CTO Forum May 7th, 2011


CTO Forum

Technology for Growth and Governance

May | 07 | 2011 | 50 Volume 06 | Issue 18

Cloud Strategy: What a CIO Needs to Know | The Holy Grail of Information Security | Hedging Future Energy Costs

Servers and switches are on the backburner. Indian CIOs are now talking about RoI and TCO. But is it all that they need to break into the C-suite?

A 9.9 Media Publication

No Holds Barred: APTs Need a Comprehensive Architecture

Best of Breed: IG is Everyone’s Problem Now

I Believe: Dare to be Disruptive




Editorial

Rahul Neel Mani | rahul.mani@9dot9.in

From Today to Now – How technology will shape our lives!

During my recent visit to the United States, I got an opportunity to hear and personally meet Kevin Kelly, Senior Maverick and founding Executive Editor of the famous ‘Wired’ magazine. Other things aside, Kevin is most known for his ongoing campaign to create a full inventory of all living species on earth. The goal of this campaign is to make an attempt at an "all species" web-based catalog in just one generation. In very simple language, Kevin explained ‘six’ major trends that will shape up the technology universe in the future. The trends he mentioned are:

1. Growing number of screens around us and how we deal with them
2. Growing importance of interactivity – a two way street
3. Sharing of information through cloud and widespread networks
4. Death of web pages and advent of live streams like Twitter, Facebook and RSS
5. Access replacing the ownership of digital stuff
6. Generating information instead of copying

It was mesmerising to hear Kevin during that one hour. And in the end he made a motherhood statement: “Wherever the attention flows, money follows.” The statement has deep-rooted connotations. Given the speed with which technology is changing and advancing, it's arguably true that change too will come about faster. And most of the above mentioned six trends are certainly the areas where human attention is flowing. Talk about any one or each one of them. Screens are the most apt example of where the attention is flowing today. Be it screens of the PC, TV, Tablet or mobile, humans seem to be caressing them more often than anything else. So much so that the whole focus of advertising has shifted to those screens.

The time is not far when these screens will merge into one (one screen for all) and become a lot more participative, interactive and responsive. Similarly, there is a visible shift from simple web pages to live streaming. It is not untrue that a static web page will vanish soon. Twitter, Facebook and RSS feeds have already done half the work. This whole revolution is pointing towards a new future… A future that will move away from ‘PC to cloud’, from ‘me to we’ and from ‘today to now’.

Editor's pick: Dare to be Disruptive

It is more satisfying to join a team in trouble and lead it to success. As a leader, a CIO should be challenging his peers and team to achieve more.

The Chief Technology Officer Forum

cto forum 07 MAY 2011



May 11

Cover design by PC Anoop

Contents

thectoforum.com

Cover Story

Back to the Future: Indian CIOs have started talking about RoI and TCO. But is it all that they need to break into the C-suite?

Columns

I believe: Dare To Be Disruptive. As a leader, a CIO should be challenging his peers and team to achieve more. By Aniruddha Paul

View point: The Hatred of Software Licensing. Licensing policies are one of the most hated in any organisation. By Steve Duplessie

Features

Tech for Governance: Information Security Policies and Procedures. Policies are integral to any security programme. By Alexander Hamerstone

Copyright, All rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o Kakson House, Plot Printed at Silverpoint Press Pvt. Ltd. D- 107, MIDC, TTC Industrial Area, Nerul, Navi Mumbai- 400706


www.thectoforum.com Managing Director: Dr Pramath Raj Sinha Printer & Publisher: Kanak Ghosh Publishing Director: Anuradha Das Mathur Editorial Editor-in-chief: Rahul Neel Mani Executive Editor: Yashvendra Singh Senior Editor: Harichandan Arakali Assistant Editor: Varun Aggarwal DEsign Sr. Creative Director: Jayan K Narayanan Art Director: Binesh Sreedharan Associate Art Director: Anil VK Sr. Visualiser: PC Anoop Sr. Designers: Prasanth TR, Anil T, Joffy Jose Anoop Verma, NV Baiju, Vinod Shinde & Chander Dange Designers: Sristi Maurya, Suneesh K, Shigil N & Charu Dwivedi Chief Photographer: Subhojit Paul Photographer: Jiten Gandhi

A Question of Answers

“We are the catalysts for cloud deployments”: Josh Tseng, Technical Director, Riverbed, talks about the growing market of WAN optimisation and the company's focus areas.

Next horizons: Green IT, beyond the datacentre. The less obvious ways CIOs can contribute to corporate sustainability. By Chris Boorman

No holds barred: Steve Robinson, GM, Worldwide, IBM Security Solutions, on the reasons for the company's continued growth.

Regulars

Editorial

Enterprise Round-up

advisory Panel Anil Garg, CIO, Dabur David Briskman, CIO, Ranbaxy Mani Mulki, CIO, Pidilite Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo Raghu Raman, CEO, National Intelligence Grid, Govt. of India S R Mallela, Former CTO, AFL Santrupt Misra, Director, Aditya Birla Group Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices Vijay Sethi, VP-IS, Hero Honda Vishal Salvi, CSO, HDFC Bank Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay Vijay Mehra, CIO, Cairns Energy Sales & Marketing National Manager-Events and Special Projects: Mahantesh Godi (09880436623) Product Manager: Rachit Kinger (9818860797) GM South: Vinodh K (09740714817) Senior Manager Sales (South): Ashish Kumar Singh GM North: Lalit Arun (09582262959) GM West: Sachin Mhashilkar (09920348755) Kolkata: Jayanta Bhattacharya (09331829284) Production & Logistics Sr. GM. Operations: Shivshankar M Hiremath Production Executive: Vilas Mhatre Logistics: MP Singh, Mohd. Ansari, Shashi Shekhar Singh OFFICE ADDRESS Published, Printed and Owned by Nine Dot Nine Interactive Pvt Ltd. Published and printed on their behalf by Kanak Ghosh. Published at Bunglow No. 725, Sector - 1, Shirvane, Nerul Navi Mumbai - 400706. Printed at Silver Point Press Pvt Ltd., A-403, TTC Ind. Area, Near Anthony Motors, Mahape, Navi Mumbai-400701, District Thane. Editor: Anuradha Das Mathur For any customer queries and assistance please contact help@9dot9.in


The author brings 19 years of experience to his job, as Head, IT Change Delivery, at ING Vysya Bank Ltd. Paul is currently in charge of IT enabled business transformation at the bank.

Photo by Radhakrishna

I Believe

By Aniruddha Paul IT-Head, ING Vysya Bank Ltd

Dare To Be Disruptive

As a leader, a CIO should be challenging his peers and team to achieve more.

A question that I always ask myself and my team is, ‘Do you think you can be considered a success just by being a part of a successful organization or would you rather be remembered by joining a team in trouble and helping them achieve success?’ The latter is significantly tougher but infinitely more satisfying. The key to being a turnaround artist is being disruptive, and this is a lesson that I learnt early on in my career, when I was with a premier organisation in the IT solutions space. I was a solutions expert, based in Pune, as part of a team servicing the enterprises in the industrial belt in the region. An important reason I was there was that the company was trying to turn around the business in the region.

One day, around the time we were working on presenting the next year's plan, including revenue targets and so on, a senior executive walked in and wanted to know what we would achieve the following year. When this executive, whose role included the responsibility for the company’s performance in the region, heard we were expecting to grow at a certain rate, he challenged us: “How can you say this, when the least I expect is that you grow at a rate that will put you on par with the kind of market share the company enjoys elsewhere?” There was a lot of consternation in the team, with people grumbling “how can he ask this of us, when he knows of all the constraints faced by us in this region?” and so on.

What the executive wanted was for us to grow not the 10-odd percent we thought was realistic, but the 400 percent needed to bring the company’s share in this weak region on par with the zones where it enjoyed as much as 30 percent market share. The moral of the story is that in this case, the supervisor was convinced it was do-able and wouldn’t take no for an answer: sure enough, while it took us the next two to three years, we did bring the company’s market share in the region up to the level he’d envisaged. If, when required, a leader is not disruptive enough in challenging his peers and his team, the organisation he works for will suffer.

Current challenge: Planning for the next set of IT change initiatives to help take ING Vysya Bank to the next level.




LETTERS

COVER STORY: LEADERSHIP

VANDANA AVANTSA CIO, Motherson Sumi Systems

ANNIE MATHEW CIO, Mother Dairy

AMRITA GANGOTRA Director – IT, India & South Asia, Bharti Airtel


REENA MALHOTRA Deputy General Manager (IT), MTNL.

CTOForum LinkedIn Group

A few women have broken into the male bastion called CIO. They are role models for a whole new generation of aspiring women IT leaders.

Join close to 700 CIOs on the CTO Forum LinkedIn group for latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at:

By Yashvendra Singh


NEENA PAHUJA CIO, Max Healthcare

ASMITA JUNNARKAR CIO, Voltas


PUNEET KAUR KOHLI CIO, Marvel Group

WOMEN LEADERS: Making the Cut

[Cover of the 21 April 2011 issue]

Imaging by PC Anoop

To boost team productivity, a large number of organisations today want to bridge gender diversity at all levels. They have realised women have those extra qualities that men lack. Women by nature are team players and possess the strength of getting into details to solve problems. They have more patience, and can take higher levels of stress, irrespective of whether it is home or workplace. Women bring in that required focus and commitment to finish the job on time. The reason for this could be that they have another job to be done at home.

Attributes such as self belief and a fighter attitude are common for both males and females to succeed in any sphere of life. However, for women, unflinching support from the family is of utmost importance to make it big in life. There is a saying that behind every successful man there is a woman. Likewise, behind every successful woman, there is a complete family.

Professions with odd working hours have always deterred women from taking them up. In the field of IT, there are a sizeable number of women in the applications development and support space but few in the area of network infrastructure. The running around and late nights associated with network management comes across as a big deterrent for women. For a woman CIO to be competent, she needs to have a complete knowledge of application, infrastructure and security. Till now, infrastructure had been a grey area for women. Going ahead, this scenario could change with improvements in areas of social networking, video conferencing and remote management. There are tools that enable one to remotely manage the network without being present in office.

While the next generation of women CIO aspirants could find the going easy with these new developments, there has been a generation of women CIOs that has done the tough act of balancing home and office, broken the glass ceiling, overcome all odds, and emerged triumphant. In the following pages, you will come across women CIOs who took the path less traveled and excelled in their endeavours.


What are the attributes of a good CTO? What are the prerequisites for a CTO role?

I see the CTO's role as that of a technology leader bridging the gap between the commercial requirements of the enterprise and the technology support of those requirements. An effective CTO should be able to guide the efficient implementation of IT strategy of the business.

www.linkedin.com/groups?mostPopular=&gid=2580450

Some of the hot discussions on the group are:

The Cloud is all air and no substance

Do you think cloud is going to die a quick death of SOA or is it going to make big headway into the enterprise? Is it old wine in a new bottle? What does it lack in making a convincing case?

It's real and all about today and tomorrow. However, you have to bring it back to a realistic service that gives tangible benefits. There are a great deal of 'cowboy' stories and not many who really understand it.

—Ronald Kunneman, Director at Digitra

http://www.thectoforum.com/content/3gdevices-willattract-morecyber-scamsters

View IT as a profit centre

A CIO should connect business strategy with tech architecture. “The role of CIOs is to become a bridge between a company's business strategy and the enabling technology architecture.”

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be work in progress and your comments will go a long way in making it the preferred publication of the CIO Community.


Harvinder S Rajwant, Vice President, Borderless Networks – Security, Cisco Systems talks to Varun Aggarwal about the increasing threats on the mobile platform, fired up by 3G.

Opinion

Richard Ward, Head of Technical, WIN Plc

Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com

CTOF Connect

To read the full story go to:

http://www.thectoforum.com/content/view-it-aprofit-centre

Ajay Satyarthi, Senior GM-IT, Videocon Telecommunications Ltd.




Enterprise Round-up

News inside: Brocade Unveils Vision for the Virtual Enterprise

Illustration by Shigil N

Cloud Service Sourcing Immature and Risky

Gartner's special report examines key issues facing the future of cloud sourcing.

The $820 billion IT services market is changing quickly and dramatically as cloud computing and offshoring become mainstream, and senior IT managers should take steps to manage inherent risks and unexpected costs during the cloud services revolution, according to Gartner. During the next few years, market dynamics will determine whether cloud-enabled outsourcing will be the demise of traditional outsourcing, if it will lead to the convergence of services and products currently marketed "as a service," or if it will result in next-generation outsourcing.


Cloud-driven business and IT services include all types of solution that are developed, bundled and packaged as outsourcing service offerings for which the business or IT service provider uses one or more cloud computing technologies within the solution's overall architecture. Gartner refers to these services as "cloud-enabled outsourcing service offerings." These services can be delivered directly by a cloud provider or via a service aggregator for the delivery of pre-engineered and configurable business solutions in a timely and cost-effective manner.

Data Briefing: 77 million users’ data stolen in an attack on Sony PlayStation Network


They Said It: Kazuo Hirai

Photo by photos.com

Sony Corp.'s recent inability to protect the personal information of over 77 million of its PlayStation Network users highlights the risk of data leaks via hugely popular online gaming systems. "I deeply apologise to our very important customers for causing trouble," Sony Executive Vice President Kazuo Hirai said with a deep bow at a press conference.

APeJ IT Services Market to reach $52.9 Billion by 2011

Year on Year growth of 8.7 percent.

The total Asia Pacific excluding Japan (APeJ) IT Services spending in 2011 is expected to grow by 8.7 percent over 2010, riding on dual waves of outsourcing services (especially on the application side) and new IT projects specifically on “Cloud” and “Smart Infrastructure”, finds Springboard Research, a leading innovator in the IT Market Research industry. The Springboard Research report “APeJ IT Services Report - 2010” further found that the market is estimated to reach 52.9 billion by 2011, with China, Australia and India contributing 72 percent to the total spending.

The research shows that 64 percent of the IT services spending comes from discrete services, majorly infrastructure support and integration related services, and the remaining 36 percent from outsourcing services. Developing countries like India and China are also leapfrogging and adopting these new technologies and business models while driving the markets’ volume, thanks to a fast adoption of more traditional services such as managed services (India) and IT outsourcing (China). These cumulatively drive the growth of IT Services in the region. As cloud computing continues to gain market prominence, everything is increasingly being packaged / productised as a service to replace CAPEX outlays in favor of more variable OPEX spending.

“We apologise for the inconvenience that this matter has caused consumers and for the potential unsolicited emails that may occur as a result of this incident. We are taking immediate action to develop corrective measures intended to restore client confidence in our business and in turn regain their customers’ confidence.”

—Kazuo Hirai, Group CEO, Sony Computer Entertainment Inc.

Photo by photos.com

Quick Byte on Security

North Korea was responsible for paralysing the National Agricultural Cooperative Federation’s computer network in April in a second online attack in two months linked to the Kim Jong Il regime, the Seoul Central District Prosecutors’ Office has said.


Brocade Unveils Vision for the Virtual Enterprise

Introduces Brocade CloudPlex, an open architecture for Cloud-Optimised networks.

Illustration by Shigil N

Brocade has introduced a new technology architecture that outlines the company’s vision and the technology investments it will make to help its customers evolve their data centers and IT resources and migrate them to the “Virtual Enterprise”. Brocade intends to deliver on this vision through the Brocade CloudPlex architecture, an open, extensible framework intended to enable customers to build the next generation of distributed and virtualised data centers in a simple, evolutionary way that preserves their ability to dictate all aspects of the migration.

What is unique about the Brocade CloudPlex architecture is that it is the foundation for integrated compute blocks and also embraces a customer’s existing multi-vendor infrastructure to unify all of their assets into a single compute and storage domain. Brocade CloudPlex meets the goal of the Brocade One strategy, designed to help companies transition smoothly to a world where information and applications can reside anywhere by delivering solutions that deliver unmatched simplicity, nonstop performance, application optimisation and investment protection.

“Virtualisation has fundamentally changed the nature of applications by detaching them from their underlying IT infrastructure and introducing a high degree of application mobility across the entire enterprise,” said Dave Stevens, chief technology officer at Brocade. “This is the concept of the ‘Virtual Enterprise’ that we feel unleashes the true potential of cloud computing in all its forms – private, hybrid and public.”

Through the CloudPlex architecture, Brocade will help its customers scale their IT environments from managing hundreds of virtual machines (VMs) in certain classes of servers to tens of thousands of VMs that are distributed and mobilised across their entire enterprise and throughout the cloud. According to Gartner, the expansion of VMs not only improves automation and reduces operational expenses, it is the primary requirement for IT organisations to migrate to cloud architectures. Gartner advises that “IT organisations pursuing virtualisation should have an overall strategic plan for cloud computing and a roadmap for the future, and should plan proactively. Further, these organisations must focus on management and process change to manage virtual resources, and to manage the speed that virtualisation enables, to avoid virtualisation sprawl.”

The Brocade CloudPlex architecture will define the stages and the components from Brocade and its partners that are required to get to the Virtual Enterprise. The stages comprise three main categories – fabrics, globalisation and open technologies – with some of these components being available today while others are in development or on the roadmap of Brocade’s engineering priorities.

The currently available components are:

Networks comprised of Ethernet fabrics and Fibre Channel fabrics as the flat, fast and simple foundation designed to scale to highly virtualised IT environments

Multiprotocol fabric adapters for simplified server I/O consolidation

High-performance application delivery products necessary for load balancing network traffic across distributed data centers.

Global Tracker: Freedom of Internet Use

Estonia has the freest Internet, with a restriction of just 10 points, followed by the US with a restriction score of 13. The most restricted Internet is for users in Iran, Cuba and China.

SOURCE: ‘Freedom on the Net’ (FOTN) report by the Freedom Institute for 2011



Illustration BY photos.com

Worldwide IT Services Revenues Returned to Growth in 2010

Increased 3.1 percent to $793 Billion in 2010.

Worldwide end-user spending on IT services totaled $793 billion in 2010, a 3.1 percent increase from 2009 revenue of $769 billion, according to Gartner. "There is little doubt that the effects of the global recession of 2008 and 2009 are still very much being felt, but the market for IT services bounced back in 2010 after a 5.1 percent revenue decline in 2009," said Kathryn Hale, research vice president at Gartner.

IBM retained its No. 1 market share position in IT services in 2010, with a revenue increase of 2.6 percent returning $56.4 billion in revenue and accounting for 7.1 percent of the market (see Table 1). With arguably the weakest revenue performance in the top five, HP grew its IT services revenue less than $100 million, or 0.3 percent, in 2010. Fujitsu, at 3.5 percent annual growth in IT services and revenue of $24.1 billion, had a solid year in 2010 in U.S. dollar terms. Accenture returned perhaps the strongest numbers within the top 10 in 2010, growing revenue $1.3 billion to $22.2 billion, a growth rate of 6.1 percent.

"Among the more than 300 vendors tracked, acquisitions affected more than 10 percent of total revenue, in a market where no provider has more than 7 percent market share," said Dean Blackmore, senior research analyst at Gartner. "Although global sourcing makes the location of a provider's headquarters increasingly less relevant, we found that India-based vendors continue to grow above the market average and, therefore, continue to gain market share," Blackmore said. "In a market that grew 3.1 percent in 2010, India-based vendors collectively grew 18.9 percent, increasing their market share from 4.8 percent in 2009 to 5.5 percent in 2010."

Software support showed the highest growth in 2010 at 6.6 percent. Weaker performances came from process management and hardware support, both of which grew approximately 1 percent less than expected growth. Consulting and development/integration services came in slightly above expectations as organisations that had put investments on hold began investing again in 2010, particularly in the second half of the year.

Fact ticker

Google Chrome Eyes 12 Percent Share

Chrome OS to be launched soon.

Google's Chrome Web browser notched 11.9 percent market share through April, a modest gain from 11.5 percent through March, according to Net Applications. Apple's Safari share grew to 7.1 percent from 6.6 percent through April. There were no big market share losers for the month, though Chrome appeared to continue to nip at its rivals.

Microsoft Internet Explorer continued to lose share, dipping from 55.9 percent to 55.1 percent for the month. IE 9 has doubled its usage share on the new Windows 7 platform from 3.6 percent last month to 7.5 percent in April. Mozilla Firefox dropped a bit to 21.8 percent from 21.6 percent.

Google's Chrome team is launching a new stable release every few weeks, though it is unclear if this is helping market share. Google March 22 launched Chrome 11 to its Chrome beta channel with support for the HTML5 speech input API. The stable version of the browser just revved with 27 new bug fixes, with bug hunters earning $16,500 for their finds as part of the Chrome rewards program. Chrome has been growing steadily for the last year. The browser will be interesting to track once computers based on the Chrome Operating System roll out in June or July as promised.

Container DC

Cisco Systems is moving its Unified Computing System, or UCS, into the portable container data center market, similar to what IBM, the former Sun Microsystems (now part of Oracle), Hewlett-Packard, Dell, Microsoft and SGI (formerly Rackable) have been doing for the last seven or eight years. On May 2, the company said it has now made available the Cisco Containerised Data Center as an alternative to address the computing and networking needs of both public and private sector organisations. This intended development was first announced in March 2010.

This gives Cisco another way to sell its UCS, a pre-configured IT hardware and software package upon which the company has been banking heavily to expand its market reach. The UCS' network-centric data center infrastructure authorises partners such as EMC, BMC, NetApp, VMware and Intel to provide components that Cisco does not make. These portable data centers come in standard 40 by 8 feet and smaller-size 20 by 8 feet shipping containers for transport on ships and trucks. All the necessary servers, storage and networking equipment are crammed into these containers; all that's needed on location are electrical power and cooling-fluid sources.




A Question of answers

Eyeing Growth: With WAN optimisation gaining popularity, Riverbed will be expanding its layer 7 capabilities.

14

cto forum 07 may 2011

The Chief Technology Officer Forum

PERSON' S NAME


J os h T sen g

A Question of answers

Josh Tseng | riverbed

“We are the

catalysts for cloud deployments” With the advent of cloud, organisations are increasingly looking at how they can optimise their WAN infrastructure. Varun Aggarwal spoke to Josh Tseng Technical Director, Riverbed, about the growing market of WAN optimisation and the company's focus areas. What are the key trends that you see in WAN optimisation? WAN optimisation is one of the fastest growing markets in IT and Riverbed is a leader in the market. Now it’s a major market projected by IDC and many other analysts, and is growing at a significant rate. The total market today is estimated at more than a billion dollars and going to grow even more. The reason for this growth is additional product and technology. This is a technology adopted by many companies, 80 out of 100 top companies are our customers. But there is lot of innovation that can take place.

What kind of innovation can we expect to see in this space? The enterprise environment is a very diverse environment. Every application works in a different way and thus WAN optimisation is incomplete without a tighter integration with these applications. What is key for WAN optimisation is to become more aware at layer 7 of the TCP/IP protocol. The app level intelligence is the area where there is lot of scope in terms of innovation. However, you need to invest into developers, engineers, test facilities etc to do this and Riv-

erbed is in the right position to do that. Tighter application integration would be our key focus area. What are the new developments in the cloud computing space? We have a number of products for the cloud. Currently we are working with Amazon for our Riverbed Cloud Steelhead. The product is purposebuilt for public cloud computing environments. We released the product for Amazon and going forward we will target other cloud providers. One of the major challenges with cloud computing is sending and

The Chief Technology Officer Forum

cto forum 07 may 2011

15


A Question of answers

receiving large volumes of data, putting tremendous pressures on the bandwidth requirements. For this, we’ve come out with Riverbed Whitewater, which is a deduplication solution for cloud storage. It helps in providing optimisation and deduplication to minimise data transfer bandwidth and storage capacity needed. This solution is the most granular solution available in the industry with data chunks as small as 100 bytes. Because we can recognise byte level repetitive patterns, our solutions require you to transfer the least amount of data to the cloud, saving both bandwidths as well as cloud storage costs. How much do you think has cloud computing affected WAN optimisation market? While cloud computing has fueled the growth of WAN optimisation, the reverse holds true as well. For example, our products are considered by many of our customers as a pre-requisite for moving to the cloud. We have customers telling Microsoft, Amazon and Google that they will not move to the cloud unless these companies have Riverbed in their data centre. And this includes several fortune 500 companies. Our leading customers are already adopting cloud computing and as more and more enterprises move into cloud, they will realise that moving without WAN optimisation is difficult. Amazon’s N. Virginia data centre suffered a cyber attack recently, which actually led to many customers losing their data. What kind of impact would this event have on cloud computing? Amazon has to learn a lot internally. I think clouds are still evolving and trying to build the right processes. However, what happened to Amazon could have happened to any private data centre. That was


Josh Tseng

“WAN optimisation solutions help companies run faster and more efficiently, thereby saving time.”

unfortunate event. Amazon needs to spend time with IT professionals and put in place the right processes, hence minimising the risks. They also have to put in place new data centres and improve redundancy for risk management. Risks have to be covered. The attack is a lesson to be learnt. Some enterprises will never go for an external data centre because of sensitive data. For example, banks are least likely to move into (public) cloud.

What measures can enterprises take to prevent data loss over cloud?

Primary data will be the responsibility of the cloud provider. But as far as secondary data or the backup and archival data is concerned, enterprises need to deploy solutions like Riverbed Whitewater for cloud storage. With the least amount of data redundancy, organisations would have higher budgets to have mirror images of their data with different cloud providers. Therefore, even in case all the data centres of one cloud provider go down, you’ll still have your data intact with another cloud provider.

Things I Believe In

WAN optimisation is one of the fastest growing markets in IT.

The key to WAN optimisation is to become more aware at layer 7 of the TCP/IP protocol.

While cloud computing has fueled the growth of WAN optimisation, the reverse holds true as well.

Are SMBs and enterprises both looking at cloud?

Adoption is growing by leaps and bounds in the US. The US is leading in tech innovation and many Fortune 500 companies are moving into cloud and testing Riverbed with it. Many of them are also doing pilots. Showing the increased growth of clouds, analysts say that Amazon’s revenues from cloud would exceed its retail revenues in just a couple of years.

What are Riverbed’s focus areas?

We would be looking at expanding our layer 7 capabilities, i.e. tighter integration with enterprise applications. We are also positioning ourselves as catalysts for those who want to move into cloud. WAN optimisation is going to be highly popular. WAN optimisation solutions enable organisations to run business faster and more efficiently, saving time and cutting the cost of IT infrastructure. There is a continued need for WAN optimisation in India and Riverbed is best suited to meet the needs of the enterprises. We are also making sure that we offer the most advanced capabilities to our customers. For this, we release the largest number of software updates compared to our competition at any given time.


Best of Breed

Features Inside

Amazon, the Media and the Future of Cloud
Cloud's Transformation: The Softer Side
Cloud Strategy: What a CIO Needs to Know

Illustration by Anil T

IG is Everyone's Problem Now

Data Briefing: 54% medium businesses in India are currently using smart phones.

More reasons why CIOs should be investing in IG. By Barclay Blair

In my earlier column, Making the Case for Information Governance (in the 7 March, 2011 issue), we looked at three reasons that information governance (IG) makes sense: 1. We can't keep everything forever; 2. We can't throw everything away; and 3. E-Discovery. In this column, I want to build on this list by adding three more reasons why CIOs should be investing in IG:

Reason 4: Your employees are asking for it if you just listen

“When you start to actively address your organisation's information overload challenges and give people the guidance and tools they need to work more effectively, amazing things happen. They start to make better decisions. They finish projects faster. They generate new ideas. And they drive business growth.” - Basex Information Overload Exposure Assessment

IG makes sense because it helps knowledge workers separate “signal” from “noise” in their information flows. By helping organisations focus on the most valuable information, IG improves information delivery and improves productivity.

Study after study shows that most knowledge workers feel overwhelmed by the amount of information they have to deal with. One AIIM International study found that “sheer overload” is the biggest problem with email as a business tool. [i] Another study says that most professionals spend way too much time looking for information and feel they could not handle any “increases in information flow.” [ii] Yet another study claims that companies in the U.S. lose $900 billion worth of employee productivity each year due to information overload. [iii]

My experience with implementing IG programs has taught me that, after a period of initial resistance, most knowledge workers appreciate the clarity that IG policies and technology provide. Rather than struggling to invent their own “filing system” and worrying about the trouble that they may face if they get it wrong, the majority of employees quickly understand the value of IG and make it part of their daily routine.

The deluge of poorly managed, redundant, irrelevant, and unclassified information that most knowledge workers face today is huge and growing. IG can improve productivity and reduce the impact of information overload by helping organisations:

Classify information better so it can more easily be found.
Get rid of unnecessary information so employees don't have to weed through it.
Better target and personalise information for individuals and communities.
Provide better access to information while still meeting confidentiality and information protection requirements.
Assign resources and technology to information commensurate with its value.


Reason 5: It ain’t getting any easier

“By far the biggest mistake people make when trying to change organisations is to plunge ahead without establishing a high enough sense of urgency in fellow managers and employees. This error is fatal because transformations always fail to achieve their objectives when complacency levels are high.” - John P. Kotter, “Leading Change,” Harvard Business School Press, 1996.

IG makes sense because it is a proven way for organisations to respond to new laws and technologies that create new requirements and challenges. The problem of IG will not get easier over time, so organisations should get started now.

Every day the pile of unmanaged information in your organisation grows. Every day the habits of your knowledge workers get more ingrained. Every day new technologies enter your enterprise and create new sources of unmanaged risk. Every day technology gets more complex. Every day courts and regulators grow more sophisticated and demanding when it comes to information management. Time will not make the information management problem any easier.

More regulation of information management is expected. Beginning as early as the 1970s (with privacy law directed at the federal government) and intensifying in the early years of the new millennium (with Sarbanes-Oxley and the revised Federal Rules of Civil Procedure), governments, regulators, and standards bodies have demonstrated an increasing appetite for the regulation of IT and information. Increasing federal and state regulation has driven demand for IG products and services. The current administration, as well as regulators in nations across the globe, have demonstrated an increasing appetite for regulation; an appetite that seems only to be increasing in the wake of the recent global economic crisis that is widely seen as having a root cause in inadequate government oversight and regulation. This is likely to drive legal and regulatory changes that will create new IG requirements for organisations.

And information is getting more complex. The growing business use of Web 2.0 technologies such as blogs, wikis, and social networking tools, along with other developments such as cloud-based applications, are making information management more challenging. The emergence of such technologies is a challenge to traditional command and control methodologies and thinking.

The reality today is that each knowledge worker is his or her own records manager. Responsibility for the creation and management of information is highly distributed and a new generation of Internet-based tools and applications only encourage this trend.

In addition, technologies like Google Wave create new difficulties. Products that blend together formerly discrete communication, collaboration and content creation tools challenge the long-standing focus on “the document” and usher in a world where we no longer manage discrete pieces of information. The “wave” of information created by these tools is an ever-changing Hydra that pulls information from a variety of sources and blends them together into an environment that cannot be “retained” or managed using traditional approaches. As technology and the new forms of information created by that technology grow more complex, IG provides the foundation from which we can build processes and techniques to properly manage that information. IG isn’t getting any easier so the time to act is now.

98% of information today is electronic and under the stewardship of IT

Reason 6: IG is the future of organisational culture

“While detailed knowledge of a single area once guaranteed success, today the top rewards go to those who can operate with equal aplomb in starkly different realms.” - Daniel Pink, “A Whole New Mind”

IG makes sense because it reflects the future of organisational culture – diverse groups working together to solve complex problems. IG can help to foster this culture and lead organisational change.

In the bestselling book, A Whole New Mind, Daniel H. Pink argues that the future belongs to those who can see across boundaries to envision the “connections between diverse, and seemingly separate, disciplines.” He posits that this ability is becoming essential to the success of individuals and organisations. This theory is directly applicable to IG. IG, with its legal, technology, records management, and business elements, is by nature multi-disciplinary. Success in IG is synonymous with the ability to peer beyond the confines of one discipline to understand how each discipline connects with the others to solve the problem.

In Managing the Crowd: Rethinking Records Management for the Web 2.0 World, Steve Bailey suggests that “[r]ecords management has ... long been defined by the narrowness of its focus.” But records management shouldn’t be singled out. Just as records management has clung to the idea that it should only worry about one narrow class of information (i.e., records, often in paper form), IT has largely refused to take management responsibility for the information flowing through its systems. Business leaders and attorneys have their own form of blinders that are a barrier to the connected thinking and problem solving that IG requires.

As a consultant, I have many times sat in windowless rooms drinking terrible coffee and mediating between these groups. Although this is rewarding work, the pattern is always the same: nobody understands that they are all trying to solve the same problem. Each group is more than willing to share their discipline’s view of the problem (often using their “outside voices”), but nobody believes that they “own” the IG problem as a whole. And, in most cases they are right. Corporate governance structures mostly have not evolved to address the complex issues of IG.

The result? When the committees and task forces and working groups have all come and gone, nobody is on the line -- in their career and their paycheck -- for the success of the IG effort. The flipside of this is equally true. When everyone owns a task, nobody in particular owns the task. Thus, nobody can be held accountable. Corporate structures aren’t very good at holding groups responsible, at least at the task level.

In mediating such sessions, I am most successful when each group learns -- often through a traumatic experience -- to empathise with the others (incidentally, another “right brain” quality that Pink points out as essential). Any guesses as to what the catalyst for this empathy is the majority of the time? Yep, lawsuits and investigations. Major business events that require legal, IT, records management, and business to work together -- often under enormous pressure -- to solve a common problem.

Illustration by PHOTOS.COM

—Barclay T. Blair is a consultant to Fortune 500 companies, software and hardware vendors, and government institutions, author, speaker, and internationally recognised authority on a broad range of information governance issues. He is the founder and principal of ViaLumina Group, Ltd. His blog, Essays in Information Governance, is highly regarded in the information governance community. Barclay is the award-winning author of several books, including Information Nation, and is currently writing Information Governance for Dummies. Barclay is a faculty member of CGOC (www.cgoc.com).

—This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIO Update.com.


Amazon, the Media, and the Future of Cloud

The future of cloud remains no fundamentally different post-Amazon-outage than it did before. By Dennis Drogseth

At the end of last year and into this year I did a five-part series on strategies for adopting and assimilating cloud. My overall message was, and remains, that good service management disciplines and technologies still apply -- though some unique planning and more dynamic approaches to traditional service management technologies are well advised.

Since cloud is a hodgepodge of technologies and internal and external services, trying to build a cohesive strategy to optimise cloud can lead to a lot of circular motion. But one way to avoid this is NOT to put cloud first as that mysterious (and actually fictitious) "endgame," as in the “journey to the cloud,” but to focus on key business objectives for IT and then see how and where cloud fits best. As I’ve said more than once, the “journey to the cloud” from a purely logical perspective makes no more sense than the “journey to VLANs.”

But “cloud” has many parents beyond technology itself and these include aggressive marketing campaigns by the likes of Amazon EC2 and other service providers and vendors selling infrastructure and related products and services. It should be pointed out that many of those service providers are simply repackaging hosted services provided under other names, and have adopted “cloud” for obvious marketing reasons. After all, if a service is delivered over a network, and can be flexibly provisioned (which can mean many things) and extended to “on-demand” needs (which can mean many things) and accounted for based on usage (which can also mean many things) you get to call it “cloud” (and be fairly faithful to the National Institute of Standards and Technology (NIST) definition).

Culpability

Illustration BY Shigil N

But even more than marketing, the media has itself largely been the “creator” of “cloud.” Cloud’s prevalence in our minds would be nowhere near what it is without inflated media attention (a.k.a. “hype”), which, yes, I realise that I’m contributing to right here. You can view it as an expression of age and its accompanying moral fatigue that I feel absolutely no shame in doing this. However, as everyone knows or should know by now, the media thrives on creating trends and then destroying them, much in the way that demented children in horror flicks like to tear up their dolls and other intimates. Media does this, ostensibly, because it sells, which logically means that we, the reading public, are the true demented children here.

And so “cloud” (internal/external, SaaS, PaaS, IaaS, etc.) is finally getting to the point where the media should be hungry for pins, if not actual machetes, to stick in “Cloud Barbie” and, if not render her headless, at least remove a finger or two. Given that, the media I’ve read to date regarding Amazon's recent EC2 outage seems pretty responsible. But not so much that the over-arching specter of a demise in cloud preeminence isn’t looming, or at least present enough to sustain the impression of drama.

First of all, for a few of the more salient "facts" up to the date of writing this column as of April 26th:

On Thursday, the 21st of April, at 5:16 a.m., Amazon's Service Health dashboard reported connectivity problems impacting its Relational Database Service affecting a broad area especially along the U.S. East Coast. This disabled some fairly popular websites such as Foursquare, HootSuite, Quora and Reddit, all of which are back up at the time of writing this column.

At 10:35 a.m. on Sunday, April 24, Amazon reported that "We're in the process of contacting a limited number of customers who have EBS" (Elastic Block Storage) "volumes that have not yet recovered and will continue to work hard on restoring these remaining volumes."

On Monday, April 25, Amazon reported that engineers were still working on issues surrounding its EBS. Amazon is planning to provide a detailed "post-mortem" of the root cause surrounding its outage and says that its workers are "digging deeply" into the event.

These specifics, obtained through fairly consistent technical media coverage at least, are in large part characteristic of the coverage itself. However, tones have ranged beyond this to headlines signaling that Amazon got a “black eye” from the outage (reasonable enough) to “Amazon’s cloud nightmare” to “who gets the blame?” Mass media, or at least the New York Times, have been reasonably responsible; as Steve Lohr's headline read, Amazon’s Trouble Raises Cloud Computing Doubts. It should be noted that in most cases, real opinions came from analysts like myself (though not from me personally – until now, of course).

The articles I looked at also contained some good advice, such as:

Any system that concentrates too much critical data in one place becomes vulnerable.
If using cloud, design around it, just as you would back up any external critical service such as failover to internal resources.
Leverage a variety of cloud service options from different providers both to assess relative quality and cost, and to minimise impact of outages and degraded performance (my words summarising several sources).

EMA and other research also indicates that skepticism towards cloud wasn’t just waiting for Amazon’s conspicuous outage to happen. It was there beforehand, due to both native IT skepticism and lessons learned from early cloud adoptions. For instance, 70 percent of cloud deployments have required “redoing” or “rethinking” (EMA data) and Compuware data indicates that North American companies estimate organisational/business losses of about $1 million a year from degraded performance from cloud-based applications. The estimate is somewhat lower in Europe at $775,000. Dialogs with deployments have underscored a number of obvious risks, including security risks, e.g. “Who knows what Google thinks is a violation of privacy?” when it comes to managing data.

It should be stressed that “performance” issues are far more pervasive and harder to gauge than absolute outages. Amazon’s misfortune has, as is typical, been dramatised in the media by the obvious. But the future of cloud remains no fundamentally different post-Amazon-outage than it did before. It is neither salvation nor end game but an array of new technologies and services that, ironically, as they mature and become more effectively assimilated, will lose in media visibility as the media moves on to something newer and more controversial.

—Dennis Drogseth is VP of Boulder, Colo.-based Enterprise Management Associates, an industry research firm focused on IT management. Dennis can be reached at ddrogseth@enterprisemanagement.com.

—This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIO Update.com.

39% of SMBs to pay for cloud services within next three years


Cloud Strategy: What A CIO Needs to Know

CIOs who build the right ecosystem will successfully ride this transformative technology. By Roger Camrass and Suhel Bidan

PHOTO BY PHOTOS.COM

Perhaps more than any other executive in the C-suite, as CIO you understand transformative technology – from the birth of the microprocessor in 1974 (and the associated birth of the digital world) to the current e-commerce revolution. IT has always been in the forefront of significant change, and cloud is no exception. It bears many of the hallmarks of a new IT mega-trend – lots of hype, plenty of misunderstanding and a time span of 10 years before its full effects are felt.

Unlike previous mega-trends, cloud looks like it will be more than just another strategic advance -- it could well be as profoundly game changing as the printing press was to Western Civilisation. Cloud is the key that will unlock corporate change at a level that greatly exceeds all earlier strategies, including outsourcing (1980s), off-shoring (1990s) and web-based market channels (2000s). Cloud presents a unique opportunity to virtualise almost every aspect of corporate activity – starting with IT. That presents you with the rare opportunity to reinvent your role as CIO and have a dramatic impact on your organisation’s value-creating abilities.

Using cloud, you now have the potential to expand your responsibilities into broad shared services and, ultimately, into architecting the entire business structure. To make that happen, you must be proactive in adopting cloud, although timing remains the biggest challenge. To navigate these uncertainties, you will need to adopt a sense-and-respond approach by establishing an incubator model within your IT organisation that senses demand and links to emerging capabilities on the supply side.

A number of forces are now converging to accelerate the adoption of external services based in the cloud. For example, there’s the web and the growing adoption of open standards and utility platforms for more practical sharing of resources and facilities. Against this backdrop, as CIO you can take one of two approaches in re-inventing your IT environment. You can manage the whole of shared services (including IT, finance, procurement and HR). Or, you can focus on transforming the business as a whole as a 'business architect' or 'chief optimisation officer' -- helping the CEO fashion streamlined organisations that exploit the tools of digital business and consider their impact on strategy, structure and process.

It’s a huge opportunity for the CIO who can grasp it. CIOs are at the heart of the business because you are the gateway for innovation. Initially, cloud will primarily affect your IT organisation; but cloud’s impact will race from infrastructure to software, then envelop an organisation’s business process and its key value-creating elements.

Agility and flexibility are two of the key values of Wipro Consulting’s vision for the 21st Century Virtual Corporation. The adoption of these attributes assumes the externalisation of all non-core related activities to utility operators. Cloud provides the perfect platform for such development. Using private/public cloud-based models to provide the majority of business processes, we can imagine a virtual corporation that does little more than develop brand, define product and orchestrate external alliances. Sound familiar? That’s exactly what Coca-Cola, Dell and Cisco have been doing for years.

Cloud providers fall into roughly four groupings:

1. Consumer-based utilities such as Google and Amazon, who, with surplus compute power, are looking for new sources of shareholder value;
2. Traditional IT vendors such as IBM, HP, Microsoft and AT&T;
3. Service integrators, who are going to orchestrate this new environment; and
4. Niche players, who see many new opportunities in areas such as security and service brokerage.

In our experience, few companies demonstrate a comprehensive cloud response to internal IT needs even at basic compute, storage and desktop levels. CIOs are concerned about security, technical integration, acceptable service levels and data protection regulation. With the exception of a few well-published success stories, most CIOs merely see cloud as a means of converting CAPEX (associated with fixed IT assets) into OPEX (pay as you go).

Current cloud expenditure remains minimal. We recently surveyed CIOs about their IT expenses on cloud-related services. Only 20 percent reported that they allocated more than 10 percent of their budget to cloud. Almost half have designated less than 2 percent.*

What will change your mind about adopting cloud? Ramped-up deployment of business initiatives topped the list of drivers in our informal survey. CIOs we surveyed are also intrigued by the conversion of IT capital expenditures to operational expenses. They embrace infinite scalability for storage and computing as well as IT agility. Collaboration ability is seen as an asset, as are the large-scale benefits achieved by combining cloud with mobility. Most CIOs expect cloud penetration to rise to 40 to 50 percent within the next five years.**

The challenge confronting IT suppliers and corporate IT customers alike is how to make a smooth transition into the new ‘virtual’ environment and prove tangible benefits. We recommend an adaptive approach based on a sense-and-respond philosophy that originated with Stephen Parry in his book Sense and Respond. It includes the creation of business analyst teams who stimulate and capture demand as it arises. We define this approach as a ‘cloud incubator’ that can sense and respond to interest both at the demand (business customer) and supply (cloud vendor) extremes.

We also see a proactive but carefully measured cloud strategy that includes: virtualising servers and data centers in anticipation of computing and storage “on demand” through new vendor arrangements; and testing public cloud services in non-core IT areas, such as general office and support processes.

This cloud strategy requires a tactical approach in which you apply three distinct layers that test and refine a broad range of new cloud tactics in a rapidly developing environment and establish a stable future operating pattern. These layers are:

1. Business Engagement — providing skills, methods and tools to enable business customers to assess, quantify and prioritise cloud-based service opportunities.
2. Solutions Architecting — offering multi-disciplinary teams who can transpose business requirements into cloud services by testing and validating new operating models.
3. Industrialisation — scaling up the new Cloud-based operating models into full-fledged service platforms.

Smart CIOs will meet this historic challenge head on, building now. Those who will succeed are those who effectively apply the sense-and-respond approach and construct the right ecosystem for their cloud transformation.

—* Between October and December last year (2010) we surveyed more than 50 CIOs and IT Directors, almost 90% of them from global organisations, about their IT expenses on cloud-related services. Only 20 percent reported that they allocated more than 10 percent of their budget to cloud. Almost half have designated less than 2 percent.

** In our 2010 survey of IT executives, most CIOs said they expect cloud penetration to rise to 40 to 50 percent within the next five years. The challenge confronting IT suppliers and corporate IT customers alike is how to make a smooth transition into the new ‘virtual’ environment and prove tangible benefits.

—About the Authors: Roger Camrass is Senior Practice Partner for Business Transformation at Wipro Consulting Services, Europe, and the author of "Atomic: Reforming the Business Landscape Into the New Structures of Tomorrow." Suhel Bidan is Senior Manager, Wipro Consulting's Business Transformation Practice, Europe.

—This opinion was first published in CIO Insight. For more such stories please visit www.cioinsight.com.


Cloud’s Transformation: The Softer Side Cloud will see significant transformations of people, roles, and skill-sets.

A

fter having spoken to numerous customers and vendors, it's clear to me that cloud computing's operational transformation necessarily triggers structural changes in the IT organization - as well as in the rest of the enterprise. Overheard at a conference late last year, an analyst I was briefing illustrated it this way:A Converged infrastructure requires a converged organization to operate it. I'm convinced we'll see significant internal transformation in the future - not of technology, but of people, roles, skill-sets, and organizations. As evidence, just take a look at the organizational transformation EMC's IT department has gone through in the past 3 years (HT to Chuck's Blog) Consider this: The Role of the CIO: Today the CIO is orchestrator of technologies, if not a technologist him/herself. Governance of the technologies/vendors is perhaps secondary because "keeping the lights on" is such a dominating task. In the future, the role will shift from technologist to where the CIO (and IT overall) will become a service portfolio and governance manager... Regardless of whether the services are generated internally or externally. Implication: CIO's will need new skills, policies, processes. IT Organizations: Referring again to Chuck's blog (and excellent illustrations therein) the IT organization will shift from siloed / distinct organizations to a set of unified service organizations leveraging a common services infrastructure. Implication: change management, goal changes, departmental funding changes. Individual Skill-sets: Today's IT skills (esp. in larger organizations) are specialized around applications, servers, networking, backup, etc. each which aligns with the organizational structures, above. However, in the future many of these functions will either become more automated and/or combine with (be embedded within) other service management functions. Implication: new skills training, certifications, processes. 
Supporting Services: As IT transforms, so will adjacent organizations and services - like finance, lines-of-business, legal/compliance, vendor/partner management. How IT is measured and accountedfor, related-to as a business partner, and how it dovetails with external partners/providers will necessarily shift. Implication: need for change management and new organizational design.

24

cto forum 07 may 2011

The Chief Technology Officer Forum

PHOTO BY PHOTOS.COM

By Ken Oestreich

Looking forward, if these transformations occur even at a modest level, I would expect to see other broader-scale industry-wide changes in these and related areas.

1. CIO roles will shift to governance & vendor management (perhaps even modeling supply-chain management)
2. Organizational & change-management resources (firms facilitating change specific to IT transformation) will be in higher demand
3. IT skills development will re-invent itself; new training and certifications (e.g. cloud architect) will become the norm. Fewer special-purpose technologists will be needed, in favor of a new breed of "converged" technologists
4. Entirely new categories for job recruitment will emerge to find and place this new talent
5. IT financial management skills development, training etc. will be in further demand as IT shifts from being a high-dollar capital expense to becoming an on-demand business resource/enabler.

In the future I'll continue to reflect and blog about what I'm hearing in the market. But we should all be keenly aware of the non-technical impacts of the IT technology shift. And, if you know of examples today, do share.

—Ken Oestreich is a marketing and product management veteran in the enterprise IT and data centre space with a career spanning start-ups to established vendors.




COVER STORY

leadership

Call it business compulsion. Servers and switches are on the backburner. Indian CIOs are now talking about RoI and TCO. But is it all that they need to break into the C-suite?


IMAGING BY pc anoop

The CIO’s role is defunct! Well, in the current scheme of things, and its future outlook, it certainly seems so. Over the last decade and a half, CIOs have managed to make a huge transition. From having a back-office position and managing the server room, they have come to the fore and are today adding value to the business. But, as they say, change is the only constant. Technology is increasingly becoming standardised, and new models such as cloud computing and SaaS are emerging. With technology taking care of itself, the CIO in the next couple of years would be as good as dead. The time is again here when the CIO will have to make another quantum leap. For the CIO who has weathered the last 15 years to reach the level where he is today, it will take that extra effort to break into that elusive group – the C-suite. What does the future hold for a CIO? Can he leverage his cross division knowledge to break into the C-suite? Is there life beyond the boardroom? More Power to the CIO!

Inside: Changing Times | The Whipping Boy | Contemporary CIO Roles and Challenges | What Lies Ahead | What Type of Leader Are You?


Changing Times

The last 15 years have seen a perceptible change in the role of a CIO. He has evolved from an EDP manager to one who adds value to the business.

Change is the only constant. True to this saying, India has undergone a drastic change over the past decade and a half, moving from an agri-based economy to a knowledge economy. The shift in economy has seen an evolution in the way business is done. From almost a free-run to cut-throat competition, and from witnessing steady CAGR to the financial downturn, the scenario has changed a lot for corporates. Today, their mandate is to do more with less. This transition has had serious implications for the role of a CIO. We connected top CIOs in New Delhi and Bangalore over Polycom's hi-definition video conferencing solution to discuss their journey over the years.

The CIO Then

About 15 years back, there were few companies that offered the designation of a CIO. Even if there was the designation, the person did not play the role of a CIO in the true sense. The main responsibility of the person in-charge of IT was to take care of the server room. As Vijay Sethi, CIO, Hero Honda avers, “There may have been designations of CIOs in the past but in effect, they were only MIS and EDP managers. Nobody was seen as having the influence or capability enough for the CIO role.”

IT deployments of today’s size and nature were unheard of in organisations in those days. “Those were the times when an organisation felt the job was done when ERP was implemented. Today, ERP is plumbing,” says a CIO, on condition of anonymity. While in today’s ERP, processes for more than 30 industries are embedded, there was not a single business process on IT a decade back. This was also the reason why the IT head in a company could afford to know everything on technology and nothing on business. “For the past 10-15 years, the CIO was ensconced in the security of technology. He did not speak the business language,” says the CIO.

It is not just the traditional sectors such as manufacturing that have seen the CIO’s role transforming. Even new and emerging sectors have witnessed the CIO’s role changing in the relatively short time span. As Subramanya C, Senior VP and CTO, Hinduja Global Solutions, says, “Even though the CIO always had a front-end role in a BPO company, there has been a marked change in the way he functions. In the early 2000s, a CIO had to sit in front of the client and 95-98 percent of the time talk about price, people and quality. The scenario is no longer the same today.”

So how different is the role of today’s CIO? What additional responsibilities is he shouldering, and what have been the drivers for this change in his role?

“In the early 2000s, majority of a CIO's time was spent discussing pricing, people and quality. Today it's all about innovation.” —Subramanya C, CTO, Hinduja

The CIO Now

A noticeable change that has happened over the years has been the recognition of the CIO role itself. According to Ratnakar Nemani, CIO, Himatsingka Seide, “I got this opportunity because my company has realised the need to have a CIO. Before my becoming the CIO, the company never had even an IT head let alone a CIO.” Nemani was the company’s CFO before the job demanded him to become the CIO. Today, Nemani is the CIO of the company with four group companies under him, and finds that “CIO is an exciting role to play.”

“Today, IT is the need of a company and so are IT chiefs. For an organisation, a CIO is important for decision support,” echoes Rajeev Batra, CIO, MTS India. With the demands from IT changing exponentially, the role of the CIO (and the IT team) has undergone a significant change. “As companies are short on resources, they can’t have so many people just doing IT. The CIO should, therefore, lead his team in adding value to the business. There should be a conscious shift away from the ERP and CRM deployments towards looking at getting more business for the company,” believes Sandeep Parikh, CIO, Microsoft.

“Today IT is the need of a company and so are IT chiefs. For an organisation, a CIO is important for decision support.” —Rajeev Batra, CTO, MTS India

In line with this, an increasing number of CIOs are becoming business savvy. They are giving up their refuge in technology, and are communicating with peers in business language. However, Batra thinks otherwise. According to him, a CIO can’t be too much away from technology. “While he can pass the nitty-gritty on to the team below, a CIO even today needs to be in touch with technology. He has to know the architecture of the technology, the investment going into it, and then align it with business,” he says.

Today, a CIO has to act as an innovator. With competition increasing, companies have to stay ahead of the competition all the time. A CIO, therefore, has to create value for the business. He has to come up with innovative solutions in quick succession as the competition will be copying them in six months' time. “The CIO and his team have to look at getting more business. They have to today look at the business capability map,” says Parikh.

For some verticals, however, the CIO has always been a crucial and important role. The ITeS is one such vertical. As Subramanya says, “A CIO in a BPO has to be constantly focused on the business, keep adding value and bring out innovative solutions. As services sector does not bring out any tangible product, technology has to add value to the services.”

“As compared to a decade back, today, I talk about giving the client innovative solutions – chat services, feedback on social media etc. In other words, we convince him that we will provide support in any medium,” he says.

The profile of a CIO has changed dramatically over the years, and continues to do so. According to experts, the CIO’s role is important during the implementation of a project. After that, 90 percent of his time is spent towards maintenance. Going forward, with new technologies emerging, a CIO would have to look at better utilising his time and resources. As an industry expert avers, “A large part of a CIO’s time today is spent in ‘as is’ (maintenance) activity.”

“Two-three years from now cloud computing would catch up. The CIO would then have to become more of a technology provider. Moving from the current role of maintaining the IT infrastructure, the CIO would have to look at how he is spending his time. He would have to look at alternative models of provisioning, governance and security,” the expert adds.


The Whipping Boy

The CIO is the quintessential whipping boy in a corporate. What prevents him from moving into the core of a company?

The CIO is the quintessential whipping boy in any corporate. He has to shoulder the blame if anything goes wrong in the organisation. Although his role has transformed from being a cost centre to a profit center, the CIO still has not been able to become a part of the C-suite in an organisation.

A CIO is also a functional head just like other functional heads such as CMO, COO and the CFO. Unlike for a CIO, however, the career path of other functional heads mostly leads them to the boardroom or to the seat of the CEO. Why then is it so tough for a CIO to get into the shoes of a CEO or get inside the boardroom?

“The CIO is still not the center of executive within the company. The CIO has to build credibility and show the value that he is adding. This credibility journey for a CIO is still on,” answers Rajesh Uppal, CIO, Maruti Suzuki India.

It has been tough for a CIO to move up the ladder and enter the core also because he does not have a direct role in an organisation as compared to the sales or pre-sales team.

“The CIO has to build credibility and show the value he is adding. This credibility journey for a CIO is still on.” —Rajesh Uppal , CIO, Maruti


As Subramanya C, from Hinduja says, “It depends on the organisation’s dynamics. In most organisations, a CIO does not have an exposure to the customer in contrast to the pre-sales and the sales team, which are accorded more importance. That the CIO has been a laggard when it comes to getting into the core of a company is also a factor of the size of the company.”

“However, a CIO should not just look at the position of a CEO. A more sales savvy CIO can get into the role of a COO or the Head of the Sales vertical,” he says.

Sanjay Jain, Group CIO, WNS Global Services, says, “The challenge arises from the lack of P&L (profit and loss) management expertise. It is necessary that a CIO exposes himself to major business functions like sales, operations, marketing, consulting etc. This rounded exposure to business will go a long way for a CIO.”

There are certain verticals that offer better and faster growth opportunities for the role of a CIO. Therefore, an EDP manager, looking for a fast-track move into the core, should look at such verticals. “An EDP manager in any manufacturing company will take a lot more time to become a COO as compared to an EDP manager in an ITeS company. In the latter, IT is the core for delivery, which puts the spotlight on the CIO,” says Subramanya.

Meanwhile, former CIO, S R Balasubramanian, who has worked in several top corporates, avers, “A CIO should feel proud of being the technology head and simply do away with the complex he has. He can’t be a CEO unless he proves to be a good CIO.”

“He must ensure to give precedence to business, and make technology subservient to business. He would then be the executive most sought after and would be an appropriate choice to lead the business,” he adds.



Contemporary CIO Roles & Challenges

Three CIOs were interviewed about the challenges they face in their roles as corporate CIOs. By Jim Finnan

According to a recent WSJ article entitled "The View From the CIO's Office", the role of today's CIO has not just changed; rather, it has gone through an expansion of responsibilities. Below are some of the more important key points from the interviews:

1. It's the need to be business people with a background in technology rather than the other way around.
2. The ability to properly leverage the cloud.
3. CIOs must provide business automation and continually increase and automate more and automate things deeper into the business.
4. IT is embedded in the business. The challenge is that there is now a convergence of consumer technology in the enterprise. It is creating completely different dynamics.
5. CIOs have to provide solutions and information and enable the business across lots of different platforms that are changing at a very rapid pace. You've got security implications because of this. User expectations are higher than they were previously.
6. As a CIO we have adopted a practice of self-service, enabling folks to get at the information, get at the tools they need to use and do it themselves. People can write their own reports. They can pull their information down on whatever device they want. If they want to have an iPad, and pull information down, we've enabled that. We just need to make sure we can wipe the data clean in case of an emergency.
7. We have a strategy we describe as application-centric, device-agnostic. We believe devices will continue to evolve, and the competitive advantage will not be there. The competitive advantage will be in the application, which is what will differentiate us from our competitors. The applications will transcend the devices they run on.
8. One thing we're struggling with is a really good way to manage and search all the information. We're growing so much information, and the majority of it is unstructured. The ability to find all that information for the average employee is getting more and more difficult. We're investing in enterprise search capability.
9. CIOs must provide the ability to operate in real time, rather than analysing what happened yesterday, last week, last month, last quarter—trying to see what is happening now as we speak, and the ability to intervene immediately if we need to make an adjustment. The ability to control, to track, to monitor what is happening in-store, whether displays [or] promotions in store, and the ability to then adjust on the fly.
10. CIOs must provide for the ability for people to video-connect anytime, anywhere, any place, because our companies are a truly global operation.
11. CIOs must provide the ability to predict, do modeling and "what if" analysis. We're creating some automation to [analyse] what is happening, why it is happening, so that we can focus all of our energies on how to improve what we have to improve.

Cross-posted from CIO Zone

This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


What Lies Ahead

There are several options for a CIO as he looks to elevate his career. It is up to him what he wants to do and how much risk appetite he has. By Varun Aggarwal

All your life, you’ve been working hard to reach the top in your domain. And today, when you’ve achieved the position of a CIO in your organisation, what lies ahead? For some, this may be their ultimate goal and they would like to retire from their work life as a CIO. After all these years of hard work, you certainly deserve a time out. However, not all are satisfied with the top most position as an IT leader in their organisation. So, what can they possibly achieve in their career? Options are aplenty but in order to pursue the options, CIOs need to move out of their comfort zones.

“The choice is whether the CIO considers himself or herself a technologist who ensures IT works at all times or a business leader who has a good understanding of technology and one who had to work with other business leaders in the organisation on how IT can be used to help business achieve its objectives,” opines Vijay Sethi, Vice President IS and CIO, Hero Honda Motors Ltd.

Ask any CIO about their aspirations and a majority would respond that they aspire to become the CEO of a company. There is a logical reasoning behind this aspiration.

“The choice is whether the CIO considers himself a technologist who ensures IT works at all times or a business leader who is a perfect fit for business.” —Vijay Sethi, CIO, Hero Honda



“I now want to become an entrepreneur and do something beyond IT. IT is no more a challenge for me.” —Asmita Junnarkar, CIO, Voltas

The CIO is perhaps the only person in an organisation who knows the strengths and weaknesses of every department of the organisation, right from Finance to Marketing to HR to Operations. For years, the CIO has been working closely with each of these departments, trying to understand and alleviate their pain points, while at the same time building innovative solutions to help each department grow in different ways. Therefore a CIO is well positioned to take up the role of a CEO in any organisation, as he would have better insights into the organisation and would know what would or would not work in the organisation’s favour.

photos by Subhojit Paul & Jiten Gandhi

CEO of an IT company

The role of the IT department has already evolved from just a support function to a strategic function. Instead of trying to support individual applications for each department, CIOs have started delivering IT services to each department based on their needs. The internal customers of a CIO have already been acting like external customers. Centralising and consolidating the organisation’s IT infrastructure has played a big role in driving this change, thus making the CIO work like a CEO of an IT arm of the organisation.

Many organisations including the National Stock Exchange have demerged their IT department into an independent IT organisation (NSE.IT) wherein the CIO takes up the role of a CEO of the new firm. While the newly turned CEO would continue to work like a CIO, he needs to look at driving value out of IT. He can possibly be handling not just internal but also certain external customers. Therefore, from loosely built plans that were focused around supporting the organisation’s IT needs, the CIO would now need to bill the organisation for each and every service offered. Therefore, a strong business proposition should be built around each and every solution and service. The new CEO would have to move above technologies like cloud or SaaS etc and build compelling business solutions for its clients (who were previously the internal employees).

Chief Innovation Officer

Though a very loosely used term, the Chief Innovation Officer needs to work exactly like the CEO of the IT arm which we just talked about. However, in this case what is expected out of him would not be much. Therefore, going beyond the call of duty is something that the CIO needs to look at. An Innovation Officer has higher chances to sit in the boardroom than a Chief Information Officer. The former talks business and offers solutions to help drive business growth whereas the latter talks technology which helps in smooth operations of the company. Both skill sets are highly important and therefore, while ensuring that the lights are on, the CIO needs to see how he can enable new revenue streams for the organisation.

Entrepreneur

For the real risk takers, the best career option is to become an entrepreneur. And, as you’d realise, there is no dearth of options for starting a new venture. Starting an IT consultancy is as good as becoming a CEO of an IT company with some additional risk factors attached. All it takes to start an IT firm is to get the right people on board and some funding. For the rest, you already know what to do. You just need to pump in a super dose of adrenaline into the organisation and work a lot more on people management to get going with such a venture. As long as a CIO has the passion and determination, he can convert any business idea into a profitable venture.

In fact, there are many CIOs who want to become an entrepreneur but want to make sure that it's beyond IT. Take for example, Asmita Junnarkar, CIO, Voltas. Junnarkar feels as far as IT is concerned, she’s already achieved what was there to achieve. “I now want to become an entrepreneur and do something beyond IT. IT is no more a challenge for me and I want to venture into something that is challenging as well as exciting,” she opined.

Conclusion

While we’ve tried to cover most of the options that the CIO has as the next step in his career, these are by no means the only options. The career options for a CIO are beyond what the CIO can do, and are rather what he aspires to become. If he is ready to move out of his comfort zone and passionate enough to follow his dreams, then only the sky is the limit.


What Type of Leader Are You?

The CIO’s role has become synonymous with leadership. Let us look at the various archetypes of a CIO as a leader. By Daniel Gingras

The role of the CXO, particularly the CIO, is primarily one of leadership, but it’s the one thing we generally never get trained for. Ironically, it has become the “definition” of the CIO in recent time as the job becomes increasingly complex and specialised. The “true” CIO is focused on leading his organisation but, more importantly, leading the entire organisation in the acceptance and management of change.

Moving the organisation to accept the strategic nature of IT requires two ephemeral qualities not taught in most academic programs: Salesmanship and Leadership. Certainly salesmanship can be taught, in fact, it’s a growth industry. Look around and you’ll find every conceivable type of sales training program available.

Most, of course, have little to do with the type of sales we’ll be doing, which is both consultative and based on influence without authority. We’re trying to convince the management and then the organisation as a whole as to the value of our vision for using technology to create a true competitive advantage for the organisation. Then we need to convince them of the architecture and implementation details necessary to execute that vision.

I always advise people to start with the old gem, How to Win Friends and Influence People by Dale Carnegie. Need more help? Take the Dale Carnegie course. Of course, if you really want to hone your skills, ask to go out with the sales force (if you have one in your organisation) and try selling your company's service or product. When I was a CIO, I required all of my managers to spend at least three days on the road with the sales force. Nothing changes your perspective more than having to try to sell what your company makes or does. It’s the hardest job in any organisation, which is usually why it’s the most highly compensated.

Leadership is another issue. By and large great leaders are a product of their early development. If you were a Boy Scout or participated in other leadership oriented organisations in your developing years, or if you were in the military, you were taught how to lead. These experiences can’t be duplicated and their value is incalculable. That doesn’t mean if you didn’t participate in these experiences you’re lost. If you focus on leadership and make it a priority, you can develop yourself as a truly great leader.

Want an example of truly great leadership? Read ENDURANCE: Shackleton’s Incredible Voyage by Alfred Lansing. Shackleton led an expedition aboard the sailing vessel HMS Endurance to the South Pole in 1912. Unfortunately, the voyage went horribly wrong and the expedition became stranded in one of the most inhospitable places on the planet. Sir Ernest Shackleton led the expedition and although the ship was crushed by the ice, he took one of the smaller boats and sailed thousands of miles, climbed over a frozen mountain range to find help and then led them back to save every one of his men. Buy the book and read it. Would you take your role as leader so seriously that you would risk your life on what was considered a certain-death mission to save your team? It’s a great question.

Orchestra Model

The CIO has a unique challenge as a leader. Although he or she might have once been pretty technical, as he’s moved more into management, his skills generally fall behind his staff. So he must lead and motivate a group of extremely talented individuals, keeping them focused on a single vision. I liken this to the role of a conductor. You should be hiring the best cello player available in the marketplace. They’ll be able to play much better than you ever could hope to, but you’ve got to keep them playing the right music, at the right pace, and in cooperation with the rest of the orchestra. You need to ensure all of the members practice and are great at what they do. You need to keep them motivated, and you need to ensure that there are enough “ticket sales” to keep the whole organisation moving forward.

Leadership Types

There are dozens of archetypes of leadership and hundreds (if not thousands) of books written about the types of leadership and what they mean, so this may not be a comprehensive list. It is more a starting point to think about how you lead.

The Tyrant - This is the most toxic type of leader. This leader believes “fear and intimidation” is the right motivational structure. I’ve worked for such leaders, who suck the lifeblood from you as you struggle to meet their expectations. Sometimes they’re reasonable, but often you get a tyrant who has unreasonable expectations. If you’re working for such a leader, you know it. Update your resume and get out of there. You will never thrive in this environment and it will atrophy your career and personal growth. You need to remember that it's work, not your life, and if work makes your life miserable then do something about it.

The CIO has a unique challenge as a leader. Although he might have once been pretty technical, as he's moved more into management, his skills fall behind his staff .


The Ostrich - This type of leader locks himself in his or her office and doesn’t want to hear the details of any problems in the organisation. “Take care of it,” is usually the answer: no direction, no coaching, no participation. This is not a leader, it’s someone holding the job who doesn’t understand their responsibility to the organisation. Every leader should recognise that they have a responsibility both to the organisation at large, but more specifically to the people under their leadership. If you’re not focused on growing your organisation’s capabilities, satisfaction, and value to your company, you should be doing something else.

The Seagull - Typical of a leadership structure where the organisation is remotely located from the leadership, this leader flies in, dumps on the staff, then flies away. They may have additional attributes of some of the other leaders, but the primary characteristics of some of the other caustic types.

The Politician - In general the “politician” has become a pejorative term, and rightfully so. Politicians are generally self-centered, looking to boost their positions on the backs of their followers. They’re more than happy to take credit for the work of others, completely focused on self-aggrandisement, generally at the expense of their followers or their organisation as a whole. You can prosper somewhat with a politician as a boss if you focus on making them look good, but recognise that you’ll never get credit outside of your organisation from the politician. Don’t worry though, word will get out and people will recognise your value. Don’t emulate the politician, rather try to develop a more inclusive leadership style.

The Inspirational Leader - This person is a joy to work for, he’s an evangelist who makes you want to come into work every day. He leads from the front, and you’d be willing to follow him into hell. He or she can have a number of sub attributes, but in general think of them as the tough old sergeant in the WWII movies who leads men in a charge against the enemy machine gun. They might also be more like a “preacher” who gets you all fired up to do the right thing but at the end of the day you feel great about working for this person. They’ll make sure you grow and that the technology adds real value to the organisation. Make sure things are getting done, however, because there is a small subset of this type which is ineffective in execution. They’ll motivate everyone, but nothing will get done. Luckily though, this mutation is generally rare.

The Coach - In the end, developing the people who follow you in your mission has to be a primary duty of the great leader, and this involves no small part of coaching. Sometimes it means delivering the difficult message “Your performance needs to improve,” but it’s always done in such a way that you feel better for receiving the message. You know the person truly cares about your development and growth, and that delivering constructive criticism is a part of growing. In fact, you should be wary of a leader who always praises. Either their expectations are too low, and you’re not being stretched and thus not growing, or they’re not really concerned about you and are just backslapping you at every occasion. A really great leader knows he or she has to develop his followers and that that means challenging them and giving them opportunities to fail, but supporting them in their failures so that they learn.

So, what’s the best style? Maybe no single style, but a combination of a number of styles. I try myself to be a combination of inspirational leader and coach. But, occasionally, I find that neither of these styles works with someone who has spent most of their time under a toxic boss like the tyrant. I have to modify my style to fit the individual, to ensure that I understand exactly what they want. This is the essence of true leadership: reconciling the needs of the individuals in the team with the organisational mission. Make no mistake, it’s tough to do, but it’s the essence of the CIO's role. And if you’re a CIO, or aspiring to be one, then this is where you should concentrate your efforts.

How do you find out if you’re a great leader ? Ask. Survey your staff, your peers and your superiors. Get them to give you 360-degree feedback and support this concept within your organisation. Get details of where you need improvement not only from your boss but from your staff. Make it a formal process, and more than once a year … once a quarter if possible. If you don’t ask, you’ll never grow as a leader.

—Daniel Gingras has been CIO of five major companies and is a partner at Tatum, LLC, a nationwide professional services organisation of senior-level technology and financial executives who take on leadership roles for client companies. He has more than 30 years of IT experience and teaches computer science at Boston University. He can be reached at dan.gingras@tatumllc.com. This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.


NEXT HORIZONS


PHOTOs BY PHOTOS.COM

Green IT: Beyond the Datacentre

The less obvious ways CIOs can contribute to corporate sustainability. By Chris Boorman

With increasing frequency, CIOs are being asked to play a major role in meeting the challenges of sustainability, reducing energy consumption and CO2 emissions and other ecological issues that have become the focus of corporate and public attention. This is appropriate, because IT organisations are clearly part of the problem. But they are also uniquely equipped to be part of the solution, not only in their own domain of datacenters, desktops and mobile deployments, but throughout the entire organisation. In this post I’ll touch on some of the less obvious ways CIOs can contribute to corporate sustainability, as well as those that reside in their own domain.

Green Opportunities Beyond the Datacentre

CIOs who want to make a green contribution beyond the management of IT assets can begin by reaching out to fellow executives and determining where there are energy-related issues that technology can address. Most CIOs have relationships with major vendors with applications that can directly or indirectly help reduce energy consumption in multiple areas of operation, but their peers are often totally unaware that these solutions exist. The trick is connecting the problem with the solution. Here are a few specific areas of operation that may be promising.

Facilities Management - Many CIOs have already cooperated with facilities management on the issue of data center energy consumption, but there are a host of other problems where information technology can increase the efficiency of the facilities management function and thereby reduce energy consumption. For example, predictive analytics based on historical data (assuming the data is clean and accurate) can determine what system modifications and behaviours will have the maximum impact on energy efficiency, so organisations can be assured that the dollars dedicated to green initiatives are being well spent.

Logistics - The transportation of any item from point A to point B requires energy, and making transportation more efficient has a direct impact on energy consumption. In many companies, substantial improvements are possible through technology. There are a variety of enterprise applications to help companies develop more efficient transportation of goods across entire supply chains, improving everything from delivery routes to the time trucks spend idling their engines. Now that GPS monitoring is ubiquitous, systems can also be developed to monitor events in real time and make more efficient use of vehicles.

Telecommuting - Encouraging employees to work from home, whether full-time or part time, can have a substantial positive effect on a company’s environmental impact – and bottom line. For example, as organisations encourage employees to work remotely there are significant benefits including reduced leasing costs, furniture, cubicle rental costs, power, water and so on. The absence of vehicles on the road every morning and evening makes a major contribution to energy savings and greenhouse gas reduction.

Paperless Transactions - Anytime the use of paper can be eliminated from a transaction, the environment and the company doing the elimination both win. The fundamental question to ask is “Do we really need to mail our customer/vendor/channel partner this invoice/statement/notification?” In many cases, the answer is no. Financial services companies have taken a leadership role in this area, working to eliminate paper wherever possible (and touting the environmental benefits of this strategy to their advantage). In many other companies, however, paper transactions continue to be the norm – usually due to habit, rather than any real business benefit.

The Ongoing Greening of IT

As I previously mentioned, these are examples of areas where proactive CIOs can look outside of their domain for opportunities to launch green initiatives. But no review of the green opportunities for CIOs would be complete without at least touching on the opportunities within the IT organisation, even though many are well known to CIOs.

According to the Department of Energy, datacenters are responsible for three percent of total U.S. energy consumption, and that figure is expected to double by 2015 – which amounts to $7.4 billion worth of energy. Right now, the average 125,000 square foot data center has an annual energy bill of roughly $3 million. These economic measures translate into millions upon millions of kilowatt hours of electricity, the production of which releases huge amounts of CO2, the primary "greenhouse gas." In other words, IT really is a substantial part of the problem. But the good news is CIOs can be and are part of the solution.

3% of energy consumption in U.S. by data centers, to grow to 6% by 2015.

Virtualisation - Most IT organisations have vigorous virtualisation initiatives in full swing already.

Server Refresh - Although it sounds like a sales pitch, the math for replacing older servers with new, energy-efficient models is genuinely compelling. Each generation has new features that support energy efficiency, and these extend down to the chip level.

Attention to Detail - There are numerous best practices that have a small impact in themselves, but deliver significant power savings in the aggregate. They range from the arcane (power distribution unit sizing) to the obvious (hot and cold aisles in datacentres) to the adventurous (using ambient air to supplement data center cooling systems in the winter). These best practices are for the most part well known, and when staff are incented to save energy, as opposed to merely “keeping the lights on,” they will be implemented.

Desktop Management - Many organisations operate literally thousands of desktop computers with little or no attention to energy management. Simply making sure that standard, built-in power-saving options are properly set can by itself result in significant energy savings. In addition, there are applications available that enable even greater control - and greater savings.

Data Management - This is the least obvious strategy, but for some companies it could pay dividends. Numerous solutions are available (including solutions from my company) that can significantly reduce the volume of data that needs to be stored, through techniques such as retirement, compression, de-duping and the like. Less data means fewer storage devices, less electricity consumed, and fewer non-renewable resources lost.

The Cost Factor

One of the most attractive aspects of projects that improve energy efficiency is that they often have an attractive ROI. In contrast to many environmental initiatives related to pollution, reducing energy consumption almost always has a quantifiable financial benefit. This is important. Projects that help improve the environment and the bottom line are rare. Earth Day should be seen as a reminder that looking for these opportunities can pay off in more ways than one.

—Chris Boorman is the Chief Marketing Officer at leading data integration vendor Informatica. Follow him on Twitter @chboorman. This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.

Hedging Future Energy Costs

CIOs have several actionable opportunities when it comes to reducing the carbon footprint. By Pam Baker

"Despite some leadership by Yahoo!, Akamai, and Google, lack of transparency masks continued reliance on coal by Facebook and others to power the growth of cloud computing," said Casey Harrell, spokesperson for Greenpeace International.

Illustration BY Shigil N

Despite the brouhaha over climate change in certain U.S. political circles, the science, proven to be real by armies of scientists in multiple countries, is being taken seriously by several industry giants. Google, for example, announced just last week that it purchased 100MW of wind power via Google Energy. Google isn't just investing in clean energy; it is committing to buy that wind energy for a fixed price per kilowatt over the next 20 years, in part to power its massive data centers. Google's blog explains the move: "the long term purchase agreement of renewable energy at a predetermined price partially protects us against future increases in power prices." Certainly hedging future energy costs is a savvy move considering that the cloud will bring extreme data center growth to many of the largest Internet companies. But make no mistake, Google is specifically aiming to reduce its environmental footprint despite the anticipated mega-growth in its near future. Of course, not all Internet companies are as committed to going green.

Indeed, Greenpeace just released a study, How dirty is your data?, that highlights the rapidly growing environmental footprint of the online world and offers an evaluation of both good and bad energy choices made by leading Information Technology (IT) companies such as Facebook, Google, Apple, Yahoo and others.

How dirty is your data? showcases the enormous amount of electricity required to power "the cloud" and finds that the IT industry, despite significant advances in energy efficient data center design, is both largely ignoring the importance of using renewable power as a top criterion for locating new infrastructure and is not transparent in disclosing its energy use.

"We expect these companies to play a pivotal role in ensuring we move to clean, safe renewable energy system and avoid future disasters like Fukushima (Japan's nuclear reactors that blew up during the recent earthquake and tsunami)," Gary Cook, Greenpeace IT policy analyst said. "We think consumers want to know that when they upload a video or change their Facebook status that they are not contributing to toxic coal ash, global warming or future Fukushimas."

53% of energy consumed by Facebook is sourced from coal.

Among the key findings in the Greenpeace report are:

1) Some companies have a coal intensity greater than the U.S. grid average. One of the most popular social media companies, Facebook, is among the most dependent on coal-powered electricity at 53.2%.

2) Yahoo and Google seem to understand the importance of a renewable energy supply. Yahoo has sited near sources of renewable energy, and Google is directly purchasing clean power.

3) Of the 10 brands graded, Akamai, a global content distribution network, earned top of the class recognition for transparency; Yahoo had the strongest infrastructure siting policy; IBM and Google demonstrated the best overall approach to reduce their current footprints.

What You Can Do

In terms of actionable items for CIOs, some of this depends on the size of a company, and CIOs of IT companies specifically will have more opportunities for action. "Since we are trying to make our own IT footprint 100% renewable powered, I can give you the suggestions we've given our own CIO/Head of IT," said Greenpeace's Casey Harrell.

1. Contact your various IT vendors and tell them to be transparent with energy usage data. This will help CIOs understand the scope of their energy footprint -- the first place to start when trying to solve a problem is to know what it is! Greenpeace's report shows that this is a place where many cloud vendors can and should improve. Hearing from their clients will help drive this change. Many companies are investing in accounting for their carbon emissions (filing with Carbon Disclosure Project, etc.) and as they shift more and more of their IT power to the cloud, their cloud providers need to help companies account for their power online. The report shows that companies like Akamai are doing some best-in-class disclosure (actually publishing monthly bills to their clients on their footprint and assessing their kilowatt hours of electricity per megabyte of data delivered) but most cloud companies are nowhere near as transparent as they should be (especially compared to their rhetoric around transparency in other spheres).

2. In terms of buying clean energy to power their services, this will really differ depending on the size of the company and the location. There are green energy purchasing programs (directly from utilities) in most states. This would account for electricity that companies use directly, i.e., server racks inside a company HQ and other in-house IT. However, the bulk of a company's IT electricity use is likely in their servers, which are most likely either located in co-location facilities or captive owned and operated data centers.

In the case of co-location facilities, CIOs need to make it known that they prefer to do business with companies that power their services with low carbon/clean energy.

Where companies own and operate their own facilities, companies should mimic Google and Yahoo, who are profiled in the report as companies that both site their facilities near clean power sources and, in Google's case, get creative in their renewable energy mitigation strategies.

"In a twist of a well-known quote from one of my favorite movies, Field of Dreams, 'If you ask for clean power, companies will come.' So ask.

"Google has made it clear they prefer renewable energy and they have had no shortage of providers (large and small) approaching them for their business," said Harrell. "If CIOs make the same ask, it will help drive change within the IT sector, and allow them more choice."

—A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).

— This article appears courtesy www.cioupdate.com. To see more articles regarding IT management best practices, please visit CIOUpdate.com.


NO HOLDS BARRED

Steve Robinson

APTs need a comprehensive architecture

Steve Robinson, General Manager, Worldwide IBM Security Solutions talked to Varun Aggarwal during his visit to India about various new threat vectors, including smart grid security, Advanced Persistent Threats and mobile.

DOSSIER
Company: IBM
Established: Endicott, New York
Headquarters: Armonk, New York
Services: Hardware, Software, Consulting, IT service management
Key subsidiaries: Tivoli Software, Lotus, Rational, Informix

There have been allegations that smart grids can lead to a complex security problem for a country making them more vulnerable for a cyber war. Your comments.

Smart grids have opened up an issue that you’re dealing with systems that are highly connected and may not have the same protection like the traditional IT systems may have. Various sensors in such grids can be lying in the open and it is often a lot easier to break into these sensors than to break into a data center. So, there are a lot of discussions starting to take place on how do we improve the security in embedded systems and how do we trust those sensors for sending us the right information. IBM has got involved in the embedded security domain. We bought a company called Telelogic about three years ago, which is popular for doing embedded designs and embedded programming. Many vendors including LG use our technology to make their devices smarter like smart refrigerators etc. We also have some work at IBM research called Trust Us, wherein we can put a key check on the sensors to test the data that is being sent and wipe the data, if required, infiltration can be detected. So instead of a passive communication, we can have an active communication with a remote server. We are making these sensors tamper proof. There are also other issues with embedded systems. Stuxnet, for example was focused on Siemens Controller systems and Windows as the operating system. We’re also in discussion with many medical device manufacturers that are running Windows operating systems. A typical smart medical device has a life of 15 years and often the Windows is not patched in the device’s entire life cycle. I question if Windows is the right operating system for these controller systems and medical devices or there are more hardened operating systems for them. Our BigFix solutions are now moving to these non-traditional systems to search for unpatched devices across the network. We’re not there yet, but gradually extending to more and more such devices. There’s so much of programming that’s started to get into embedded devices including the smart phones that there aren’t enough skilled programmers who can write secure code for embedded systems. There’s a huge skillset gap in this industry and a lot of education needs to be provided there. The good thing is that security solutions for PCs and smart phones are also moving to other devices like Tablets etc.

Advanced Persistent Threats are becoming a common threat vector and studies suggest that employee education is good but not enough to mitigate these risks. What do organisations need to do to safeguard against these threats?

We just released our X-Force report and tried to define what an APT really is. I agree with you that they are becoming more and more complicated. However, there are certain security measures that organisations still need to take. Take the case of Epsilon data breach, or RSA breach. Hackers used simple social engineering tools like spear phishing and phishing e-mail to succeed. There is no one solution to solve the APT threat and I think organisations need to pick up the game. You need to build a robust security framework. Follow good network security, follow good data protection, follow good encryption. Research around X-Force report is wrapped around certain IPs where the attacks were coming from. You can get into the game by adding IP reputation technologies into your IPS and managed services so that these attacks can be blocked. At the end of the day it comes down to the domains of security the areas you focus on that APTs uncover by doing the right things to block them.

But do you think typical enterprises would have the expertise to build such level of security for themselves?

Well, I think most of them wouldn’t. And therefore, we see organisations increasingly seeking expert support through managed security services to do some very advanced security work for them. We manage security environments for 4000 customers. Small organisations find it really hard to cover their risks by completely securing their environments against the advanced threats. Many enterprises are looking for managed security to outsource common perimeter security while they focus on unique elements of their security. Some of the managed security players are also putting into place a super cyber team with highly skilled security professionals. Some of our customers are giving us their log information, all their data, and asking us to analyse their security loopholes so that we can plug all the holes. So, managed security is being seen for both common functionalities like Firewall and perimeter security as well as very high end security.

What would be the biggest threat vectors going forward?

We’re focused on a handful of areas. Some are external threat vectors and some are internal. There is still a lot of issue with internal threats. It is quite common for some employees to send out sensitive spreadsheets through their personal mail accounts from office.

“Lots of CIOs have started reporting to the board instead of chasing compliance. They are letting security drive compliance for them.”

Mobile security seems to be on everyone’s mind. Most firms are either moving or being forced to move towards device of choice to let employees manage their mobile device. In some cases, employees are even responsible for buying their laptops. This is a great cost saving but also has a lot of security challenges. Some of the issues are what policies do you establish for these devices, what enterprise applications can be put on these, do we partition the device or not and treat it as private as well as a work device. Then how do you manage it, wipe it and control it in case it is lost. There are solutions coming up to address these issues but there aren’t any complete solutions yet. Cloud and virtualisation would be the next big threat vectors. Organisations are leveraging virtualisation and cloud to optimise their resources and reduce costs. There are a lot of variants of cloud and we do a lot of work with customers to see if the model of the cloud should be private, public or hybrid. Managing risks in these environments would be critical going forward as organisations start to put their critical data over the cloud. There’s a general trend in the security domain that every system, every device, every user needs to be protected equally. I think this would go through some changes. We’re seeing people focusing on user roles, reclassification of roles data, understanding data policy, data risks, data motion etc. And then start to put smaller parameters around key users and key assets within the organisation. Finally, we’re getting some core technologies that allow us to handle some large data issues around security so that we can integrate data from various security tools and analyse them in real time. Banks have used for many years to protect against credit card frauds, looking for patterns of fraud and based on the behaviour of usage they are alerted for frauds. We are starting to see similar technologies in security. We’ve seen cases where the same ID has logged into the network from two different geographical locations simultaneously. That should set off a security alarm. However, there are tons of data coming in from various devices like firewalls, IPS, log information etc and you need the capability to suck all this data together and analyse it in real time.

How do you see the CISO role changing and evolving?

CISOs previously used to do security for compliance. Now, they are turning it upside down. CISOs now need to build to secure, and if you can prove security, you can always get compliance. So, you need to put risk assessment in place, meet with the board, do an annual risk assessment. We’re seeing a lot of CISOs have started reporting to the board as instead of chasing compliance, CISOs are driving security and letting security drive compliance for them. CISO is now becoming a risk advisor for the organisation. I think CISOs are gradually becoming business leaders and they are headed in this direction over time.

What would be your focus areas in terms of acquisitions?

We’d be looking at fairly mature companies with proven technologies which also work with our existing technologies. Our BigFix acquisition was tightly integrated with our systems management capabilities and went well with some of the security things that we were doing. So, we’re not looking for companies with technologies that work in a standalone environment. What we’re looking for is something that can complement and accelerate our existing core offerings.
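The check mentioned in the interview above (one ID logged in from two geographical locations at the same time, found by pulling logs from several devices together) can be sketched as follows. This is an added example, not IBM's product logic or anything from the interview: the two log formats, the field names, the location field assumed to be supplied by an upstream enrichment step, and the five-minute window are all assumptions, and every log line is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines from two hypothetical sources with different formats.
# The geo/loc field is assumed to have been added by an enrichment step.
VPN_LOG = """\
2011-05-07T09:00:12Z vpn-gw1 LOGIN user=asharma src=203.0.113.10 geo=IN/Mumbai
2011-05-07T09:02:40Z vpn-gw1 LOGIN user=bkumar src=203.0.113.77 geo=IN/Delhi
2011-05-07T11:30:00Z vpn-gw1 LOGIN user=cmehta src=203.0.113.90 geo=IN/Pune
"""
SSO_LOG = """\
07/May/2011:09:03:05 +0000 sso auth_ok uid="asharma" ip=198.51.100.23 loc="US/Chicago"
07/May/2011:09:04:10 +0000 sso auth_ok uid="bkumar" ip=203.0.113.78 loc="IN/Delhi"
07/May/2011:09:04:55 +0000 sso auth_fail uid="cmehta" ip=198.51.100.99 loc="BR/Recife"
07/May/2011:15:45:00 +0000 sso auth_ok uid="cmehta" ip=198.51.100.99 loc="BR/Recife"
"""

VPN_RE = re.compile(r"^(\S+) \S+ LOGIN user=(\S+) src=(\S+) geo=(\S+)$")
SSO_RE = re.compile(r'^(\S+ \S+) sso auth_ok uid="([^"]+)" ip=(\S+) loc="([^"]+)"$')


def parse_vpn(text):
    """Normalise VPN gateway lines into common event dictionaries."""
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield {"ts": ts.replace(tzinfo=timezone.utc), "user": m.group(2),
                   "ip": m.group(3), "geo": m.group(4), "source": "vpn"}


def parse_sso(text):
    """Normalise SSO lines; only successful logins match the pattern."""
    for line in text.splitlines():
        m = SSO_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            yield {"ts": ts, "user": m.group(2), "ip": m.group(3),
                   "geo": m.group(4), "source": "sso"}


class ConcurrentLoginDetector:
    """Keeps a short per-user history and alerts when a new login arrives
    from a different location than one still inside the time window."""

    def __init__(self, window=timedelta(minutes=5)):
        self.window = window
        self.recent = defaultdict(deque)  # user -> events inside the window

    def observe(self, event):
        history = self.recent[event["user"]]
        # Drop events that are too old to count as "simultaneous".
        while history and event["ts"] - history[0]["ts"] > self.window:
            history.popleft()
        alerts = [{"user": event["user"], "first": old, "second": event}
                  for old in history if old["geo"] != event["geo"]]
        history.append(event)
        return alerts


def detect(*streams, window=timedelta(minutes=5)):
    """Merge all sources into one timeline and run the detector over it."""
    events = sorted((e for s in streams for e in s), key=lambda e: e["ts"])
    detector = ConcurrentLoginDetector(window)
    alerts = []
    for event in events:
        alerts.extend(detector.observe(event))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_vpn(VPN_LOG), parse_sso(SSO_LOG)):
        print(f'ALERT {a["user"]}: {a["first"]["geo"]} ({a["first"]["source"]}) '
              f'and {a["second"]["geo"]} ({a["second"]["source"]}) '
              f'within {a["second"]["ts"] - a["first"]["ts"]}')
```

A fixed window treats any two locations as suspicious regardless of distance, so logins through VPN egress points or mobile carriers whose geolocation differs from the user's real position will need allow-listing before the alert is usable.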


TECH FOR GOVERNANCE

Information Security Policies and Procedures

Although it is a disheartening job, the importance of policies and procedures can’t be undermined. By Alexander Hamerstone

5 POINTS
Policy sets are different in each environment
Policies delineate the laws for an organisation
Certain policies may be confidential
Ensure policies work in concert
Consider business need before distributing policies

PHOTOs BY PHOTOS.COM

Policy writing can be a daunting task, and one for which many are not overly enthused. However, Policies and Procedures are an integral part of any information security programme. Not only do they provide direction and accountability, many specific policy elements are a requirement of specific laws, regulations, and/or standards. In this multipart series, I will work to help you become comfortable writing policies and their associated procedures. Before we get started, there are a few things that are important to know.

Policy sets are different in each environment. With information security, the number of policies as well as the breadth of each policy will vary depending on the complexity of the environment as well as the sensitivity and criticality of the information. There are other factors that will affect information security policy development as well. For example, it is common that some of the elements of an Acceptable Use Policy will already be covered in basic HR policies and employee handbooks. It is essential that different departments work together to ensure that policies work in concert and do not contradict each other.

It is also essential to determine the audience for any given policy. For most users, the Acceptable Use Policy will determine the rules for their access. Network Security Policies, Access Control Policies, and System Access Logging and Maintenance Policies will have IT departments as their audience. It is also important to note that certain policies may be confidential according to an asset classification program. A Network Security Policy delineating requirements for protections such as connection restrictions or intrusion protection and detection may be valuable for an attacker. It is vital to consider business need to know when distributing policies.

The Differences Between Policies, Procedures, and Standards

It is important to understand the differences between a policy, procedure, and standard, and the functions of each.

Policies delineate the laws for an organisation. Procedures and standards describe how to implement policies. A simple analogy is that of a red light. The policy, or law, requires that drivers come to a complete stop at any and all red lights.

The procedure, however, will describe how to operate the brake, operate the clutch, etc. The standard would describe what types of brakes and tires are appropriate.

An exception process would describe the circumstances under which the policy may be violated -- here, an emergency vehicle.

Knowing which policies are necessary in your environment can be a challenge. Most organisations will have at least some formalised policies.

Many of these are in response to legal requirements (HR policies) or specific incidents. After someone leaves their laptop in the car trunk for 6 hours on a 100 degree day, a policy on the care of equipment is generally issued.

With policies and procedures, it is essential to be proactive rather than reactive. In the case of the melted laptop, it would be far better to have instituted a policy regarding equipment care prior to the incident.

That may be a simplistic scenario where the company is out a thousand dollars for a laptop, but it illustrates a point. This proactive posture becomes far more important when applied to more complex situations. What if, instead of being out a thousand dollars for a laptop, you were instead out tens or hundreds of thousands of dollars in fines after a cardholder data breach? Or worse, in the case of HIPAA, you find yourself with tremendous legal bills or in jail. (I am aware that is an extreme case, but it is illustrative.)

As far as information security, every organisation will have a unique set of foundational policies. While there will be many that are common to all organisations, the unique qualities of each organisation call for custom policies.

How then, do we determine what basic policies we need? I have found that one of the simplest ways to determine which policies are essential is to look at all applicable regulations, laws, standards, and contracts and perform a gap assessment.

For example, if you are subject to the PCI DSS, a good way to start is to take a copy of the standard and identify every place where a policy/procedure is required. PCI requires a policy on visitors to your facilities.

As such, part of being compliant with PCI will be developing a visitor policy per the specific requirements of the standard. An important caveat: having a policy in place does not equal compliance.

An auditor will not only look for the policy, they will also look for evidence that the policy is enforced. So, for our example of a visitor policy, the auditor will want to see associated visitor logs and will check to see if they are issued a visitor badge per the policy.

Careful readers will note I slipped in mention of another document, the visitor log. In many cases, documentation leads to more documents. In this case, you will also likely need to develop training programs.

Procedures for the receptionist to follow will ensure that they are correctly logging visitors. An awareness program allows employees to understand the policy exists.

Keep in mind it is important to review contractual obligations. Involving your legal department is always recommended.

8.5% growth of enterprise software market in 2010.

—Cross-posted from SecureState

This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

T E C H FOR G O V E R N A N C E

securit y

The Holy Grail of Information Security

T

Heard of the list of most needed inventions? Authentication ranks as the Holy Grail of security.

hese are the sorts of inventions that, if realised, would overcome technological hurdles that are preventing mankind from reaching our most cherished dreams. Room temperature super conductors, advanced nanotechnology and practical fusion power are just a few. There are a number of inventions like this that are needed to make information security a reliable, efficient and low cost process. And chief among them is the Holy Grail of information security: an un-spoofable identity authentication mechanism. Just think of it! A way for people and machines to know with a certainty that it is you andonly you that they are communicating with. No more worries that someone will steal your identity and empty your bank accounts. No problems with cyber criminals impersonating IT personnel and stealing information or crashing systems. Think of the money and time you could save on complex intrusion detection and prevention systems and complicated processes. It is fun to contemplate. But, unfortunately, it is all just wishful thinking. Despite years of concentrated thought and effort, nobody has a clue how to make it work! There are just three ways known to authenticate identity: n Using something you know n Using something you have or n Using something you are When talking about authenticating yourself to a computer system, something you know is typically a user name, a password or an encryption key. I think all of us know that despite all efforts to keep these mechanisms secret and secure, it doesn’t prevent intruders from getting them.


By Brent Huston

The problem is that people have to know them, they need to store them and they need to use them, and that makes them vulnerable. So something you know isn’t the answer.

Let’s go to the second mechanism: something you have. In the computer world this is usually a smart card, token or the like. Combined with a user name and password, this mechanism provides another layer of security that can be very effective. But it is far from perfect. Smart cards and tokens can be stolen or misplaced. Perhaps a certificate authority or token provider’s servers are compromised. Some mechanisms can be reverse engineered. So, the upshot is, you can add something you have, to something you know and get better, albeit far from perfect, identity authentication. But the cost you pay in dollars and personnel hours has just gone way up.



So let’s go to the final possible authentication mechanism: something you are. For computer systems this is presently typically finger prints or retinal scans, although other possible mechanisms include facial recognition, voice recognition, heuristics (behavior matching) and DNA matching.

This mechanism, once again, provides added security to the identity authentication process, but still is not perfect. For one thing, this kind of authentication mechanism works best in person. If a fingerprint, for example, is transmitted it really travels as a series of electromagnetic signals and these can be spoofed. But even in person, this type of mechanism can possibly be spoofed.

So adding something you are to something you have and something you know once again makes it much more difficult to spoof identity, but still doesn’t render it impossible. And imagine the added burden in money and inconvenience using all three mechanisms would mean to your organisation! Seems like way too much just to protect some financial data or health information, huh?

So, please, let’s all of us spend some thought trying to find the perfect identity authentication mechanism. It may be like trying to come up with perpetual motion, but if you do manage it, I guarantee you the rewards will keep you and yours in clover for the rest of your lives!

—Cross-posted from State of Security
—This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.

7.8%: Growth of worldwide operating system market in 2010 over 2009

Importance of SoA for ISO 27001

SoA should not be considered as just one of those “overhead documents” that have no use in real life.

By Dejan Kosutic

The importance of Statement of Applicability (sometimes referred to as SoA) is usually underrated - like the Quality Manual in ISO 9001, it is the central document that defines how you will implement a large part of your information security. Actually, the Statement of Applicability is the main link between the risk assessment & treatment and the implementation of your information security - its purpose is to define which of the suggested 133 controls (security measures) from ISO 27001 Annex A you will apply, and for those that are applicable the way they will be implemented.

Why it is needed

Now why is such a document necessary when you already produced the Risk Assessment Report (which is also mandatory), and which also defines the necessary controls? Here are the reasons:

First of all, during risk treatment you identify the controls that are necessary because you identified risks that need to be decreased; however, in SoA you also identify the controls that are required because of other reasons - i.e. because of the law, contractual requirements, because of other processes, etc.

Second, the Risk Assessment Report could be quite lengthy - some organisations might identify a few thousand risks (sometimes even more), so such a document is not really useful for everyday operational use; on the other hand, the Statement of Applicability is rather short - it has 133 rows (each representing one control), which makes it possible to present it to management and to keep it up-to-date.

Third, and most important, SoA must document whether each applicable control is already implemented or not. Good practice (and most auditors will be looking for this) is also to describe how each applicable control is implemented - e.g. either by making a reference to a document (policy/procedure/working instruction etc.), or by shortly describing the procedure in use, or equipment that is used.

Actually, if you go for the ISO 27001 certification, the certification auditor will take your Statement of Applicability and walk around your company checking out whether you have implemented your controls in the way you described them in your SoA. It is the central document for doing their on-site audit.

A very small number of companies realise that by writing a good Statement of Applicability you could decrease the number of other documents - for instance, if you want to document a certain control, but if the description of the procedure for that control would be rather short, you can describe it in the SoA. Therefore, you would avoid writing another document.

Why it is useful

In my experience, most companies implementing the information security management system according to ISO 27001 spend much more time writing this document than they anticipated. The reason for this is they have to think about how they will implement their controls: Are they going to buy new equipment? Or change the procedure? Or hire a new employee? These are quite important (and sometimes expensive) decisions, so it is not surprising that it takes quite a lot of time to reach them.

The good thing about SoA is that it forces organisations to do this job in a systematic way. Therefore, you shouldn't consider this document as just one of those "overhead documents" that have no use in real life - think of it as the main statement where you define what you want to do with your information security. Written properly, SoA is a perfect overview of what needs to be done in information security, why it has to be done, and how it is done.

—Cross-posted from ISO 27001 & BS 25999 blog
This article is printed with prior permission from www.infosecisland.com. For more features and opinions on information security and risk management, please refer to Infosec Island.


Hide time | BOOK REVIEW

Author: Ken Blanchard and Sheldon Bowles

“Kids know they have to take up basket ball if they want to earn big money”

Old wine in a new bottle

The book reinstates the fact it's possible to become rich, even in adverse circumstances, if you try to do so in an intelligent manner.

If somebody would tell you the secret formula of becoming rich in a short span, in all probability you'll take it for a small consulting fee. Big Bucks claims to be that formula, though without the right ingredients. Written by Ken Blanchard and Sheldon Bowles, the book puts up simple business rules in a 200-page advisory for those who want to become overnight millionaires.

Big Bucks is a story of Len, a young man searching for the secret to moneymaking, and his adventurous journey with Rabbi Silver, Father Murphey, Pastor Edwards and the moneymakers from their congregations. It uses a business parable to demonstrate how to overcome three challenges -- the test of joy, the test of purpose and the test of creativity -- to achieve financial success.

The book reinstates the fact it's possible to become rich, even in adverse circumstances, if you try to do so in an intelligent manner. It says that one can't stay profitable if he chases away customers or mistreats his employees.

However, despite having a packaging that is bound to attract eyeballs, the book comes as nothing but a jerry-built attempt at explaining things which have been taught by various management gurus of the previous era. Have fun in what you are doing, make sure your customer is happy, be creative and help others to succeed and so on. Didn't we all know that? Yes, but still a majority of us are not even near to that "millionaire" tag. And here I was expecting some real game changing steps or examples, at least to affirm the authors' claim to help people become super rich by reading this epitome of good breeding.

However, the book reminds us of several substantial management rules that are vital to the resolution of a crisis. The author is at his best at explaining that it's extremely important to set the right priorities at the right time, else failure is on the cards. "It takes a 13 year old kid about two minutes to figure out that if he wants to earn big money at a sport he'd better sharpen his basket-shooting skills or turn out for batting practice rather than for volleyball," is an insightful take at all those who crib at what they are doing. It underlines the same old rules that by focusing on concepts like commitment, intensity, purpose and even fun, anyone can build personal wealth and financial security.

Nevertheless, I would have rated this book far better had the author projected this as a road map to become an efficient entrepreneur. However, the author seems to be in a hurry to cash in on some emotional values of people. As the author says, the world is full of people looking for ways and schemes to make money; Big Bucks certainly falls under that attempt.

My take: A reference manual for first generation entrepreneurs, not impressive for serious readers.

ABOUT THE REVIEWER

Jatinder Singh is a Senior Correspondent with IT Next magazine. You can reach him at jatinder.singh@9dot9.in


EVENT REPORT

Cloud computing

Event Private Cloud: The Future of Enterprise Computing

Be it elasticity, ease of use or up-scaling or down-scaling IT infrastructure, cloud gives the flexibility of IT deployment.

Cloudscape Delhi session in progress. The participants were quite enthusiastic to know how cloud will change the way enterprises consume technology in the future.

Cloudscape Mumbai session was attended by over 17 CIOs from large enterprises, discussing wide-ranging issues facing the technology.

There is a point. A participant at the Kolkata roundtable making his point to his peers.

Cloudscape Kolkata session in progress. The participating CIOs, drawn from a variety of businesses and verticals, engaged in a 2-hour long discussion on the pros and cons of private cloud. Majority of the participants agreed that it makes sense to have a cloud strategy for long term benefits.

Lighter moments. CIOs engaging with Roland Slee, VP, Database Product Management, Oracle Corp for expert views.

Dhruv Singhal, Senior Director, Sales Consulting, Oracle India making a point during the roundtable session.

For most enterprise IT organisations, years of innovation, expansion, and acquisition have resulted in sprawling infrastructure that stretches the limits of manageability. While the individual IT systems and applications in service are often well considered and expertly implemented, the sheer scale of the ongoing IT investment itself has emerged as the dominant concern. Also, most enterprises now find themselves with too many platforms, too many technologies, too many domains of expertise, and too many vendors to coordinate and manage.

In response, a number of technologies and practices have become staples for large enterprises. However, what has clearly emerged as the next generation strategy is the adoption of a more centralized, automated, and elastic infrastructure – a Cloud Computing Infrastructure.

To take this discussion to a logical conclusion and further dispel the hype around cloud computing, CTO Forum in association with Oracle organised a five-city CIO Roundtable Discussion series named ‘Cloudscape’. The roundtable discussions were held in the cities of New Delhi, Kolkata, Chennai, Bengaluru and Mumbai during March-April 2011.

The key areas discussed during the various roundtables were:
- How to build a practical Cloud roadmap
- How to transform on-premises IT assets into a Private Cloud
- Can Private Cloud be a custom solution to suit the needs of large corporates?
- Can there be predictable performance and meaningful service levels in the Cloud environments?

Speaking during roundtables at various places, Dhruv Singhal, Senior Director Sales Consulting, Oracle India said, “The two most visible benefits of cloud computing are speed and cost. Through self-service access to an available pool of computing resources, users can be up and running in lesser time. Making adjustments to computing capacity also becomes faster, due to the elastic and scalable grid architecture. Since cloud computing is a pay-per-use model, operates at a high scale and is highly automated, the cost and efficiency of cloud computing is very compelling.”

The event was attended by senior CIOs and IT decision makers in all five cities.


EVENT REPORT

Solution centre

Event Conquering Data Centre Challenges

With new technologies come new challenges for CIOs to manage the data center. Dell, meanwhile, is helping CIOs to create an efficient data centre.

The group sessions with IT heads as part of Dell’s product demonstrations during ‘Conquer Datacentre Management Challenges’ workshop, in progress.

IT Heads join to watch the product demonstration in separate groups during Dell’s workshop on ‘Conquer Datacentre Management Challenges’.

The IT Head from the audience trying to find answers to datacentre related challenges from Dell executives during the Q&A.

Suhas Mhaskar, GM-Corporate IT, Mahindra & Mahindra Limited making his comment at the session in Mumbai.

Sitaram VV, National Manager, Enterprise Solution Marketing, Dell India, Viswanathan Balakrishnan, Product Manager-PG Enterprise Marketing, Dell India R&D Centre and Ramesh Rajgopalan, Director, Solutions Engineering, Dell India respond to audience queries as part of Q&A.

Sundar Ram, VP, Technology Sales, Oracle APAC, presenting Oracle's Architectural Framework during the roundtable in New Delhi.

In an attempt to underline the challenges faced by Indian organisations with regard to their datacentre management and find some intrinsic solutions, CTO Forum hosted a focused event, Conquer Datacentre Management Challenges Workshop, in Bangalore on March 25, 2011. In partnership with Dell India, the Forum initiated a full day Virtual Integrated System (VIS) workshop, which revealed key strategies that can help in overcoming the challenges.

Surprisingly, the datacentre management challenges were more attributed to virtualisation and cloud computing, which is becoming pervasive across datacentres. The topic drew attention from CIOs and Senior IT managers who sought answers to address the inherent challenges that they face. There were 42 participants who raised key concerns around how virtualisation and cloud computing brought in a new set of challenges.

Dell India’s Head –R&D, (pls mention the name) welcomed the gathering by emphasising upon the transformation that the company has undergone in its R&D focus over the years. “Dell, which has been traditionally known as the hardware company, has made a conscious effort to be known as a solutions company that can provide complete packaged solutions to its customers,” he said.

The key point of discussion was to understand how Dell enabled its customers in addressing data centre challenges while making provision for next generation heterogeneous platforms with Dell solutions. Some of the key solutions revolved around new consoles, embedded management, toolkits and utilities as part of Dell’s Open Manage Systems Management portfolio.

Starting his key note by listing out the challenges concerning data centre infrastructure including backup, hardware, software, DR, and entire infrastructure lifecycle, Sitaram VV, National Manager Enterprise Solution Marketing, Dell India, threw up certain key solutions that could respond to the concerns. While unified storage, storage virtualisation, open tools and utilities formed the core, the most recommended solution that Sitaram stressed upon was the Dell Virtualised Integrated System (VIS) architecture that created a path to data centre transformation.

According to him, the efficient data centre could be driven by the VIS, which is based on open architecture and standardised platforms, providing a modular approach to the process of streamlining virtual environments. Another way of driving efficiency, as Sitaram emphasised, would be around simplifying the technology infrastructure using virtualisation and consolidation to eliminate redundancies and pool resources to improve operational efficiency.

Viswanathan Balakrishnan, Product Manager - PG Enterprise Marketing, Dell India R&D centre, another key speaker at the workshop, guided the audience through various solutions that Dell carries as part of its offerings. As per Balakrishnan, the key benefit that Dell brought to the customer table is its strategic partnership with varied technology vendors like Symantec, VMware, Microsoft, EMC etc., which helped in addressing modularity and open management aspects.

The floor was then open for a Q & A session with the customers, who discussed their specific challenges under varied technology environments.

The forum also initiated an exclusive group session for demonstration of Dell solutions. The audience was spread across five groups, G1 - G5, with live product demos around VIS (AIM/Creator Live product), embedded management, industry leading consoles integration and Open Manage tools & utilities. The VIS architecture was showcased in VIS Delivery Centre with VIS infrastructure performing around Intelligent Hardware and driving the data centre transformation.

Participants were introduced to embedded management solutions and their performance, including iDRAC6, Lifecycle Controller, Unified Server Configurator and other solutions that controlled the server operations. Dell executives demonstrated the firm’s comprehensive consoles such as IT Assistant, Dell Management Console, Chassis Management Controller and partner consoles and showcased their features in driving efficiency.

Open Manage tools and utilities formed the highlight of the event, as it centred around the legacy OS and efficient management of Dell servers from within the OS in an Open environment. The tools included OpenManage Server Administrator, System Build & Update Utility, System Update Utility, Deployment Tool Kit, Repository Manager and Dell Firmware Update Packages.

Dell acknowledged the partners by presenting souvenirs.


VIEWPOINT Steve Duplessie | steve.duplessie@sbcglobal.net

The Hatred of Software Licensing

I’m no expert in this area so this is just what I took out of a few heated conversations. The hatred seems to come in two categories.

First, people hate CONFUSING licensing. This appears to mainly be the fault of the behemoths who buy up tons of little guys and then have a hodgepodge of software, each with a myriad of licensing options and/or requirements. This, I understand. People hated Symantec/Veritas for this reason, but I don’t hear much about that anymore, so I’m guessing they simplified things. I do remember back in the day when it was just Veritas, users hated the complicated licensing mess Veritas handed them. And back then, Veritas only had a handful of different products. I can only imagine the nightmare that happens when you are as large and diversified as Symantec (or CA, or Microsoft, or any other mega-huge software company). I also remember taking the better part of a day trying to figure out exactly what we needed to buy when little 10 person ESG dropped Notes for Exchange. I’m still not sure we did it right.

The CONFUSION hatred is obvious–as is the solution: stop thinking that just because YOU (people who work for the vendor and deal with it all day every day) understand your ridiculous licensing requirements, those of us who don’t spend every waking moment of our lives thinking about that do. We don’t. No one in the outside world wants to be a licensing expert on your software. Cut it out. We have real jobs. Dealing with licensing b.s. distracts us from those jobs.

The second camp invokes even more hatred and vitriol: the F* You licensing Policy. Let’s use a totally random example, say, Oracle. Oracle licenses by the amount of cores in your cluster. More cores, more dough. This ALMOST was reasonable when all machines were effectively single stacks, but today it’s a downright crime. Have a 64 core machine? Using 32 cores to run Oracle and the other cores to run web servers? Tough crap. Pay for 64. Either turn them off, or pay for them, whether you use them or not. You end up with the most expensive 32 core machine on the planet.

Illustration BY Shigil N

Rarely can you find a topic that invokes more hatred in IT than licensing policies.

About the author: Steve Duplessie is the founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com

Running virtualisation so you can use all that extra horsepower that you gained by consolidating your servers into a far more efficient package? Good for you, except now you have to go explain to the CFO that while you saved a ton of dough via consolidation and virtualisation, it’s going to Larry the Benevolent, not to your business. Revolutions occur for much less. If this isn’t the modern day tech equivalent of “let them eat cake,” I don’t know what is. It’s rude and insensitive, and it provides ZERO value back to the buyer. I mean no one likes to pay a billion bucks for licensing, but at LEAST you get to run the app. This is paying a billion extra bucks, for NOTHING. Every empire gets toppled eventually. Those who are hated by their people topple faster. Then people smash your picture with their shoes. There are companies designing (redesigning) servers just because of this problem. Why do I have to have folks spend time and money redesigning perfectly good servers just because one company won’t play nice with the rest of us? Because they can. And that sucks.

