on networks and to a company's reputation. Still, while some see chaos, others see potential, and a panel of experts worried about all this technical knowledge going to waste. Eric Strom, unit chief of the Federal Bureau of Investigation's cyber-initiative and resource fusion unit; Misha Glenny, a journalist; and Grady Summers, a vice president at Mandiant, joined Jeffrey Brown, a senior correspondent with "PBS NewsHour," for a panel on hacktivism at the RSA Conference in San Francisco on Feb. 29.

image by photos.com

The panelists agreed that many of the hacker collectives online, such as Anonymous, were primarily political movements rather than criminal organisations. For many of the members, the Internet is part of their lives, and computers and mobile devices integrate their digital and physical identities seamlessly. Hacktivism would be the preferred method of protest for a group comfortable with online life, Glenny said. The groups are full of "skilled young people who are persuaded to go to the other side," said Glenny.

Anonymous is primarily viewed by members as a political movement, and its methods are political tools of protest, much in the same way marches and sit-ins were part of civil disobedience in the physical world. While organised criminals do recruit individual members for criminal activity or attempt to direct campaigns in a way that benefits their interests, for the most part, groups like Anonymous are political.

It is difficult to draw the distinction between what is a legitimate protest and what is illegal, said Summers. While launching distributed denial-of-service attacks is illegal, it's not always clear how taking a site offline is more disruptive than physically protesting in front of an organisation and preventing it from doing business, he said.

For many organisations, last year was the first time information security was even mentioned in front of the board of directors. Hacktivists aren't just a security concern for organisations, but also a public relations issue. Regardless of whether a cyber-incident was the work of Anonymous, an advanced persistent threat (APT) or something else, organisations still need to respond.

Anonymous has no formal hierarchy or organisational structure. A small group of highly skilled individuals influence other members, who are usually less advanced and younger, panelists said. Much of the activity in Anonymous' operations is carried out by younger members who are excited to be part of a political process. "Most of them are minors. How do we prosecute someone like that?" asked Strom. FBI agents generally wind up talking to the parents, Strom said. A lot of people think hacktivists are just kids fooling around, but the bottom line is that they can cause a lot of harm to an organisation, said Strom.

Regardless of their motivation, hacktivists have forced two major changes among organisations. Their activities have increased information sharing between organisations and law enforcement, and they have also increased senior management's perception of the importance of security, said Summers.

Glenny advocated "rehabilitating" hacktivists to use their talents for organisations instead of against them. Instead of arresting and jailing hacktivists for taking part in political protests, they should be hired by companies to provide insight and real technical skills, said Glenny. "If your only skill is using a computer, and you're not able to do that, I think that's likely to put you back into the underground," said Glenny.

Summers didn't think it was likely that organisations would take on the responsibility of bringing hacktivists on board. While some companies have hired hackers in the past, there are others with a clear policy against the practice.

While hacktivists were for the most part young, between 14 and 22 years old, there are professionals and IT employees also taking part in these activities, said Strom. The older members often have enough skills to be hired as professionals. The younger members have skills that could be transferred to other uses, and it is important that officials try to divert their interests while they are still young, said Glenny. "We have a lot of talent out there and we should start to think of developing methods so we can find incentives to channel those talents before it happens," said Glenny.

—This opinion was first published in CIO Insight. For more such stories, please visit www.cioinsight.com.


Event

Becoming the Tech CEO
CIO&Leader hosted Pradeep Sindhu, CTO, Juniper Networks, who talked about the CIO's mandate

CIOs today lead an IT function that is akin to a strategic business unit. In effect, CIOs are now their company's 'Tech CEO', who have to contribute in significant measure to the business and ensure that their domain expertise adds real value. Since domain expertise is non-negotiable, the role of technology in innovation remains crucial to a CIO's leadership journey. Solutions implemented by CIOs have to fulfil today's requirements while fostering future innovation.

To throw more light on this, CIO&Leader hosted Pradeep Sindhu, Co-Founder and CTO, Juniper Networks. In a session moderated by Dr. Pramath Sinha, MD, 9.9 Media, Sindhu talked about the mandate of the 21st century CIO, which goes well beyond technology.

According to Sindhu, information technology today is in the middle of the most rapid change it has seen in the last 25 to 30 years. The change is effectively pervasive; it is affecting the IT industry, consumers, corporations and service providers. So the entire value chain of information technology is affected, but it is not just information technology that is changing: the way people live their lives and connect with other people is also changing. The reason this is happening is the power of networks and networking.

"The primary reason that devices like the iPhone and iPad have been so incredibly successful and Apple is the world's most valuable company is because these devices are simple to use and they delight the people that use them," Sindhu opined. It is not more complicated than that. We are also learning that we will be able to use devices like these anytime, anywhere.

"Many of us who have these smartphones have used them dozens of times for business purposes. I understand that this desire is completely normal because human beings want to be connected. In fact, if we isolate human beings completely, they die because the emotional connection is not there, so we are made to want to be connected and we like to do that anytime, anywhere. This has huge implications on the quality of mobile networks because the last air gap between the user and the device and the network cannot be over wire, so in 95 plus per cent of the cases this connection has to be done wirelessly simply because of convenience. You don't want a wire hanging out because it just doesn't work," Sindhu said.

Sindhu pointed out that cloud computing is one of the big trends in IT today. To give more clarity about what cloud computing is, Sindhu gave a clear definition: "Cloud computing is nothing more than the delivery of information services from relatively large scale data centres over the network to users anytime, anywhere, where users are not necessarily human beings only. They could also be devices which are either sensing the environment or acting on the environment, in addition to being human beings."

While there is increasing consolidation of data centres taking place, there are two kinds that are being built. One is the public data centre, where the idea is that organisations will share the infrastructure, get rid of their servers altogether and run their applications in the public data centre. Sindhu explained, "Now this is a tall order because that stuff is not ready for prime time yet. Very few people will agree to run their ERP in a public data centre. On the other hand, if I am a large company and I can afford to build my own data centres by consolidating my own servers, then it is okay for me to have those data centres in a faraway place as long as I own the facilities, I protect them and make sure that they are built well. This is not so different than the current situation except that it is far more efficient."

Finally, Sindhu suggested that the way to convince someone who does not know much about technology is to make him understand that it is a lot more economically beneficial for him to go for cloud computing.

Pradeep Sindhu, CTO, Juniper, talking about the importance of cloud computing
Delegates are all ears while Pradeep Sindhu shares his views on the changing IT landscape
Audience listening to Sindhu with rapt attention
Pramath Raj Sinha, MD, 9.9 Media, quizzes Sindhu during the discussion
CIOs interacting with each other over dinner
It is networking time for CIOs after a highly engaging session with Sindhu


Event

CSO Think Tank Conference
The first in a series of conferences, the CSO Think Tank Conference in Mumbai was a grand success

Encouraged by the overwhelming feedback received during the Annual CSO Summit in December 2011, CSO Forum has decided to start a series of CSO Think Tank conferences during the year. These are essentially regional conferences where the focus is on the various operational challenges that CSOs face and how others in the community are addressing them. The first CSO Think Tank Conference took place on 2nd March 2012 at The Renaissance in Mumbai. The conference saw highly enthusiastic participation from the CISO community of Mumbai.

The conference began with an interactive panel discussion with senior and influential CSOs to understand what the "high-impact" security challenges of last year were, and where organisations have made progress in addressing information security over the past year. Members of the panel included Burgess Cooper, CISO, Vodafone India; Murli Nambiar, CISO, Reliance Capital; Sunil Dhaka, CISO, ICICI Bank; and Anuradha Das Mathur, Director and Co-Founder, 9.9 Media. The panel highlighted the issues related to privacy regulation in the country and how the CISO community needs to gear up to face the new regulation and an evolved role in the organisation. Another trend brought to the fore by the panel was BYOD. The panel discussed how this trend is now top driven and what CISOs can do to ensure it doesn't turn into a security nightmare.

In a workshop on Data Leakage Prevention conducted by Murli Nambiar, CISO, Reliance Capital, Nambiar shared his learnings from rolling out a successful DLP programme across Reliance Capital. CSOs are grappling with the challenges of managing data leakage in a world where boundaries are rapidly disappearing. Citing his own company's experience, he talked about how one rolls out a programme to manage this, how one addresses ground-level realities, how one gets various business units to buy into such a programme and how one manages it with limited resources.

Cloud turned out to be another topic of interest at the conference, where panelists LS Subramanian, Founder & Director, Cloud Security Alliance, Mumbai Chapter; Hitesh Mulani, CISO, Yes Bank; and Sunil Varghese, Head - Enterprise Business, India & SAARC, Trend Micro tried to clear the air around the security challenges in cloud and how they can be carefully mitigated using the right tools and processes. Subramanian gave insight into how the Indian government is also keen to use cloud and is building something called Bharat Badal. Bharat Badal is a national cloud computing infrastructure for India which will benefit rural India and bring information technology within its grasp.

In another highly engaging session, Sunil Varkey, CISO, Idea Cellular, addressed many issues that CISOs often encounter when it comes to setting up and managing a security operations centre. It is clear that every CISO has either already started on the SOC journey or is planning to, whether in-house or with an external partner. However, everyone knows that even with the best of technology and sophisticated tools, managing a SOC is a challenge where the bar is being constantly raised. Varkey talked about how one first builds and subsequently manages a SOC, how one picks the right tools and techniques, how one builds the appropriate processes and how one puts together a team for this.

Sameer Ratolikar, CISO, Bank of India, shared his views on the increasing risk from distributed denial of service attacks. Every enterprise seems to live under the perpetual threat of a DDoS attack. Along with Jaydeep Nargund, Service Line Manager, Akamai, on the panel, Ratolikar analysed a DDoS attack in depth, looked at steps enterprises can take to guard against one and also what can be done if an organisation does come under a DDoS attack.

Murli Nambiar, CTO and Group CISO, Reliance Capital, during his workshop on rolling out a successful DLP strategy
Anuradha Das Mathur, Director, 9.9 Media, talking about the evolving role of a CISO
Delegates quizzing the panelists during one of the discussions
Members of the CSO Advisory Council sharing their views on some of the key security issues in enterprises
Sameer Ratolikar, CISO, Bank of India, giving his views on how to handle a Distributed Denial of Service attack
LS Subramanian, Founder & Director, Cloud Security Alliance, Mumbai Chapter, talking about the importance of cloud computing and how the risks can be mitigated
Delegates paying keen attention to a workshop by Sunil Varkey, CISO, Idea Cellular, on setting up a SOC


Event

Modifying Data Centre, Transforming Business
The three-city event saw CIOs discussing ways in which data centre transformation can fuel growth

Change is inevitable, more so in today's scenario of rising IT costs and a fluid economic outlook. It is, therefore, inevitable to re-energise the data centre to readily accommodate changing business requirements and demands for always-accessible information. This was the theme of the three-city event jointly organised by CTO Forum and Hitachi Data Systems (HDS). The roundtable event, held in Delhi, Pune and Chennai, witnessed an in-depth and thought-provoking discussion amongst top technology decision makers around the issues of improved storage infrastructure efficiency and data centre efficiency; bridging the technology consumption gap; and storage economics.

The roundtable in Delhi saw CIOs debating the issue of reducing the cost of storage infrastructure. They agreed that the past several years of IT procurement had left their IT organisations with under-utilised and oversubscribed storage capacity. With a squeeze on capital and credit, they were now faced with edicts to do more with less and to make tough decisions on where to invest available funds. As one of the CIOs said, "The costs in the data centre are rising. However, there is no visibility of these costs. A CIO can look at cost reduction only if he is first able to track what these costs are."

Addressing the issue, Vivekanand Venugopal, Vice President and General Manager, HDS, India said, "Difficult economic times require new perspectives and strategies for reducing the cost of storage infrastructure." "Since 2002, Hitachi Data Systems consultants have documented and characterised some 34 different types of costs that make up storage TCO. Some of these costs are hard or direct costs, others are soft or indirect. Some cost areas are OPEX while others are CAPEX. Each IT department needs to define what cost categories are relevant to creating their baseline cost picture and planning subsequent actions to reduce costs," he said.

In Pune, CIOs raised the issue of decreasing asset life. As one of the CIOs remarked, "When we purchase new storage, we have to move, migrate or re-master the data onto the new frame. Re-mastering adds even more time to a migration, in effect diminishing the useful life of an asset while generating greater costs." Providing a solution to this problem, Vivekanand said, "Virtualisation is a key enabler in technology refresh processes. By virtualising existing assets, migration to the new storage platform is seamless, without any application downtime. Also, virtualisation increases the useful life of existing assets. Virtualisation technologies substantially reduce the time and effort for deployment, thereby increasing the useful life of the asset. HDS provides high-performance data migration technology, combining best-in-class storage systems," he said.

The issue of the increasing cost of power and space also came up for discussion. CIOs unanimously agreed that they were struggling to keep pace with balancing business requirements for storage with the corresponding cost of power and space. To mitigate these rising costs, Vivekanand said, "HDS is an experienced partner for implementing environmentally efficient IT solutions to help you achieve more sustainable data centres through technologies and services. Our strategy for achieving these goals is designing, manufacturing, and supporting sustainable storage throughout its entire life cycle. By deploying HDS solutions you can realise better capacity per square foot and lower power consumption per terabyte; gain more capacity, save on rack space, save power and cooling costs; and reduce energy costs."

On the issue of emerging technologies, Vivekanand said, "Over time, new technologies continue to emerge that can contribute to building. At present, however, the experience of Hitachi Data Systems points to three critical technologies that organisations can implement in concert to create their individual best storage architecture." "Storage virtualisation is a key element that has been proven over the years to make an impact on storage TCO. Virtualisation is more than a technical building block; it can serve as a foundation that enables other key capabilities, such as dynamic tiered storage and dynamic (thin) provisioning. Together, these three key elements — storage virtualisation, tiered storage with automated, policy driven movement between tiers, and thin provisioning — can deliver a TCO reduction of 20 percent to 35 percent over older storage architectures. HDS customer case studies and testimonials demonstrate improvements of this magnitude," he averred.

The events concluded with the message that the journey to transforming the data centre may seem tough. However, it could turn out to be smooth if technology leaders aligned with the right partner.

Participants talk about various challenges surrounding storage and data centre issues
Delegates discuss possible solutions that can help them improve their data centre efficiency after the roundtable session
Vivekanand Venugopal, VP and GM, HDS, India, talks about the need to improve storage and data centre efficiency
Participants from various enterprises discuss their respective concerns on data centre and storage
One of the delegates expressing his thoughts during the roundtable in Chennai
One of the participants making his comment


TECH FOR GOVERNANCE

Data Briefing: $14bn SaaS revenue predicted by Gartner in 2012

The Emperor's Advanced Persistent Clothing
Security professionals need to focus on collaborating to actually secure something
By J. Oquendo

photos by photos.com

In 1837, Hans Christian Andersen penned "The Emperor's New Clothes." The story, for those who are unaware of it, goes like this: two charlatan weavers promise an Emperor a new suit of the world's most glamorous clothes; however, the clothes are invisible to those unfit for their positions, stupid, or incompetent. It is only after the Emperor is on parade wearing these immaculate clothes that a child cries out: "But he isn't wearing anything at all!" And so the story went, and so I begin.

Present times have brought forth some of the best minds in computer security as well as some of the absurd. They have also brought about a flurry of self-proclaimed experts on security. Normally I do not like being so brash, as I too am still learning the ropes when it comes to this field; however, do not mistake this learning for inexperience. I have accomplished a lot throughout my years and the education is something I heap on myself to stay atop of the game.

Moving slightly away from security for just a moment, I will talk to you about osteoporosis. Not because I am a doctor, or have ever had to treat or diagnose anyone for it, but simply because I have worked in the medical arena and have overheard many talks about it. Not only talks, but I have also read what everyone else is muttering and I couldn't agree more; osteoporosis weakens your bones, and weaker bones will likely mean your bones can break. With that out of the way, would anyone care to label me a subject matter expert in the medical field? Then why are we doing this to many of these quote-unquote "Security Experts" or, as they have painfully signed their e-mails, "Security Evangelist"? Many times, when I see the term "evangelist" I equate it with "televangelist." Then I think of people like Jim Bakker, Ted Haggard, Leroy Jenkins and Jimmy Swaggart. Criminals and charlatans all pitching "God" while picking the pockets of innocent victims. In this instance, the victims are businesses and governments that have less of a clue than the "evangelists" themselves.

Make no mistake, I am the biggest culprit calling the kettle black. Anyone who has ever read anything I have written can point out the self-exaltation in my writings from a mile away. Sitting around the keyboard, I blindly spew re-hashed information in an effort to promote the company I work for. Why the hell should I care? A sucker is born every minute and should I need to scare the bejeezus out of government for contracts, so be it. After all, this is the method of the Beltway, no? Lest I choose to further step on toes and rub garlic on any wounds, I take it all back; companies would never do such a thing. Besides, I also never promote any product and have yet to disclose where I work. So both are false: companies telling the truth and me lying in my writings.

As of this writing, there are very real threats against every network. This is not limited to governments and businesses. Any device that is networked is targeted for compromise, and it is not necessarily that someone is "targeting" the device per se, but rather that it is a resource to be used. This is common logic on the Internet. If a criminal organisation, random attacker or even "focused" attacker could get their hands on a device, by way of a log-on or otherwise, they will do so. They can re-use this device as a gateway at some point. Aside from that, data is king and data is always a good thing for an attacker. Ever-present attacks out of the way, we still have all sorts of attackers: the disgruntled employee, disgruntled vendor, corporate espionage types, governments, anyone under the sun. This is not new, nor is it newsworthy.

What should be newsworthy is how far too many "security sharks" are now in the water. Just about every other week I see no less than a dozen new experts in the field. I try to be optimistic in the hope that I can learn something new from some of these guys but most often shake my head in disgust at what is being passed off as "security" nowadays. Imagine going into a trial at, say, a federal court and telling either a district attorney or a judge: "Your honor, I read it from John Doe who was quoting Jane Doe who got the dibs from a respected security guy who sells antivirus. While he has never analysed a virus or instance of malware, he has read a lot about it and he theorises that..." See the problem with this scenario? Nevertheless this is what security has become and it is definitely spiraling out of control.

Disturbing as that may be, more disturbing is whenever some of these "experts" start believing their own hodge-podge of truths. It spreads like a cancerous tumour and ends up in the ears of politicians and decision makers who do not know any better. While I can pound the podium in the hope that politicians and key decision makers start thinking logically, the fact is, some of these "evangelists" are in some pretty serious positions. One would have thought once upon a time: "Man, Richard has grown throughout the years. I remember him as a nobody. Now he is CTO of Company X. Maybe he will make an impact!" Only to turn around and sigh: "Man, there he goes with his APT BS." One would think that some of these "evangelists" were perhaps bullied by Asian kids growing up. Last year, we had what appeared to be someone who took things to an extreme that bordered on the line of "Taxi Driver" crazy with his ramblings. And I am constantly asking myself "When will this cease?" When will some of you security professionals take a step back and, instead of focusing on marketing BS in the hope of selling shares of the Brooklyn Bridge, focus on collaborating to actually secure something? Far too many experts in this field, yet these same experts are in companies that were compromised by low-level hackers, forget about the "advanced" ones. The irony. Eventually the emperor will wake up; what will you, the "evangelist," say to him then? Just sayin'...

5 POINTS
Security professionals need to focus on collaboration
Any device that is networked is targeted
The attacker can be a disgruntled employee or a corporate espionage type; in fact he can be anyone under the sun
Companies full of security experts are compromised by low-level hackers, forget about the advanced ones
There are far too many security experts in the field

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Redefining Security Intel with NOC and SOC
Holistic enterprise service management can provide the critical visibility security teams need
By Rafal Los

photos by photos.com

Over the past decade, an ever-growing divide has been forming between the network operations and security operations teams. In many organisations these two separate teams sit on different floors, have different lines of reporting, and work with completely different tool sets. But this separation into silos perpetuates what can be referred to as blind spots on the radar.

The role network operations plays is to keep the network running smoothly; which is to say that they ensure the network pipes are flowing so information and traffic can get to and from the on-network devices as needed, between servers, services and consumers. They generally operate under the CTO, whose job it is to make sure the IT organisation is performing to agreed-upon service levels and that the systems, applications and network are available and functional. Their tools include network probes and logging from routers, switches and sensors. If there is an MPLS failure between sites, or a fibre cut, they know about it and can typically pinpoint the issue relatively quickly. The lingo typically heard around network operations teams includes things like "packet loss," "latency," and "link saturation," among others.

The Security Operations Center (SOC), on the other hand, is an entirely different side of the coin. This team generally looks at output from security devices to determine the threat posture in as near to real time as possible. Analysis of port scans, detected pieces of malware, and malicious signatures on the IPS and WAF, along with a million other things, combine to determine whether the enterprise is actively under attack or has already been compromised. Unfortunately, while the goal is visibility, the result is often either an over-saturation of incident data, which causes the SOC to lose focus on what is truly dangerous, or a serious lag in the near-real-time expectation, allowing attackers to slip in and do their dirty work before they're detected several minutes, hours or days later. Security dashboards are archaic. And often security operations teams have a half-dozen or more dashboards to provide them visual confirmation of current happenings. In well-run SOC organisations, a SIEM or new-school SIRM can provide context and close the real-time analysis gap a little further, but this isn't enough.

Both teams are working against downtime, which is a business disrupter, from different angles and with seemingly different objectives. What doesn't often become apparent until a really big incident is either missed, or becomes painful to diagnose, is that both of these organisations can and should be cooperating and collaborating to fight downtime and business disruption. With the goal of helping the business perform better, network and security operations teams should be collaborating across their silos to enable better visibility and more accurate detection of incidents. This is, as you may have guessed, a lot easier said than done.

Imagine if you could link a spike in the CPU of one of your data centre routers to a spike in the CPU utilisation of an edge switch to an application that just became unavailable to your users, all while getting information from your IPS that tells you that you're under a very specific DoS attack that exploits a vulnerability in an Apache server which creates dummy responses from the app server and effectively causes it to become unavailable. A seemingly innocuous port scan across your external IP addresses, combined with a rare spike in CPU utilisation on one of your older routers, may indicate you've just had your outdated Cisco IOS compromised; but if the attack is previously unidentified, your IPS may never even see it.

Combining the collective intelligence of the NOC and the SOC leads to an increased ability to detect malicious activity and perform smarter, faster root-cause analysis.

… of worldwide spam is produced in the United States, which is the highest in the world

—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

11%
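The correlation the article asks you to imagine, a rare router CPU spike joined to an IPS alert on the same device inside a time window, sketched as a small Python correlator. This is an added example, not code from the article or from Infosec Island; every device name, threshold and event in it is constructed sample data.

```python
"""Toy NOC/SOC correlator (added example; all device names, values and thresholds
are constructed): joins network CPU telemetry with security events on the same
device inside a time window, so evidence each team would down-rank alone becomes one incident."""
from collections import defaultdict
from statistics import median

WINDOW = 300        # seconds between a SOC event and a NOC spike for them to be paired
SPIKE_FACTOR = 3.0  # a CPU sample is a "rare spike" when above SPIKE_FACTOR x the device's median
# Constructed NOC telemetry: (epoch_seconds, device, cpu_percent)
NOC_CPU = [
    (1000, "edge-rtr-1", 12), (1060, "edge-rtr-1", 11), (1120, "edge-rtr-1", 13),
    (1180, "edge-rtr-1", 12), (1240, "edge-rtr-1", 91),   # the anomaly
    (1000, "core-sw-1", 40), (1060, "core-sw-1", 42), (1120, "core-sw-1", 41),
    (1180, "core-sw-1", 39), (1240, "core-sw-1", 43),     # normal noise, never flagged
]
# Constructed SOC events: (epoch_seconds, source, event_type, target_device)
SOC_EVENTS = [
    (1210, "ips", "portscan", "edge-rtr-1"),       # low-priority on its own
    (1500, "ips", "dos_signature", "app-srv-1"),   # no NOC corroboration -> stays a lone alert
]

def cpu_spikes(samples, factor=SPIKE_FACTOR):
    """Return the (ts, device, cpu) samples that exceed factor x their own device's median."""
    by_dev = defaultdict(list)
    for ts, dev, cpu in samples:
        by_dev[dev].append((ts, cpu))
    spikes = []
    for dev, points in by_dev.items():
        baseline = median(c for _, c in points)
        spikes.extend((ts, dev, cpu) for ts, cpu in points if cpu > factor * baseline)
    return spikes

def correlate(soc_events, noc_samples, window=WINDOW):
    """Pair each SOC event with NOC spikes on the same device within `window` seconds.
    Returns (incidents, lone_alerts); an incident carries both teams' evidence."""
    spikes = cpu_spikes(noc_samples)
    incidents, lone = [], []
    for ts, src, kind, target in soc_events:
        hits = [s for s in spikes if s[1] == target and abs(s[0] - ts) <= window]
        if hits:
            incidents.append({"time": ts, "device": target, "soc": f"{src}:{kind}",
                              "noc": [f"cpu={c}% at t={t}" for t, _, c in hits], "severity": "high"})
        else:
            lone.append({"time": ts, "device": target, "soc": f"{src}:{kind}", "severity": "low"})
    return incidents, lone

if __name__ == "__main__":
    found, lone = correlate(SOC_EVENTS, NOC_CPU)
    print("incidents (NOC+SOC agree):", found, "\nuncorroborated SOC alerts:", lone)
```

The uncorroborated list is the point as much as the incident list: a DoS signature with no matching network symptom is still an alert, but the paired event is the one that deserves the first analyst.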


VIEWPOINT Steve Duplessie | steve.duplessie@esg-global.com

Illustration by shigil n

Files Are Killing IT And Creating A New Market Opportunity

Data growth is what destroys everything in IT operationally. If data stopped growing, you could actually fix all of your issues once and for all. What a concept! Everything that works today will eventually explode due to data growth. Every process will cease to work. Backup. DR. Performance. Management. Everything will break once you pile that final straw of data onto it. This is what IT deals with. Inevitable failure. Data growth is the male IT equivalent of prostate cancer. Wait long enough, and both will eventually kill you.

If data didn’t grow, we would actually stabilise our operations, make sure we could handle failure (because performance wouldn’t change), size everything appropriately ONE FINAL TIME, and be done with it. Then we’d all start acting strategically since we’d no longer have anything to worry about tactically.

Since file data is by far the fastest growing data type in the enterprise, it is the primary culprit we must address. The current industry movement to deal with said data is all around the cloud. In short, let someone else deal with it. If file data growth is going to continue to rob me of nights and weekends by breaking everything in my data center, why not come up with a different (note I did not necessarily say better) way of dealing with it? Why not ship it offsite and let someone else deal with the headaches? This is exactly why the likes of Box or Dropbox, et al., are seeing bizarre stratospheric valuations. People are finding it easier to let someone else deal with their never-ending file growth operationally. Plus, while doing so, you actually get some immediate opportunities such as the ability to collaborate, and get rid of those pesky VPNs, etc.

There are a ton of issues to overcome before the whole world dumps traditional infrastructure for the cloud in this sense, but the primary motivation for change is there – people can’t keep doing what they are doing and expect a positive outcome. Failure is inevitable. Thus, the issues of security, performance, protection, privacy, etc. (all real) COULD take a back seat. And if and when those issues are satisfactorily resolved, look out. Why would you continue to buy expensive NetApp, EMC, IBM, HP, HDS, etc., gear to support your ever-growing file environment if you can simply pay someone else to deal with it – at a known cost with a known SLA? Eventually, you wouldn’t. That means there are billions upon billions of capital valuation dollars at stake – and THAT is why those outrageous valuations (which currently have no basis in any reality I know) of the online file services companies are what they are. If the traditional infrastructure provider cannot make it easier, cheaper, and better for IT customers to support their file growth problems – the customer will seek aid elsewhere. And that will cause a disruption in the IT financial universe. All I’m saying is that none of the current regime wants the world to move to a cloud-based service (that they don’t control), but when the pain level gets high enough, people will. Party on.

About the author: Steve Duplessie is the founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com

