CIO Magazine August 2011 Issue by Sreekanth Sastry

VOL/06 | IssuE/10 parag deodhar, Bharti AXA general Insurance, says criminal profiling can help defeat the trend of planting snitches in companies.

BuSineSS

technology

leaderShip

IndIa’s most exhaustIve InformatIon securIty survey

Inside the

Criminal

Mind They broke into your enterprise. Now it’s time to hack into their minds. Page 44

August 15, 2011 | `100.00 ww w.CIO.IN

Cover_August2011_Final.indd 84

View from the top Marten Pieters on It’s role in growing Vodafone.

At the Speed of Light RInfra fixes power cuts 80 percent faster.

Page 64

Page 74

8/12/2011 8:51:36 PM

Juniper’s revolutionary approach to network architecture is setting the stage for the next wave of innovation.

Game changing ideas are happening everyday. But in the connected world, those ideas often struggle to see the light of day, due to the enormous computational demand needed to make them real. Of course, this level of compute power is often held up by one thing: the network itself. Until now. The Juniper approach delivers unprecedented network performance. The type of performance that’s ready for new ideas and new development everywhere the network works. It’s time for a new network. To learn more, visit juniper.net/apacdatacenter

JN_IN_IDG_FP_V1.0.indd 3

Þ Inbound Response Management Priya Sharma, 1800 209 3062, 022 - 67083830, Juniper@dnbindia.in

7/27/2011 1:16:34 PM

From The Editor-in-Chief

Publisher, President & CEO Louis D’Mello E d i to r i a l Editor-IN-CHIEF Vijay Ramachandran EXECUTIVE EDITOR Gunjan Trivedi Features Editor Sunil Shah Senior Copy Editor Shardha Subramanian Senior correspondents Anup Varier, Sneha Jha, Varsha Chidambaram Correspondent Debarati Roy Trainee Journalists Jay Anil Maniyar, Shweta Rao, Shubhra Rishi Product manager Online Sreekant Sastry

Keep It Flowing

The culprit is the data or information gap within the supply chain which makes a mockery of all forward planning.

Custo m Pu b l i s h i n g

“We buy only enough to fit into the plan of production… if transportation were perfect and an even flow of materials could be assured, it would not be necessary to carry any stock whatsoever. ” – Henry Ford

When Henry Ford wrote these lines in 1922, he was describing what decades later was referred to as a just-in-time inventory strategy. A strategy, which cuts down waste, aligns production with demand and dramatically improves efficiency and ROI for an organization. And, the best bit about is that it works just as well as whether the economy’s booming or in a depression. Over the years many organizations, typically in the manufacturing sector, have adopted it in some form or the other—from the Piggly Wiggly supermarket chain’s restocking policy to the iconic Toyota Production System that it inspired. And, of course, the acronyms and jargon that have accompanied it are legion: stockless production, continuous flow manufacturing (CFM), world class manufacturing (WCM), lean manufacturing... The benefits are undoubtedly high. And, yet, there are issues that can derail the system. The major problem with just-in-time operations is any large change in supply or demand leaves both suppliers and downstream consumers vulnerable. Among other terms this is referred to as the ‘Bullwhip Effect’—when distorted information within a supply chain causes excessive inventories, lost revenues, messed up production schedules and bad customer service. I wonder how many organizations, despite full order books, are groaning under stock pile-ups or missed delivery schedules or customers that are refusing to pick up orders. The culprit, quite obviously, is the data or information gap within the supply chain which makes a mockery of all forward planning. While not advocating spending on technology for its own sake, I believe that creating capabilities that improve reaction time not only increases business confidence, but it also reduces operational cost, which pays for these investments. How is your organization geared up to maintain information flow? Write in and let me know.

