High Five


CTO Forum

Technology for Growth and Governance

March | 07 | 2012 | 50 Volume 07 | Issue 14

How to Set Up a High-Performing Sec Team | Big Data a $50 Billion Market | What IT Professionals Really Want

Five interviews with top business leaders on topics ranging from cloud to security and from UC to leadership

“The power of communications in the cloud is coming and will drive broader adoption”
—Andrew Miller, CEO, Polycom

“There is no doubt in my mind that real-time analytics is allowing the business to be agile and correct course before it hits a wall.”
—Sudipta K Sen, CEO & MD – SAS Institute (India)

“With cloud encryption solutions, you do not need to worry about your data landing into the wrong hands.”
—Chris Fredde, CEO, SafeNet

“We spend a lot of time with customers and translate their needs into something that makes sense for our engineers.”
—Hugh Njemanze, ArcSight Founder and VP & CTO, HP Security Solutions

“Having a mentor is an extremely valuable resource that can help guide CIOs through the many challenges that they face.”
—Harvey Koeppel, Executive Director, Centre for CIO Leadership

I Believe: Strategic Sourcing, Pathetic Delivery

Viewpoint: Market Research

A Question of Answers: Virtualisation Journey of India Begins

A 9.9 Media Publication



Editorial | Yashvendra Singh | yashvendra.singh@9dot9.in

Staying With the Times

The future CIO will transform business by transforming technology

It is beyond doubt that your role is undergoing a transformation. This rapid and imminent makeover in the CIO's profile is being driven partly by enterprises' urge to stay competitive and partly by fast-changing technology. Emerging technologies such as cloud and unified communications are already pushing CIOs to come up with innovative and creative ways to harness these technologies. Several enterprises have moved on from the initial skepticism and are now testing cloud architectures. In fact, I have met CIOs who reveal their internal customers have become so used to the IT-as-a-Service model that they are now building budget plans and business processes for cloud. This has made the role of a CIO more complex, as the hybrid IT model calls for both external and internal IT professionals to sustain a corporate’s business capabilities.

Similarly, unified communications (UC) is increasingly finding favor in enterprises as a tool to aid marketing, product innovation, and ideation. The more enterprising CIOs have developed innovative tools by leveraging UC. For instance, there are solutions that let people start videoconferencing by a simple click on a coworker’s name in the directory. The challenge here is for the CIO to don the role of a change agent. He has to usher in a mindset change in the users, as they may not value UC deployments as highly as the CIO does.

Yet another area that would reshape the future CIO’s profile is that of security. With hack attacks on the rise, technology decision makers in the future will have to stay a step ahead of the bad guys. In enterprises that have a CSO function, the CIO would have to work closely with the former. In those corporates that don’t have this position, he would have to walk that extra mile to ensure the security of his organisation.

Above all, the future CIO would have to become a leader, both in the areas of business and technology. He would have to transform business by transforming technology within his enterprise. For this issue, we decided to provide you insights from business leaders who shape the course of technology. We reprint our best interviews from the last calendar year on cloud computing, UC, security and leadership. Hope you enjoy this second look!

The Chief Technology Officer Forum

cto forum 07 March 2012



Contents

March 12 | thectoforum.com

Cover design by Anil VK

Cover Story

High Five: Five interviews with top business leaders on topics ranging from cloud to security and from UC to leadership

Andrew Miller, CEO, Polycom
Hugh Njemanze, ArcSight Founder and VP & CTO, HP Security Solutions
Harvey Koeppel, Executive Director, Centre for CIO Leadership
Chris Fredde, CEO, SafeNet
Sudipta K Sen, CEO & MD – SAS Institute (India)

Columns

I Believe: Strategic Sourcing, Pathetic Delivery. A perspective on how CIOs can be wary of commitments that look too good to be true. By Arun Gupta

Viewpoint: Market Research. Reacting To Change. By Steve Duplessie

Features


Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Tara Art Printers Pvt ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301


Best of Breed: How to Embrace the Consumerisation of IT. It’s time to stop enforcing the status quo and instead look at the new consumer-focused devices from a business perspective


www.thectoforum.com

Managing Director: Dr Pramath Raj Sinha
Printer & Publisher: Kanak Ghosh
Publishing Director: Anuradha Das Mathur

Editorial
Executive Editor: Yashvendra Singh
Consulting Editor: Sanjay Gupta
Assistant Editor: Varun Aggarwal
Assistant Editor: Ankush Sohoni

Design
Sr Creative Director: Jayan K Narayanan
Art Director: Anil VK
Associate Art Directors: PC Anoop & Atul Deshmukh
Visualisers: Prasanth TR, Anil T & Shokeen Saifi
Sr Designers: Sristi Maurya & NV Baiju
Designers: Suneesh K, Shigil N, Charu Dwivedi Raj Verma, Prince Antony, Binu MP, Peterson & Prameesh Purushothaman C
Chief Photographer: Subhojit Paul
Photographer: Jiten Gandhi

A Question of Answers

Virtualisation Journey of India Begins: Carl Eschenbach, Co-President, Customer Operations, VMWare, talks about the current state of the virtualisation market and how it will evolve

Next Horizons: Big Data a $50 Bn Market. Enterprises should keep track of big data pure-plays as they continue to develop new applications

Tech for Governance: Manage risk in the cloud. Cyber insurance may be a solution to help overcome the issue of risk while moving to the cloud

Regulars

Editorial | Letters | Enterprise Round-up

Advisory Panel
Anil Garg, CIO, Dabur
David Briskman, CIO, Ranbaxy
Mani Mulki, VP-IT, ICICI Bank
Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo
Raghu Raman, CEO, National Intelligence Grid, Govt. of India
S R Mallela, Former CTO, AFL
Santrupt Misra, Director, Aditya Birla Group
Sushil Prakash, Sr Consultant, NMEICT (National Mission on Education through Information and Communication Technology)
Vijay Sethi, CIO, Hero MotoCorp
Vishal Salvi, CISO, HDFC Bank
Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay

Sales & Marketing
National Manager – Events and Special Projects: Mahantesh Godi (+91 98804 36623)
National Sales Manager: Vinodh K (+91 97407 14817)
Assistant General Manager Sales (South): Ashish Kumar Singh (+91 97407 61921)
Senior Sales Manager (North): Aveek Bhose (+91 98998 86986)
Product Manager - CSO Forum and Strategic Sales: Seema Menon (+91 97403 94000)
Brand Manager: Gagandeep S Kaiser (+91 99999 01218)

Production & Logistics
Sr. GM. Operations: Shivshankar M Hiremath
Manager Operations: Rakesh Upadhyay
Asst. Manager - Logistics: Vijay Menon
Executive Logistics: Nilesh Shiravadekar
Production Executive: Vilas Mhatre
Logistics: MP Singh & Mohd. Ansari

Office Address
Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Bungalow No. 725, Sector - 1, Shirvane, Nerul Navi Mumbai - 400706. Printed at Tara Art Printers Pvt ltd. A-46-47, Sector-5, NOIDA (U.P.) 201301
Editor: Anuradha Das Mathur
For any customer queries and assistance please contact help@9dot9.in


I Believe

Strategic Sourcing, Pathetic Delivery

By Arun Gupta, Group CIO, Shoppers' Stop

A perspective on how CIOs can be wary of commitments that look too good to be true

The poor fellow was looking harrowed after week-long meetings, sans his CIO, with the big global IT services company with whom the company had entered into a long-term strategic services contract. After over a year of courting, discussions, negotiations and going over a long legal contract, it was a sigh of relief for the vendor and the enterprise when they did sign off the deal. As all strategic sourcing deals go, there was an expectation of maintaining business as usual with improved efficiency and lower cost, then moving on to transformation driven by tools and technology, which was the investment promised by the vendor.

The big team arrived soon enough to transition services and fit or change existing processes into their framework, which they managed with some difficulty. Within a few months, with the team unable to scale up to diverse needs across locations, changes in the management team were enforced; that brought welcome improvements, though not commensurate with expectations. The execution team's interpretations of clauses were in conflict with the understanding held while drafting them into the contract. Stretched timelines became super-stretched timelines; senior consultants attempted to provide solace with no Plan B in case success eluded the team.

Why does delivery rarely match presales promises or timelines? Are sales teams preconditioned to sell unreasonable timelines or commitments to bag orders from unsuspecting and gullible customers? No, I am not calling the CIO names, but admiring the ability of the sales teams to sometimes get away with untenable contracts. I am also bewildered at the ability of delivery teams to squarely make a hash of even normal service delivery expectations. What causes history to repeat itself in almost every engagement?

In this case, the CIO summed the case up with one phrase: “lack of consistent communication across the ecosystem”. I believe that it does not always matter what you do; what matters is how you communicate what you have done or are planning to do. Strategic sourcing will become a big tactical pain where real life experience defines success.

The author has worked as CIO for the last 18 years across industry segments such as Shipping, Express Logistics, BFSI, Telecom, Pharmaceuticals and Medical.




Letters

Are CTOs more interested in satisfying the CFO & Board rather than the consumer?

I see CTO is aligned to the CFO and the Board in that order, the CTO will have to also be good at resume writing as he will not last too long. But then the question arises, is the CFO aligned to the Consumer? If he is not, then even he may be in hot water sooner or later.

Arun Gupta, Group CIO, Shoppers' Stop

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community. Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com

Form IV

Statement of ownership and other particulars about the publication, CHIEF TECHNOLOGY OFFICER FORUM, as per Rule 8

1. Place of publication: Nine Dot Nine Interactive Pvt. Ltd., Bungalow No. 725, Sector 1, Shirvane, Nerul, Navi Mumbai 400706, District Thane

2. Periodicity of its publication: Fortnightly

3. Printer’s name: Kanak Ghosh
Nationality: Indian
(a) Whether a citizen of India? Yes
(b) If a foreigner, the country of origin: N.A.
Address: Nine Dot Nine Interactive Pvt. Ltd., Bungalow No. 725, Sector 1, Shirvane, Nerul, Navi Mumbai 400706, District Thane

4. Publisher’s name: Kanak Ghosh
Nationality: Indian
(a) Whether a citizen of India? Yes
(b) If a foreigner, the country of origin: N.A.
Address: Nine Dot Nine Interactive Pvt. Ltd., Bungalow No. 725, Sector 1, Shirvane, Nerul, Navi Mumbai 400706, District Thane

5. Editor’s name: Anuradha Das Mathur
Nationality: Indian
(a) Whether a citizen of India? Yes
(b) If a foreigner, the country of origin: N.A.
Address: Nine Dot Nine Interactive Pvt. Ltd., Bungalow No. 725, Sector 1, Shirvane, Nerul, Navi Mumbai 400706, District Thane

6. Names and addresses of individuals who own the newspaper and partners or shareholders holding more than one per cent of the total capital: Nine Dot Nine Interactive (P) Ltd.
1. Dr. Pramath Raj Sinha
2. Mr. Asheesh Kumar
3. Mr. Vikas Gupta
4. Mr. Anuradha Das Mathur
5. Mr. Kanak Ghosh
Bungalow No. 725, Sector 1, Shirvane, Nerul, Navi Mumbai 400706, District Thane

I, Kanak Ghosh, hereby declare that the particulars given above are true to the best of my knowledge and belief.

Dated: 1st March, 2012

Sd/- Signature of Publisher



Enterprise Round-up

Wipro to Offer Cloud Solns Built on Open Source IaaS

Tied up with Eucalyptus, whose platform has been used in 25000 clouds

Wipro Infotech, the India, Middle East and Africa business of Wipro Limited, has partnered with Eucalyptus Systems, touted as the creator of the most widely deployed open-source on-premise Infrastructure as a Service (IaaS) cloud platform. As a part of the collaboration, Wipro Infotech will offer Eucalyptus's IaaS solution as part of its end-to-end enterprise cloud computing offering. Wipro will provide integrated solutions for planning, building, and managing scalable, elastic cloud services for enterprises.

"Our partnership with Wipro will provide customers with the expertise to quickly deploy reliable, cost-effective on-premise clouds," said Marten Mickos, CEO of Eucalyptus Systems. "As one of the world's leading IT consulting organisations, Wipro provides a 'one-stop shop' for customers looking to architect their applications and infrastructure for the cloud. This partnership will play an important role in enabling enterprises to transform their IT operations so that they have the flexibility and scalability to meet business demands."

Data Briefing: 47% growth in worldwide smartphone sales in Q4 2011


They Said It: Eric Schmidt

Delivering the keynote address at the consumer show, CeBIT, Germany, Google Chairman, Eric Schmidt said data will allow us to make huge breakthroughs.

“People in the digital future will spend less time worrying about technology – the Web will be everything, and nothing.”
— Eric Schmidt, Chairman, Google

IBM Expands System x Line

New servers designed to expand cloud and analytics capabilities

IBM has announced new server solutions designed to expand cloud and analytics capabilities across its entire portfolio. The new offerings include high-performance systems, networking and software products aimed at helping clients optimise data center operations with flexible, easy-to-deploy solutions to help reduce complexity, lower costs and deliver rapid return on investments. Today, clients are looking for solutions that help them handle specific business challenges and make better use of existing IT infrastructures. More and more clients are turning to cloud computing, analytics and other smarter computing solutions to help their businesses grow. Cloud computing deployments are expected to grow more than 19 percent per year, according to IDC, and a recent IBM CIO study showed cloud implementations nearly doubling from 33 percent to 60 percent over the last two years. "From the design of the servers, software and services, IBM solutions are created to help accelerate the journey to smarter computing," said Satyen Vyas, Vice President System x, IBM India and South Asia. "IBM is delivering cloud and analytics products to help clients align their businesses to manage unprecedented amounts of data, and become efficient at turning that information into timely business insights."

Quick Byte on Connectivity

The average connection speed in India was recorded at 0.9 Mbps, a sequential quarterly growth of 12 percent. In comparison, China’s average connection speed was at 1.4 Mbps and India remains the only measured country in Asia with average connection speeds below 1 Mbps. —Source: Akamai


Professionals Stick Around Despite Job Dissatisfaction

Lack of opportunity cited as a barrier to career advancement

New global research from Accenture, titled “The Path Forward,” has found that despite being dissatisfied with their jobs, the majority of professionals plan to stay with their current employers. More than half of both the women and men surveyed (57 percent and 59 percent, respectively) are dissatisfied with their jobs. Despite their current job dissatisfaction, more than two-thirds (69 percent) of all respondents said they do not plan to leave their current employers, with nearly the same number (64 percent) citing flexible work arrangements as the reason for staying put.

When asked about the greatest barrier to their career advancement, respondents cited a lack of opportunity or a clear career path twice as often as they cited family responsibilities, while almost one-third (32 percent) cited no barriers to their advancement. At the same time, most respondents said they are taking a variety of steps to actively manage their careers — including accepting a different role or responsibility (cited by 58 percent of respondents), receiving more education or training (46 percent), and working longer hours (36 percent).

“Despite current challenges, employees are still striving for success — and energised, engaged employees remain a competitive advantage,” said Adrian Lajtha, Accenture's chief leadership officer. “Since the majority of today’s professionals are not job hunting, leading companies must capitalise on this moment in time to equip their people with clearly defined career paths that include innovative training, leadership development and opportunities for advancement.”

The Accenture research covers a wide range of employment-related topics; some other findings include:

Flexible work schedules – The majority (59 percent) of respondents reported having some type of flexible work schedule, and 44 percent of this group said they have used flexible work options for more than three years.

Slowed careers – When asked about factors that have slowed their careers, 44 percent of respondents cited the economic downturn, which started in 2008, and 40 percent cited parenthood.

Work/life balance – While more than two-thirds (71 percent) of respondents reported having work/life balance most or all of the time, 42 percent said they often sacrifice time with family in order to succeed, and 41 percent said career demands have a negative impact on their family life.

Spouses – The vast majority (73 percent) of respondents with a spouse or significant other said that person also holds a full-time job.

Important attributes for career growth – Self-confidence, soft skills and hard work were cited most often as the attributes most important to career growth (cited by 28 percent, 25 percent and 23 percent of respondents, respectively).

Career advice – Approximately one-third of respondents reported they get career advice from colleagues or family (cited by 35 percent and 32 percent of respondents, respectively), and 77 percent said the gender of the person giving career advice does not matter to them.

“We’re looking at a new normal in the workplace,” said Nellie Borrero, Inclusion & Diversity lead at Accenture. “Employees are defining success in a variety of ways, customising their own approaches and balancing personal demands with their desire to succeed. The challenge for employers is to help employees fully integrate the whole spectrum of work and life needs over the course of their careers.”

Global Tracker: Worldwide storage market

Worldwide external controller-based disk storage vendor revenue totaled $5.9 billion in Q4 2011, a 4.8% increase from Q4 2010. Source: Gartner


Less Than 30% of Enterprises Will Block Social Media

Fewer companies blocking access to social media

Fewer than 30 percent of large organisations will block employee access to social media sites by 2014, compared with 50 percent in 2010, according to Gartner, Inc. The number of organisations blocking access to all social media is dropping by around 10 percent a year.

"Even in those organisations that block all access to social media, blocks tend not to be complete," said Andrew Walls, research vice president at Gartner. "Certain departments and processes, such as marketing, require access to external social media, and employees can circumvent blocks by using personal devices such as smartphones. Organisations need now to turn their attention to the impacts of social media on identity and access management (IAM)."

Gartner said that social media environments include mechanisms to collect, process, share and store a more complete range of identity data than do corporate IAM systems. They enable a more complete view of identity, one that extends beyond the bounds of organisations. For IAM managers, this is both a threat and an opportunity. Identity data and social media platforms can expose organisations and users to a wide variety of security threats, but organisations can also use this identity data to improve support for their own IAM practices and the ambitions of business stakeholders.

Gartner identified some significant impacts of social media on IAM:

Personal trust misaligned with corporate trust: Employees who participate in online social media continually make judgments about the degree of trust they should place in the platforms and in other participants, and they adjust content, structure and vocabulary to match their risk assessments. These assessments and the fundamental inputs to their assessment process may not align with corporate expectations for risk management. As a result, employees may say and do things on social media platforms that violate corporate policy or are otherwise counter to corporate expectations.

Public content supports identity intelligence: The collection of identity data by public social media on a massive scale enables improvements in the production of identity intelligence. This pushes IAM programs to discover the user profiles accessed by staff and to maintain capabilities for accessing external services in order to harvest identity data.

Hybrid IT is Transforming the Role of IT

Hybrid IT Challenges Business Models of IT Vendors

Hybrid IT is transforming IT architectures and the role of IT itself, according to Gartner. Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome.

"Many organisations have now passed the definitional stage of cloud computing and are testing cloud architectures inside and outside the enterprise and over time, the cloud will simply become one of the ways that we 'do' computing, and workloads will move around in hybrid internal/external IT environments," said Chris Howard, managing vice president at Gartner. "As a result, the traditional role of the enterprise IT professional is changing and becoming multifaceted. A hybrid IT model requires internal and external IT professionals to support the business capabilities of the enterprise."

Cloud computing's business model — the ability to rapidly provision IT services without large capital expenditures — is appealing to budget-minded executives. CEOs and CIOs are pressuring IT organisations to lower overhead by offloading services to cloud providers. However, when IT organisations investigate potential cloud services, the market's volatility reveals that not all cloud services are created equal.

Fact Ticker: Maersk

HP announced that Maersk Line has signed a $150 million-plus infrastructure services agreement in October 2011 that will support the shipper’s global growth strategy. Under the five-year agreement, HP will help Maersk Line become an Instant-On Enterprise by using HP’s cloud-enabled data centers and HP Workplace Services to optimize its technology infrastructure.

“As a global leader in its industry, Maersk Line is driving significant change in its markets and needs a reliable technology foundation to support these efforts,” said Mike Nefkens, senior vice president and general manager, Enterprise Services – Europe, Middle East and Africa, HP. “To help achieve the company’s global strategy, HP will apply its cloud computing expertise and experience in managing complex technology environments enabling internal IT leaders to expand support.”

“Maersk Line operates in a competitive global industry that demands innovation to create the agile technology infrastructure we need to be a leader among our peers,” said Adam Gade, CIO, Maersk Line. “HP’s global scope combined with its proven expertise in standardizing technology across large enterprises will help us deliver greater value to our business and support our ability to remain the world’s most reliable container shipping company.”



Custom Series: Datacard

Datacard to tap smartcard market in India

Datacard Group is the world leader in secure identification and card issuance solutions.

Datacard India, the India subsidiary of the US company Datacard Group, a pioneer in creating highly secure financial card programs and government initiatives, as well as secure ID programs for education, corporate security and many markets around the globe, is very bullish on the Indian market and has plans to strengthen its activities in India. A leading brand in secure identification and card personalization solutions, the company’s solutions are used to personalize and deliver more than 10 million cards and 7 million cards globally, and as much as 90 per cent of the world’s payment cards are issued on Datacard solutions the world over.

According to Rajiv Singh, Managing Director, South Asia, Datacard Group, “The company’s vision is to collaborate with financial and government customers and relentlessly improve physical and logical security. It yearns to create new revenue opportunities for the customers and bring simplicity and speed to transactions and identity processes. The company also wants to help the customers by removing cost and improve service levels.”

Datacard Group has identified India as one of its core markets and has chalked out a definite plan for the next two years to tap the ever-growing smartcard business in India. The core growth market for the company will be the ID, CI and FII market, whereas Datacard is expecting extended growth to come from areas like local services, local entity and government services.

Angus J. McDougall, Regional Vice President, Asia Pacific, Datacard Group said, “The smartcard growth will grow threefold from 2011 to 2016 in India. In the long term, Datacard India is looking at market segments like GSM, banking and government – Rashtriya Swasthya Bima Yojna (RSBY). Some of the other concentration areas for Datacard in the government space include areas of emphasis in National ID programs, passport and travel documents, driver’s license programs, secure employee IDs, healthcare, EBT and benefits delivery, voter registration and precinct management.”

“The Indian market comprises of the banking, telecom and government sectors. Our emphasis is on the government initiatives like ‘The More Card’ which has been issued by Ministry of Urban Development and is used for travel across the country and by using this card multiple applications can be integrated on it,” said Mr Singh. He adds that given the number of cards in the wallet, personalization is most critical for the customers. Cards that are not personalized will not be used as much by the customers. Moreover, customers across the country are bullish about the usage of loyalty cards which Datacard offers in the country.

Datacard product offerings Datacard products include centralized printers and desktop printers. Centralized printers have the secure ID printing machine at one location while the desktop printers can be comfortably carried around (it weighs from 2.5 to 3 Kg). One such popular printer is SP 30+ made specifically for India and China has been approved by the Ministry of Labour as the de facto printer for the RSBY, the software is already updated to work with this printer. Some of the other innovative products that Datacard offers in the Indian market are MX2000, MX1000, MX6000, five to six products bouquet in the Financial Instant Issuance category and Cardwizard.

Financial Instant Issuance

Datacard’s Financial Instant Issuance is one of the most coveted products for its clients. Consumers today expect instantly personalized products and services. With Instant Issuance, customers get convenience and can receive a card wherever they choose. It also offers innovative choices which help users to choose a unique card design. Moreover, the card can be a preprinted, embossed or flat, white card, where customers can choose from a gallery of images and pictures. The service is fast and responsive, so customers can receive a card immediately. Another important feature is increased profitability, which can be seen in improved card performance metrics that drive bottom-line profitability for the issuing bank (with cost savings too, from not incurring postage and paper costs for the PIN mailer and card mailer). In terms of value proposition and ROI benefits, instant issuance cards ensure service differentiation, security and customer experience and influence, reduce the number of cards issued per account, and carry no fraud loss (for example, no card can be lost to mail fraud), thus increasing transactions and reducing attrition rates.

Datacard CardWizard is installed on your network and used to securely and accurately manage the instant issuance of the financial cards. The software monitors all card production requests and keeps track of all of the cards issued at the branches so you have an accurate, centralized database of all card information. Usually one computer or server is dedicated to run CardWizard’s enterprise components, and then designated PCs at the branch run CardWizard’s branch software components to instantly issue cards, view production reports, and balance card inventory. Card production equipment is also securely installed at every branch where you want to issue cards. Think of these card production machines as shared printers, with the CardWizard software telling each machine what to produce.

SP30

Designed for card issuers looking to increase productivity and manage costs, the Datacard SP30 Plus card printer offers an economical printing solution that produces professional, high-quality cards with full or partial color images. The simplified and efficient design and exclusive supplies make the SP30 Plus card printer a high-quality, low-cost printer ideal for issuing drivers licenses, national healthcare cards, corporate ID cards, government ID cards and more. The SP30 Plus card printer increases overall efficiency and productivity, and it prints up to 750 monochrome cards per hour. It is easy to operate, and the printer driver provides message prompts, recovery instructions, color image preview and online user help. Moreover, once installed, the SP30 Plus card printer recognizes Datacard proprietary supplies and automatically enables enhanced product features that leverage Datacard’s exclusive Intelligent Supplies Technology, including automatic ribbon identification, ribbon saver and ribbon low warning.

[Figure: Instant Issuance Ecosystem. Labelled components: CardWizard Enterprise Server, Card Management System, switch interface, CMS interface, network switch, bank internal network, TCP/IP network, branch LAN, photo station, camera, photo printer, CardWizard client/admin PC(s).]

MX2000

Datacard MX 2000 is a leading and robust product, through which the company brings global expertise to deliver value in India. The potential applications which MX2000 can work on are banking cards, prepaid cards, NID and government cards, transit cards, healthcare and insurance. Designed for cost-conscious card issuers worldwide, the MX2000 card issuance system produces high-quality personalized cards with exceptional efficiency and security. This truly modular system delivers many of the same operational advantages as the company’s higher-volume card issuance systems for an extremely competitive price.

Talking about Datacard’s performance in the Indian market, Mr Singh said, “Datacard wants to be a significant player in India in the coming years. We are presently targeting the banking and commercial segment. Our market share is 41 per cent in the commercial sector and 44 per cent in the banking sector. With a large number of identification schemes coming into effect in the coming years (nearly 2.36 billion cards will need to be printed) the company has a chance to consolidate the investments that we have made and regain market share.”

Datacard partnership with DeviceFidelity

Datacard has recently ventured into an equity investment and strategic partnership with DeviceFidelity Incorporated, a company that develops Near Field Communications (NFC) based plug-and-play technologies, services and payment applications for mobile devices worldwide. This partnership enables Datacard Group to offer DeviceFidelity’s In2Pay suite of solutions, which use microSD technology to transform smartphones into interactive contactless mobile payment devices. Financial institutions and wireless carriers will now be able to easily issue consumers a credit, debit, prepaid or multi-account mobile wallet that can be used at contactless point-of-sale terminals. “This partnership effectively expands on Datacard Group’s Integrated Secure Issuance Anywhere platform, which provides our customers the freedom to manage programs exactly the way they want," said Mr McDougall.

The Chief Technology Officer Forum

cto forum 07 March 2011



A Question of answers


Virtualisation in Production: Increasing use of VMs in production environment is acting as an assurance for virtualisation




Carl Eschenbach | VMWare

Virtualisation Journey of India Begins

Carl Eschenbach, Co-President, Customer Operations, VMWare talks to Ankush Sohoni about the current state of the virtualisation market and how it will evolve

Could you tell us what the Indian virtualisation market is looking like today?

Well as per our statistics, the Indian market stands as 10 percent virtualised. At the same time, just in the last two days while talking to our partners, and customers, I can tell you it’s only a matter of time until it really takes off. When I compare this to just two years ago, we were still evangelising and telling people how much this technology can help them in terms of increasing operational efficiency, and reducing data centre costs. We were still telling customers why they should virtualise. But now when I talk to my customers, or potential customers, they really do understand the need to do it themselves. The key challenge today is that even though organisations want to get virtualised, there are still issues with regards to skills and how and when to virtualise. These are the things that we are trying to help our customers with today.

A lot of CIOs today are concerned with security and data on virtualised platforms. How does VMWare alleviate their fears?

Security is definitely a big question for most CIOs and we as providers of virtualisation have been proactive in alleviating their fears. We have brought to market a product that is highly integrated into our VSphere platform called VShield. VShield allows security vendors to write a virtual appliance that integrates into the API. It’s a very open product and we see Symantec, Trend Micro and McAfee writing virtual appliances for VSphere which plugs into the solution and allows people to get all the compliance and security concerns taken care of when they move onto the platform. One of the key things that is making this product different is that customers today have a large number of Virtual Machines in production. It gives people a lot of assurance that virtualisation is now very safe. So when you talk to customers in emerging markets they are hesitant. When faced with this kind of situation I always speak to them and tell them not to worry because some of the largest businesses are running virtual appliances on VSphere without any glitches. Some of them have 25000 - 40000 Virtual Machines in production and when you look at some of the compliance requirements that they have, it goes to show how much confidence they have in our platform.


Are you noticing any vertical specific adoption trends as far as Virtualisation is concerned?

When I look at Indian market I won’t say that there is one particular market using more virtualisation than another. Our software is horizontal and works the same for any vertical that decides to use it. We were having some meetings the other day and we have use cases from financial services companies, telecom companies, Healthcare, Manufacturing, you name it. We are also seeing tremendous offtake from SMBs. They are also looking for secure and solid solutions. We talk so much about large companies, but companies of all size and scope use virtualisation. Sometimes the SMB players are more aggressive because they don’t have the politics or layers to make decisions and are always looking for a competitive advantage. They just decide to buy the technology. There are many layers of approval in larger companies for virtualisation because of the implications of course, but this is less dominant in smaller companies.

What phase of the virtualisation journey is the Indian market on?

Well when we talk about virtualisation from the context of what is happening globally, in India, we have only conquered the IT production phase. This basically means that we look at enabling the technology production environment to use virtualisation and create a more efficient operational experience. We have 3 phases of the journey to take users to the cloud. The first phase is the IT production phase. From there they move into business production where you see companies running mission critical apps like Oracle and SAP on our platforms. The third phase is to approach it as a service. We are trying to reduce the friction between the producers of IT and the consumers. By implementing more automation and management, people can go and get access to IT services without having to interact with the IT department itself. So we take technology from a highly virtualised state to business production and finally deliver it as a service for the cloud ready enterprise.

How do you think the management views technologies like virtualisation that have immense benefits in reducing operational costs?

I think there are three things to address in that question. The first is the obvious. We significantly reduce the organisation’s CAPEX budget. We go in and consolidate their hardware and that’s a straight off benefit on capital expenditure. If there is anything that we help a CXO with is to go in and crystallise this message. The second area is around OPEX savings. When you get a customer about 70 - 90 percent virtualisation the real savings comes from management automation which enables OPEX savings. More OPEX is spent on IT than CAPEX these days. So we go and talk to the CXOs once we get them to a highly virtualised state and we talk about impact on OPEX savings, helping in consolidating IT staffing and so on. Thirdly if you get to the point of cloud computing, you can greatly simplify the computing environment in your organisation. By simplifying the IT operations the company can focus on revenue generating activities. So CAPEX savings, OPEX savings allow companies to focus on revenue generating activities. Also from the OPEX standpoint, real estate in Mumbai for example is so expensive that reducing physical server sprawl in a datacenter will allow immense savings. The other problem we clearly address is power. So in terms of the value proposition to CXOs – we are still very solid.

Things I Believe In

In India, virtualisation has only conquered the IT production phase

From here companies need to move into business production where you see them running mission critical apps like Oracle and SAP on virtualised platforms

With automation, people can get access to IT services without having to interact with the IT department itself




Best of Breed

How to Embrace the Consumerisation of IT

It’s time to stop enforcing the status quo and instead look at the new consumer-focused devices from a business perspective

By Daniel Burrus

Illustration by Prince Antony

Data Briefing: 40% of devices employees use to access business applications are personally owned

It used to be that any change in an organisation would flow from the top down. For example, the C-suite would decide that a new computer system was needed or that a new policy should be enacted, and the mandate would trickle all the way down to the frontline workers. Sure, it would get resistance along the way, but eventually the change took place just as the leaders wanted.

Today, especially when it comes to the consumerisation of IT, the change process is quite different. What we’re seeing now is a “bottom-up” approach, where the end user (the employee) is pressuring the CIO and other C-suite leaders to change. The consumerisation of IT is extremely disruptive for the CIO. Not only is the change coming in the opposite direction from what the CIO is used to, but it’s also coming so fast that many CIOs are unsure what to do.

What’s really behind this consumerisation of IT trend? In a word? Mobility. Because of advances in bandwidth, storage, and processing power, the tools an average consumer can purchase are extremely powerful. Even as recent as 10 years ago, technology tools for the consumer weren’t that impressive and didn’t have much business application. As such, CIOs simply had to pronounce mandates like “No video games on your work computer,” or “Don’t bring in outside CD-ROMs,” and “No personal cell phones in the office” and the problem was solved (or so they thought).

Kicking it 'old school'

In the early days of consumerisation, we didn’t have wireless data or cloud computing, much less the bandwidth, storage, and processing power to make things powerful so the threat was perceived as minimal. For example, even the early Blackberry wasn’t a true smart phone. It didn’t give you video, audio, or a browser. It was simply a phone and email tool -- something the CIO could easily control.

But that was then, and this is now. Today, the average person can purchase, understand, and easily implement an array of new technologies designed to make work and life easier. Consider this:

Almost half of employees felt that their personal consumer devices and software are more useful than the tools and applications provided by their IT departments;

Almost half of employees felt comfortable and capable in making their own purchasing decisions to apply technology tools for work; and

Almost a third were willing to pay for their own devices and applications to use at work.

Now here’s what’s really eye-opening: Only 27 percent of executives have begun to address the consumerisation issue in a structured way. Now it’s easier to see why the consumerisation of IT trend is so disruptive.

This trend is not just in the United States, it’s global. In fact, the leaders in the consumerisation trend are China and India followed by Brazil and Mexico. In other words, it’s spreading and growing rapidly. So if you’re one of the 73 percent of executives who has not addressed this trend yet, you need to do so now.

The big boost

What really gave the consumerisation of IT a big push is Apple with their iPhone and iPad. Apple took the concept of a smartphone and raised it to a new level. Additionally, it launched the apps trend, which also started as a consumer oriented offering rather than a business one.

Now, with a small iPhone or iPad, consumers could have a true multimedia computer in their hand. Of course, competitors quickly came and launched even more consumer oriented powerful tools, making the usage trend grow quickly. Armed with these new tools and the wide spread deployment of 3G and 4G wireless as well as Wi-Fi, employees quickly realised, “I don’t need to be tethered or plugged in. I can do my work wirelessly and remotely. And I can use amazingly powerful tools that I like better than the ones IT is providing me.”

Remember, apps (even the business productivity ones) are inexpensive, easy to install, powerful, and focused. If you don’t like one, you can easily uninstall it with the push of a button. And, from the employee’s perspective, they know their job and what they need to do better than anyone in IT so why shouldn’t they decide what tools they use and how they use them?

This is why we often see business professionals with two devices: the one they want to use and the one their IT department is making them use. And while you may think your employees are always keeping the two devices separate, that they are always using their business device for business use and their personal one for personal use, think again. In a Unisys-sponsored research study of 2,660 information workers, researchers found that employees are bringing personal devices into the enterprise at an increasing rate. In fact, 40 percent of the devices they use to access business applications are personally owned. That’s a 10 percentage point increase from the previous survey year.

Additionally, the survey concurred with my statement that the increasing penetration of consumer technology in the enterprise is being driven by a desire for mobility. According to the findings, 53 percent of employees surveyed say that mobile devices such as laptops, smart phones, and tablets are their most critical devices for doing work. This is up from 44 percent in 2010. In addition, 65 percent of employees say that a mobile device will be their most critical work device in 2012.

Despite this growing awareness, however, the research found that IT departments are falling further behind in the consumerisation race. For example, employees report using their mobile devices for business purposes at twice the rate that IT executives believe to be the case (69 percent reported by employees versus 34 percent usage reported by IT executives). In addition, 44 percent of employees report using social media for customer communication, while only 28 percent of employers believe that to be the case.

Stop reacting and start anticipating

Unfortunately, most IT departments are reactionary. They didn’t anticipate the consumerisation of IT trend even though it was relatively easy to see. And when it hit in full force, they became crisis managers rather than opportunity seekers. They viewed the consumerisation of IT as a threat and tried to protect and defend the company and the network, never realising that the consumerisation of IT is a hard trend. It’s not here today and gone tomorrow; it’s here forever and it’s only going to accelerate. Why? Because the trifecta of bandwidth, storage, and processing power is continuing to march on, giving us even more powerful tools in the consumer market in an inexpensive way and very quickly.

Here’s one example of what we see happening in IT departments across the country. The IT help desk that companies provide has little ability to support and help their employees. The help desk and the IT department are designed to help with the "approved" devices and tools. But now they are seeing tools that are not approved and don’t know how to help with them. While this issue may seem small, it quickly slows productivity and causes many employees to think negatively of IT.

If you’re ready to stop reacting and start seeing the opportunity staring at you right now, here are some steps you can take to turn the consumerisation of IT trend into your company’s competitive advantage:

No. 1 - Start a dialogue: The benefits of the consumerisation of IT are clear. It provides greater business agility, faster problem solving and innovation, increased collaboration, increased communication, higher productivity, and overall improved employee satisfaction because people are using the devices they want to use. Additionally, your Gen-Y and Gen-X employees are very tech-savvy and need to use the newest devices so they can feel empowered. All employees like to feel empowered, therefore survey the people in your company to find out what’s working and what’s not working for them technologically-speaking. As the CIO, you need to know what they are using and trying. Ask them such things as, “How are you using the device or technology when you travel?” “What do you wish you had that we don’t currently provide?” and “What tools do you think are best?” In other words, start the dialogue. Engage your employees so they see IT as a resource rather than a deterrent to technological innovation. Then, after the conversation, test the tools the employees mentioned. Get to know how they work and put them on your company’s approved list.

No. 2 - Spur innovation: You and I both know that no matter what policies you enact to keep outside technologies away from the enterprise, the employees are going to buy them and bring them into work anyway. So instead of defaulting to “no” when something new comes out, encourage your people to bring the new item to IT to look at it, track it, and provide suggestions for how the company can use it. After all, the next new device may have a huge business use. Either way, if your people are using it, you want to know how they’re using it so you can replicate their successes with the technology company-wide. So rather than have employees hide their technology tools from you (which makes IT out to be the “bad guys”), strive to co-create the future with the staff.

No. 3 - Create a list of recommendations to help employees make an informed decision: After your IT staff analyses the potential tools, create a list of the ones you recommend employees use, even though the company does not supply that particular item. In other words, if someone wants to get a tablet, an ultra-light laptop, a smart phone, or even an app, they can go to IT and see which ones IT recommends and why. This approach engenders collaboration, elevates IT to the status of a trusted advisor, and puts IT back in the driver's seat.

No. 4 - Help your employees stay safe: Develop some tools to help secure consumer technology, and create secure doorways of entry for your staff. Again, your employees are going to find their own ways around any security features you enact on the network. So why not create a path, a “doorway,” to help them get in and work in a secure and productive way.

Opportunity favors the bold

For CIOs, the consumerisation of IT brings change into the organisation from a different direction. But it doesn’t have to be that way. You can become more innovative, more opportunity focused, and ultimately more valuable to the organisation when you lead the change by embracing the trend rather than fighting it.

It’s time to stop enforcing the status quo and instead look at the new consumer-focused devices and tools from a business perspective. When you anticipate what your employees want and need to do their jobs better and then devise smart and flexible policies for managing and securing those technologies, you’ll find that the consumerisation of IT can unlock new opportunities and revenue streams for your organisation.

Daniel Burrus is considered one of the world’s leading technology forecasters and business strategists, and is the founder and CEO of Burrus Research, a research and consulting firm that monitors global advancements in technology driven trends to help clients better understand how technological, social and business forces are converging to create enormous, untapped opportunities.

—This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.



How to Set Up a High-Performing Sec Team

Using the right management styles effectively is the key to building a strong security team

illustration BY Prince Antony

By Jeff Bardin

Most IT execs like to speak of methods for securing funding, implementing the latest technology, or performing enterprise-wide risk assessments, but this completely overlooks the impact that people can have on building a high-performing security program. When security executives overlook team creation as a core component of a security program, they fail. A well-oiled machine is critical to creating an ever-expanding and improving information security posture.

So how should a CISO manage his or her team? My experience tells me that I must hire people who are smarter than I am. That I must find, hone and develop a group of experts who understand the need for a unified approach. But the key to managing these individuals and building a successful team is to accurately identify the personality types of the team members.

One technique used with success is Myers-Briggs testing. Testing your staff and/or prospective staff to determine personality types goes a long way in identifying the right mix of staff, and the placement of your people in the roles they are most likely to enjoy and drive success. For example, you do not necessarily want an ISTJ (introvert, sensing, thinking, judgmental) personality type as the key driver for your strategy. That may be more aligned to an E/INTP/J. The ISTJ in most cases is very comfortable executing a plan and getting into the tactical details.

My belief and proven experience indicate that it is much more effective to accentuate the positive aspects of an individual’s skills and personality than it is to try to improve the functions they do not care to do. It takes a great deal more time, effort and expense to improve deficiencies than it does to continue improving the positive aspects and perfections of your team members.

Jared Pfost, of Third Defense, has a different approach and formula that he recommends:

Empower and support people to execute. Help those who do not find other opportunities.

Buy-in, skills, desire, and diversity trump personality types and demographics.

Establishing a strategy that contains what you do (mission), where you are (maturity assessment), where you are going (vision), and how to get there (execution strategy/roadmap).

Service catalogue to clarify objectives and scope for team members.

Role definitions — using the RACI method (responsible, accountable, consulted and informed) — for key processes such as assessment, response, compliance, operations, architecture, treatment decisions.

Measurements to track actual vs. target ‘team’ performance (metrics).

Recognition: reward improvement and incentivize internal promotion.

Execution: accountability for on scope/time/budget.

Jared blends skills with strong leadership and structure as a method to building strong teams.

CMMi for people

CISOs should treat their staff based upon their emotional and skills maturity level. Treating each person the same on your team is fine for HR-type policies and procedures, but when it comes to getting the job done, situational leadership is the only way to go. CISOs should base their leadership methods and style upon the emotional and educational needs of the team member and on the tasks given to each team member. There are four management styles that are individually used or blended depending upon the tasks and team members involved (moving up the maturity chain):

Directing - Leaders define the roles and tasks of the 'follower', and supervise them closely. Decisions are made by the leader and announced, so communication is largely one-way. The focus is on structuring, organizing, teaching and supervising.

Coaching - Leaders still define roles and tasks, but seek ideas and suggestions from the follower. Decisions remain the leader's prerogative, but communication is two-way.

Supporting - Leaders pass day-to-day decisions, such as task allocation and processes, to the follower. The leader facilitates and takes part in decisions, but control is with the follower. The focus is on praise, listening, asking, explaining, and facilitation.

Delegation - Leaders are still involved in decisions and problem solving, but control is with the follower. The follower decides when and how the leader will be involved.

Knowing how to use these management styles effectively is the key to building a strong security team. It is important to identify your team members’ personality types and apply the right blend of leadership in order to maximize their contributions, and to create a high-performing program.

— Jeff Bardin is the chief intelligence officer at Treadstone 71. Jeff sits on the board of directors of Boston Infragard; was a founding member of the Cloud Security Alliance.

— This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.

What IT Professionals Really Want

S

A recent survey reveals that IT professionals are ready to stand up and say: “Show me the money.” By Marc J. Schiller

ome time back, I put forth the position that the reason IT leaders don’t get what they want from their careers is because they don’t really know what they want. To help prove or disprove my position, I reached out to CIO Insight readers and members of my personal mailing lists and asked them to participate in a survey with one simple question: What do you most want from your professional career? We received 160 responses across a range of IT and business positions.

IT Pros: What We Learned

To make the answers as meaningful as possible, participants were required to choose a first, second and third response from more than 16 choices. (Respondents also had the option to write in a choice of their own, although fewer than two percent chose to do so.) The goal in providing so many choices with only slight variations between them was to “force” IT pros to reveal the exact nature of what they want most from their careers. No hiding behind broad statements like "career advancement" or "challenging work environment."

The top three survey choices for all IT respondents, from non-managerial IT pros to CIOs, were:

1. I want to make more money
2. I want to be more influential
3. I want a seat at the table

In absolute terms, 129 of the 160 IT pros who participated in this survey (over 80 percent) chose one of the above items as either their first, second or third choice.

More significantly, 45 percent of respondents chose “I want to make more money” as their first, second or third choice. News flash: IT leaders want to make more money and have greater influence and presence in the executive suite.

Really? Is that really such a big deal? Is that even news? Yes, it is. It’s a HUGE deal and it’s big news. Because it’s the first time I have ever seen IT leaders and professionals actually come out and say their number one priority is that they want to make more money. I often hear about the desire for greater influence and a seat at the table. That’s become a very important professional goal for many IT folks. (Heck, it’s the main focus of my own work.) But a hard-core, no-holds-barred focus on money? That’s atypical for the IT community.

For a variety of reasons, most IT professionals and leaders have difficulty saying that they want to make more money until they are pushed to admit it. Like it’s some sort of bad thing to be financially motivated when you work in the world of business. Hello?

Well, according to this data, it seems this trend has made a sharp turnaround. And I for one couldn’t be more delighted to see it. Now that it’s out in the open, you can get to work in earnest on making it happen. Along with it, you can add in the other two goals of greater influence and a seat at the table. These three actually go hand-in-hand. All too often, IT professionals and leaders are afraid to admit they want to make more money. But until you do, it’s going to be near impossible to build a meaningful plan to get yourself there.


Actively pursuing greater financial reward is part and parcel of the business world. And it’s something every IT professional needs to learn how to do. The first step to making more money (or realising any goal for that matter) is fully recognising it and embracing it. And so I say: well done.

Of course, wanting to make more money or attain a seat at the table doesn’t just happen on its own. It requires a very deliberate set of actions. I’ll have more to say on this subject in future columns. In the meantime, if you would like a full copy of the survey results (so you can see into the variations of what IT professionals want most and how they differ by role) email me. I’ll be happy to send them along to you.

— Marc J. Schiller, author of “The 11 Secrets of Highly Influential IT Leaders,” is a speaker, strategic facilitator, and an advisor on the implementation of influential analytics.

— This opinion was first published in CIO Insight. For more stories please visit www.cioinsight.com.



Cover Story: CEO Interviews

High Five

Andrew Miller, CEO, Polycom
Chris Fredde, CEO, SafeNet
Sudipta K Sen, CEO & MD, SAS Institute (India)
Hugh Njemanze, ArcSight Founder and VP & CTO, HP Security Solutions
Harvey Koeppel, Executive Director, Centre for CIO Leadership

We reprint five interviews with top business leaders on topics ranging from cloud to security and from UC to leadership. Amongst those interviewed are Andrew Miller, CEO of Polycom, who provides insights into the metamorphosis under way in the UC market; Hugh Njemanze, Founder, ArcSight, on what customers want in terms of security solutions; Harvey Koeppel, Executive Director, Centre for CIO Leadership, who talks about what it takes to be a technology leader; Chris Fredde, CEO, SafeNet, who discusses the importance of encryption in the changing enterprise environment; and Sudipta K Sen, CEO, SAS Institute (India), who shares the reasons for the continued growth of business intelligence.


Leading the Change

In the 10 months since Andrew Miller took over as the CEO of Polycom, he has been leading the company from the front. In conversation with Yashvendra Singh, Miller talks about the metamorphosis under way in the unified communications market, and how Polycom is addressing it.

How is the overall enterprise communication and collaboration space changing?

There are lots of exciting changes and strong growth drivers that are propelling the market for unified communications (UC). First, we see an expanding market for UC both within and beyond the enterprise to SMB, mobile and consumer applications. This growth is driven by three factors: adoption of open standards and integration into best-of-breed UC solutions like Microsoft Lync; accessibility of telepresence solutions ranging from consumers and the mobile market to SMBs, enterprises and service providers; and the widespread availability of cost-effective bandwidth. Second, the underlying business drivers for UC are increasing as more businesses of all sizes are operating globally and looking for ways to improve communication and collaboration across locations and time zones to accelerate decision making and time to market, and to lower operation costs and better leverage existing resources.

The market for unified communications has immense potential. According to a Frost & Sullivan research study in 2009, the APAC market size of video conference-infrastructure is around 330-350 million dollars, of which, India’s contribution is around 9%. But, by 2015 this industry is expected to reach around 850-900 million dollars and the growth in India is expected to be 15%.

You have been leading Polycom's Open Collaboration Network initiative. How has the progress been so far?

The Polycom Open Collaboration Network (POCN) is a key strategy for Polycom that provides significant value for our customers. By working with leading unified communications platform providers, Polycom is able to deliver its productivity-enhancing and cost-saving telepresence, video and voice collaboration products as an integrated part of core unified communication environments, making the technologies easily accessible as part of the everyday workflow within a comprehensive solution that is easy to deploy and manage. Our strategic Polycom Open Collaboration Network partners include Microsoft, Avaya, BroadSoft, HP, McAfee, IBM, Juniper Networks and Siemens. Through this initiative, our customers can stay assured their solutions continue to interoperate in a best-in-class environment, rather than being tied to one particular vendor.

2010 was the year when you believed in "sell-through philosophy" where the service provider sells and fulfills services to customers. Will this strategy continue in 2011 too?

It will definitely continue. In fact, we think 2011 and moving into 2012 will be when the service provider market for UC really gains momentum. One of Polycom’s key strategies is to enable the next generation of cloud-based services in conjunction with our service provider partners. We will do this by powering service provider networks through the Polycom UC Intelligent Core infrastructure platform, and by bringing together partners around standards and open interoperability to drive a network effect for customers.

How is Polycom enabling the service provider channel to host and manage services for end users?

In India, Polycom has a 2-tier distribution structure. There are 3 distributors and 50+ channel partners. By the first quarter of 2011, Polycom will be launching the ‘Polycom Choice Programme’ for defining its channel partners, their certification and growing their reach. To enable service providers to deliver UC services reliably, cost-effectively and with a differentiated experience, Polycom is building the most scalable and robust platform to deliver these services through the Polycom UC Intelligent Core.

How do you see consolidation in the industry affecting technology advancement?

Consolidation is happening, but Polycom is winning in the market, because we remain focused on delivering greater customer value, flexibility and investment protection. Polycom believes it is critical to continue to innovate in a standards-based way and to provide seamless UC integration through our POCN partners, while also solving the interoperability challenges for our customers by connecting the islands of communications that exist between enterprise, mobile and consumer applications. This is also proven through Polycom’s commitment to UC Everywhere, a strategy for seamlessly connecting communications across the continuum of consumer, mobility, SMB (small to medium businesses) and the enterprise, regardless of platform or network. These same innovations enable service providers to deploy open cloud-based UC telepresence services, giving customers the capability to communicate outside their organisations and across their supply chain to suppliers, partners and customers.
While your ‘UC Everywhere’ strategy includes a cloud computing solution, there are issues such as end-point equipment installation, training, lighting and sound, and operating procedures in migrating video conferencing to the cloud. What is your take on it?

There is no doubt in my mind that real-time communications in the cloud is coming and will drive broader adoption, because it solves many of the issues limiting adoption today that we have discussed previously. However, your question is a good one. Regarding equipment installation, the barrier for businesses today is not actually plugging in the cameras and codecs, it is making sure the systems can easily connect across the network and between firewalls. The cloud will solve these issues. Areas like training, specialised lighting and sound, etc. provide a great opportunity for value-added services through service providers and channel partners. One example is BT, which has created reference architectures to give customers the assurance that Microsoft and Polycom technologies will be deployed and managed in solutions that not only consider the server and software platform, but also the full network impact and utilization.

Telepresence adoption in India seems to be quite far. What is your strategy to push its growth?

Yes. Polycom believes there will be several major factors driving growth of telepresence. Polycom is helping to enable the cloud-based services that will simplify how customers purchase and use visual communications technologies like telepresence and make it easier to extend video use across business, mobile and consumer applications. Regionally, there are two key areas that need to align so that you see growth, namely broadband infrastructure deployments and then industries see the bottom benefits of adopting the telepresence solutions. Firstly, the Indian government is very committed to the deployment of high-speed networks, both wireless and fixed broadband, across the breadth of India; this then becomes the foundation to build from and we are working closely with them on this initiative. Next, we have aligned with a number of key channel partners in India, which include leading telecommunications players. Together with these channel partners and our POCN partners, we are developing innovative solutions for many end user customers, especially in the verticals of Government, Healthcare and Education.

But why is the market still reaching out for closed technologies as opposed to open, standards-based ones?

The market is undergoing a sort of metamorphosis. We are seeing tremendous traction for open and interoperable technologies. Enterprises are realising multiple benefits by choosing open-platform-based technologies. There is also confusion in the market, some of it propagated by other vendors, about the current state of interoperability. For example, we hear all the time from Cisco Telepresence customers who were promised interoperability, but find themselves locked behind proprietary walls. It is this customer demand that led us to support Cisco TIP on our infrastructure platform. We are breaking these customers out of the proprietary walls and providing a way to leverage their existing systems, but scale their network with standards-based solutions moving forward.

UC’s full IP-based approach can introduce reliability, security and regulatory issues that are frightening to certain industries such as healthcare, for instance. What is the way ahead?

On the Healthcare front, organisations face challenges mainly in three areas: delivering quality patient care, streamlining care delivery processes, and improving business processes. These challenges are compounded by an environment with many time-dependent critical processes, multiple modes of communication, and many mobile caregivers and other workers with widely varying availability throughout the day. Polycom offers a portfolio of end-to-end, scalable, secure, Unified Collaborative solutions, which increase productivity of healthcare professionals, are used extensively for training of hospital staff, can extend patient care and expertise to remote areas, and also improve patient care with mobility solutions.



“Understanding the customer is the key to success”

ArcSight, which was acquired by HP last year, was started when the dot-com bubble had burst. CTO Forum talks to Hugh Njemanze, ArcSight Founder and VP & CTO, HP Security Solutions, about the company’s journey so far and how it has been able to sustain a robust growth.

What inspired you to incubate ArcSight? How has the journey been so far?

Before we started this company, we saw that there were organisations building tools in-house, and they were realising that they cannot be in the business of maintaining those tools. The reason being that perhaps the person who originally built the tool moved on to another company and someone would need to reverse-engineer it to understand it. So it was better to find a commercial solution. There was clearly a need for a log consolidation and analysis tool in the market that could meet the enterprise needs for strategic monitoring.

We started at a fairly difficult time when the dot-com bubble had just burst and not many customers had discretionary funds to start new projects. But we turned it into an advantage because while we were building our first product, we could focus on building a great product as we weren’t worried about selling it by using our funding. By January, 2002, there was a reviewer who did a round of all such tools in the market, and told us that ours was the most mature tool in the space. When we launched our first product and published the details on our website, the competitive website claimed the same features within weeks on their own websites. However, that worked in our favour because when we did PoCs for the customers, they told us that we were the only product that actually matches its website specs. In fact, I also met some of my competitors at trade shows and they said we had an unfair advantage because we wrote a fresh code base and they used the same old code base that evolved over a period of time. Most of our competitors started out as security consultants and wrote these tools for themselves and became a software company almost by accident.

Another advantage that we had was our conservative fiscal approach. During the dot-com days, there was almost a formula that if you were to be acquired you’d be paid a million dollars for every employee. So these companies kept hiring employees without thinking much about profitability and viability as they just wanted to be bought. On the other hand, we maintained a small team initially and as we got customers we expanded the team. This approach helped us survive the downturn and helped us become profitable at a very early stage.

How much funding did you receive?

We started with a venture capital of $16 million and then did a second round of funding a couple of years later. That was the last time we raised money until we went public. We started selling our product in 2002 and by 2004 we started generating profits and went public in 2008.

You hired a sales person and met potential customers even before you had a product? How did you manage to achieve this?

We described the log management and analysis problem that we had been hearing from other customers and they agreed they had similar problems and needs and were therefore willing to talk to us even though we didn’t even have a proper name. We used to call ourselves Wahoo, which is the name of a fish. People thought that it was just a copy of the name Yahoo. With some of those cold calls that Pat (the sales guy) and I made, the customer said that if you could build a product that could solve the problems we described, they were ready to buy it. We saw a solid interest in the solution.

We spend a lot of time with customers and translate their needs into something that makes sense for an engineer. Every year we have a user conference where every presentation is either given by engineers or the customers using it. Engineers love it because they get to interact with the customer and therefore they come back very inspired and motivated. Customers love it because they get the ground truth from peers and the guys writing the code.

You started when the dot-com burst happened. Recently we experienced an economic recession. How did that impact you?

Rather than change things, we survived the downturn in a different way. We continued to grow at a rapid pace. We have a lot of BFSI customers. Banks were hit very hard during recession. Some of the banks folded, some got acquired. The interesting thing for us is if a bank got acquired, at least one of them would be using ArcSight, so they’ll expand their licenses to cover both the banks. So, we found that the mergers were driving higher adoption of our products. It was an interesting set of events because we went public in December 2008 when the economy had started declining and the advice was against going public. But we went against all odds and went public and 18 months into it, we were the only company trading above the IPO price amongst those that went public during recession. We continued climbing till the time we got acquired by HP.


How do you ensure that your solutions suit the requirements of diverse verticals and customers?

One of the principles we have is to build products that meet customer needs without applying the features to just one customer. So every time a customer explains to us what they want to do, we try to understand how that can apply to other customers and build solutions in such a way that it can appeal to others. So, sometimes that means creating a feature in a more generic way and creating authoring tools so that customers can customise to their specific needs. For example, one of our early customers wanted to be able to have a workflow inside a ticketing system. We didn’t want to rebuild the entire ticketing system but at the same time, we didn’t want to build something that was narrowly built to just one customer. We talked to a few customers and we built something that can be parameterised so that you can use all the terminologies that are there in your particular environment. So, we built a straightforward workflow which can be made to look and feel the way the customer wants.

Log management tool has a potential hazard of being misused. How did you educate the customers to ensure it isn’t misused?

Our customers actually educated us instead of vice versa. Different customers have different tolerance levels. For example, in Germany, privacy is a very important consideration in the workplace. They have legislation against workers being monitored etc. So as per the rules you can capture the logs but you have to purge them after 24 hours. That led us to build some flexibility in our products. Now, the customers can say when they want what data to expire. This ensures no data is stored beyond the acceptable limits. We’ve always tried to make the software configurable so that it meets the needs for most customers.

How is ArcSight changing post its acquisition by HP?

This was our biggest concern before getting acquired. One of the reasons I felt comfortable with the acquisition by HP was because we can pursue the vision of the company as part of HP. So far that has been the case. We have our R&D team completely intact. We have our own sales force intact and even our own facilities intact. So far, HP is willing to understand how we’ve been successful and if it makes sense, HP will adopt some of ArcSight’s processes and if it makes sense, ArcSight would adopt some of HP’s processes. We’ve been going through the process for a while and it has been very constructive.

It’s Hard Work Not Genetics

Harvey Koeppel, Executive Director, Centre for CIO Leadership talks about what it takes to be a technology leader

By Yashvendra Singh

Do you feel people are born leaders or leadership traits can be inculcated over time?

In my experience, some people may be born with an intuitive understanding of what it takes to be a leader although most have honed their skills over long periods of time and they have become familiar with both successful and not so successful experiences along the way. Leadership is much more about hard work than about genetics.

What are the critical issues associated with leadership in general and technology leadership in particular?

Leaders, by definition, are agents of change. For most people, change is hard even if the change is desired and the outcome is positive – it requires venturing into the unknown and it means taking risks. Good leaders have a clear vision and have the skill to clearly articulate the vision to their stakeholders. Further, they must be able to inspire and motivate their constituencies to do the hard work to move their enterprise in ways that enable the vision. Leadership also requires taking and managing risks. It’s not about avoiding risks – it’s about managing them. If you are not taking risks you’re not making progress. It’s ok to make mistakes, just not the same ones. I always tell my team that “…it is fine to make mistakes, just make new ones. If you make a mistake, acknowledge it, fix it and move on. Don’t hide mistakes – wear them on your sleeve as merit badges that you are proud of – that will almost guarantee that you won’t make the same mistake again!”

Technology leadership is particularly challenging, driven by a few key dynamics. Information Technology is one of the fastest moving industries and is somewhat uniquely characterised by the continued availability of increased performance and capabilities at lower cost. The pressure to continuously adapt to changing technologies to enable both process efficiencies (expense reduction) and competitive differentiation (revenue/earnings enhancement) is significant and non-stop. Continuous change is one of the few constants. Another significant dynamic that characterises IT leadership is the need to inspire, motivate and ultimately influence many constituents who are not necessarily within their direct sphere of management, e.g. business unit staff, and often are not internal to their enterprise, e.g. supply chain partners.

What does leadership mean in the context of a CIO?

At the Center for CIO Leadership, we have created a Competency Model which describes the core competencies, skills and good practices that CIOs need to acquire and master to advance their profession. The key elements of the model include:

- Leadership (articulate, inspire, motivate, coach, develop)
- Relationship Management and Communication (build trust, credibility, listen, influence, communicate)
- Business Management (govern, measure, connect to business value creation)
- Business Strategy & Process (understand/articulate vision, have end-to-end view of business and customer value creation, mobilize resources, implement metrics)
- Innovation & Growth (promote new ideas, collaborate with stakeholders, link to business outcomes, develop culture)
- Risk Management & Compliance (understand, manage, communicate, develop culture)


Ultimately IT has to add value to the business. How can a CIO, therefore, exhibit leadership quality when it comes to business?

CIOs need to start by leveraging their seat at the table to have a voice at the table. CIOs ultimately need to participate in the ideation and formulation of the business strategy, not just be handed the plan for implementation. They must be considered as true peers within the executive management team. Participation at this level does not just come with the title – it must be earned. It must start with CIOs being able to speak the language of the business and not expect their business colleagues to understand (or even care about) IT jargon. Conversations should not be about architecture or networks, data warehouses, etc., but must be about leveraging IT assets to drive revenue, increase earnings per share, customer satisfaction and retention, reducing time to market, etc. Then it is about delivering on commitments – say what you are going to do and do what you say and communicate results in business value terminology the c-suite peers can relate to. Of course, all of this presumes that day to day processes and operations are running smoothly and efficiently.


How can he be a leader in the true sense to his subordinates in the IT department?

CIOs need to understand the business vision and be able to clearly communicate that vision across the IT organisation. They need to establish the corresponding IT vision and programmes that support the business vision and demonstrate how major IT programs align with key business objectives and have material (hopefully positive) impact upon business outcomes. They need to implement appropriate programme governance structures that carefully balance the needs of their business with the practical considerations and realities of a fixed (and often diminishing) level of resources. Having the right bench strength to support the key IT programmes is critical. CIOs also need to ensure that their own delegation skills are sufficiently developed and empower their teams to handle much of the day to day responsibilities to ensure that they have the time to spend with their business partners, as needed. IT staff training, education, coaching, mentoring and staff development must be a key priority. IT staff need to have an understanding of both the business and IT context within which they work, they must have knowledge of how the projects that they are working on fit into both the business and IT contexts, and they must have a clear view of how their careers can progress along with the growth of their enterprise.

Can leadership qualities add value to a CIO’s personal life as well? If yes, how?

Leadership skills are not specific to a profession or an industry and are definitely not exclusively applicable to one’s work life. The ability to listen, to understand needs, envision creative approaches and solutions to challenges and problems, add value to relationships, inspire and motivate others and manage risks are essential components of a healthy and vibrant personal life characterised by rich and meaningful relationships. A satisfying and enriching personal life can also be a significant contributor to a successful career.

How can a CIO inculcate leadership qualities?

There is a vast body of research and educational materials available to CIOs to assist in the identification, acquisition and development of leadership qualities. The core mission of the Center for CIO Leadership directly addresses this need. Having a mentor or coach is another extremely valuable resource that can help guide CIOs through the many challenges that they face. Working with an executive team that understands the value of IT and is supportive of the IT agenda as a key enabler of business objectives is also an important aspect of the CIO’s ability to develop their leadership skills and to step into a true enterprise leadership role, well beyond the role of managing the IT cost center.

There are several leadership models. Is there one that has an exact fit for a CIO?

We have found no one model that comprehensively addresses the needs of the CIO in this area. Key considerations for evaluating leadership models and different approaches include: the CIO’s background and current level of expertise, the culture of their enterprise and its view of how to most effectively leverage IT assets, the industry, geography, and the local and global economic outlook that the CIO is working within. Interestingly, we have identified the age of the CIO’s enterprise to be a major factor in determining how the CIO needs to lead and manage. Understandably, the older the enterprise the more investment there is in heritage and legacy guidelines, policies, processes and systems that support the enterprise, i.e. “…that’s the way we have done it for the past 75 years…”. Typically, older firms demand that an increased proportion of CIO agenda (budget, staff resources, time and attention) be allocated to maintaining and enhancing the legacy environment and a correspondingly smaller proportion of investment be made in innovation and new development. In many ways, CIOs more than any other executive, except perhaps for CEOs, need to be extremely flexible, adaptable, courageous and bold.

How does the Centre for CIO Leadership help CIOs to transform into leaders?

Toward this end, we maintain a virtual community of more than 2,500 CIOs representing over 70 countries, 45 industries across public and private sectors and small, medium and large enterprises. We work with our community to facilitate dialog exclusively focused upon how to most effectively enable the journey. We start by asking lots of questions and listening to where CIOs see their major challenges and opportunities. We then enact both quantitative and qualitative research programmes throughout our global community, often in partnership with leading academics, research partners and other CIO organisations. Analysis of research findings results in the publication of whitepapers and case studies, and drives the content of Centre-produced virtual roundtables, webinars, podcasts, panel discussions and in-person events designed to share insights and help CIOs to identify and implement pragmatic solutions to the everyday issues they face. Our website serves as a repository where CIOs can access more than 400 pieces of content to help them identify and develop the leadership skills that they need. We also sponsor a Mentor Programme to help CIOs to continue their conversations in a more personalised context. Additionally, we work with a global roster of leading academic partners to deliver executive education programmes focused upon the Center’s Competency Model and related themes. Recent examples include collaborations with Harvard Business School, MIT Sloan/CISR, and INSEAD.


cto forum 07 MARCH 2012

The Chief Technology Officer Forum

—yashvendra.singh@9dot9.in

Encryption in Enterprises: Fredde believes enterprises need a comprehensive encryption solution.


CEO INTERVIEWS

COVER STORY

What would be your key priorities for the next few quarters after taking up the CEO’s role in the organisation?

Currently our priority is to understand key security requirements for the next few years. As the threats and regulations change, we need to understand what technology would be required in order to cater to the market and the threat landscape in the next few years. Three years ago, we felt that cloud would gain prominence and thus started working on products for the cloud. Now that people have started putting up data over the cloud, they realise the importance of protecting it using cloud encryption solutions that we developed. We are currently working on mobile security solutions as we see the next wave of security issues coming from the mobile. Today’s cyber criminals are highly motivated and leverage advanced technologies to build an attack. Therefore, it is often impossible to evade such attacks and data theft becomes inevitable. However, encryption can safeguard

“You Cannot Wipe Your Data from the Cloud”

The increasing number of high profile data breaches like the attacks on Sony, T J Maxx and WikiLeaks have brought the importance of encryption to the fore. Chris Fredde, CEO, SafeNet talks to Varun Aggarwal about the importance of encryption in the changing enterprise environment.


to send the data to some other application? You’ll have to decrypt the data and then send it leaving it exposed while in transition. Most of the available point encryption tools are not interoperable, leading organisations to decrypt the data before sending it to another application, creating a big security risk. That is the reason such point encryption products do not work for an enterprise and a comprehensive encryption solution is required that works across applications and also secures the data in transition.

the data even in case of a breach. The attacker can have the data but it’ll remain useless to him if the data is encrypted. Encryption moves the vulnerability to how do you manage the keys. I will say if you've got a professionally designed encryption system, an enterprise that's architected to accommodate encryption systems, then the answer is yes. You have, in fact, solved the problem.

In many cases recently, hackers stole the victim’s digital identity. How can organisations protect themselves against stolen digital certificates or digital identity?

Firstly, there are ways to detect stolen certificates that may prevent any misuse. Moreover, the Controller of Certifying Authorities has been assigned an anchor role in IT Act of India to ensure that besides all the areas related to governance of PKI technology, appropriate strength of security is maintained. CCA has made a comprehensive change with respect to security of digital identity. Earlier, it allowed for the digital identity to be issued and stored in any kind of storage (hard disk, thumb drive etc.). It has now made it mandatory for the digital identity (for Class 2 and above) to be generated and stored inside a FIPS 140-2 compliant hardware device only. It means that no one can take out and copy your digital identity.

Is it safe to put your sensitive data over the cloud?

The biggest challenge with storing data over the cloud is that even when you delete it, you can never be sure that it is completely gone. Even the cloud providers cannot assure you


Despite the growing data theft incidents, encryption adoption is still quite low. What are the reasons for this?

There have been a number of high-level breaches lately and people still don't recognise that it applies to them too. One of the reasons is also that these advanced threats are very quiet. Their whole goal is to steal information silently so that the person losing information is unaware of it. People just don't recognise that the threat is real and the target could very well be them. They don't have an appreciation for how imminent, how insidious and how right in their own backyard this problem really could be. Moreover, people respond to events instead of anticipating them. Therefore, they wait for such events to happen in order to restructure their security infrastructure. Historically, cost has been the biggest limiting factor for low adoption of encryption solutions. For vendors like us, the challenge is that we need to deploy an encryption solution based on customer’s infrastructure and requirements. Unless we do that, the system would not be effective. However, newer technologies like virtualised data centers and mobility solutions add to the complexity and thus the cost. It is also very important to encrypt only the sensitive information because if you encrypt things that don't need to be encrypted, you run into a lot of issues. It's harder to share information, it can slow down your processes and of course, increase the cost.

“With cloud encryption solutions, you do not need to worry about your data landing into the wrong hands.” —Chris Fredde CEO, SafeNet

if your data is permanently deleted when you want it to be. You cannot let your sensitive data lie somewhere in the cloud and assume that it will not be misused. With cloud encryption solutions, you do not need to worry about your data landing into the wrong hands. All you need to do is encrypt the data and when you do not require it anymore, just forget about it. You do not have to worry about deleting every instance of the data because in encrypted form it’ll remain safe even if it lands in the wrong hands.

Most popular databases come with free encryption tools. Then why does an organisation require an expensive encryption solution?

It is good to encrypt the data using such tools only as long as it is stored in the application. But, what do you do when you have


Telecom, BFSI Drive Growth for SAS

Despite the market downturn, SAS Institute continues to witness a double digit growth year-on-year. In conversation with CTO Forum, Sudipta K Sen, CEO & MD – SAS Institute (India) shares the reasons for the continued growth and the company’s future road map.

How has the Business Analytics and Business Intelligence journey been in the last few years, specifically in India?

The journey has been very pleasant in the space of BA/BI. Specifically in India, in the last few years there have been good experiences. We have been following trends that are visible in the matured markets, but in certain areas in India we are leap-frogging. Typically there have been four key factors that are driving the trends in this space. Be it a bank, a financial institution, telecom or retail, for all, managing profitability, managing growth, managing customer expectation and managing shareholders are the key factors. All data-rich verticals where there is humungous data being churned are the fastest at the maturity curve. Technology wise, the adoption is at a much matured stage than it was a few years back. For example, a bank would have core banking in place, a CRM system and the likes. Similarly in the telecom space too, the OSs have gone through the maturity curve. This in turn is leading to market dynamics in the BA/BI space.

photo by Jiten Gandhi

That’s where a company like SAS plays a very important role as we have the capability to address both the areas.

of other similar services use the power of predictive analytics. People are looking at new avenues and areas for analysis. Verticals which are dealing with humungous data like BFSI, telecom etc are driving the growth for BA & BI. Today businesses are in an extremely dynamic and competitive market where they need to proactively reach out to customers not only for retention but for acquisition also. Here the power of analytics is allowing the business to be agile and correct before it hits a wall.

How have these dynamics impacted the BA/BI market and what are the challenges?

Today the scenario is such that no vertical is limited to just one service. A bank today is no longer engaging in just traditional banking service. It offers a bouquet of services. They are selling insurance, mutual funds, credit cards and a whole lot of other products. This brought in a scenario where the key challenge was the management of data. The data is not sitting in one place but is in multiple locations and in multiple formats. Banks have moved much beyond the product-centric approach to a customer-centric approach, and as you go ahead in the market that’s the way to be. The challenge is to get all the data related to one person under one umbrella. The first challenge is the technological challenge as the data is in different forms in different locations and in different databases. The second even bigger challenge is the quality of the data. After the cleansing, it is put in the mart, then starts the process of analytics and then BI. This is also where predictive analysis is playing an important role. This allows the company to link the products to the profiles and enable specific campaigning to the target audience. Thereby enabling targeted bombing rather than carpet bombing.

The IT landscape at most organisations has undergone a change with mobility and penetration of smart devices? What impact is it having on BA & BI?

Earlier we were only on the internet. Today the scenario has changed and everyone is on social media, be it Twitter, Facebook, etc. A personal example that I would like to share is recently my daughter bought a car. Earlier in a typical scenario you would have shortlisted 3 models, done the test drive and bought the car. But now, my daughter had finalized two models, had a blog, got her reviews and related details on the car and even before we went for the test drive we knew exactly what to expect out of the test drive. We had all the details with us; social media has become extremely important not only for the marketers but many others. From a marketer’s perspective you can do sentiment analysis where you can figure out the brand value, how is it moving, get feedback and check the issues around it, change what is required, correct or fix what is wrong and have a better market presence. Clearly earlier analytics was looked at for own set of data created internally but today not only own set of organised data but also a lot of unorganised, unstructured set of data has come into the play. Unstructured data has to be treated in a substantially different manner and the size of the unstructured data is much larger than the structured data.

What is fuelling the growth?

It all starts with the ever increasing data and how to reduce cost. Analytics play a very important role in ‘risk’ and ‘optimisation’. Typical scenarios like loan approvals, the parameters used to weed out fraud cases, inventory optimisation and the array


How have SAS offerings evolved?

If you had come and met me six years back I would have said we have some wonderful technology called data integration, data quality, SAS data, Stats, graphs and mining etc. But progressively we recognize that most clients are looking at that how quickly can they ramp up and that’s why the term leap frogging, how can they leverage IT and not waste time in reinventing the wheel. That’s where SAS came up with industry specific solutions. We have solutions for banking, telecom, retail, manufacturing and a few of these solutions are developed at our R&D facility in Pune.

Which verticals have been contributing to the SAS pie?

Initially 75 percent of our revenue was from banking and finance and one of the reasons for this was that it was one sector where data was readily available and it had a faster adoption curve in terms of technology. Today the BFSI contribution has dipped and the segment's contribution has come to 50 percent, but this is not because the market has come down or there is lesser business but purely the other segments have seen growth and addition. Telecom has caught

“India is now an independent region from this year. This is a clear reflection of the potential the company sees in the Indian region” —Sudipta K Sen CEO, & MD – SAS Institute (India)



leading hotel chains like Hilton, Sheraton, Shangri-La, Oberoi, Marriott etc. Progressively we will be rolling out to other areas. Trends will be in SME type of organizations who will not have the infrastructure and the capability for the analytics.

What about the organic and inorganic growth, any specific investment plans for India?

If we see any good assets in the market we are agile and open to pick it. In the recent past we had picked three companies and amongst that latest is Assetlink, which fits in very nicely with our customer intelligence portfolio where we do customer campaign management and marketing optimization. This is actually out of cloud, so all your digital assets are sitting out of the cloud. Assetlink is in marketing resource management (MRM). Combining SAS Customer Intelligence offerings with Assetlink's marketing resource management solutions into an integrated marketing management platform will make it easier for marketers to plan, create and optimize marketing programs.

in a big way, 15-20 percent now comes from telecom, and another vertical is government that is seeing an excellent growth. Pharma and clinical research is another vertical of focus and it contributes 7-8 percent to the pie. Some examples in government are Ministry of Health where they are doing some good projects on curbing the widespread diseases using SAS solutions. Another example is NACO (National Aids Control Office). They are also using SAS and have gone a step further and have integrated it with the GIS system by which they can know the epicenter and prevent the spread out of the disease. Retail is another vertical which has been seeing increased activity. Recent examples would be Shoppers Stop and in addition web based retailers like makemytrip.com also

use SAS solutions. Hence the adoption and usage of analytics is no longer confined to the biggies. People have seen the value and that’s where the next wave is coming from.

Talking about Cloud, it seems to be an offering for every technology, what is its impact on BA & BI?

There are some areas where cloud is here to stay, going ahead software as a service on cloud will play an active role. At SAS we have some offerings in the hospitality space where we offer our analytics on a software as a service (SaaS) basis. An example would be optimization of room rates. Room rates vary on a number of parameters like location, season etc and is an extremely dynamic scenario, we have a cloud based offering for the same and have signed up with most of the

SAS is known to invest around 24 percent of its revenue in R&D. Any plans to take this figure up and increase capacity at the R&D facility in Pune?

For SAS this is the highest investment of the total revenue which is way higher than the industry norms. We continue to invest but no specific revised figures for the same. At the R&D in Pune we continue to improve the product profile and add IP on the top. Few of the Assetlink members also are based in the facility.

How important is India in the SAS growth plans globally?

India is now an independent region from this year. This is a clear reflection of the potential the company sees in the Indian region. There are other markets which are already seeing the maturity curve; there is high future growth that is expected from the Indian region. India has shown a constant double digit growth year on year. I am extremely bullish, earlier India was known to not be progressive because of the large population but today the million population is what is giving the BA/BI market the much desired impetus.


NEXT HORIZONS

Feature Inside: Be the Gas Pedal, Not the Brake

Illustration BY shigil n

Big Data a $50 Billion Market

Enterprises should keep track of big data pure-plays as they continue to develop new applications and services

The world is buzzing about Big Data and it begs the question: "How big is the Big Data market?" Unable to find any market size information, Wikibon, an open-source-style community of industry analysts, kicked off a project to study the size and forecast the market and report on market shares. The study, How Big is the Big Data Market?, written by Jeff Kelly with David Vellante and David Floyer, looks at who is who in the Big Data space today, who is innovating and which companies are jockeying for position.

Wikibon defines Big Data to include data sets whose size and type make them impractical to process and analyse with traditional database technologies and related tools. The Big Data market, therefore, includes those technologies, tools and services designed to address these shortcomings, including: Hadoop distributions, software, subprojects and related hardware; Next gen data warehouses and related hardware; Data integration tools and platforms as applied to Big Data; Big Data analytic platforms, applications and data visualisation tools; Big Data support, training and professional services.

Highlights from the study show that the market leaders are IBM, Intel, and HP. These mega-vendors, the study said, will face increased competition from established enterprise suppliers as well as big data pure-plays, like Vertica, Splunk and Cloudera, who are developing big data technologies around Hadoop and use cases that are driving the market.

While IT heavyweights IBM and Intel currently lead the big data market in overall revenue, this is mainly due to their breadth of offerings and entrenchment in many enterprise data centers, the study said. Most of the "impactful" innovations are coming from the many small pure-play vendors. While not all will succeed in the long term, and some have yet to deliver any significant revenue, Wikibon said it expects many of these vendors to grow quickly. But, as their offerings, support services, and sales channels mature they will also become take-over targets. As was the case with Vertica (HP), Aster Data (Teradata), and Greenplum (EMC).

What follows is a listing of some of the bigger independent players and what they play with:

Hadoop distributions - Cloudera and Hortonworks are responsible for the majority of contributions to the Apache Hadoop project that are significantly improving the open source big data framework’s performance capabilities and enterprise-readiness. Cloudera contributes significantly to Apache HBase, the Hadoop-based non-relational database that allows for low-latency, quick lookups and Hortonworks' engineers are working on a next-generation MapReduce architecture that promises to increase the maximum Hadoop cluster size beyond its current practical limitation of 4,000 nodes.

Next-gen data warehousing - The three leading and, until recently, independent next-generation data warehouse vendors are Vertica, Greenplum, and Aster Data. All three vendors experienced significant revenue growth over the last two-to-three years, with Vertica leading the way with an estimated $84 million in revenue in 2011, followed by Aster Data with $50 million, and Greenplum with $40 million.

Big Data analytics platforms and applications - A handful of up-and-coming vendors are developing applications and platforms that leverage the underlying Hadoop infrastructure to provide both data scientists and “regular” business users with easy-to-use tools for experimenting with big data. These include Datameer, which has developed a Hadoop-based business intelligence platform with a familiar spreadsheet-like interface; Karmasphere, whose platform allows data scientists to perform ad hoc queries on Hadoop-based data via a SQL interface; and Digital Reasoning, whose Synthesis platform sits on top of Hadoop to analyse text-based communication.

Big Data-as-a-Service (BDaaS) for SMBs - BDaaS is developing rapidly thanks to vendors such as Tresata, 1010data and ClickFox. Tresata’s cloud-based platform, for example, leverages Hadoop to process and analyse large volumes of financial data and returns results via on-demand visualisations for banks, financial data companies, and other financial services companies. 1010data offers a cloud application that allows business users and analysts to manipulate data in the familiar spreadsheet format but at big data scale. And the ClickFox platform mines large volumes of customer touch-point data to map the total customer experience with visuals and analytics delivered on-demand.

82% enterprises do not have automated tools to measure productivity

Other non-Hadoop vendors contributing significant innovation to the big data landscape include: Splunk, which specialises in processing and analysing log file data to allow administrators to monitor IT infrastructure performance and identify bottlenecks and other disruptions to service; HPCC Systems, a spin-off of LexisNexis, that offers a competing big data framework to Hadoop that its engineers built internally over the last ten years to assist the company in processing and analysing large volumes of data for its clients in finance, utilities and government; and DataStax, which offers a commercial version of the open source Apache Cassandra NoSQL database along with related support services bundled with Hadoop. Enterprises should keep a close eye on these and other big data pure-plays as they continue to develop innovative but practical big data platforms, applications and services. The big data market is exploding, not only in terms of marketing hype but also in real revenue. While reasonable people can debate definitions and overall market sizes, one thing is clear - big data is a large and fast growing market. For IT practitioners it means investigating ways in which you can monetise data sources at your organisations and obtaining the skills necessary to achieve that objective. For the vendor community it means you need to have a story around big data that is credible with a roadmap that offers clear business value and flexibility to move with this fast-growing space.

—This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.


social media

Be the Gas Pedal, Not the Brake

Even as CIOs try to control social media, they are being pushed by stakeholders from across your organisation to create a social enterprise

By Vasudev Murthy

illustration BY Prince Antony

Like it or not, your enterprise is now social. You don't need a report from a research firm to tell you what you already know—that people don’t leave their personal lives behind when they enter the workspace. Their mobile devices ensure that they can be reached at any time, and they expect to reach out to others on demand too. News they can use about friends and events reaches them in a flash, and that’s the way they want it. As the next generation enters the workplace, they will simply assume their access to the world of "tweets" and "likes" and status updates will continue at work as it does at home. Online petitions and campaigns, viral videos, tweets that gather their own unstoppable momentum—that’s the world we live in.

Pity the poor CIO, trying your best to get your arms around threatening social media concerns such as data security and confidentiality as this new reality impinges upon enterprise technologies. Even as you're trying to bar the doors, you're being pushed by stakeholders from across your organization to create a social enterprise. Department heads have their own perfectly reasonable agendas to engage in social media. Marketing wants to reach customers faster than ever with “content” and wants to improve its digital brand and extend its influence. Your CEO is concerned about reputation management -- of himself or herself as well as your company. Even your CFO is all for reaching out to investors via social media. As for internal communication, you just can't beat the social media mantra of "communicate, be accessible, and constantly generate new content."

I know a CEO who wants to use social media to rebrand himself within his organization to become accessible. His goal is to reduce employee attrition by creating an organization that is flat and based on ease of communication. Executives with whom I speak in the banking industry understand that social media has to be part of customer acquisition and retention, despite substantial technological and logistical challenges. Some organizations are playing a game of catch-up. Others have realized that social media is a competitive differentiator that's diminishing rapidly as a growing number of companies embrace and exploit it.

An organization's social media strategy is no longer simply about its marketing and branding; it's also about finance, human resources, and business operations. In short, social media should no longer be the sole province of your company's marketing department. All of this means that today's CIO must embrace social media. To do so requires some practical adaptations. Here are five key recommendations for CIOs as you think about the Social Enterprise:

1 Make social media an asset, not something to fight. The very qualities that have the potential to make social media a distraction for workers can also create advantages for your organization. To make this a reality, you have to take ownership and work with your colleagues to discover the areas in your organization where social media can enhance your brand, your processes, your customer service, and your internal and external communications.

2 Create and distribute a social media policy. The issues the policy should address include confidentiality, privacy, communications standards for engagement, personal versus business engagement, harassment, and other areas specific to the organization. Will violations happen? Certainly. But having a policy in place protects your employees, and your organization, by establishing the standards you expect everyone to meet.

3 At the department level, ask employees to brainstorm ideas on how social media can enhance their work, business processes, and your company's brand in general. Your employees already are social media experts and good things will emerge. Trust them.

4 Investigate technologies that will integrate social media with your business processes, including CRM, to create synergies across the board.

5 Give your people the tools they need to be productive using social media. Make smartphones and iPads or other tablets an integral part of your business environment, and educate employees about privacy issues. You might be surprised that they are more sensitive about your company's data security and confidentiality concerns because they have already dealt with such challenges in their own lives.

None of this diminishes the expectation that CIOs must continue to keep business humming 24/7, secure the data that’s central to the company’s charter, and provide the highest level of IT service to the staff. Yet, this is an opportunity for a CIO to be more than the keeper of technology and, instead, become a strategic player within your organization. With this additional responsibility comes opportunity. The key is to be the gas pedal, and not the brake.

—Vasudev Murthy is Practice Partner, Functional Consulting, and head of the Social Media Practice for Wipro Consulting Services. He is based in Bangalore, India, and can be reached at vasudev.murthys@wipro.com.

—This opinion was first published in CIO Insight. For more stories please visit www.cioinsight.com.

10%: the rate of decline in the number of companies blocking social media


TECH FOR GOVERNANCE

Cloud

5 POINTS

To criminals Cloud providers are prime targets
While customers may enjoy some short term cost-benefits by going into the Cloud, they may be retaining more risk than they want
The early cyber policies included liability and property components
Cyber insurance is a much more established market with more carriers entering on a regular basis
Breach notification costs are direct and almost unavoidable after a personal information breach

Illustration BY anil t

Manage risk in the Cloud

Cyber insurance may be a solution to help overcome the issue of risk while moving to the cloud

By David Navetta


As organisations of all stripes increasingly rely on cloud computing services to conduct their business, (with many organisations entering into cloud computing arrangements with multiple cloud providers), the need to balance the benefits and risks of cloud computing is more important than ever. This is especially true when it comes to data security and privacy risks. Cloud providers are sitting on reams of data from thousands of customers, including sensitive information such as personal information, trade secrets, and confidential and proprietary information. To criminals Cloud providers are prime targets. At the same time, based in large part on the amount of risk aggregated by Cloud providers, most Cloud customers are unable to secure favorable contract terms when it comes to data security and privacy. While customers may enjoy some short term cost-benefits by going into the Cloud, they may be retaining more risk than they want (especially where Cloud providers refuse to accept that risk contractually). In short, the players in this industry are at an impasse. Cyber insurance may be a solution to help solve the problem.

coverages addressed claim expenses and liability arising out of a security breach of the insured’s computer systems (some early policies only covered “technical” security breaches, as opposed to policy violation-based security breaches).

The property-related components covered business interruption and data asset loss/damage arising out of a data breach (during the holiday season many online retailers suddenly developed a taste for business interruption coverage after realising just how negatively their business would be impacted by a denial of service attack). Additional first party coverages included cyber-extortion coverage and crisis management/PR coverage.

Unfortunately for the carriers, it was not easy to get people to understand the need for this coverage (and that is still a challenge today, but certainly a lesser challenge with all of the security and privacy news constantly streaming). Early on there were very few lawsuits and regulators were just beginning to consider enforcement of relatively new statutes like GLB and HIPAA.

Two things changed that made cyber insurance much more relevant. One was a rather sudden event, and the other more gradual.

First, in 2003, California passed SB1386, the world’s first breach notification law. The reality then (as now) is that companies suffer security breaches each and every day. Prior to SB1386, however, breaches of personal information simply went unreported.

With SB1386 and the subsequent passage of breach notice laws in 45 other states (and now coming internationally), the risk profile changed for data breaches. Instead of burying the breaches, companies were required to incur significant direct expenses to investigate security breaches and comply with applicable breach notice laws, including the offering of credit monitoring to affected individuals (which is not legally required by existing breach notice laws, but is optionally provided by many companies or "suggested" by state regulators). As a result, the plaintiffs’ bar now had notice of security breaches and began filing class action lawsuits after big breaches (usually involving high-profile brand name organisations). As such, cyber insurance coverage went from coverage addressing a hypothetical risk of future lawsuits, to a coverage addressing real-life risk (and now we have lawsuits getting deeper into litigation and public settlements of these types of cases).

Moreover, shortly after the passage of SB 1386 many cyber insurance policies began covering the direct costs associated with complying with breach notification laws, including attorney fees, forensic investigation expenses, printing and mailing costs, credit monitoring expenses and call center expenses.

Breach notification costs are direct and almost unavoidable after a personal information breach. Regardless of lawsuit activity, a direct financial rationale for cyber insurance coverage now existed.

The other change that occurred more gradually over time, but which has had a significant impact concerning the frequency and magnitude of data breaches was organised crime. In the early 2000s hacking was more of an exercise in annoyance or used for bragging purposes.

Hackers at that time wanted their exploits talked about and known. They wanted credit for hacking into or bringing down a sophisticated company (or better yet a division of the Federal Government or military). As such, when an attack happened it was discovered and remedi-

Expected revenues from business intelligence market in India in 2012

A Short History of Cyber Insurance Coverage In the early 2000s, just around the “DotCom Bust”, some insurers began developing a product designed to address the financial loss that might arise out of a data breach. This was a time where most “brick and mortar” companies were just beginning to leverage the economic potential of the Internet. At that time insurers wanted to target the big “dotcom” companies like Amazon, Yahoo, eBay, Google, etc., and other companies pioneering e-commerce and online retailing. At some point, somebody dubbed this type of insurance “cyber insurance.” The early cyber policies included liability and property components. The liability

$81m

The Chief Technology Officer Forum

cto forum 07 March 2012

47


T E C H FOR G O V E R N A N C E

c lo u d

ated, and that would be the end of it. True criminals, of course, are less interested in such notoriety. In fact, when trying to steal thousands/millions of records to commit identity theft or credit card fraud it is much better to NOT be detected. Lingering on a company’s network taking information for months or years is a much more profitable endeavor. Recognising that this type of crime is low risk (it can be performed from thousands of miles away in Eastern Europe with almost not chance of getting caught) and high reward, organised crime flooded into the space. And in this context the word “organised” is truly appropriate – these enterprises retain very smart IT-oriented people that use every tool possible to scale and automate their crimes. They leverage the communication tools on the Internet to fence their “goods” creating, for example, wholesale and retail markets for credit cards, or “eBay”-like auction sites to hawk their illicit wares (e.g. valuable information). The change in orientation described above has essentially resulted in a 24/7/365 relentless crime machine constantly attacking and looking for new ways to attack, and always seeming to be one step ahead of those seeking to stop them. That is why we read about security and privacy breaches practically every day in the newspaper. Fast-forward to present time. Cyber insurance is a much more established market with more carriers entering on a regular basis. There are primary and excess markets available for big risks, and companies of all sizes are looking at cyber more as a mandatory purchase rather than discretionary. As the world continues to change at seemingly light-speed and cyber risks increase (with the advent of hacktivism, social media and the consumerisation of IT/BYOD ) the need for cyber is also growing. 
With competition pushing cyber insurance prices down, and significant security and privacy risk being retained by organisations, risk transfer is becoming very attractive (and from an overall big picture systemic point of view, spreading is risk is also attractive). Another area where cyber may help smooth out security and privacy risk is with cloud computing.


Where Privacy and Security Risk Breaks Down in Cloud Computing Contracts

As we have written about extensively in the past, Cloud computing raises significant privacy and security risks that are often difficult to hammer out in a Cloud computing negotiation (to the extent a Cloud customer gets a chance to negotiate at all). The net result of these contract negotiation difficulties, and of Cloud provider unwillingness in many cases to take on meaningful risk contractually, is that the risk is retained solely by the Cloud customer. The following examples outline the privacy and security-related Cloud issues that impact the Cloud customer's risk: a Cloud provider failing to maintain reasonable security to prevent data breaches; a Cloud provider failing to comply with privacy and security laws applicable to the Cloud customer; a Cloud provider refusing to allow a Cloud customer to conduct its own independent forensic investigation of a data breach suffered by a Cloud provider; potential conflict of interests with respect to a Cloud provider’s handling of a data breach that may have been the fault of the Cloud provider, including failing to cooperate with its Cloud customers if that cooperation could adversely impact the Cloud provider; the Cloud customer’s potential obligation to comply with breach notice laws, including absorbing expenses for legal fees, forensic investigators, printing and mailing, credit monitoring and maintaining a call center; lawsuits and regulatory actions against the Cloud customer because of Cloud provider security and privacy breaches, and the legal fees, judgments, fines, penalties and settlement costs associated with them; and Cloud providers seeking to leverage and data mine Cloud customer information being processed in the Cloud.

The justification used by Cloud providers to avoid responsibilities for these risks and the costs associated with them is essentially risk aggregation. Cloud providers maintain that, because they serve hundreds or thousands of customers on shared computing resources, a single attack could expose Cloud providers to liability from all of those customers at the same time. In fact, we already have one example involving a business interruption of a Cloud provider that demonstrates how multiple customers can be affected by a security breach. They also claim that independent forensic investigations by customers in the wake of a data breach are not possible because they cannot accommodate multiple customers at one time, and even if they could, a forensic assessment would essentially expose each Cloud customer’s data to every Cloud customer conducting such an investigation.

Cyber Insurance: Addressing Retained Risk in the Cloud

So how does cyber insurance fit into this picture? As it currently stands, cyber insurance can be a very valuable tool for Cloud customers who are not able to get their providers to contractually take financial responsibility for security and privacy risk. Most cyber insurance policies cover data security and privacy breaches of not only the computer networks directly under the control of the insured, but also those computer networks operated by third parties for or on behalf of the insured. What this means in the Cloud context is that most cyber insurance policies may cover data breaches of the Cloud provider’s systems where the Cloud customer's/insured's data is stored and processed on those systems. This coverage will typically include most of the expenses listed above, including those direct expenses to comply with breach notice laws and costs to defend lawsuits and regulatory actions arising out of Cloud provider data breaches.

As such, in the event a Cloud customer cannot get reasonable contract terms, assuming it has purchased the correct cyber coverage, it will have a fallback risk transfer and will not be retaining that risk solely on its own.

Is there a catch? Not really currently, except of course the premium that must be paid and the fact that most cyber insurance policies have a self-insured retention that must be satisfied by the insured before the carrier is required to pay. However, there may be longer term problems that arise for the carriers.

At this point, whether they like it or not, carriers whose cyber insurance policies cover security and privacy breaches of third party service providers are already beginning to aggregate their risk when it comes to Cloud providers. Imagine a world with a relatively small number of Cloud providers serving a much larger customer base (to some degree we may already live in such a world considering the dominance of Google, Amazon, Rackspace and other big cloud players).

Many insureds/Cloud customers are going to be dealing with this relatively small number of Cloud providers. For example, I am sure that most cyber insurance companies, if they were to check their books, would find that many of their insureds already use the same Cloud providers and/or other third party service providers to store and process the insureds’ data. Further consolidation of Cloud providers, should that occur, will only increase the aggregation of risk.

However, as long as cyber insurance is more widely adopted, the aggregation risk may be manageable. The entire purpose of insurance is to spread the risk across a wide community of insureds, and by doing so hopefully individual insureds that experience a breach are not catastrophically impacted. At the same time carriers can build reserves and achieve reasonable profits.

The long term question is whether there are enough insureds purchasing cyber insurance to spread the risk and allow for the building of reserves to cover a breach of a major cloud provider that impacts a wide audience of insureds. We probably are not there yet, and unless demand increases, we may not get there. One thing that may happen, perhaps, is a push from the Cloud provider/customer community to somehow make cyber insurance more of a mandatory condition of doing business in the Cloud. Time will tell as to whether the cyber insurers view this aggregation issue as serious, and whether they will take steps to mitigate it (hopefully those steps will not involve narrowing the coverage). In the meantime, companies that are going deep into the Cloud should quantify the risk they are retaining and seriously consider cyber insurance coverage. The price may be right, and the peace of mind priceless.

[Sidebar statistic: 51% of organisations lose data through mobile devices]

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

Using Email Lists for Detecting Botnet IPs
A new approach to performing botnet mitigation
By Gianluca Stringhini

Although spam is at its historical low, it still remains a big problem for network and system administrators. Since most of today's spam comes from botnets, spam mitigation research tends to blend with botnet detection. By detecting and shutting down a spamming botnet infrastructure, researchers can have an impact on reducing the worldwide spam levels.

Usually, this can be achieved in two ways: by detecting and taking down the Command and Control infrastructure, or by detecting machines as they get infected and performing cleanups.

The first approach requires reverse engineering the Command and Control protocol of a botnet and understanding which servers in its infrastructure are critical. This can be a very complicated task, especially for those botnets using multi-layer infrastructures or peer-to-peer schemes. After researchers have detected the critical parts of the botnet infrastructure, they can start mitigation steps (for example, sinkholing the DNS requests to the domains associated with those hosts, or asking the ISPs hosting them to take them down). This type of approach was followed by Microsoft during the Rustock takedown in 2011, as well as by our group at UC Santa Barbara during the attempted Cutwail takedown in 2010. Although useful, this approach has two drawbacks. First, it depends heavily on the botnet being analysed: the detection techniques developed to find the critical nodes of one botnet might not apply to a second one. Second, the effects of such takedowns tend to be ephemeral: oftentimes, it doesn't take long until the botmasters set up new servers and bring their botnet back up.

The second approach suffers from similar problems. The methods used by botnets to propagate vary from botnet to botnet. Therefore there is no technique that can easily monitor machines as they get infected (at least, not from the network vantage point). Also, since the popular trend is to have users click on malicious email attachments in order to get infected, this is not an easy problem to solve.

In our research, we instead propose a third way of performing botnet mitigation. Instead of learning different features that allow us to identify and attack the different botnets, we study how bots behave when sending spam. The intuition here is that there are behavioral characteristics that are common across multiple botnets, and that make it possible to distinguish between bot infected machines sending spam and legitimate users sending emails for legitimate uses. As a first step in this direction, we developed a system called BotMagnifier.
This system is explained in detail in a paper that was published at the USENIX Security Symposium last August. The idea behind BotMagnifier is that bots belonging to the same botnet will share the same codebase and will take orders from the same set of C&C servers. Based on this insight, it should be possible to detect bot infected machines by learning the spamming behavior of a subset of known bots, and then looking in a network traffic dataset for more machines (i.e., IP addresses) that behaved in the same way. In particular, the system looks for groups of bots that contact the same set of SMTP servers while spamming. The idea behind this is that, while the email templates and the bot IP addresses a botnet uses might change over time, the victim email lists spammers use to spread their malicious content stay reasonably constant.

Having an extensive list of bot infected machines is useful for many purposes: it helps track the size of the world's largest spamming botnets, and it can be used by ISPs to clean up their networks, by removing or sanitising the infected machines.

In our experimental setup, we looked at the IP addresses that sent emails to our spam trap, grouped them based on campaign (i.e., botnet), and learnt the set of destinations they target by looking at the logs of our Spamhaus mirror. By tracking IP addresses over a period of four months, we were able to observe important events in the lifetime of large spamming botnets, such as takedowns. We were also able to track hundreds of thousands of IPs corresponding to infected machines.

The approach is not limited to the datasets we used. A network administrator could apply it to their own network, and be able to detect spamming machines in it. Although just a first step, this approach shows that looking at interaction with mail servers is a good way of detecting spambots. Also, this type of technique is harder for botmasters to evade: while they can come up with more complicated Command and Control structures, and develop proprietary protocols for their communication, they cannot obfuscate their connections to mail servers.
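The matching idea described above, as a simplified sketch added here for illustration; it is not BotMagnifier's code or the paper's exact algorithm. The log format, the sample addresses and host names, and the three thresholds are assumptions, and a network administrator would tune the thresholds against their own mail logs.

```python
from collections import defaultdict

# Constructed sample (not data from the article): source IP -> mail servers it
# connected to, as a mail transaction log would show them. All addresses and
# host names are documentation/example values.
SAMPLE = {
    "198.51.100.10": "a b c d",            # seed bot (seen at the spam trap)
    "198.51.100.11": "a b c",              # seed bot
    "198.51.100.12": "b c d z",            # seed bot, one stray destination
    "203.0.113.5":   "a b d",              # unknown host, same victim list
    "203.0.113.6":   "a b c d",            # unknown host, same victim list
    "203.0.113.50":  "a b c p q r s t u",  # busy legitimate relay
    "203.0.113.77":  "a",                  # too little traffic to judge
    "192.0.2.9":     "p q r",              # unrelated sender
}
LOG = [(ip, f"mx.{d}.example") for ip, ds in SAMPLE.items() for d in ds.split()]
SEEDS = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}


def destinations_by_source(log):
    """Group the log into {source IP: set of destination mail servers}."""
    dests = defaultdict(set)
    for src, dst in log:
        dests[src].add(dst)
    return dests


def target_set(dests, seeds, min_seed_share=0.5):
    """Destinations contacted by at least min_seed_share of the observed seeds.

    Dropping destinations that only a minority of seeds touched keeps a single
    noisy seed from widening the campaign's profile.
    """
    observed = [s for s in seeds if s in dests]
    counts = defaultdict(int)
    for s in observed:
        for d in dests[s]:
            counts[d] += 1
    return {d for d, c in counts.items() if c >= min_seed_share * len(observed)}


def magnify(log, seeds, min_coverage=0.6, min_purity=0.6, min_dests=3):
    """Return {ip: (coverage, purity)} for non-seed hosts that match the profile.

    coverage = share of the campaign's target set the host contacted
    purity   = share of the host's own destinations inside the target set
    Purity separates a bot from a large relay that reaches the same servers
    only because it talks to nearly everyone.
    """
    dests = destinations_by_source(log)
    targets = target_set(dests, seeds)
    if not targets:
        return {}
    flagged = {}
    for src, contacted in dests.items():
        if src in seeds or len(contacted) < min_dests:
            continue
        shared = contacted & targets
        coverage = len(shared) / len(targets)
        purity = len(shared) / len(contacted)
        if coverage >= min_coverage and purity >= min_purity:
            flagged[src] = (round(coverage, 2), round(purity, 2))
    return flagged


if __name__ == "__main__":
    for ip, (cov, pur) in sorted(magnify(LOG, SEEDS).items()):
        print(f"{ip}  coverage={cov}  purity={pur}")
```
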


— Gianluca Stringhini is a PhD candidate working as a research assistant at UC Santa Barbara. His research interests are Network Security, Botnets, and Spam Mitigation. You can follow him on Twitter at @gianlucaSB.

— This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.



VIEWPOINT
Steve Duplessie | steve.duplessie@esg-global.com

Market Research Reacting To Change

ESG conducted its annual IT spending intentions survey late last year. As part of that effort, we always analyse spending trends by industry. Normally we see traditional IT big spenders such as financial services and communications/media report the most bullish budget increases from year to year. This year, however, we noted that some 65 percent of manufacturing organisations expected to increase their IT spending levels in 2012, second only to business services. This is actually a continuation of a trend in which manufacturing organisations surveyed by ESG have consistently reported stronger IT spending year over year since a low point of 2009.

In the U.S., some recently-released economic data validates ESG’s findings and the overall rebound of the manufacturing sector. First, a benchmark New York Fed survey on manufacturing activity found that manufacturers expect significant capital spending increases in 2012. Second, on February 3, the U.S. Bureau of Labor Statistics reported that the U.S. added 50,000 new manufacturing jobs in January alone, compared to 235,000 in all of 2011.

While these are great validations of the work our research team has done, the real beauty is in the underlying fact – manufacturing, shunned by IT vendors, is back in the U.S. So if you are still clinging to your 2010 business plan theories, you are missing an important market. Why manufacturing is back is a different question. Perhaps it is simply because the sector is now way behind due to no/limited spend over the past 4 years, or maybe it’s because the economy really is stronger than I think. Regardless, those manufacturing folk are spending.

It takes time to refocus selling and marketing efforts – but don’t delay. Knowing where to refocus them is a critical part of the process – but it’s not the only part. You now have to re-learn the vernacular of the manufacturing sector – because there have been changes since you’ve played there last. Every sector has its own language, cadence, and way of doing things. Making sure you have mastered them is what separates those who sell from those who spin their wheels. The guy making huge buying decisions today was looking for a job, taking a pay cut, or just trying to keep the lights on with no budget at all three years ago. Now he is the king, dictating what companies are coming along for his ride. Did you ignore him? He’ll remember. Did you try to help him? He’ll remember. If you show up now not knowing his language, he’ll toss you out on your arse, and you’ll remember.

Common sense should tell you that the U.S. cannot continue to run at such outrageous deficit spending, and clearly IT will suffer (along with the rest) – but just how aggressively have tech companies altered their plans to diminish government sector targets and made the move back to manufacturing? Not many, I can tell you. It’s hard to get people to see the forest through the trees sometimes – even when the data stares them in the face. The bigger truth is: smart companies don’t spend time figuring out where the ball was – they attack where it’s going to be.

About the author: Steve Duplessie is the founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com



