CTO Forum
Technology for Growth and Governance
September 07, 2012 | 50 | Volume 08 | Issue 02

Viewpoint: The Rise of the Cloud Service Bus (Page 52)
Best of Breed: Mobile Security Experts on BYOD | IT Outsourcing Deals Gone Bad | Five Security Tips for the Social Enterprise (Page 18)
Cover Story: Green IT: A Strong Business Case. For a CIO, going green is no more a fad. It promises to yield significant cost benefits (Page 28)
Tech for Governance: Changing a Compliance Culture (Page 40)
A 9.9 Media Publication
Elevate your Core Switch with the HP 10500 Switch

Legacy networks often struggle to provide superior application performance and quicker time to service. The HP 10500 Switch allows you to break through these legacy networks, giving your business agility and superior performance. The HP 10500 enterprise core switch has set a new benchmark for performance, reliability and scalability with a next-generation CLOS architecture. Designed for enterprise campus networks, the HP 10500 enables:
• 75% lower latency
• 40% higher throughput
• 200% higher 10GbE density

With HP’s IRF technology, the HP 10500 offers scalability and virtualization of up to 4 chassis with a single management interface, enabling flatter, more agile networks. Based on the HP FlexNetwork architecture, the HP 10500 can be seamlessly managed through a single pane of glass with HP Intelligent Management Center (IMC).

To know more about the HP 10500 Switch, SMS SIMPLIFY to 575758 or email us at hpnmarketing@hp.com
Editorial | Yashvendra Singh | yashvendra.singh@9dot9.in

Go Green
Deploying green IT yields several benefits, and a CIO can make a strong business case out of them

“As more and more people understand what’s at stake, they become a part of the solution, and share both in the challenges and opportunities presented by the climate crisis,” said Al Gore.

As enterprise technology decision makers increasingly understand the unintended negative impact of IT deployments, they are gradually moving towards environment-friendly practices. According to industry reports, the ICT industry accounts for about three percent of global greenhouse gas emissions. However, for an environment-conscious CIO looking to deploy green IT, the more important consideration is to have a strong business case in its favour. This may not be as tough as it seems. The return on investment can yield both immediate and long-term benefits for an enterprise. In addition to conserving energy and improving regulatory compliance, a corporation stands to enhance its image in the eyes of its employees and stakeholders.

In the current scenario, where the CIO is expected to do more with less, green IT can reduce costs to a large extent. According to estimates from IBM, in the US a typical data centre of 25,000 square feet, with electricity costs pegged at 12 cents per kilowatt hour, will require a corporation to shell out $2.5 million annually towards cooling and power. By deploying energy-efficient IT solutions, IBM estimates that a corporation can slash its electricity costs by as much as 50 percent.

The encouraging news is that India’s spend on green IT is set to rise from $35 billion in 2010 to $70 billion in 2015. According to Gartner, “India’s ICT industry will be an early adopter of green IT and sustainability solutions as India is one of the fastest-growing markets in terms of IT hardware and communications infrastructure consumption. As enterprises embrace IT to improve productivity, penetration of ICT infrastructure has been growing rapidly during the past decade, as has the energy consumption and resulting carbon emissions of India’s ICT infrastructure.”

Experts feel that, to begin with, Indian corporations will deploy solutions that have proven their worth in developed markets. The transformation through which India is progressing (the increasing divide between the urban and the rural) presents our technology leaders with an opportunity to come up with innovative green solutions.
The Chief Technology Officer Forum
cto forum 07 september 2012
Contents | September 2012
thectoforum.com

Cover Story
28 | Green IT: A Strong Business Case. For a CIO, going green is no more a fad. It promises to yield significant cost benefits

Columns
4 | I Believe: Managing IT Integration in Banking. By George Tumas
52 | Viewpoint: The Rise of the Cloud Service Bus. Stay tuned for updates on this. By Ken Oestreich
Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Tara Art Printers Pvt Ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301
Cover & Imaging: Shigil N
Features
18 | Best of Breed: Five Security Tips for the Social Enterprise. Committing to protecting the enterprise while still embracing social collaboration

A Question of Answers
14 | CIO Has to Re-plan IT Strategy. Marc Alexis Remond, Global Director, Enterprise Solutions, Polycom, speaks about how video conferencing solutions can be integrated with business

Regulars
01 | Editorial
06 | Letters
08 | Enterprise Round-up

40 | Tech for Governance: Assessing Risk Management Culture. Encouraging a risk culture throughout the organisation is a priority
46 | Next Horizons: Business in the Age of ‘Massification’. Innovation is the key to survive and thrive in a world of entrepreneurs

Advertisers’ Index
HP: IFC, 7 | CTRLs: 5 | Datacard: 11 | Riverbed: 13 | SAS Institute: 17 | Gartner: 25 | Airtel: IBC | IBM: BC
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

www.thectoforum.com
Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Consulting Editor: Atanu Kumar Das
Assistant Editors: Varun Aggarwal & Akhilesh Shukla

Design
Sr Creative Director: Jayan K Narayanan
Art Director: Anil VK
Associate Art Director: Atul Deshmukh
Sr Visualiser: Manav Sachdev
Visualisers: Prasanth TR, Anil T & Shokeen Saifi
Sr Designers: Sristi Maurya & NV Baiju
Designers: Suneesh K, Shigil N, Charu Dwivedi, Raj Verma, Peterson, Prameesh Purushothaman C & Midhun Mohan
Chief Photographer: Subhojit Paul
Sr Photographer: Jiten Gandhi

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IT, ICICI Bank
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Sr Consultant, NMEICT (National Mission on Education through Information and Communication Technology)
Vijay Sethi, CIO, Hero MotoCorp
Vishal Salvi, CISO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay

Sales & Marketing
National Manager – Events and Special Projects: Mahantesh Godi (+91 98804 36623)
National Sales Manager: Vinodh K (+91 97407 14817)
Assistant General Manager Sales (South): Ashish Kumar Singh (+91 97407 61921)
Senior Sales Manager (North): Aveek Bhose (+91 98998 86986)
Product Manager - CSO Forum and Strategic Sales: Seema Menon (+91 97403 94000)
Brand Manager: Jigyasa Kishore (+91 98107 70298)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Manager Operations: Rakesh Upadhyay
Asst. Manager - Logistics: Vijay Menon
Executive Logistics: Nilesh Shiravadekar
Production Executive: Vilas Mhatre
Logistics: MP Singh & Mohd. Ansari

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Office No. B201-B202, Arjun Centre B Wing, Station Road, Govandi (East), Mumbai-400088. Printed at Tara Art Printers Pvt Ltd., A-46-47, Sector-5, NOIDA (U.P.) 201301
Editor: Anuradha Das Mathur
For any customer queries and assistance please contact help@9dot9.in
I Believe

Managing IT Integration in Banking
It was challenging as the bank wanted to ensure that the integration doesn’t impact the customers

By George Tumas, EVP & Head Technology, Wells Fargo India Solutions. The author has been associated with Wells Fargo for the last 12 years. Presently, he is based out of Hyderabad. Prior to Wells Fargo, Tumas was the MD of Bank of America.

Current challenge: To integrate the IT systems of Wells Fargo and Wachovia bank

Wells Fargo, earlier this year, successfully completed the Wachovia — Wells Fargo integration, which was one of the largest financial services integrations. It started in late 2008 and took a little over three years to complete. The integration was challenging for the bank as we wanted to make sure that we executed it in a manner such that it would have little or no impact on our customers.

A detailed plan was drafted after lines of business (LOBs) determined their target operating environments, which would include the applications, features and functions to be offered. Subsequently, a conversion schedule was created. This entire process engaged many resources in the technology space. An integration of this size called for a lot of co-ordination between business and technology, as well as amongst the technology groups, to ensure minimal impact on our customers.

One could ask, “Why did the integration take so long?” The answer is simple: we placed our customers first! The decisions and schedules were made keeping the customer on top of the priority list. ‘Customer First’ is a part of our vision and values in everything we do.

On the merger front, our LOB partners worked hand in glove with their technology partners to understand what was needed to ensure a smooth integration. The integration was by default a major rebranding initiative, as the Wells Fargo name replaced the Wachovia brand in much of the Eastern United States. Each LOB had its respective communication plan to keep customers informed during the integration. Communication took many forms, from emails to letters. All LOBs co-ordinated with each other so as to minimise and/or combine information conversion from the IT systems of Wells Fargo and Wachovia.

We solved many challenges by building a detailed conversion plan, testing our conversion processes several times before each conversion event, practising continuous improvement after each event and communicating with our customers. We wanted no surprises, neither from an internal perspective nor from a customer perspective.
Letters

CTOForum LinkedIn Group
Join over 900 CIOs on the CTO Forum LinkedIn group for the latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:

Open Source vs Proprietary Software
Practically, how many of you feel open source/free software is a better solution than any proprietary software?

I would rather mention that your call should depend on the criticality of the application to serve the enterprise business requirement, as open source applications can have security breaches and lack of support in a worst-case scenario.
—Vishal Anand Gupta, Interim CIO & Joint Project Director HiMS at The Calcutta Medical Research Institute

Are CTOs more interested in satisfying the CFO & Board rather than the consumer?

If the CTO is aligned to the CFO and the Board in that order, the CTO will have to also be good at resume writing, as he will not last too long. But then the question arises: is the CFO aligned to the consumer? If he is not, then even he may be in hot water sooner or later.

CTOF Connect
Anil Batra, MD, Riverbed Technology India, talks about how his company is trying to help enterprises utilise their infrastructure better
www.thectoforum.com/content/wan-optimisationbeyond-bandwidth

Opinion: Arun Gupta, CIO, Cipla

Here’s an update on the Oracle vulnerability
Oracle security alert analysis: The best way to protect a system from this vulnerability is to apply the patches released in Oracle’s Security Alert. To read the full story go to: http://www.thectoforum.com/content/oraclesecurity-alert-analysis
Alex Rothacker, Director Security Research, Shatter

Write to us: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be a work in progress, and your comments will go a long way in making it the preferred publication of the CIO community.
Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com
Enterprise Round-up

Features Inside: 60% Firms in India Struggle With Digital Info (Pg 10)

Global Server Market Revenue Declines
While server shipments grew 1.4% over the 2nd quarter of 2011, revenue declined 2.9%

In the second quarter of 2012, worldwide server shipments grew 1.4 percent over the second quarter of 2011, while revenue declined 2.9 percent year-on-year, according to Gartner, Inc. “The slight unit growth for the second quarter of 2012 was contrasted by a decline in revenue on a global level, with geographic variations continuing to be shown based on the ongoing differences in economic conditions by region,” said Jeffrey Hewitt, research vice president at Gartner. “In terms of revenue growth, only Asia/Pacific and the United States produced growth for the quarter — all other regions declined.”
“x86 servers continued to grow, but at a moderated rate, with 1.8 percent growth in units for the quarter and a 5.6 percent increase in revenue. RISC/Itanium Unix servers continued to fall globally for the period – a 14.9 percent decline in shipments and a 17.9 percent drop in vendor revenue compared to the same quarter last year. The ‘other’ CPU category, which is primarily mainframes, showed a decline of 3.0 percent,” Hewitt said. From the regional standpoint, the United States grew the most significantly in shipments, with an 8.4 percent increase.
Data Briefing
9,000 Indian websites hacked in the last five years

They Said It: NR Narayana Murthy
The Infosys founder told ET Now that the government’s indifference to the plight of business has brought decision-making to an unnecessary standstill.
“We have fallen far short of expectations and it’s no longer possible to sell the India story. The world expected a lot from us. And compared to that expectation, we have fallen very, very short. And therefore, I would say, this is worse than 1991.” —NR Narayana Murthy, Chairman Emeritus, Infosys

Cloud Market in India to Grow by 70% in 2012
Research addresses the purchase behaviours of end-users

International Data Corporation (IDC) has released a cloud research report, India Cloud Market Overview, 2011-2016, which provides a reality check and detailed understanding of adoption in India, its future potential and the major trends the market is witnessing. The research also addresses the attitudinal and purchase behaviours of end users and what is influencing them in their choice of adoption.

Business priorities have changed in the recent troubled economic times and are influencing the way IT is being looked at as a strategic tool to grow faster. 2012 has been a tough year so far, but it is rapidly getting to a point where mature companies with careful planning and a focus on business/operational efficiency are fast moving into the leadership spots. These companies have been proactively looking at various “disruptive technologies” that will ensure IT is elastic enough to meet business needs and growth. Cloud models and the flexibility they bring are definitely featuring high there.

IDC estimates the Indian cloud market to be in the region of $535m in 2011, with growth of more than 70 percent expected for 2012 and almost 50 percent growth forecast for the next three years.

Quick Byte on PCs
The combined desk-based and mobile PC market in India totalled nearly 2.9 million units in Q2 of 2012, a 17% increase over Q2 of 2011. Mobile PCs, which grew 54% compared to Q2 of 2011, helped drive overall market growth. —Source: Yahoo
60% Organisations in India Struggle With Digital Info
Information sprawl, duplicate data compounding problems for firms

Symantec released the India findings of its first-ever State of Information Survey. According to the survey, business data in Indian organisations is expected to grow 67 percent in the next 12 months. From confidential customer information and intellectual property to financial transactions, organisations in India possess massive amounts of information that not only enables them to be competitive and efficient, but also to stay in business. In fact, the survey revealed that digital information makes up 51 percent of an organisation’s total value. However, with information spiralling rapidly, 60 percent of Indian businesses are struggling to effectively manage and protect their digital information.

“Our survey shows that only 15 percent of businesses in India can confidently use their business information without being either too permissive or too restrictive about its access,” said Anand Naik, managing director—sales, India and SAARC, Symantec. “Without the ability to properly protect their information assets, this data can become a liability. To counter this, businesses in India need to put in place a plan to manage their data assets so they can have a true competitive advantage.”

Information is Skyrocketing and It’s Expensive
Businesses of all sizes are dealing with enormous amounts of data. The total size of information stored today by all businesses globally is 2.2 zettabytes. Small to medium sized businesses (SMBs) on average have 563 terabytes of data, compared with the average enterprise that has 100,000 terabytes. The survey also reveals that information is expected to grow 67 percent over the next year for enterprises and 178 percent for SMBs. Globally, on average, enterprises spend $38 million annually on information, while SMBs spend $332,000. However, the yearly cost per employee for SMBs globally is a lot higher at $3,670, versus $3,297 for enterprises. For example, a typical 50-employee small business spends $183,500 on information management, whereas a typical large enterprise with 2,500 employees would spend $8.2 million.

Information Loss is High and Has Significant Impact
The survey found that a huge 89 percent of Indian organisations have lost information in the past year. These incidents have a significant impact: 31 percent of Indian organisations revealed that losing some or all of their information could lead to decreased revenues, apart from loss of customers (34 percent), increased expenses (33 percent) and brand damage (35 percent). Furthermore, 31 percent of respondents were unable to comply with government regulations, and 40 percent faced similar challenges with external legal requirements around information management in the past year.

Protection Measures
With so much at stake, protecting information should be a top priority, yet businesses are still struggling. In the last year, besides 89 percent of organisations losing information, 94 percent of businesses in India have had confidential information exposed outside of the company, and 31 percent have experienced compliance failures related to information. Another challenge is the amount of duplicate information businesses are storing.

Global Tracker: Mobility
Gartner reported a dip in global sales of mobile phones for the second quarter in a row and will cut its 2012 outlook as consumers hold back on handset upgrades due to economic uncertainty. Source: Gartner
Instant Issuance: Give Cardholders the Convenience and Service Levels They Demand

New financial instant issuance portfolio. Datacard Group offers a full range of new innovative printers, CardWizard® software (the world’s #1 instant issuance software) and unmatched global service and support. Our solutions give you the flexibility to issue permanent embossed, unembossed, magnetic stripe and EMV®-compliant cards and NFC-enabled mobile devices immediately.

Datacard Group makes it easy and affordable to launch a profitable instant issuance card program. Our Secure Issuance Anywhere™ platform empowers you to manage your card and mobile payments programs the way you want to – anytime, anywhere.

To schedule an instant issuance demo, visit www.datacard.com/cto

Datacard India Private Ltd, B-302, Flexcel Park, S.V. Road, Next to 24Karat Multiplex, Jogeshwari (W), Mumbai-400102, India. Tel: +91-22-61770300. Email: India_sales@datacard.com

Datacard, CardWizard and Secure Issuance Anywhere are registered trademarks, trademarks and/or service marks of DataCard Corporation in the United States and/or other countries. EMV is a registered trademark of EMV CO., LLC. ©2012 DataCard Corporation. All rights reserved.
App Development Market to Reach $227 mn in 2012
Cloud is changing the way applications are designed

The India application development (AD) software market is expected to reach more than $227 million in 2012, an increase of 22.6 percent over 2011, according to Gartner. Growth will be driven by evolving software delivery models, new development methodologies, emerging mobile application development and open source software. “Application modernisation and increasing agility will continue to be a solid driver for AD spending, apart from other emerging dynamics of cloud, mobility and social computing,” said Asheesh Raina, principal research analyst at Gartner. “These emerging trends are directing AD demand towards newer architectures, programming languages, business models and user skills.”

According to a new Gartner report, “Market Trends: Application Development Software, Worldwide, 2012-2016”, cloud is changing the way applications are designed, tested and deployed, resulting in a significant shift in AD priorities. Cost is a major driver, but so are agility, flexibility and speed to deploy new applications. Ninety percent of large, mainstream enterprises and government agencies will use some aspect of cloud computing by 2015. “The trend is compelling enough to force traditional AD vendors to ‘cloud-enable’ their existing offerings and position them as a service to be delivered through the cloud,” said Raina. “AD for cloud demands rapid deployment, a high focus on user experience and access to highly elastic resources for software testing, while requiring comparatively less underlying infrastructure for developing applications.”

Gartner predicts that mobile AD projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4:1 by 2015. Emerging mobile applications, systems and devices are transforming the AD space rapidly, and are one of the top three CIO priorities at the enterprise level. Gartner research found that CIOs expect more than 20 percent of their employees to use tablets instead of laptops by 2013, hastening the process of change as AD tools and applications evolve to address the requirements of these new devices. Also driving the AD shift, Gartner expects open source software to continue to broaden its presence and create pressure on market leaders during the next three to five years.
Fact Ticker
42% of Decision Makers Believe Cybercrime Will Grow
As big a concern as economic instability

Cyber-threats were second only to worries caused by economic instability, according to the survey conducted in July 2012 by B2B International in cooperation with Kaspersky Lab. As part of the survey, 3,300 company representatives from 22 countries across the globe expressed their opinions on IT security issues. All the respondents are actively involved in making important business decisions, including those related to IT security. In the future, the significance of cybercrime-related problems is set to grow – this is the belief of 42 percent of those surveyed. According to business representatives, in the next two years cyber-threats will pose the greatest danger for companies, surpassing even the fear of economic problems.

Statistics collected by Kaspersky Lab indicate constantly growing cybercriminal activity, confirming that the apprehensions are not unfounded. While in 2011 Kaspersky Lab detected an average of 70,000 new malicious programmes daily, this year the figure has grown to 125,000. The amount of mobile malware, specifically targeting the Android mobile operating system, is growing even faster: the number of malicious objects grew by a factor of 200 during 2011.
Acquisition

Accenture has entered into an agreement to acquire Singapore-based NewsPage, a leading provider of integrated distributor management and mobility software for the consumer goods industry in emerging markets. Upon closing, the acquisition will complement the capabilities of the Accenture CAS software platform. Terms of the transaction were not disclosed.

The Accenture CAS software platform helps consumer goods companies achieve greater trade efficiency and sales by enabling improved product availability on the shelf and increasing their ability to efficiently collaborate with retailers, while supporting the management of large, mobile sales and distribution forces. The combination of the Accenture CAS software platform and NewsPage's products will offer consumer goods companies the ability to manage all of their sales processes on a single global sales platform – from trade promotion management and optimisation to retail execution, and from distributor management to direct store delivery.

“This acquisition is important as it will enhance Accenture's ability to help global consumer goods companies by supporting all route-to-market sales and delivery models across mature and emerging markets,” said Fabio Vacirca, senior managing director of Accenture's Consumer Goods & Services practice.
Your Cloud: Private, Public or Hybrid. Optimized for Performance.

With Riverbed, you’ll get breakthrough performance – whether yours is a private, public or a hybrid cloud environment. You’ll have greater flexibility to implement your cloud strategy and business goals. And you’ll have resilience when you need it the most. You’ll have your cloud on your terms. Go to: riverbed.com/hybridcloud. For any queries, please contact marketingindia@riverbed.com
A Question of answers
Marc Alexis Remond
Challenge: A CIO is required to integrate process, people and technology
14
cto forum 07 september 2012
The Chief Technology Officer Forum
Marc Alexis Remond
A Question of answers
Marc Alexis Remond | Polycom
CIO has to Re-plan IT Strategy Marc Alexis Remond, Global Director, Enterprise Solutions and Market Development, Polycom, spoke to Akhilesh Shukla on how video conference solutions can be integrated with business for seamless work and growth Businesses are fast evolving so are technologies. In this fast paced environment, how are CIOs using various tools for smoother and seamless functioning of an organisation? Collaboration of technologies, business tools and applications are a must for any fast growing enterprise. Today, enterprises are evolving into a more mobile, social and collaborative avatars. A CIO is required to integrate process, people and
technology. He has to re-plan IT strategy because today different executives have different connectivity and communication needs in an organisation. For example, a sales executive, most of the time, is on the field while executives at the back-end are always in the office. Then there are those executives who are both in office and in the field. Thereis therefore, a varied need for mobility and collaboration. Further, organisations are collaborating
business tools with social applications as well. Video conferencing (VC) solutions could play an important role in interactions of various technologies and connecting people. They can help to connect people on mobile devices, laptop, tablets and PCs. Video conferencing solutions were largely used by enterprise to save travel cost and time. How are CIOs redefining VC
The Chief Technology Officer Forum
cto forum 07 september 2012
15
A Question of answers
solutions to help their organisations grow faster? Video conferencing solutions help an enterprise to save travel cost by 30 percent. However, the benefit of video conferencing solutions are way beyond travel cost saving. By integrating video conferencing in HR process, CIOs have reduced hiring time by 19 percent. Similarly, by smartly using video conferencing solution among various departments, the time to market of a product can be reduced by 24 percent. This reduction in time of various process gives an enterprises an edge over competition by helping business to grow, faster and smarter. The adoption of video conferencing solution is growing among enterprises across all verticals. These solutions are increasingly being deployed at manufacturing sites connecting engineers to keep a close watch on production line. The technology has evolved and is bringing value in various domain including CRM, supply chain management, quality management, human capital management, and R&D. How are issues of connectivity and cost making it a challenge for CIOs to adopt high resolution VC solutions? Enterprises in India are excited about high resolution video conferencing solutions. Healthcare is one such sector which has already started using high-resolution VC solution. Fortis Healthcare, in New Delhi, for instance, is using high-resolution VC for medical administration purposes. Patients rooms and OPDs are connected over a network and VC facility is available on the desktops, tablets and mobile devices of doctors and administrative staff. Manufacturing, BFSI, Oil and Gas are other sectors looking forward for implementing high-resolution VC solution. It is true that bandwidth is an issue in India. At the same time it is expensive, as well. Keeping in mind the needs of developing countries
16
cto forum 07 september 2012
Marc Alexis Remond
“Enterprises in India are excited about high resolution video conferencing solutions�
like India, we have embedded our VC solution with H.264 high profile. It helps to cut down the bandwidth requirement by half. For example, a 720p resolution VC requires a bandwidth of 1 megabit/ second. By using Polycom solution, the same resolution VC is possible on a 512 kilobit/ second bandwidth. Governments in other countries are investing in VC solutions for various means including disaster management and recovery. Do you see such adoption in India? VC solutions can help government in cases of emergency, chaos, natural disaster, planning and risk mitigation. VC solutions can also be used to train people, in a very short duration, for disaster management and prepare them for any risk or disaster. The cost of training would be minimal, as no traveling is required. Further, it helps in early detection
The Chief Technology Officer Forum
Things I believe in:
- VC solutions can help government in cases of emergency, chaos, natural disaster, planning and risk mitigation
- Adoption of VC solutions is growing among enterprises globally and in India
- VC solutions help an enterprise to reduce travel costs by 30 percent
of emergency, giving an agency the ability to respond in the minimum possible time, thereby saving precious human life and infrastructure. VC integration can also help in better management of the recovery and rebuilding process. Emergency rooms and CCTV cameras can be connected on the VC platform, and satellite images can be received on a laptop, tablet or PC through the VC solution. The Indian government is investing in building up the network, connecting cities, villages and blocks. It would graduate to such services in the second phase.

What are the global and Indian trends in the VC space?

The adoption of VC solutions is growing among enterprises globally and in India. Investments are being made in audio/video conferencing, bridging, recording and streaming. Polycom offers video-audio conferencing beyond the internal network of an enterprise to connect to a third party.
Best of Breed
Features Inside
Mobile Security Experts on BYOD Pg 20 | IT Outsourcing Deals Gone Bad Pg 24
Illustration by Raj Verma
Five Security Tips for the Social Enterprise
Data Briefing: $9bn will be the size of the application development market globally in the year 2012
Committing to protecting the enterprise while still embracing the transformative business value social collaboration will deliver
By John Thielens

security

Policy will have to become both more flexible and more explicit, so that people across job functions can use social technologies more broadly in order to better collaborate with their business partners. Compliance is a hurdle almost every organisation must contend with

As a member of an enterprise, several things strike me when I think of the idea of creating a social enterprise, with its promise of new collaboration models. The very phrase “social enterprise” calls to mind the ways an enterprise connects with its business partners, and how it might use social technologies like collaborative documents and instant messaging to strengthen customer, supplier and community relationships. Still, the enterprise itself is a community. When I look at my desktop, the idea of applying social techniques even within the enterprise is daunting. Yet our potential to engage external partners more effectively depends on our ability to engage internal partners effectively first.

This concept of internal social engagement is nothing new, of course. Instant-messaging apps that give enterprise users the ability to internally share their status (“On the phone,” “BRB,” etc.), and create ad hoc Web conferences with ease, have been around for years. Their advocates are passionate about them, and quick to attest to how completely they can transform interactions between colleagues. Even so, those advocates are not as numerous as you would think. The truth is that adoption of these technologies is relatively low. That is true everywhere, even internally, where IT and the CIO have the power to exercise unilateral control, push the same software out to everybody's desktop, create rules for how it’s to be used, control the directory, and ensure that everyone is reasonably secure or well-authenticated.

So why the lousy adoption rate? What’s making us so reluctant to embrace the concepts of internal social interaction, apply them across the enterprise boundary, account for both the B2B context and the internal enterprise context, and make it all so transformative and useful that adoption will be high everywhere?

First, in order to adopt true multi-enterprise social technologies, we must establish trusted partnerships at a deeper level. Don’t require employees to create another login and password. Instead, establish a secure, professional enterprise framework that allows us to trust each other all the time, every time. Open standards for authorisation, such as OAuth, look promising. But for now, it’s enough to say that identity exchange and tighter integration and collaboration with our business partners must be built on a foundation of trusted identity, so that we are at least sure who we're talking to. That kind of trust is a necessary prequel to making the leap into sharing content and collaborating across multi-enterprise business processes in ways that truly add value.

We must also consider supervisory surveillance and policy. When employees are instant messaging with business partners, sharing screens and doing much more than simply emailing, you may wonder, “How am I going to monitor all of this? How will I audit it?” This is especially important for organisations in heavily regulated industries, like financial services and healthcare, with specific data security requirements for everything from paper print-outs, to email and file transfers. We must engage in a range of tough issues, for instance: What sort of retention, discovery, expiration and destruction requirements should we create in response to these social enterprise technologies? What's my supervisory obligation to inspect, archive and record all that connectivity? What kind of policy framework can successfully govern all of this activity, since it involves people with multiple roles and levels of authority, and multiple types of communications?

Existing policy frameworks in most organisations are limited to a particular set of customers and roles. That’s something that will have to change. Policy will have to become both more flexible and more explicit, so that people across job functions can use social technologies more broadly in order to better collaborate with their business partners. Compliance is a hurdle almost every organisation must contend with no matter their industry. Without the right kind of supervisory surveillance and policy frameworks in place, the transformative potential of social enterprise technologies will be far outweighed by the risk of compliance exposure to the business.

Here are five ways to address these issues:

1. Integrate directly with your community of customers and partners: The social enterprise accelerates speed-to-delivery by establishing data connections that lead to real-time business decisions and opportunities.
2. Insight into every interaction: End-to-end visibility provides IT teams with the tools to monitor information sharing whenever and however it’s happening.
3. Policy to support the “right” connections: Organizations must be able to customise policies and rules to business needs, using automated policy management to save the sanity of IT.
4. Direct connections to critical endpoints: Provide secure, direct lines of communication and information sharing — whether for files, instant messaging or email.
5. Meet compliance needs: Use reporting capabilities to meet the requirements of industry-specific watchdogs.

Is it a big challenge for IT, security and compliance officers to enable social technologies at least internally, while our external compliance and security framework continues to evolve? Yes, but these challenges are solvable. Let’s commit to protecting the enterprise while still enabling and embracing the transformative business value social collaboration will deliver.

Data Briefing: 12% will be the growth of IT spending by end users in China in 2012
— John Thielens is CSO at Axway, a provider of business transaction software. — This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit cioupdate.com.
Mobile Security Experts on BYOD
What can employees do to minimise risk when bringing their own devices to work? By Ian Broderick
Illustration by Manav Sachdev
While all our experts have their unique perspectives, some common themes arose, including changing employees’ view of security. We want to thank all our respondents for participating.

When security executives overlook team creation as a core component of a security programme, they fail. A well-oiled machine is critical to creating an ever-expanding and improving information security posture.

What can employees do to minimise risk when bringing their own devices to work?

Even with the move to BYOD, information security is still a core IT responsibility. In other words, regardless of who owns the device, IT and Info Sec are still responsible for protecting the data on that device. Fortunately we have a growing arsenal of tools to help with that from the mobile device management companies like Sybase, MobileIron, Airwatch, Good Technologies, and the like. While those solutions give IT the ability to enforce security policies like requiring strong passwords and file encryption, users are always the weak link in the security chain. Mobile devices are all about convenience, and unfortunately, security introduces some degree of inconvenience. It’s long been known that if we make security too inconvenient, users will resort to the most insecure solutions to avoid it. The two keys to success are management support and good communications with users. C-level execs are often the worst security offenders, but if you can plant the seed that we now have hundreds or thousands of potential security exposures traveling around in people’s pockets or purses, hopefully you can get them to pay attention. Clearly, that’s a lot easier to accomplish in regulated industries like health care and finance, but every company has information it needs to keep secure. Security awareness must be part of employee orientation, and we need to explain why even seemingly innocuous information like a salesperson’s calendar could hold a treasure trove of useful information for a competitor. People are far more willing to cooperate if we tell them why it’s important.

However, this can’t simply be a one-shot deal. Security requires an ongoing program of security awareness to create a “culture of security”. I know of one organization that puts tent cards with little security “tips” on the tables in the cafeteria and changes them once a week. To build that ongoing awareness, you have to think like an “advertiser” and what you’re “selling” is a secure organisation.

BYOD is here to stay (at least in the near term), so IT and Info Sec specialists need to think creatively to truly protect all that sensitive information that’s traveling around on smartphones and tablets. We’re dealing with a whole different type of “perimeter” now, so we need to focus on protecting “data” rather than protecting “devices”.

This BYOD movement reminds me of when I was in high school. There was a sign in the study hall which read, “Success is 13 percent aptitude and 87 percent attitude.” I don’t know where they got that ratio from, but in this context, the exact percentages don’t matter. The point is that with a little bit of smarts and a whole lot more positive thinking, you’ll wind up where you need to be.

Most employees on a network don’t have the security aptitude to make the right choices when it comes to risk minimisation with their own devices. They will tend to choose first what’s free, then software with the most features and then whatever’s available on the sales rack at their local tech store. Generally speaking, their attitude is that risk minimisation is the responsibility of the experts at their company. They will do the minimum required to prevent risk and protect data. Security gets in their way. Not a very good attitude. Employees need to work with their security departments to get better educated on their organisations’ best practices for protection. Protection isn’t fool proof, so they also need to know who to call and how quickly to react when an incident occurs. Employees need to change their mindset to embrace that bringing your device to work also means that you need to take ownership of minimising risk and protecting data.

Company leadership are generally early adopters of new technology that is brought to work. While that’s great for being productive (if they work), those devices are also higher risk. They are most targeted 1) for their street value and 2) because corporate executives tend to have the most interesting information stored on their devices. If you are a member of your company’s leadership, you need to comply with company BYOD protection rules just as much as your subordinates need to. No exceptions.

Some additional tips on how employees can protect themselves when they bring their own devices to work:

1. Get insurance to protect the replacement cost of your high value asset or for yourself from employers redirecting liability. This is especially true if you handle large quantities of government-regulated or PCI DSS data on your device.
2. Your organisation’s BYOD decision provides you with the privilege to bring your own device, but they also have the right to revoke the programme. If you don’t agree, change your attitude.
3. Work with your IT departments and InfoSec officers to keep your device patched, AV up to date and data protected. You only need to know if your device is current and how to get current, not all the details of what it means to be current.
4. Learn to work with security tools rather than around them. This is especially true with encryption. Just because the technology sounds complex, using it shouldn’t be.
5. Educate yourself by reading security blogs and listening to podcasts so you are aware of the latest threats.

Bringing your own device also means accepting working beyond your scheduled business hours.

Devices aren’t the main problem in a BYOD strategy: employees are. That’s why BYOD is not just a technical issue that can be left to an organisation’s IT department. It needs a holistic approach that includes HR, data security and legal stakeholders. Sensible organisations adopting a BYOD strategy will have put in place a strategy that includes policies and guidelines, as well as technical constraints and parameters. The main thing that employees can do to minimise risk, therefore, is simply to comply with the policy approaches that their employers have – presumably for carefully thought-through reasons – put in place. If an organization concludes that, for compliance and liability reasons, it wants to use a particular file sharing platform instead of, say, Dropbox, employees should comply with that restriction instead of simply applying their own workaround and using Dropbox because their own clients use it, it’s more convenient and they think that it’s great.

BYOD is here to stay (at least in the near term), so IT and Info Sec specialists need to think creatively to truly protect all that sensitive information that’s traveling around on smartphones and tablets

Data Briefing (Consumerisation of IT): $17bn will be the worth of the social media market in the year 2012
It doesn’t help that many of the “approved” platforms to enable BYOD are less sexy and functionally flexible than “unapproved” ones – which encourages employees to go off-piste and use their own workarounds. So I think that the best thing an employee can do to minimise BYOD risk is to comply with whatever policies and technical parameters are in place and not take a BYOD policy as a licensed free-for-all. Pay attention to the forms, declarations or pop-up screens that warn of the scope of your organisation’s BYOD programme and how security applies to it. And one final thing: just be sensible. There was a reported case over here in the UK just last month of someone who showed his young son how online spread betting worked and then left his laptop around unsecured. You’d be surprised how short a time it takes for a 5 year old to run up £50,000 in losses! You can’t blame the device or the policy if someone willfully or recklessly ignores the rules.

The first thing employers need to do is to create and maintain an “authorized BYOD device list”. Employees wishing to bring new devices should submit a request for addition to this list. It should also be ensured that a remote wipe facility exists and is enabled, especially if company confidential information will be stored on the device. Here are a few other things we encourage customers and our employees to practice:

- Ask employees to disable MiFi access to prevent other office workers from using a co-worker’s phone as a back-door Internet gateway.
- Make sure all employee devices have an auto-lock feature and that it’s enabled. Also, educate against “1111” or “1234” as the unlock code.
- Remind the employee that while their phone or tablet is at the office, it’s subject to inspection just like any other corporate device.
- If you’re like most everyone else, your kids will often play games and make use of your phone; ask employees to educate their children on safe browsing and reiterate that “this is mommy/daddy’s work phone, be careful!”
- Always try to use a secure connection (‘https://’) to favorite sites.
- Set up the browser to clear the cache upon closing the web browser.
- Regarding strange emails, tell employees “Don’t click on that, this is not your lucky day!”
- Remote BYOD access should be treated in some ways the same as remote laptop access. For example, Cisco offers AnyConnect, a Security Mobility Client, for BYOD remote access.
- Use stronger one time password authentication when possible.

Relying on employees to deal with security issues is like putting teenagers in driver’s ed classes. It may help make them better drivers but it doesn’t make them good drivers. Nonetheless, just like teenagers can use driving tips, employees can use tips on how to minimise risks when bringing their personal devices to work.

First off, no jailbreaking! There’s just too much that can go wrong when someone tries to open up the OS on their smartphone.

Second, the age-old recommendation to back up data applies to tablets and smartphones as well. The complicating factor is that you might not want them to back up their business data via their personal backup methods. Backing up their work emails and documents should be done on the business network and nowhere else.

As for applications, it’s better to be safe than sorry. Android by default blocks users from installing apps that aren’t in the Android Market. And, while there are other legitimate places to get Android apps (such as the Amazon Appstore), do you really want users to enable “Unknown Sources?” This is less of an issue for iOS devices, but nonetheless, remind users to be careful what they download. Another hint is for them to check the settings of EVERY application they download. Apps have a funny way of sending private information to the net.

Now, with all these things said, good security really begins on the network. The move to personal devices at the office is a continuation of a trend that started back in the 1980’s when accountants began buying Personal Computers to run Lotus 1-2-3. Since that time, organisations have turned to network security to protect themselves. Since the network handles all the traffic (no matter what the user is doing while at work), the network is the best place to secure that traffic, log it and report on it.

An employee bringing their own devices to work is not a new concept; the problem in today’s world is that they want to connect the devices to corporate networks. Some may want to access wireless networks so that they can bypass web filters, others want to use their device to access business applications and data. Whatever reasons the employee gives for bringing a device to work, they should follow these basic tips to minimise the risk they present:

- Firstly, inform the information services department that you want to connect your device to the corporate network. They may have some guidelines that you need to follow. Many networks will have systems that detect mobile devices, so it’s better to inform them directly.
- Do not use the device as a storage system for work data. If the device falls into the wrong hands this data can be accessed.
- Stop using passwords and start using passphrases. Keyboards on mobile devices can be cumbersome but this is not an excuse for using short and easy to guess passwords.
- Do not jailbreak or root the device. If the device has been tampered with then a full factory restore is recommended. Most security problems that I have come across were associated with jailbroken devices. It also introduces a new risk as applications can gain root access and you may end up exposing your personal data.
- Avoid installing unnecessary apps. The more apps that are installed the greater the attack vector. Many malware infected apps exist in the mobile market places.
- Don’t be reliant on technologies like face unlock. A lot of these features are new and untested in the real world.
- Employees need training before using their own devices.

Data Briefing: 70% could be the drop in the cost of electric batteries by the year 2025

Risk profiles change dramatically as soon as any company allows any form of external device connectivity –
whether via 3G, 4G or WiFi. Employees need to understand and share the risk with their employers and this needs careful planning. In its simplest form, companies should consider using dedicated ‘sandboxed’ applications to allow access to information under the control of proper authentication, encryption, and access control frameworks. Ideally, these dedicated applications should automatically enforce security and privacy controls, while providing management tools to enable or disable services remotely. Employees should always lock their devices – and employ a second, different passcode for work-related applications. In this way, the device and its data have a basic level of protection.

Also, every employee should read and understand the company policy on device usage – mobile devices deserve their own category in all policies – and these require regular review. Technology changes rapidly in the “bring your own device” (BYOD) environment, and policies need to reflect changes in technology, platforms and services. Employees, therefore, need to keep themselves up to date with new policies and raise any concerns with appropriately qualified technical managers.

Employees also need to consider questions such as legal use and liability for use. After all, an employer has permitted an employee to use a personal device. The company has no right of access to personal possessions; therefore, can the employer demand a full audit of a device and all its data? If so, what controls does the company have in place to protect any personal information from abuse? Another reason for implementing sandboxed dedicated applications – the company can then control its own sandbox, without needing to inspect the device as a whole. Remote wipe becomes a particular risk in a non-sandboxed environment – the company may need to wipe its data, but leave the employee’s data and applications intact.

Mobile devices also require regular software updates to remain current. Employees need to check with employers prior to updating devices with the latest operating systems or services. Upgrades may break legacy services and applications, which then require updates as appropriate. Employees need to consider the liability issues of introducing a problem by simply upgrading a device in line with the manufacturer’s recommendations.

Fundamentally, device owners need to assume that others will have access to their devices. Or that work will sometimes come in at a less than opportune moment (in the middle of a party, or during the night) or while the employee travels. In these circumstances, profiles and policies should reflect working hour directives, and consider the implications of an employee having 24 hour communication with the company. In many countries, directors have a legal obligation to protect the well being of their employees and should promote or enforce sensible working hour directives.

Employees may also want to consider what happens when things go wrong: what happens if broadband or mobile data services fail? Who pays for excessive data consumption or international roaming charges? How do you back up, restore, lock or remove data from devices – and prevent its loss? Does the company provide adequate controls over encryption policies (so that an employee could move between countries where encryption laws differ, without risk of imprisonment, for example)? Who insures what – and who pays for the insurance (does your domestic insurance cover your equipment for business use, for example)? Proper policies and training resolve many of these issues. This topic really covers managing risk – in a shared environment. Employers and employees need to take responsibility for their own tools and provide adequate assurances (through regular audits) that the chosen device, any applications, data, and the associated management processes all operate correctly.

Companies should consider using dedicated ‘sandboxed’ apps to allow access to data under the control of proper authentication, encryption and access controls

Data Briefing: 25% will be the dip in revenue from voice services on fixed line by the year 2016

I’ve already accepted the fact that Bring-Your-Own-Device (BYOD) is a business trend that’s here to stay. According to the “BYOD or Bust: Survey Results Report” by Software Advice, Inc. that I recently read, just 23 percent of enterprise employees use company-sanctioned mobile devices only – meaning 77 percent of employees are using their own devices in some capacity to do their job. As the Chief Information Security Officer at Veracode I have experienced this trend firsthand and if it hasn’t hit you yet, the BYOD tidal wave is coming your way! Formulating a BYOD policy is only one side of the equation – employee education is the other. Most business users simply aren’t aware of the security threats facing them when they use their favorite mobile device at work. We need to increase that threat awareness level and ultimately convert employees into willing participants in a secure mobile computing or BYOD programme. Here are ten tips to help device users protect personal information as well as their company’s data, IP and brand when they use their mobile devices at work:

1. Use password protected access controls.
2. Control wireless network and service connectivity.
3. Control application access and permissions.
4. Keep your OS and firmware current.
5. Back up your data.
6. Wipe data automatically if lost or stolen.
7. Never store personal financial data on your device.
8. Beware of free apps.
9. Try mobile antivirus software or scanning tools.
10. Use MDM software.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.
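The device-side controls the experts above keep returning to (an authorised device list, auto-lock, an unlock code that is not “1111” or “1234”, remote wipe, no jailbreaking or rooting, encryption, a current OS and no sideloading from unknown sources) are exactly what a posture check in an MDM or network-admission system evaluates before a personal device is let onto the corporate network. The Python below is an added example, not code from this article or from any vendor it names (Cisco, Sybase, MobileIron, Airwatch, Good Technologies, Veracode). The device IDs, OS version floors, auto-lock limit and inventory records are constructed for the example, and `is_weak_code` is a hypothetical passcode-quality check of the kind an enrolment agent runs locally when a code is set; an inventory record never holds the code itself, only the resulting flag.

```python
"""BYOD device-posture check (added example; assumptions are marked below)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy values are assumptions chosen for the example, not figures from the article.
AUTHORISED_DEVICES = {"dev-ios-01", "dev-and-02", "dev-and-03"}   # constructed IDs
MIN_OS_VERSION = {"ios": (5, 1), "android": (4, 0)}              # assumed floors
MAX_AUTOLOCK_SECONDS = 300                                       # assumed limit
# "1111" and "1234" are the codes the article warns against; the others are
# common-pattern additions assumed for the example.
WEAK_CODES = {"0000", "1111", "1234", "2580", "1212"}


def is_weak_code(code: Optional[str]) -> bool:
    """Passcode-quality check an enrolment agent would apply on the device.
    Rejects missing/short codes, listed codes, all-same digits and digit runs."""
    if not code or len(code) < 4:
        return True
    if code in WEAK_CODES or len(set(code)) == 1:
        return True
    if code.isdigit():                       # 1234 / 9876 style ascending or descending runs
        steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.0.4' -> (4, 0, 4); a non-numeric suffix such as '6.0b2' is ignored."""
    parts = []
    for chunk in version.split("."):
        match = re.match(r"\d+", chunk)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


@dataclass
class Device:
    device_id: str
    platform: str                      # "ios" or "android"
    os_version: str
    autolock_seconds: Optional[int]    # None means auto-lock is disabled
    passcode_quality_ok: bool          # result of is_weak_code reported at enrolment
    remote_wipe_enabled: bool
    jailbroken: bool                   # jailbroken (iOS) or rooted (Android)
    storage_encrypted: bool
    unknown_sources: bool              # Android "Unknown sources" sideloading


def evaluate(device: Device) -> List[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings = []
    if device.device_id not in AUTHORISED_DEVICES:
        findings.append("not on authorised device list")
    if device.autolock_seconds is None or device.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append("auto-lock disabled or longer than %ds" % MAX_AUTOLOCK_SECONDS)
    if not device.passcode_quality_ok:
        findings.append("weak unlock code")
    if not device.remote_wipe_enabled:
        findings.append("remote wipe not enabled")
    if device.jailbroken:
        findings.append("jailbroken/rooted: factory restore before re-enrolment")
    if not device.storage_encrypted:
        findings.append("storage not encrypted")
    if device.platform == "android" and device.unknown_sources:
        findings.append("unknown-sources sideloading enabled")
    floor = MIN_OS_VERSION.get(device.platform)
    if floor is not None and parse_version(device.os_version) < floor:
        findings.append("OS %s below minimum %s" % (device.os_version, ".".join(map(str, floor))))
    return findings


def triage(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device id to its findings so non-compliant devices can be denied
    network access or queued for remediation."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed inventory: one compliant device and two with typical problems.
SAMPLE_INVENTORY = [
    Device("dev-ios-01", "ios", "5.1.1", 120, True, True, False, True, False),
    Device("dev-and-02", "android", "2.3.6", None, False, True, True, False, True),
    Device("dev-unknown-09", "android", "4.0.4", 60, True, False, False, True, False),
]

if __name__ == "__main__":
    for device_id, findings in triage(SAMPLE_INVENTORY).items():
        print(device_id, "compliant" if not findings else "; ".join(findings))
```

Run it directly to get one line per device; a non-empty findings list is what a network admission control would act on (deny, quarantine or queue for remediation). The authorised list and OS floors are placeholders to be replaced with the devices and versions an organisation actually supports.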
outsourcing
IT Outsourcing Deals Gone Bad
There is a probability that IT outsourcing arrangements will not survive the initial term
Scores of articles and studies have highlighted the statistics around unsuccessful IT outsourcing deals – many establishing the failure rate at well above 50 percent. While the concept of IT outsourcing is not inherently flawed, the execution in many cases is – i.e., the classic distinction between “doing the right thing” versus “doing things right.” Consequently, CIOs must thoroughly evaluate their contingency options to protect the integrity of outsourced IT initiatives should an engagement come off the tracks.

As a first step, CIOs need to develop a clearly defined exit strategy prior to executing the agreement, which, needless to say, is a challenging endeavor when in the throes of attempting to build a sustainable partnership with that same provider for the future. This goes well beyond standard termination-transition language and gets into tactical provisions such as:

- Requiring the exiting provider to provide incident management and asset data to the succeeding provider;
- Retaining the rights to configured tools that have been used in the delivery of services; and
- Minimising the financial consequences of a termination for convenience event (recognising that proving “cause” is an incredibly arduous undertaking even under the most dire circumstances).
By Steve Martin

Identify the Root Cause of Outsourcing Failure

For engagements already in progress, first ask the question, “What problem are we trying to solve?” The answer generally falls into one or more of the following five categories:

1. The provider is failing to meet the agreed upon service level agreements (SLAs);
2. The provider is meeting the SLAs but is failing to meet the non-documented performance requirements;
3. Provider personnel quality is inadequate;
4. Provider costs have become misaligned with the market; and
5. Infrastructure and services have not been maintained at market leading levels.

Despite the notion that customers are generally complicit in each of these scenarios – either through failing to negotiate adequate protection in the underlying contract, enforcing the contract, or implementing appropriate governance – the second question becomes: “What is the best path for addressing the problems?”

When deals go bad, the vast majority of customers ultimately decide to at least test the market through the competitive process
Option 1: Restructure or Renegotiate the Existing Vendor Contract

As this strategy clearly has the potential to be the least operationally disruptive, unless the relationship between the provider and customer has become irreconcilably dysfunctional (or the provider has become financially unstable), this option should always be considered first. That said, CIOs should be vigilant about time-boxing the effort. Allowing negotiations to drag on generally results in problems festering. The contract restructuring or renegotiation process should squarely address the core offending issues identified above. For example, if the SLAs are being met but there is dissatisfaction with the overall performance, then redesign the SLAs. If the quality of the personnel is inadequate, then (re)identify the key personnel positions, develop minimum qualifications for replacement personnel, and ensure that market-based key personnel terms (e.g., customers’ approval and dismissal rights, limitations on turnover, and financial consequences for failure to meet personnel requirements) are incorporated into the future contract. If the rates have become misaligned with the market, give the provider the target rates and negotiate benchmarking or other terms to protect rates from becoming misaligned going forward.
cto forum 07 september 2012
The Chief Technology Officer Forum

Option 2: Time to Shop Around for IT Outsourcing Services

When deals go bad, the vast majority of customers ultimately decide to at least test the market through a competitive process. But, in the words of George Santayana: "Those who cannot remember the past are condemned to repeat it." When approaching the market, CIOs need to return to the underlying current-state issues, and also understand and control the root causes of those problems. While it is relatively straightforward to draft an RFP and even negotiate an agreement with a new provider that addresses the problems on paper, a highly disciplined governance framework must be established to ensure that the contract, the provider and the internal customer stakeholders are tightly managed. For example, the most favourable key personnel language will not deliver the provider's "A" team if the customer is reluctant to invoke its right to have underperforming personnel replaced. Likewise, best-in-class rate benchmarking provisions will not result in rates being marked to market each year if the customer never triggers the benchmarking process. Even with a new provider contract and a world-class governance process, transferring services to another outsourcing provider is far from trivial. Such moves are often transformative in nature (i.e., done in concert with a major change in the underlying service delivery model), are extremely resource intensive, and often cause a near-term degradation of service performance, albeit with the expectation of sustainable performance improvements in the future.
Option 3: Repatriate Some or All of Your Outsourced Services

Clearly not for the faint of heart, this model presupposes that the only way to control one's destiny is to own it. While wholesale insourcing or repatriation of outsourced work is unusual, companies are increasingly pursuing more surgical initiatives: carving out components of an outsourced service model and managing those services in-house. Repatriation initiatives tend to focus on high-value IT services, e.g., architecture, engineering, and level two and three support, rather than on resource-intensive commodity services such as desktop support, level one helpdesk and managed network services. This is because the outsourcing model for the latter, highly routinised services generally offers a more competitive cost structure and absorbs the burden of hiring and retaining resources. Those contemplating repatriation often still issue an RFP for most of the services to be in-sourced, both to gain market intelligence and to create a safety net for an alternative decision.

While many first, second and even third generation IT outsourcing relationships become stale over time, CIOs who take the time to analyse all aspects of a deal before it is signed (or renewed), and who keep their hands on the wheel throughout the period of performance, can prevent many deals from going bad. However, if a deal does turn sour, whether because of an underperforming provider or otherwise, companies should be prepared to move swiftly. Having a well-thought-out exit strategy in place, using powerful alternatives such as renegotiating, recompeting or repatriating the work, safeguards customers and ultimately protects the IT initiatives at hand.

— Steve Martin is a partner at Pace Harmon, a third-party outsourcing advisory services firm providing guidance on complex outsourcing and strategic sourcing transactions, process optimisation, and supplier programme management.
— This opinion was first published in CIO Insight. For more such stories, please visit www.cioinsight.com.
Illustration by Manav Sachdev
Cover Story

Green IT: A Strong Business Case

For a CIO, going green is no more a fad. It promises to yield significant cost benefits

By Akhilesh Shukla
Design by Shokeen Saifi. Imaging by Shigil N, Peterson & Prameesh Purushothaman C
Power outages are not uncommon in a developing country like India. On July 30 and 31 the country witnessed its biggest outage yet. It affected over 620 million people across 22 states; in other words, nine percent of the world's population was left without power. Modern infrastructure that runs on electricity came to a halt, and the state-of-the-art Delhi Metro had to draw power from the Himalayan nation of Bhutan to keep running.

It is worth noting that India is the world's fifth-largest electricity producer, after the US, China, Japan and Russia. However, India's per capita consumption of electricity is among the lowest in the world: in 2009 it was 571 kWh per capita, while every US citizen consumed 12,914 kWh. Ample supply of electricity, petrol and diesel is a must for a country's economic development. Some small states, including Himachal Pradesh and Uttarakhand, have flourished in the last few years because of ample electricity supply, while Uttar Pradesh and Bihar, two of the most populous states, never attracted much private-sector investment, with lack of reliable electricity supply one of the prime reasons. Combustion of fuel and use of electricity, on the other hand, contribute to carbon emissions, with negative effects on the environment and health. Since the Indian economy was opened to the world, fuel consumption has risen and so have carbon emissions. According to a World Bank report, India's per capita emission of carbon dioxide was 0.6 tonnes in 1984 and rose to 1.53 tonnes in 2008; the report attributed the growth to the burning of fossil fuel and the manufacture of cement. Out of environmental concern, large enterprises have also started taking initiatives to control carbon emissions and use electricity smartly, and have invested in products that consume less power. Adoption of "green practices", as they are often called, has become a new phenomenon among enterprises.
This practice has a dual impact: it cuts the power bill and, at the same time, reduces carbon emissions, and the commendable part is that functionality remains at par. Information and communication technology (ICT) has always been at the forefront of adopting new initiatives, and CIOs today are taking the lead in promoting green practices within enterprises. This is despite the fact that the government has not issued any strict guidelines to control emissions from ICT infrastructure. Interestingly, ICT infrastructure, as per industry estimates, contributes three percent of total carbon emissions worldwide, and datacenters alone account for 14 percent of the ICT industry's emissions. The US Environmental Protection Agency estimates that datacenters are responsible for around 1.5 percent of total US electricity consumption, or 5 percent of US greenhouse gas emissions, and projects that under a business-as-usual scenario greenhouse gas emissions from datacenters will more than double from 2007 levels by 2020. With these findings in mind, CIOs started looking for ways to reduce the power consumption of their datacenters. During the second half of the last decade they began implementing virtualisation to consolidate datacenters, and some large enterprises took up desktop virtualisation as well. FIS Global, a provider of banking and payments technologies, is one such enterprise: it adopted virtualisation for its huge ICT infrastructure and took green practices to the next level. Three years down the line, the company is reaping the benefits by significantly reducing operational costs. FIS has 32,000 employees worldwide and 25 strategic operation centers housing 13 datacenters.
It caters to more than 14,000 clients across 100 countries and has revenue of $5.7 billion, with cash flow of more than $1 billion. FIS's ICT infrastructure in India comprised 200 servers and 4,000 desktops, and the cost of running it was immense. With FIS planning a new facility in Manila as part of its expansion, the cost was expected to grow further. The new infrastructure had to seat 1,200 employees, and it had to be robust enough for fast delivery of services to newer markets: flexible, scalable and highly reliable, with lower IT maintenance and operational cost. The mounting operational cost of the existing IT infrastructure and the requirements of the new one led Baskar Raj, CIO, FIS Global, to look for solutions that could reduce the cost of operations. Virtualisation was one such solution, and it fit the needs of FIS Global perfectly. The company started its virtualisation journey in the second half of 2008.

"The concept of virtualisation was altogether new and there was no trained manpower available. The team had to depend on the documentation provided by the vendor and content available on the internet. It was very difficult to anticipate problems, which would crop up very often. We had to find solutions through trial and error," said Baskar Raj, CIO, FIS Global.

Raj constituted a core team of four members, one each from network and technology and two from systems engineering, to do all the research and training required for implementing the virtualisation solution. This core team completed the first phase, virtualising 40 desktops and 10 servers at Manila, in January 2009. The success of the Manila implementation led to a similar initiative in India, where FIS has migrated around 3,000 physical desktops and 150 servers to a virtual environment; the team is migrating another 1,000 desktops and expects to complete the work by the end of this financial year. As many as 100 servers were virtualised onto 10 blades, freeing up around 90 percent of the space in the datacenter.

Calculations showed that the company was saving 5,559.60 kWh per day on running desktops and servers and another 6,671 kWh per day on cooling, for a total saving of 4,464,359 kWh per year. The monthly saving was equivalent to planting more than 1,400 trees, and the annual saving translates to more than 2,700 tons of carbon dioxide emissions avoided. The effort had a monetary impact as well: the company saved a staggering $842,814 per year on running its ICT infrastructure in India and the Philippines. "Our total investment for the infrastructure on the virtualisation effort was about $1,500,000. Just by the cost saving from energy alone, we got back the investment in a year and seven months," said Raj.

After the virtualisation deployment, FIS's datacenter space requirement was reduced by almost 80 percent, and the entire IT environment became flexible enough to log in from any terminal. One of the biggest challenges the organisation faced was convincing its own employees to move to virtual desktops: employees felt a loss of control over their personal data without a traditional desktop with its own hard drive and CPU. The company conducted educational sessions to win them over. Security compliance was another issue FIS had to deal with, and it was hard to convince some of its clients that the virtualised environment met their requirements. Slowly and gradually, however, the organisation overcame all the challenges.

One of the major challenges CIOs face in adopting green practices is convincing management, especially in today's tough times, when economic growth has hit an all-time low and most enterprises are sitting on cash and not making any investments.
"To add to the problem, these technologies demand a premium," said Umesh Mehta, CIO, Jubilant Life Sciences. "Though you have all the numbers and ROI to show to the management, a CIO has to have a good reputation and understanding with the management, otherwise it becomes difficult to take up such projects," Mehta said.

Jubilant Life Sciences (JBS) is a pharmaceutical and life sciences company headquartered in Noida. It is part of the $4 billion Jubilant group and has a presence in North America, Europe and China as well. JBS is in custom research and manufacturing services (CRAMS) and is also known as a drug discovery and development solutions provider. At the start of 2012, as part of its adoption of green practices, JBS replaced the CRT monitors of more than 6,000 employees with TFTs. This saved JBS a large sum in power and cooling and freed up space at the workstations; power consumption by the IT facility came down by around 25-30 percent, and the company recovered its investment in just six months. Another major green investment was server virtualisation: the VMware virtualisation solution helped JBS consolidate 50 servers into five. JBS is now planning to move its desktops to a virtualised platform; Mehta was exploring solutions and expected to migrate the company's desktop infrastructure to the virtualisation platform by the end of the ongoing fiscal year. "One of the best parts of our organisation is that the management is always open to investing in newer technologies leading to green practices. There is no cap on the budget," he added.

Major industry trends in green practices for ICT infrastructure include cloud computing and virtualisation. Organisations are also moving some of their ERP applications onto cloud platforms, and cloud services are becoming popular among SMBs, start-ups and even large corporates that cannot or will not invest in ICT infrastructure.
"Most of the green solutions available in the ICT industry are based on software and applications. However, we are yet to see innovations happening on the hardware front. Still, we cannot run ICT infrastructure on alternative sources of energy, including solar and wind power," said Amod Malviya, VP Engineering, Flipkart. Flipkart, an online shopping portal selling across categories including movies, music, games, mobiles, cameras, computers, healthcare and personal products, home appliances and electronics, stationery, perfumes and toys, has more than three million registered users and claims to sell 30,000 items per day.
The company is yet to adopt any green practices for its ICT infrastructure, but it regularly monitors the power usage of its datacenter in Chennai. Interestingly, most CIOs are themselves driving these initiatives in their organisations: they are the ones selecting technologies and convincing their organisations to adopt green practices, and management hardly ever initiates such efforts. In the absence of proper certifications for good green practices in India, CIOs have been getting their organisations certified by global agencies. JBS's manufacturing units in Bangalore and Roorkee received Good Manufacturing Practices (GMP) certification from the US Food and Drug Administration (USFDA); its US facilities are already USFDA certified. CIOs are following global green metrics for their ICT infrastructure as well. One of the common metrics Indian CIOs use to determine the energy efficiency of a datacenter is Power Usage Effectiveness (PUE): the ratio of the total power consumed by the datacenter to the power used by the IT equipment alone. The average datacenter in the US has a PUE of 2.0, meaning that for every watt delivered to IT equipment another watt goes to cooling, power distribution and other overheads; the closer the ratio is to 1.0, the better. The US Environmental Protection Agency has Energy Star ratings for large or standalone datacenters, and the European Union has a similar initiative, the EU Code of Conduct for Data Centres. India has a rating system for consumer durables, given by the Bureau of Energy Efficiency (BEE), but no such ratings for datacenters. Leadership in Energy and Environmental Design (LEED) is another popular standard CIOs are following. LEED is a suite of rating systems for the design, construction and operation of high-performance green buildings, including homes, developed by the US Green Building Council in 1998. At last count, LEED had certified some 7,000 projects in the US and 30 other countries, covering 1.5 billion square feet.
"We are focusing on getting all our facilities 'Green' certified. Our new building in Gurgaon is expected to be fully LEED certified, and older facilities will also be targeted in phases. We have recently undertaken a green audit of our server footprint as well," said Sankarson Banerjee, CIO, India Infoline. India Infoline provides financial services, offering an advice and execution platform for a range of products including equities and derivatives, commodities, wealth management, asset management, insurance, fixed deposits, loans, investment banking and gold bonds. It caters to 2,500 families in India and has a presence in over 3,000 business locations spread across 500 cities. The company is also present in key global markets including Colombo, Dubai, New York, Mauritius, London, Singapore and Hong Kong.

Cost saving, of course, is one of the major driving forces behind green practices, but the role of CIOs in driving these practices is commendable: they are single-handedly driving such initiatives, and pushed by them, green practices have come a long way. Government needs to promote green practices further and take some major initiatives, such as announcing incentives or subsidies for green practices and technologies. This could boost adoption of green practices in a bigger way.
Green IT: A Tactical Move for CIOs

In an interview with Akhilesh Shukla, Ganesh Ramamoorthy, Research Director, Gartner, talks about the latest trends and technologies in the adoption of green technologies in India

How is IT contributing to carbon emissions worldwide and in India?

India is the second fastest growing economy in the world today. In a couple of years, it will be the fastest growing economy in the world. Projections from the Indian government, global financial institutions and international economic bodies indicate that India's GDP will double in the next twenty years from current levels. So will the demand for energy to fuel this growth, and the consequent per capita carbon emission levels. The need of the hour for India, therefore, is undoubtedly to embark on a path of sustainable growth that will maintain the economic growth momentum while addressing the need to reduce carbon emissions through the use of green technologies. Over the next five years, we therefore expect to see a flurry of sustainability initiatives and programmes being introduced that will lay the foundation for sustainable growth in the future. As a result, India's spending on sustainability initiatives that impact various spheres of the economy, industries and society at large will double from current levels through 2015.

What are the major trends in green technology adoption in India?

India's information and communication technology (ICT) industry is definitely an early adopter of green IT and sustainability solutions. India is one of the fastest-growing markets in terms of IT hardware and communications infrastructure consumption. As enterprises embrace IT to improve productivity and drive growth, penetration of ICT infrastructure has been growing rapidly during the past decade, as have the energy consumption and resulting carbon emissions of India's ICT infrastructure. While awareness of green IT and sustainability issues is very low in Indian organisations, the increasing global focus on energy efficiency, energy security, green IT and sustainability issues is now causing the executive leadership in the technology sector to track, report and manage sustainable and resource-efficient business practices. Simultaneously, the operational costs of IT are putting pressure on CIOs in Indian companies to develop strategies to optimise ICT utilisation, including company-built urban areas and gated communities.

Which are the top technologies being adopted by enterprises in India?

There are many existing technologies and applications that can be applied to improving the sustainable performance of Indian enterprises, technologies that are mature and simply need repurposing. But we also see the emergence of a plethora of new, exciting and interesting technologies and applications that will help enterprises make both incremental and substantial improvements in sustainable performance. The key here is that IT organisations should identify the right technologies for incubation and piloting. While there is much excitement around many of these technologies, it is important to recognise their relative maturity or immaturity and how apt they are for your organisation's critical business issues. We believe IT organisations will specifically need to pay attention to EHS applications, sustainability/CSR performance management systems, enterprise-wide carbon and energy management software applications, e-waste, RoHS/WEEE, LCA tools and sustainable design and product lifecycle management tools, and sustainability business operations and consulting services.

How significant are the environment norms laid down by the Indian government for the ICT sector?

India has laid out significant emission reduction norms. The government has set a target to increase energy efficiency by 20 percent by 2016, and to achieve a 20 to 25 percent reduction (from 2005 levels) in emission intensity by 2020. Moreover, and most importantly, for the first time a chapter on Sustainable Development and Climate Change was introduced in the government's annual Indian Economic Survey, 2011-2012. The survey has suggested making lower-carbon sustainable growth a central element of India's 12th five year plan, which commenced in April 2012.

How true is the statement 'Green technologies are driven by business, not environmental considerations'?

It is 100 percent true. Unless the top management is convinced and has visibility on the returns from green technology investments, I see no reason why any organisation would commit any investment. The short-term drivers for green investments may be compliance with local environmental regulations, but the real motivation ultimately will be either cost savings or revenue generation.

In the US, the Environmental Protection Agency has put an Energy Star rating on standalone or large data centers. Similarly, there is an EU Code of Conduct for data centres. What are the popular metrics that Indian CIOs are following to keep a tab on energy consumption?

Yes, India too has a whole lot of regulations, from energy rating standards by the Bureau of Energy Efficiency for all kinds of IT hardware and consumer electronic equipment to the mandatory reporting of and spending on corporate social responsibility for Indian organisations.

What are the other green practices and technologies that enterprises are adopting, apart from those related to IT?

Technologies such as advanced metering infrastructure, carbon capture and sequestration, intelligent transportation systems, solar energy technology, building-integrated PV systems, ecolabels and footprints, combined heat and power technology, e-waste, distributed power generation, and water management are very essential to usher in low-carbon sustainable growth, and a variety of pilot projects funded by private organisations and government bodies are currently underway in many of these technology areas.

Do you see a change in the role of CIOs in the adoption of green technologies?

Today, for CIOs, green IT is a tactical move, and that needs to change into a strategic move. Just as the enterprise will need to track its overall carbon and energy footprint, and where relevant track the reductions it is able to achieve, the IT organisation needs to do the same thing. This will help the CIO communicate the environmental value-add of IT, which will become an increasingly important part of the IT value proposition.

What is your advice to CIOs planning green initiatives?

My recommendations to CIOs are as follows:
• Understand what "sustainability" means to your organisation
• Initiate internal communications to establish sustainable business and information systems
• Think holistically: make green IT initiatives a part of your overall sustainability programmes
• Identify and prioritise areas where IT-enabled interventions will deliver significant value
• Develop capabilities in energy and carbon management now
• Identify suppliers and partners with whom you want to innovate solutions
• Develop an innovation center to incubate technologies to achieve sustainability goals
• Appoint an enterprise architect to build sustainable business systems
• Start tracking the net value-add of IT in terms of energy and carbon
"We will continue to look at reducing energy footprint"

T K Padmanabhan, CTO, Wipro, talks to Akhilesh Shukla on how innovative technologies are helping enterprises adopt green practices

What are the technological innovations happening on the front of green practices?

Innovation is happening on two fronts. The first is ICT infrastructure itself, making it consume less power and need less cooling. These technologies, including virtualisation and cloud computing, are very popular among CIOs, and their adoption helps save power and reduce carbon emissions. Similarly, technologies are being developed that can monitor and manage power consumption. These smart and intelligent technologies help an organisation map the power consumption of each and every device, which could help industry verticals such as telecom and hospitality, for whom electricity bills constitute a large part of operational cost. We are working with one of the big fast food chains in the United States of America, where energy contributes 17 percent of operational costs. Similarly, a few of the large telecom operators are using our technology to reduce the power consumption of telecom towers; these towers are power guzzlers and contribute 20 percent of a telecom operator's operational cost. By using these energy monitoring and management devices, these companies have successfully reduced their electricity bills by 3-4 percentage points.

What green initiatives are you taking to reduce the carbon footprint of your IT infrastructure?

As part of our WiproEco programme, we have looked and will continue to look for opportunities to reduce our energy footprint through virtual computing, travel substitution technologies, and transport and logistics optimisation. We will have focused targets for each of these levers and we will benchmark ourselves against peers and industry leaders. As far as ICT technologies are concerned, we have consolidated our seven datacentres into three. We operate laboratories for carrying out various research and development (R&D) initiatives, and as part of our green initiative we have consolidated 120 of these labs into just 50. Both these developments have helped cut the electricity budget by a few million dollars. Bring Your Own Device (BYOD) is another trend that helps reduce power consumption: the smartphones and tablets employees are using since the policy was adopted consume ten times less power than desktops or laptops. Similarly, we have moved some of the R&D activities onto virtual infrastructure.

What are the major challenges in green adoption?

IT infrastructure is rapidly moving towards lower energy consumption and lower cooling cost. However, one of the major challenges to green practice adoption is old ICT infrastructure. For a CIO it is like choosing between the devil and the deep blue sea: a huge capital investment is required to completely replace old infrastructure, while on the other hand operational costs are high because of that old infrastructure.

Power Usage Effectiveness (PUE) is popular among Indian CIOs who monitor their datacenter power usage. PUE is the ratio of the total power entering the datacenter to the power used by the IT equipment. Besides, CII developed a datacenter handbook last year. LEED is another popular metric that Indian CIOs are following.
Moving to the 'Virtual' World

Godrej Consumer Products' global acquisition spree had put its ICT infrastructure under strain. The FMCG firm implemented virtualisation to fulfil its growing ICT needs in a fast and cost-effective way

Godrej Consumer Products (GCPL) is a Fast Moving Consumer Goods (FMCG) company based in Mumbai. As part of its growing global footprint, GCPL has recently acquired a few companies in emerging markets, including a 51 percent stake in the Darling group in Africa. The company's ambitious plans have led to acquisitions in West Africa, Indonesia, Argentina, the United Kingdom, South Africa and the Middle East, and GCPL owns international brands and trademarks in Latin America, Europe, Australia, Canada, Africa and the Middle East.

About a year ago, GCPL faced numerous challenges with the physical infrastructure at its datacenter in Mumbai. The datacenter housed some 39 physical servers, each hosting one database or application. This resulted in very low server utilisation and added to the maintenance, power and cooling costs of these servers. GCPL's entire business of manufacturing, sales and distribution is served by SAP R/3 applications running on these physical servers, and the load on them was increasing along with the company's expansion drive. GCPL also needed a robust ICT infrastructure to support facilities in the new countries where it was acquiring businesses. Two other developments were putting pressure on GCPL's ICT facility: the upgrade from SAP R/3 to SAP ECC 6.0, and the roll-out of an SAP landscape for the Argentina entity. The IT team realised that deploying the new roll-outs and the upgrade on the physical infrastructure would be difficult as well as time consuming, and began exploring a solution.

GCPL evaluated virtualisation to help it mitigate these challenges in a short span of time. One of the primary objectives of moving to virtualisation was to reduce server sprawl and improve the utilisation of server resources. "We were aware of the benefits of virtualisation. Our concern was the requirement for key parameters including high availability, flexibility and scalability of the virtualisation solution. These requirements were assured by VMware vSphere," said Dinesh Chandra Gupta, DGM IT, GCPL. The IT team at GCPL set up a test and development SAP environment for the Argentina entity; it took them only a week to complete this setup in a virtual environment, whereas a similar setup on physical infrastructure would have taken four to five weeks. The success of the test environment gave GCPL the confidence to roll out SAP for the Argentina business in a virtualised environment.

The biggest benefit the IT team realised with the virtualised infrastructure was the ability to roll out new virtual servers in negligible time, which was not possible with the physical infrastructure. Interestingly, GCPL had planned to host only four SAP virtual machines on two physical servers, but later realised it could configure eight virtual machines on the same infrastructure within a month. For the deployment, GCPL worked with HP and with Galaxy project, an implementation partner with expertise in virtualisation solutions. Most of the business-critical applications, including various SAP modules such as Document Management System (DMS), Warehouse Management System (WMS), MDO, SAP GRC servers, and XI servers for the production, QA and development environments, were virtualised. The GCPL IT team consolidated the physical servers at the Mumbai datacenter using VMware vSphere. The implementation eliminated server sprawl and reduced power, cooling and maintenance costs while improving server utilisation, and VMware vCenter let GCPL manage the servers from a central point. GCPL has since adopted a "Virtualisation First" policy for its entire IT infrastructure. "We started reaping benefits from the very moment we deployed virtualisation at our facility. A budget of Rs 60 lakh was allocated for the first phase and we completed the entire project in just Rs 12 lakh, thus saving Rs 48 lakh upfront," said Gupta.

By moving to a virtualised infrastructure, GCPL has reduced its operating cost by a huge margin. GCPL's new servers draw only 1,200 watts, where the eight old servers drew 4,800 watts. As a result, the operational cost of the ICT infrastructure was reduced by 75 percent. The organisation also automated the daily operations of the IT environment and reduced its dependence on people, which further improved operational cost: from being a people-dependent organisation, GCPL is now more policy-dependent. GCPL at present runs 16 business-critical applications on two virtualised servers, instead of the earlier one server per application; the servers are housed at GCPL's head office in Vikhroli, Mumbai. "Earlier, as per the process, if we required test servers with 4 GB RAM and a 250 GB hard disk, we had to seek various approvals, and it was a lengthy and time-consuming process. Now an administrator can easily allocate CPU and server space without any hassle and in no time," said a delighted Gupta. GCPL is currently in the process of implementing DR for the complete group on the VMware vSphere Enterprise Plus platform, and also plans to set up a virtual private cloud with auto-provisioning.
cto forum 07 september 2012
39
TECH FOR GOVERNANCE: COMPLIANCE

Changing a Compliance Culture

A company’s values must start with tone-at-the-top and need to be communicated again and again. By Thomas Fox
Illustration by Raj Verma

5 POINTS
Culture describes the way human beings behave together.
A regulator should not be enforcing culture, because it is a contradiction in terms.
Many CEOs want to create the type of company at which they wish to work.
A strong corporate culture will not on its own protect a company that has a bad strategy, poor governance or a weak business idea.
Poorer performing companies often have strong cultures, too, but dysfunctional ones.

What is a healthy culture and how do you change an unhealthy culture? I have always thought that baseball was a simple game: you throw the ball; you hit the ball; you catch the ball. I had also thought that you could measure whether a baseball team had a healthy culture with a fairly easy-to-understand metric, that being wins and losses. For example: the more wins your team has the better it should be; conversely, the more losses your team has the worse it should be viewed. Based upon this fairly straightforward metric, I would have said that the Houston Astros did not play baseball very well in 2011, when they lost 106 games and won 56. I would have also said that they are an even worse team this year, as they are on track to have an even shoddier season; their current trajectory is for 109 losses vs. 53 wins. All-in-all a pretty unhealthy baseball culture.

However, it turns out that my straightforward analysis of baseball culture is in fact too simple. As reported in the Houston Chronicle, team owner Jim Crane said “he believes sophisticated baseball fans are in tune with the team’s plans.” I would have thought that having not only the worst record in baseball but the worst record in the history of the Houston franchise showed that the culture of baseball is not particularly good right now in Houston. However, it turns out that I simply have an “unsophisticated” view of how to approach the Astros culture, and losing for the past three years and up to the next five years is the team’s culture plan. On a more positive note, in the same interview Crane said that the redesign of the Astros uniform that he has been so diligently working on has been submitted to Major League Baseball (MLB) for approval. So, if a winning baseball culture includes redesigned uniforms, it sounds like the Astros are the team for you.

I thought about the Astros culture of losing, my “unsophisticated” view of baseball and the Astros redesigned uniforms when reading a recent article by Andrew Hill in the Financial Times (FT), entitled “Lofty Aspirations”. Hill quoted Roger Steare, an expert on corporate leadership, values and ethics, who said that culture “describes the way human beings behave together – what they value and what they celebrate.” Hill posed the question of whether it is possible for government policy makers or regulators to shift the behaviours and values of scandal-hit sectors of business, and whether it is even desirable. Hill looked at the ongoing crisis in the financial services sector and found that it is so deep that regulators in the UK have “explored whether to intervene to influence corporate culture.” Hill cited a speech from 2010 by Hector Sants, then head of the Financial Services Authority (FSA), in which he said that regulators can ask Boards of Directors to provide agencies with “evidence of healthy culture, such as functional whistleblowing regimes, positive customer and employee engagement surveys, and a system for challenging ‘group think’ at board level.” However, Sants also cautioned: “I don’t believe the regulator should be enforcing culture because it’s a contradiction in terms: if you enforce culture, you get a police state with compliance on the surface and subversion underneath.”

Hill argues that the best way to affect culture “is to combine strong leadership with the existing internal elements of a healthy corporate culture.” Further, his point for businesses which are “assailed by allegations of bad behaviour” is that, while it may take as long to create a good culture as it does to establish a good reputation, “a strong set of values is usually harder to destroy unless the company is itself dismantled or taken over.” Hill went on to cite one example where a company Chief Executive Officer (CEO) had a strong “Lutheran philosophy” and the Chairman of the Board had a more creative tone. They certainly had a tension, but this tension played out as constructive discussions at the highest levels of the company and did not allow for too great a shift in one direction or the other.

Hill recognises that many CEOs want to create the type of company at which they wish to work. However, if they desire to make such changes they must communicate “from the start the values staff were expected to follow.” Nevertheless, Hill continued, “the message needs to be constantly reiterated, in person.” He also noted “that a strong corporate culture will not on its own protect a company that has a bad strategy, poor governance or a weak business idea, let alone one that takes the wrong operational decisions.” Hill cited the book “In Search of Excellence”, where authors Tom Peters and Robert Waterman pointed out that “poorer-performing companies often have strong cultures, too, but dysfunctional ones. They are usually focused on internal politics rather than on the customer, or they focus on ‘the numbers’ rather than on the product and the people who make and sell it.”

All of this would seem to point, again and again, to the conclusion that a company’s values not only start with tone-at-the-top but must be communicated again and again. Hill closed his article with a quote from Roger Steare, who said that he always asks the Directors he consults with what the purpose of their entity is. “If they respond ‘To make a profit’, I know we’ve got a problem.” So how about the Astros and their culture? Do they have a strong culture but are simply dysfunctional? Or do they need an intervention or structural change? Maybe all three...

— This article is printed with prior permission from infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

23% will be the growth of the app dev market in India in 2012.
TECH FOR GOVERNANCE: MANAGEMENT

Assessing Risk Management Culture

Encouraging a risk culture throughout the organisation is a priority. By Diana Graham
Illustration by Shigil N

The past 24 months have seen a number of man-made and natural disasters bring risk management demands to the forefront for executives and board directors. Whether natural, such as the Japanese tsunami, or man-made, such as the Gulf of Mexico oil spill, these fat-tail disasters have created a renewed interest in enterprise risk management (ERM) practices. Although demand for these practices, and the level of discussion about their use, is high inside the C-suite of many corporations and private enterprises, studies have shown a discontinuity of both talent and practice in Western economies. So, how can organisations ensure a culture of risk awareness is put into place?

“Get a commitment from senior management that encouraging a risk culture throughout the organisation is a priority. Put together a communication strategy that can include newsletters, lunch-and-learns, speaking at head office and regional business meetings. Look at the gaps or challenges in your Risk Appetite and Material Risks for ideas on where to focus your efforts,” says Diana L. Graham, Chief Risk Officer at ResMor Trust Company.

Marcus Evans spoke to Ms. Graham before the forthcoming 2nd Annual Enterprise Risk Management Canada Conference, October 2-3, 2012 in Toronto, Canada. Within her role at ResMor Trust, she has built a successful internal risk culture involving individuals from every level of the organisation. Key to this success is developing transparency across risk buckets to enhance communication and minimise the chance of a gap risk falling through the cracks.

“Ideally, risk management would be included as a business stakeholder in budgeting decisions when areas seek to streamline operations resulting in the elimination or weakening of controls,” says Graham. “Risk management should be an influencing stakeholder regarding certain compensation decisions, i.e., risk management targets in areas outside risk management and weighting of the risk management segment in balanced scorecards. Additionally, risk management should sign off on all new product/new business decisions.”

Companies in Canada are in a unique position because they are at various stages of implementing enterprise risk strategies within their organisations. The key to successfully establishing an ERM framework lies in the creation of risk appetite and tolerance levels across risk buckets. “Canadian companies tend to be more conservative than those in the US, so there may be more of a foundation in place across the organisation. Generally, I have found that there is a ‘healthy tension’ among stakeholders in Canada as opposed to that found in the US in building a risk culture,” says Graham. While the need to incorporate the Board of Directors within the ERM framework is a global challenge, Canadian companies’ cultures are more open to implementing risk structures and processes at every level of the organisation.

— Diana Graham has been Chief Risk Officer at ResMor Trust Company since January, 2010. Prior to this, she worked on behalf of the FDIC in the closure of US banks, and in senior risk management positions in large US and Canadian financial institutions.

— This article is printed with prior permission from infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.
TECH FOR GOVERNANCE: CLOUD

On Cloud Outages (Yeah, They Happen)

But they’re unavoidable. Smart firms will think about ways to lessen the impacts of any outages.
Illustration by Shigil N

Recently the world went wild when Amazon Web Services suffered an extended service outage. I’m not going to make a song and dance about AWS’ woes; suffice it to say that every provider, cloud or otherwise, has outages. I will say that with cloud computing, outages are more obvious than with traditional on-premise infrastructure. I will also say that on a net basis, cloud providers are more likely to have better availability and uptime than traditional providers. Rather, I’d like to reflect upon outages generally, and see what we can learn from them.

Looking at the bigger issues, the outage reminded me of a roundtable that I took part in just over a year ago. I was joined by a number of cloud thought leaders, amongst them enStratus co-founder George Reese and Bechtel Cloud Architect Christian Reilly. Despite the particular event we were discussing being over a year ago, the roundtable is well worth revisiting and listening to for a summary of issues relating to outages, and some best practices to avoid being dragged down in a post-outage flow-on; feel free to have a listen here.

When talking about outages generally I’m reminded of a post I wrote after last year’s AWS outage, in which I was reflecting on the naysayers who use any outage to pronounce the end of cloud. Last year it was the turn of NetworkWorld, who claimed that the “Amazon outage set Cloud Computing back years”. As I said then: “Yes the AWS event means people will think long and hard about their architecture. Yes, some enterprises that were toying with the idea of public cloud might pull back for awhile.” So let’s instead focus on the learnings from an outage. What are the components and solutions needed to build a service that would avoid issues were an outage like the one we saw recently to occur? As I stated in my post from last year, smart organisations will learn from this and other outages and look to the following:
Multi site: All cloud vendors are quick to point out just how reliable their data centers are, with their redundant communication channels, power supply structures and the like. Any application running on the cloud needs to consider the same issues. It is unrealistic to rely completely on one single data center: a chain is only as strong as its weakest link, and by relying on one DC only, the idea of multiple redundancies is rendered a fiction.

Multi provider: This one is a little more contentious, and difficult to effect right now. But with the advent of more open standards, cloud users have the ability to obtain service across multiple providers, and more and more third party solutions are helping with this process.

Automaticity: The real opportunity here is for providers that offer infrastructure-vendor-agnostic orchestration and automation services. A case in point is Layer7, who came out quickly with a post that explains why their own rules-based cloud broker product would have avoided downstream issues from the AWS event.
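The multi-site and multi-provider points above boil down to a client that knows about more than one place to get service and notices when one of them is failing. The following is an added example, not code from the article or from any of the vendors it mentions: a small endpoint pool in Python that tracks consecutive failures per endpoint, treats a failure as a site-wide event for the rest of the request, and reports which redundancy dimensions (site, provider) a given pool actually lacks. The endpoint names, sites, providers and the probe callable are constructed for illustration.

```python
"""Multi-site, multi-provider endpoint selection with per-site failure tracking.

Added example illustrating the "multi site" and "multi provider" points above;
it is not from the article or any vendor. Endpoint names, sites, providers and
the probe callable are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Endpoint:
    name: str
    site: str          # data centre / region
    provider: str      # cloud vendor
    failures: int = 0  # consecutive failed attempts


class Pool:
    """Equivalent service endpoints spread over sites and providers."""

    def __init__(self, endpoints: List[Endpoint], max_failures: int = 3):
        self.endpoints = endpoints
        self.max_failures = max_failures

    def healthy(self) -> List[Endpoint]:
        """Endpoints that have not yet crossed the consecutive-failure threshold."""
        return [e for e in self.endpoints if e.failures < self.max_failures]

    def call(self, probe: Callable[[Endpoint], bool]) -> str:
        """Serve one request, returning the name of the endpoint that answered.

        probe(endpoint) stands in for the real request and returns True on success.
        A failure marks the whole site suspect for the rest of this request, because
        an outage at one data centre usually takes its siblings down with it.
        """
        failed_sites = set()
        for e in self.healthy():
            if e.site in failed_sites:
                continue                     # sibling of a site that just failed
            if probe(e):
                e.failures = 0
                return e.name
            e.failures += 1
            failed_sites.add(e.site)
        raise RuntimeError("no healthy endpoint answered")


def redundancy_gaps(pool: Pool) -> List[str]:
    """Dimensions along which every endpoint in the pool is identical.

    ['site'] is the single-data-centre case the article calls a fiction of
    redundancy; ['site', 'provider'] means one DC at one vendor.
    """
    gaps = []
    if len({e.site for e in pool.endpoints}) < 2:
        gaps.append("site")
    if len({e.provider for e in pool.endpoints}) < 2:
        gaps.append("provider")
    return gaps
```

redundancy_gaps is the check to run against a deployment plan before an outage: a pool whose endpoints all sit in one data centre reports ['site'] regardless of how redundant that data centre claims to be internally. The sibling-skipping rule in call is a deliberate choice: after one endpoint in a site fails, the others in that site are not probed for this request, because the common cause of an outage is the site, not the individual host.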
Summary: Outages happen. They’re not fun but they’re often unavoidable. Smart organisations will think about ways to lessen the impacts of any outages; simply running a mile from cloud because AWS went down really misses the point.

— This article is printed with prior permission from infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.
TECH FOR GOVERNANCE: MANAGEMENT

Shared Ownership for Success

Military models tend to work in the military, but they do not work so well in the business world. By Thomas Fox
Illustration by Manav Sachdev

Not many compliance practitioners will think of Silly Putty as an aid to their compliance programmes. This is particularly so in companies where the hierarchy is very military in its discipline: orders are pronounced from on high and they are expected to be followed. Military models tend to work in the military, but they often do not work so well in the business world. In these types of organisations, creative thinking is usually not rewarded or even appreciated. I have certainly worked for such organisations. I was reminded of this when reading this week’s Corner Office in the Sunday New York Times (NYT) Business section, entitled “Tell Me Your Idea (and Don’t Mind the Silly Putty)”, in which reporter Adam Bryant wrote about an interview with Laurel J. Richie, the President of the Women’s National Basketball Association (WNBA).

Prior to assuming the Presidency of the WNBA, Richie was a Vice President of Ogilvy & Mather, an international advertising, marketing and public relations agency. After returning to work from a vacation, she found that her entire team had gone to HR and said “We can’t do it anymore. It’s a great account, but we don’t like working for Laurel because working for her feels like it’s all about her and not about us. So we want to work on another piece of business.” In the more military-based organisations where I have worked, the employer would simply have fired all the employees who dared to go to HR. However, such was not the case at O&M, where Richie used this opportunity to learn an insightful lesson, which she said was “I learned very profoundly in that moment that if there is not shared ownership of the work, both our successes and our failures, people aren’t going to have a satisfying experience.”

Recognising that she needed to make a significant change, Richie redefined her job as a leader as being “to create an environment where good things happen, and where people feel good about their role on the team, and they feel acknowledged, they feel empowered, and they feel visible.” To help accomplish this goal, Richie said to her team “I got the feedback. Thank you for doing that. I had no idea. Can I have another chance and can we work together on this?” She then initiated a programme where she sought from the team the things they wanted to be involved in. She asked them to identify situations where they felt that their input had been marginalised by her, and she then asked them “to talk to me in the moment when I was heading down that path again.”

The next thing she did was to bring out Silly Putty. It was not to copy the Sunday Comics. Richie brought out the “little pink egg” to play with while her team members were talking, to remind her that she needed to let her team members present their “points of view or share work that may have been not exactly the way I would have done it.” From this exercise she learned that there can be “many ways to get to the end point.”

I found Richie’s leadership lesson to be applicable to the compliance arena. I came into compliance from the corporate legal department, where things were not only top down in terms of a command structure but where pronouncements were made from the law department on high: Do it this way. This is not the problem where the legal department or compliance department is viewed as the Land of No, inhabited only by Dr. No. It is, instead, the perception that legal or compliance simply institutes requirements without even talking to the people they affect the most, the business unit employees. This is certainly the tradition that I have observed where an outside law firm drafts an initial compliance programme which is written by lawyers for lawyers, with little to no relevance to how business is actually accomplished by the company. This leads to great frustration for business unit folks who are trying to do the right thing but probably cannot get through the legalese in which the compliance programme is written. A firm will then have to bring in someone like me to actually rewrite the compliance programme, policy and procedures. Richie’s experience in leadership re-emphasised to me the collaborative nature of compliance.

— This article is printed with prior permission from infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

79% of business school pass-outs are unemployable, states a survey.
NEXT HORIZONS
Features inside: Tackling Modern Malware (page 48); Being Your Own Worst Enemy (page 50)

Business in the Age of ‘Massification’

Innovation is the key to survive and thrive in a world of entrepreneurs. By Faisal Hoque
Photo by photos.com

Always innovating and bringing the best customer experience possible, new businesses in Europe have unleashed the Web and social media as powerful business tools with far more finesse than the US. China’s bright, burgeoning English-speaking middle class is bursting with small business owners who are going global with government backing. India’s technically talented middle class is replacing America’s skilled white-collar workers. Innovation is key to surviving and thriving in a world of entrepreneurs who typically speak English well and understand technology better than their US counterparts.

Yet SMB owners constantly struggle to juggle management, sales, marketing, customer service, distribution and finance. Along the path to success, small business owners are swiftly approaching a cliff they can’t glimpse. A growing number have stopped growing. They got left behind as their landscape transformed and their niche was replaced or reinvented. As the risk takers made a leap ahead, many small businesses lost their once loyal customer bases (sounds like an enterprise story, as well). Therefore, they needed to rethink the way they ran their business, including who they depended on for their revenue streams, how they reached them, and how they could ensure that, once reached, they could keep them coming back for more.
The answer? The solution was (and is) a 360-degree view that tethers everyone in your business to clear goals met daily at each point of customer contact, from incoming calls and emails to point-of-purchase and follow-up offers. At the core of this view is building and maintaining customer affinity. Most businesses are born from curiosity, or even frustration, that fosters innovation. An entrepreneur is always seeking a better way to do something new, or to improve upon something that’s essential but could become obsolete. It’s that kind of thinking that compelled a blacksmith in Illinois to create a smooth-sided steel plow to replace the wooden and iron ones that were getting stuck and dirty in the rich Midwestern sod. John Deere’s 1836 innovation boosted migration into the American Great Plains in the 19th and early 20th century, transforming the region into America’s breadbasket and setting the foundation for what has become the world’s leading manufacturer of agricultural machinery. Today’s farmers can communicate across the plains with Beck Ag, a virtual company of employees and contractors working out of their homes. Its Facebook-like network allows American and Canadian farmers to share ideas on reducing production costs, increasing profits and improving marketing. Beck Ag also connects large agribusiness suppliers and vendors with farmers to alert them to the latest research, news and products, and to exchange opinions on those products. The current economic downturn has led many SMBs to become cautious, retrench and even slash their staffs as risk aversion stifles incentive and banks deny credit. Such downturns can spark new opportunities, which can be seized anywhere in the world by competitors you don’t even know. As an owner, you can retrench and hit a wall, or walk through a new door hidden in plain sight.
New tech equals new opportunities

New developments constantly change the way customers think and act. Easier access comes in many forms, including Skype video conferencing, which has eliminated the need for costly, frequent air travel, for example. Changing habits have made it easy for a customer to shift loyalty and shop elsewhere. Affinity as a brand requires leveraging customer experiences. Small business owners and entrepreneurs who switch to a 360-degree view will analyse their strengths and weaknesses, opportunities and threats, and evolve from antiquated 20th Century business practices to a more agile 21st Century blueprint. Shifting to an experience-based economy means customers’ memories of an event become the real product they buy from you. Starbucks doesn’t sell coffee; it sells the experience of a European café where maybe you can chat with an attractive person in line every morning. Customer affinity motivates them to return to your business. Your brand is the memory your customers take from the experience you offer. Conjuring positive emotional memories is vital for business owners.
Who are your real customers?

There are many key concerns for SMBs who want to stay competitive, including demographics. You must identify not only your existing customers, but the ones who abandoned you, and figure out what compelled them to choose another business. Impact analysis is important, as you must be prepared for the worst-case scenario. Geography is no longer an impediment, as technology allows access to trump location. You cannot lose sight of your competitors. You must remain focused on customer loyalty and affinity at all times. Analyse, measure, and adjust every customer touch point you have, from telephone messages to the website. Find ways to build the customer’s buying experience to make the relationship sticky; in other words, keep them coming back to you. Amazon’s "suggestions to buy" are perceived as enhanced service, not as untargeted junk mail. Virgin and Southwest may be at opposing ends of the airline industry, but both have developed branded affinity with customers. Apple’s fierce customer affinity draws crowds who camp out ahead of a new product hitting the shelves.

Affinity wins new customers. Amanda Hocking, a New York Times bestselling author of young adult novels, was rejected by countless publishers, so at 26 she self-published her novels and promoted them using Facebook, Twitter and blogs. Within two years of diligent self-promotion from her Minnesota home, she had earned $2 million. In January 2011, she sold $417,152 worth of e-books just from the Amazon and Barnes & Noble websites. Suddenly several traditional publishers took notice. St. Martin’s Press presented her with a $2 million advance and a four-book contract.

You can create a new blueprint for rebuilding your small business. A new examination of your business ecosystem requires more than a 360-degree view. It requires an end to short-term reactive thinking and tunnel vision. Use both sides of your brain: the right side to see nuance and to think creatively, and the left side for logical and mathematical thinking. Small businesses must see an ecosystem that is global and individual. We do business in a world of "massification", but we stay in business through personalisation.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.
N E X T H OR I Z O N s
securit y
Tackling Modern Malware Users need to connect to the internet to do anything useful By Simon Heron
W
ith new unique pieces of malware emerging daily and everincreasing access requirements from a host of new endpoints, the challenge posed by malware detection has changed. Zero-day threats pose an increasing risk as, by definition, nobody has a signature for this and in many cases heuristics can be bypassed. User habits are changing too; the vast majority of applications are now downloaded and installed over the internet. Users need to connect to the internet to do anything useful; time off-line is usually brief and increasingly rare and unproductive. This, though, provides a new way of delivering security that can keep users safe and up to date instantly. Webroot have used this in their Secure Anywhere (WSA) product to provide a new concept that changes the antimalware game. WSA doesn’t download vast databases of signatures onto an end user’s device, which is a boon for the increasing army of endpoints that are being used. This also saves bandwidth and it saves time, the installation times drop dramatically and make it very easy to install. Some anti-malware solutions are downloading vast quantities of data everyday in updates. Instead, Webroot’s system stores a vast database in the cloud (over 400TBytes and
48
cto forum 07 september 2012
The Chief Technology Officer Forum
growing), which is updated all the time with new entries (around 200 GBytes a day). Any file that can be executed is first 'hashed', and the hash is then sent up to this vast store and categorised as one of:

Known good software – the hash uniquely identifies the code as a known piece of software that has been tested and is known to be safe to run.

Known bad software – the hash uniquely identifies the file as a known piece of malware that will be blocked from running and either quarantined or removed from the endpoint.

Unknown – this is where the clever stuff happens, and the fact that Webroot's database defines known as well as unknown makes this category very useful.

The graphic below illustrates the communication flow between the agent and the cloud. If the Webroot Intelligence Network (WIN) responds with an unknown classification, the file is executed in a virtual sandbox environment, which allows the behaviour of the file to be monitored. This behaviour is then packaged and sent up to the Webroot Intelligence Network, where it is compared to thousands of behavioural rules. In the diagram, you can see the behaviour is classified as Good, meaning that Webroot haven't observed any malicious behaviour at this stage. Because the behaviour is good (so far), the file is allowed to execute on the endpoint, but it is placed in monitor mode. While in monitor mode, the behaviour is watched to see if it changes. As soon as it starts to behave maliciously, or as soon as Webroot's Threat Research team identify the threat, the malware is quarantined or removed and, more importantly, it is remediated. While in monitor mode, every single change the file makes to the endpoint is recorded in a local change-journal database. So if a file is found to be malicious, remediation means not just quarantining or deleting the malware; it means that all changes the file made to the endpoint can be reversed, providing a perfect clean-up routine.

In addition to the monitoring functionality, there is also a powerful Identity & Privacy shield to protect data from information-stealing malware, which means that even if the initial infection tries to make changes, the endpoint and the user's data will still be protected.

The other major benefit this solution brings to companies is that it can be run from an interface in the cloud, allowing the administrator to manage the system from wherever they are without the time and expense of maintaining a locally sourced server. Added to which, this administration interface provides a wide range of features that allow administrators to do all the usual administration tasks as well as white- and black-listing applications, right down to executing commands on end users' systems if required.

The other thing to consider is what happens when the endpoint is not connected to the internet. If a brand-new piece of software is introduced when the endpoint is completely offline, and it has no relationship with any existing software on the endpoint, then WSA automatically applies special offline heuristics, blocking many threats automatically. If a threat gets past this logic, it is run in monitoring mode, which ensures that any threats that do execute cannot do lasting damage. The suspicious programme is monitored to see precisely what files, registry keys and memory locations are changed by the programme, while remembering the "before and after" picture of each change. If the software is subsequently found to be malicious, WSA proceeds to clean up the threat when it is online again. The important thing here is that WSA doesn't simply delete the main file—it removes every change that the threat made and returns the endpoint to its previously known good state. If at any point a suspicious program tries to modify the system in such a way that WSA cannot automatically undo it, the user is notified and that change is automatically blocked.

With conventional antivirus products, the signature bases are never completely up to date. When a brand-new infection emerges, and the antivirus software hasn't applied the latest update or there isn't a signature written for that specific threat, the infection simply roams freely across all endpoints, deleting, modifying and moving files at will. As a result, it doesn't really matter if a device is online or offline—the malware infection has succeeded in compromising the endpoint. When a traditional AV product comes back online, it applies any updates and, if configured to do so, runs a time-consuming scan—it might then be able to remove the infection. But it will not be able to completely reverse the changes the infection made, so the user or administrator will have to activate the System Restore function. More likely, the endpoint will need to be re-imaged because it is so unstable—a major further drain on time and productivity. Conversely, WSA leverages behavioural monitoring to pick up infections when the internet is inactive or the endpoint is offline and it isn't sure whether a file is malicious or not. This process provides uniformly strong protection against the damaging effects of malware.

— This article is printed with prior permission from infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.
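The hash lookup, monitor mode and change-journal rollback described above can be modelled in a few dozen lines. The following is an added example written for this page, not Webroot's code: the "cloud" is an in-memory dict of SHA-256 verdicts, the endpoint's filesystem is a dict of path to bytes, and the behavioural rules (a limit of three destructive changes, and any write under C:/Windows/) are hypothetical thresholds chosen for illustration. The point it makes is the one the article makes: an unknown program is allowed to run, every change it makes is journaled with its "before" picture, and if the verdict turns bad the journal is replayed in reverse so the endpoint is back where it started, whether the agent was online or offline at the time.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed reputation store standing in for the cloud database:
# SHA-256 of the executable -> verdict. Two entries instead of 400 TB.
CLOUD_VERDICTS = {
    hashlib.sha256(b"trusted-editor-v1").hexdigest(): "good",
    hashlib.sha256(b"known-wiper-v3").hexdigest(): "bad",
}

# Hypothetical behavioural rules, not Webroot's: overwriting or deleting
# this many pre-existing files, or touching the system directory, is bad.
DESTRUCTIVE_CHANGE_LIMIT = 3
PROTECTED_PREFIX = "C:/Windows/"

@dataclass
class Program:
    """Simulated executable: its bytes plus the file operations it performs."""
    content: bytes
    actions: list   # ("write", path, data) or ("delete", path)

@dataclass
class Endpoint:
    files: dict                                   # path -> bytes
    journal: list = field(default_factory=list)   # (path, before) in order
    quarantined: list = field(default_factory=list)

def cloud_lookup(program, online=True):
    """Hash the executable and ask the cloud; offline, nothing is 'known'."""
    if not online:
        return "unknown"
    digest = hashlib.sha256(program.content).hexdigest()
    return CLOUD_VERDICTS.get(digest, "unknown")

def apply_action(ep, action, journal):
    """Perform one file operation; in monitor mode record the 'before'
    picture first (None means the file did not exist)."""
    path = action[1]
    if journal:
        ep.journal.append((path, ep.files.get(path)))
    if action[0] == "write":
        ep.files[path] = action[2]
    else:
        ep.files.pop(path, None)

def behaviour_is_malicious(journal):
    """Behavioural rules run over what monitor mode recorded."""
    destructive = sum(1 for _, before in journal if before is not None)
    touches_system = any(path.startswith(PROTECTED_PREFIX) for path, _ in journal)
    return destructive >= DESTRUCTIVE_CHANGE_LIMIT or touches_system

def rollback(ep):
    """Reverse every journaled change, newest first, so the endpoint is
    back at its last known-good state."""
    while ep.journal:
        path, before = ep.journal.pop()
        if before is None:
            ep.files.pop(path, None)
        else:
            ep.files[path] = before

def remediate(ep, program):
    """Quarantine the program and undo everything it changed."""
    rollback(ep)
    ep.quarantined.append(program)

def run(ep, program, online=True):
    """Agent decision flow: known good runs freely, known bad is blocked,
    unknown runs in monitor mode and is remediated if its behaviour is bad."""
    verdict = cloud_lookup(program, online)
    if verdict == "bad":
        ep.quarantined.append(program)
        return "blocked"
    if verdict == "good":
        for action in program.actions:
            apply_action(ep, action, journal=False)
        return "allowed"
    for action in program.actions:
        apply_action(ep, action, journal=True)
    if behaviour_is_malicious(ep.journal):
        remediate(ep, program)
        return "remediated"
    return "monitored"   # journal is kept in case a later verdict says "bad"

def demo():
    """Constructed endpoint with three user files, then an offline run of a
    never-seen program that trashes them. Returns (status, restored?, count)."""
    ep = Endpoint(files={"C:/Users/a/report.docx": b"Q2 numbers",
                         "C:/Users/a/photo.jpg": b"jpg",
                         "C:/Users/a/notes.txt": b"todo"})
    original = dict(ep.files)
    suspect = Program(b"never-seen-before", [
        ("delete", "C:/Users/a/report.docx"),
        ("write", "C:/Users/a/photo.jpg", b"garbage"),
        ("delete", "C:/Users/a/notes.txt"),
        ("write", "C:/Users/a/RANSOM.txt", b"pay up"),
    ])
    status = run(ep, suspect, online=False)
    return status, ep.files == original, len(ep.quarantined)   # ('remediated', True, 1)
```

The journal is the whole trick: because each entry stores the pre-change content (or None for a file that did not exist), rollback is a deterministic reverse replay rather than a guess at what "clean" looked like. A "monitored" result deliberately leaves the journal in place so that `remediate` can still be applied when a verdict arrives later, which is the offline case the article describes.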
The Chief Technology Officer Forum
cto forum 07 september 2012
NEXT HORIZONS
Security

Being Your Own Worst Enemy
Security as a fear-based sale is quickly fading into something that is having an adverse reaction

By Rafal Los
Illustration by Prameesh Purushothaman C

Having had the pleasure of 14 of Wellington, New Zealand's top corporate technology executives for lunch, I've managed to confirm something interesting. Even in the land of the Kiwi, enterprise security is (and has been) its own worst enemy. I recognise this won't be a very popular post amongst security practitioners, but you'll have to take my word for it that it's true according to your management.

There's no denying that enterprise security has largely been sold (whether internally or externally) to the enterprise on the basis of fear for the vast majority of the last 15 years. Sure, I readily acknowledge people like Jon in our luncheon who have long given up on pushing fear for business reality, but by and large, we're in the business of fear. Think of the years of pushing fear-based security as over with corporate senior management. While there are still those boards and business executives that can be swayed based on fear, that population is shrinking faster than ever before. There are a number of reasons for this...

Breach overload - I've written about it before as applied to Software Security Assurance (SSA), but data breach overload in the media and every other medium is at an all-time high and it's long lost its shock value.

Hierarchical detachment — If you look at the corporate structure of many organisations, the 'security guy' is so far removed from the business decision makers (from a strategic perspective) that it's not even realistic
for them to interact. The business is so insulated from the security function that it isn't realistic for them to understand each other.

Chasing shiny things — Related to #2 above, the folks in the room today reminded me how reliant on technology their security managers are... and how far from the basics they've moved. A dependence on technology is dangerous because it teaches security managers (or those responsible for security) to chase the next big shiny thing, rather than focusing strategically on supporting the business.

The sky hasn't fallen, or it has — There are two outcomes to selling fear to pad your security budget. Either you get more money to 'secure' the company, and you still get breached... or you don't get a penny and you don't get breached. Neither of those is a good outcome... because they both vastly undercut the value of real security. Imagine if the "the company will go out of business if I don't get more money to secure it" CISO gets nothing... and the company doesn't get hacked. The business just learned that they can get away with doing nothing and skating by — a dangerous (and largely untrue) lesson... which will end badly, guaranteed.

And so enterprise security firms find themselves to be their own worst enemies. From what I heard confirmed today, security is largely disconnected from the business, largely dependent on technology, and unable to be anything more than a cost centre... and it seems like the more we rant and wave our arms, the deeper the hole gets. Security's inability to go back to the roots of why IT is around is what's hurting. The inability to enable the business to move faster, like brakes on a high-performance car, makes things worse.

Every time the security group is given a chance and a seat at the table, we seem to squander it by being irrational and overly dramatic, and this is leading security to be marginalised. Sure, this isn't true for 100 percent of the organisations out there, but many of the director-level folks in the room of 15 today confirmed it for me... it's true by and large, and it's not getting better.

So it seems the chickens are coming home to roost, if you fancy that phrasing. Pushing fear has made our enterprises largely apathetic to our cause, and now we have to work twice as hard to be taken seriously and gain acceptance. I believe that we have a chance, right now, to make a positive impact. If you want to learn how to do security right, you should be looking to people like Eric Cowperthwaite, for example, who has a pragmatic and no-bull approach to security... but unfortunately there aren't enough security practitioners getting on the bus.

Bottom line — security as a fear-based sale is quickly fading into something that is having an adverse reaction. Rather than scaring executives into throwing bags of money to "be secure", the fear-based approach is pushing executives further away from sound security strategy. How this story moves forward is entirely up to you.

— The article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please visit Infosec Island.
VIEWPOINT
Illustration by Prameesh Purushothaman C

Ken Oestreich

The Rise of the Cloud Service Bus
Let's see what else the market will generate
I have posited that the advent of hosted cloud services (particularly PaaS and SaaS) will slowly morph the role of the CIO into that of an IT Supply Chain Manager. Technologically, I believe this move to a "Buy-and-Integrate" mentality (vs. a "Build-Everything" mentality) will open the door to a new class of products to assist with services integration. And, if you agree that the importance of leveraging external services will be elevated for the CIO, then I believe a significant enabling technology will be a rebirth of the need for a robust "service integration bus". Why? As I mention in my blog, enterprises integrating external services require:

Identity and access management for each provider
Data compliance, legal and regulatory audit access across each provider
Security compliance systems
Provisioning, including capacity forecasting
Performance (e.g. SLA) monitoring
Cost and budget tracking (i.e. for billing, showback and/or chargeback)
Disaster Recovery/redundant service sources where needed

Some would call the above integration functions "Glue Logic." Indeed, in the past many of these functions were hand-integrated across the few external services that were leveraged, and custom-engineered into each internally engineered stack. But time is changing the model. With more turnkey services sourced from cloud (IaaS/PaaS/SaaS) providers, the need for a more efficient integration function will escalate. Integration will need to be standardised and replicable, scalable and responsive to the business' needs.

You may recall that one component integration approach has been the Enterprise Service Bus, primarily associated with SOA leveraging SOAP protocols. This Integration Bus was originally intended to orchestrate access and workflow between component services within the enterprise. (By the way, Microsoft offers a great overview of ESBs, albeit BizTalk-centric, here on MSDN.) I believe that the "2.0" Integration Bus will be one which brokers higher-level services generated from external, public cloud providers — not just internal component services. And it will use more generalised interactions than SOAP, since the providers and their environments will be less standardised. To this end, there are some great current/upcoming thoughts suggested by Mike Ponta on the notion of a "Cloud ESB", and I can't wait to hear more. A quick survey of the market also yielded what looks to be potentially promising integration technology coming out of Mulesoft, called CloudHub. Conceptually, the "mashed-up" service was the 1.0 version of this integration concept. But as enterprise IT begins to regularly tap and integrate multiple external services, the 2.x integration busses will need a more structured, standardised and rapid approach to integration. I can't wait to see what else the market will generate. Stay tuned.

About the author: Ken Oestreich is a marketing and product management veteran in the enterprise IT and data centre space, with a career spanning start-ups to established vendors.