Principal Correspondents Aditya Kelekar, Gopal Kishore, Trainee Journalist Vinay Kumaar Design & Production Lead Designers Jinan K V, Jithesh C.C, Vikas kapoor Senior Designers Pradeep Gulur, Unnikrishnan A.V. Designers Amrita C. Roy, Sabrina Naresh, Lalita Ramakrishna Production Manager T. K. Karunakaran Ev e n t s & A u d i e n c e D e v e l op m e n t Vice President Events Rupesh Sreedharan Sr. Managers projects Ajay Adhikari, Chetan Acharya, Pooja Chhabra Asst. manager Tharuna Paul Senior executive Shwetha M. Management Trainees Archana Ganapathy, Saurabh Pradeep Patil, Sales & Marketing President Sales & Marketing Sudhir Kamath VP Sales Sudhir Argula Asst. VP Sales Parul Singh AGM Marketing Siddharth Singh Manager Key Accounts Kalyan Basu, Minaz Adenwala Sakshee Bagri Manager Sales Varun Dev Asst. Manager Marketing Ajay S. Chakravarthy Associate Marketing Dinesh P. Asst. Manager Sales Support Nadira Hyder Management Trainees Anuradha Hariharan Iyer Arpit Mudgal Benjamin Anthony Jeevan Raj, Javeed Budhwani, Rima Biswas Finance & Admin Financial Controller Sivaramakrishnan T. P. Manager Accounts Sasi Kumar V. Asst. Manager Credit Control Prachi Gupta

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

Vijay Ramachandran, Editor-in-Chief vijay_r@cio.in 2

Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.

IDG Offices in India are listed on the next page

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Content,Editorial,Colophone.indd 2

8/12/2011 8:31:56 PM

CUSTOM SOLUTIONS GROUP CHECK POINT

EXECUTIVE VIEWPOINT TRADITIONAL SECURITY SOFTWARE LACK VISIBILITY IN THE CLOUD Bhaskar Bakthavatsalu from Check Point, talks about alternative to disparate, stand-alone security systems, as security environments become more complex.

BHASKAR BAKTHAVATSALU Regional Director, India & SAARC Check Point Software Technologies

How is it possible to bring together cloud computing and security? Cloud computing represents a very big challenge for security, and enterprises should be made aware of the risk of plunging too quickly into cloud computing while ignoring critical security considerations. Most companies take to cloud services for the business advantages they provide, so that they can achieve more with less. This attribute is achieved by infrastructure-sharing through virtualization. It is important to consider the security controls that support virtualization without compromising performance expected from data centres. Last but not the least, operations security is critical, hence monitoring security events, logs retention, and incident handling should be based on ITIL or other best practices frameworks. Most public cloud initiatives operate on a high level of trust in their security provider, but there is no strong legal framework backing this trust. On most occasions, it is not very clear in which part of the world the data is. According to Morgan Stanley’s 2010 CIO Cloud survey, data security and the loss of control are enterprises’ biggest concerns when it comes to cloud computing, followed by data portability and ownership, regulatory compliance and reliability. Security, after all, is about control, and enterprises should be careful as to not give up their control of business-critical applications.

Is there any difference in security measures for the private and the public cloud? On a cloud platform, there are several methods to ensure the security of the connection and authenticate it, but not many ways to ensure that the data is isolated and protected from other users. In a private cloud, three important aspects of security need to be considered and deployed. These are virtualizing the security controls, securing the virtualization and virtualizing the security management. In the public cloud, this becomes difficult, since the environment is not always open and it is shared. How does the cloud affect the market of security products – does it require a change for existing arrangements and preparation of the new solutions? One cannot import existing security tools from the physical to the virtual infrastructure, so securing cloud environments requires specific security policies and solutions. Virtualization creates an additional layer within the IT infrastructure, where traditional security software, designed for physical environments, lack visibility. This can cause potential vulnerabilities on the network if appropriate risk attributes are not realized and resolved. Operations’ security framework needs to facilitate stronger ‘segregation of duties’ and effective standard operating procedures to ensure smooth functioning and faster recovery, in case of any incident or disaster. Virtual environments violate the fundamental assumption of the strong perimeter defense, and hence traditional security measures become obsolete. Virtualization and cloud computing are also dynamic environments, which further raise the bar for protection. While providing

security for virtual environments, enterprises must take these dynamics into account. As a leader in security solutions, what solutions do you offer for the cloud? Check Point’s security solutions allow IT to move faster towards cloud computing by leveraging the benefits of virtualization. Check Point today extends its leadership to virtualized environments with solutions that are easy to deploy. A prime example would be Check Point’s ‘Virtualized Security Gateway’ that provides comprehensive security for virtual environments. Check Point’s ‘Software Blade Architecture’ delivered with a variety of options, includes the industry’s fastest security appliance. This offers scalable performance for data centers and is capable of an unprecedented performance of more than one terabit per second of firewall throughput. The appliances deployed at the perimeter of the Cloud Infrastructure offer the NSS Certified protections of up to 97.3% effectiveness on Intrusion Prevention along with the first NSS certified Next Generation Firewall. Depending on the services the cloud service provider is delivering to the customers, additional software blades besides the firewall, IPS, and gateway antivirus can be deployed. These include URL filtering and application control for Web 2.0 security and identity access. This interview is brought to you by IDG Custom Solutions Group in association with

From The governing board

Gov e rn i n g BOARD Alok Kumar VP & Global Head-Internal IT& Shared Services, TCS

The Next Wave Social media and mobility are sweeping across corporate IT promising to bring tectonic shifts in the way IT is consumed. Today, social media and the consumerization of IT are invading enterprises like never before. Although these technologies are still in the initial stages of enterprise penetration, potentially they can bring about sweeping changes to the enterprise IT landscape. And they are throwing up a host of opportunities and challenges before organizations. For the first time, they will give enterprise IT the potential to link enterprise applications and human interactions to IT platforms. In terms of security and control, social media and mobility will create a new set of paradigms for managements. Enterprises will need to devise effective ways to regulate something which is by definition viral. One of the things that organizations need to comprehend in this new paradigm is that a straitjacket security model will not deliver. Enterprises will also have to fundamentally re-architect their security infrastructure to manage mobility devices. It calls for a lot of self-regulation and self-policing. I think the biggest impact of all this is going to be that in other parts of enterprise IT: End users will start to expect the same paradigm of transparency, self-regulation, and self-policing. Social media and mobility will open up new frontiers. From an internal perspective, mobility will bring productivity gains by providing employees access to corporate resources outside the office and beyond work hours. The trend will fuel new expectations from enterprise users. The IT department will have to take on the onus of managing these mobility devices. End users will expect applications to be available on their mobility devices. This will require additional effort in terms of designing user interfaces. To meet this requirement, CIOs will have to recruit user interface specialists or hire an outsourced service. The consumerization of IT will change the status quo of enterprise IT. It will expand the scope of corporate IT. It will increase the awareness of new-age technologies among end users, making it easier to push newer generation solutions to enterprise users. I believe that the role of senior management is fairly critical in the adoption of both these technologies. Senior management should be the proponents of these technologies. There is not greater advertisement than having a CEO access a BI application on a mobility device as he travels the country. Itâ&#x20AC;&#x2122;s a clear indication to the salesforce about the efficacy of these platforms.

Amrita Gangotra Director-IT (India & South Asia), Bharti Airtel Anil Khopkar GM (MIS) & CIO, Bajaj Auto Atul Jayawant President Corporate IT & Group CIO, Aditya Birla Group C.N. Ram Group CIO, Essar Group Devesh Mathur Chief Technology & Services Officer, HSBC Gopal Shukla VP-Business Systems, Hindustan Coca-Cola Manish Choksi Chief-Corporate Strategy & CIO, Asian Paints Murali Krishna K SVP & Group Head CCD, Infosys Technologies Navin Chadha IT Director, Vodafone Essar Pravir Vohra Group Chief Technology Officer, ICICI Bank Rajeev Batra CIO, Sistema Shyam Teleservices (MTS India) Rajesh Uppal Executive Officer IT & CIO, Maruti Suzuki India S. Anantha Sayana Head-Corporate IT, L&T Sanjay Jain CIO & Head Global Transformation Practice, WNS Global Services Sunil Mehta Sr. VP & Area Systems Director (Central Asia), JWT V.V.R. Babu Group CIO, ITC

Bangalore: Geetha Building, 49, 3rd Cross, Mission Road, Bangalore 560 027, Phone: 080-3053 0300, Fax: 3058 6065

Manish Choksi is Chief-Corporate Strategy & CIO, Asian Paints

Delhi: New Bridge Buisness Centers, 5th and 6th Floor, Tower-B, Technolopolis. Golf Course Road, Sector 54 Gurgaon- 122002, Haryana Phone: 0124-4626256, Fax: 0124-4375888 Mumbai: 201, Madhava, Bandra Kurla Complex,Bandra (E), Mumbai 400 051, Phone: 022-3068 5000, Fax: 2659 2708

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Content,Editorial,Colophone.indd 4

8/12/2011 8:32:01 PM

contents august 15, 2011 | Vol/6 | issue/10

Case Files 74 | reliance infrastructure giS For Reliance Infrastructure, repairing cut cables quickly and creating power infrastructure within 30 days of a customer request wasn’t easy. But its IT head knew that only IT could deliver speed. Feature by debarati roy

80 | etisalat Crm Under pressure to break into the Indian telecom market, Etisalat DB Telecom takes a route none of its rivals has: A partner relationship management system. Feature by sneha Jha

COVER: PHOTOGRAPH BY MERI YAADEIN STUDIO / COVER DESI GN BY VI KAS KAP OOR & U NNIKRISHNAN AV

82 | Jones Lang LaSalle

4 4

CLoud SCm Using a cloud-based SCM application, project managers at property consultant Jones Lang LaSalle spend more time delivering results and less time doing routine chores. Feature by anup Varier

44 | Security

6 4

Cover STorY | CriminaL mindS Cyber criminals continue to outsmart technology and stupefy both governments and enterprises with their ingenuity. It’s time to beat them at then own game: Hack into their minds. Feature by by gunjan t trivedi, Varsha Chidambaram, and debarati roy

Survey SurveY | gLobaL inFormaTion SeCuriTY SurveY Enterprises worldwide are pulling past their economic troubles, and that’s reflecting in the security function. Companies in India are faring much better than many others, even as a new normal sets in. Compiled by sunil shah and shardha subramanian vieW From The ToP:

VOL/6 | ISSUE/10

“it plays a significant role in capacity planning and making sure that we can serve more customers,” says marten Pieters, md & CeO, Vodafone essar.

REAL CIO WORLD | a u g u s t 1 5 , 2 0 1 1

contents

(cont.) departments 2 | From the editor-in-Chief Keep It Flowing By Vijay Ramachandran

4 | From the Governing Board IT Trends | The Next Wave By Manish Choksi, Asian Paints

11 | trendlines

5 7 4

20 | alert

68 | Argue with Your CEO—And Win

FeaTure negoTiaTion Can’t persuade the CEO to approve your project? These 13 tips, culled from current and former CIOs and communication consultants, will get the CEO to see your perspective when arguments about IT spending ensue. Feature by meridith levinson

Columns 26

Communication |Six Mistakes You Still Make Patches |Zero-day Exploits Are Over-hyped

103 | essential technology Colocation | Living Together Virtualization | Fast Forward

112 | What We’re reading Book Review | The Talent Masters By Vijay Ramachandran

| Cios and the Cyber Law

CYber LaW The long hands of India's cyber laws just got longer and whether you like it or not it affects you. Column by Pavan Duggal

| audit agitation

underCover oFFiCer What do you do when your customers want you to do an independent security audit and your CEO doesn’t? Column by Anonymous

346

| The Proactive Cio

STraTegiC Cio If you’re anything less than a proactive IT leader, then you’re a leader only in your eyes. Here’s how to become that person. Column by Al Kuebler

6 a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

4 0

aLTernaTive vieWS: is there a glass Ceiling in it? they pilot planes and they run business. But is a glass ceiling in It limiting women? two CIOs debate.

VOL/6 /6 | ISSUE/10

The spirit of innovation Our innovations are driven by our desire to be ahead of the competition as well as satisfying our customer’s needs. We are recognised for having the most advanced and complete range of UPS systems on the market, due to our commitment to reinvest 10% of our annual turnover into R&D. > > > > > >

UPS from 550 VA to 5400 kVA Static Transfer Systems (STS) DC and AC power systems Communication software Power management solution Battery management solution

PUB 7570133

TRUE ON-LINE DOUBLE CONVERSION

SOCOMEC UPS INDIA PVT LTD · B1, II Floor, Thiru-Vi-Ka Industrial Estate · Guindy, Chennai - 600 032 · Ph: +91 44 39215423 · Mob: +91 9790968731 · info.ups.in@socomec.com www.socomec-ups.co.in · Toll Free No. 1860 200 0808

pub_7570133_222x276.indd 1

02/08/11 09:41

Cio online

.in CIO adverTiSer index

alcatel Lucent - EMg

42 & 43

[ CI O MENTOR ]

Check Point software technologies t

3+ Flap

Dell India

19, 71 + Belly Band

learn from the best

HID India

It's hard being a leader. You have to juggle multiple roles, align with business, and stay on top of multiple trends. But you don't have to do it alone. t take advice from CIO's governing board. Read on the mentor tab on cio.in.

Hitachi Data systems India

HP Converge Infrastructure

HP Networking

38 & 39

HP storage

IBM India

Juniper Networks India

IFC+Flap

Riverbed t technology India

IBC

Rsa

sas Institute (India)

schneider Electric India

23 & 37

singapore telecommunications t

9 & 10

socomec

[ BO O K CLUB ]

[ DEBATE ]

is there a glass Ceiling in it? We invited two CIOs to kick-start a debate on career strategy. Read all about it in alternate Views (page 40). Which side are you on? We also have more debates for you on www.cio.in Does Age Come in the Way of Technology Adoption? ayes Vs Nays a Business-IT Alignment: Are Templates a Solution? ayes Vs Nays a >> www.cio.in/cio-debates

Conversation starter

symantec software solutions

tata Consultancy services t

83 to 90

t tata t teleservices trend Micro t

28 & 29 security Booklet

t tulip t telecom

tyco Electronics Corporation India t

Books have been known to spark conversations and on page 112 you can find the genesis of one. Learn what your peers think of a book and then visit the all new CIO Book Club section online and join the conversation with your peers.

>> www.cio.in/bookclub

[ CEO VIEW ] it's happy to help

Find out how Vodafone Essar's CEO & MD Marten Pieters is taking It's help to serve its increasing customer base and making it the country's second largest mobile service provider.

>> www.cio.in must read @ cio.in 8

>> Alert: six security Mistakes You still Make >> Column: security's audit agitation >> Feature: How to argue with Your CEOâ&#x20AC;&#x201D;and Win

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Corrigendum The custom case study on Trent (Stocktaking Simplified at Trent), was carried inadvertently without any approval from Mr. Vikram Idnani, Head-IT, Trent Ltd. We sincerely regret this, and the consequent distress caused to both Mr. Idnani and Trent Ltd.

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

VOL/6 | ISSUE/10

8/12/2011 8:32:49 PM

EXECUTIVE VIEWPOINT BILL CHANG Executive Vice President (Business), Singapore Telecommunications Ltd Bill Chang joined SingTel in November 2005 as the Executive Vice President of Business Group. The Business Group serves SingTelâ&#x20AC;&#x2122;s domestic and global corporate customers with a full range of InfoCommunication Technology (ICT) services. Bill has more than 18 years management experience in leading ICT companies and is actively involved in industry committees, task forces and advisory work.

Fully Managed Services for END-TO-END COMMUNICATION NEEDS Enterprises today require ICT solutions that can help them sustain growth, scale up quickly and reduce costs and complexity at the same time.

Bill Chang says that SingTel provides innovative cloud based ICT services in an elastic pay as you grow model.

Read Full Interview

Custom Solutions Group singtel

What are the innovative solutions that are currently driving the ICT segment? Previously the IT industry solved problems to help customers become more agile through outsourcing. At the same time, the telco industry solved a similar set of challenges via managed services. What is happening is that these two are now beginning to converge. Enterprises today require ICT solutions that can help them sustain growth, scale up quickly and reduce costs and complexity at the same time. Innovation is a critical component of our ICT strategy. Over the years we have continuously expanded our ICT offerings with innovative business propositions to help organizations increase agility, improve productivity and reduce cost. We have transformed into a leading Managed Services and Cloud Solutions provider in Asia Pacific. In fact, SingTel was named as the best Managed Service Provider in APAC by F&S in 2010 and 2011 and, by ComputerWorld – Hong Kong, in 2011. What are the major challenges faced by organizations in implementing ICT solutions? IT departments of enterprises have become more critical and strategic to the enterprise and are responsible not only for managing the enterprise’s technology infrastructure, but also for implementing technologies that will optimize resources, improve business processes and help the organization become much more efficient. A major challenge faced by organizations today is to manage multiple vendors providing different aspect of the ICT solutions (telecommunications, software, hardware, systems integration). This includes ensuring network security, compliance, business continuity and the need to upgrade or replace their IT systems to keep up with the technology changes in the business environment. To avoid such hassles, many organizations would prefer to deal with a single solutions provider that offers end-toend managed services. What are SingTel’s offerings in the world of managed ICT services? Through our innovations, SingTel offers enterprises a comprehensive suite of managed ICT services solutions over our secure, reliable and award winning IPVPN network. These industry leading services

include Managed Hosting Services, Managed Converged Communication Services, Managed Security Services, Managed Network Services and Managed Application Performance Services. To help enterprises harness the full potential of ICT services and to increase the productivity of their knowledge workers, scale their operations cost-effectively and create sustainable growth, we had taken the bold step to be one of the first few telcos to introduce Cloud Computing solutions with SaaS and IaaS, which offer cost savings of up to 90% and 73% for businesses, respectively.

Over the years SingTel has continuously expanded its ICT offerings to help companies improve productivity and reduce cost.

Cloud computing is leading the shift for enterprises to move from a capex model to an opex model. How is SingTel driving this shift and delivering ICT services on demand? Cloud Computing has been one of the hottest topics in the ICT industry, with a stream of hardware, software, and other networking products being launched. The financial crisis combined with a need to change the way ICT services are delivered, in an elastic pay as you grow model has driven the growing interest in cloud based services. With cloud services adoption, enterprises can expect to gain key benefits in terms of costs and efficiency and improve their time to market. The value of cloud computing goes beyond technology: for businesses in the region and around the world, it is an increasingly vital business resource for swifter time-tomarket and costs reduction. To meet the increasing demand in cloud computing solutions, SingTel PowerON was launched in September 2010. It is an end-toend suite of cloud-based services covering Applications on-demand, Infrastructure ondemand, Connectivity on-demand, Managed Services on-demand.

PowerON offers an unparalleled combination of flexible and scalable computing resources delivered via our private and highly secure network. Our professional services and partnerships with industry leaders provide cloud aspirants with peace of mind and an intelligent, scalable and robust foundation for growth. These help enterprises to achieve greater business agility, improve productivity and lower costs significantly. To quote Joseph Ferri, Chairman of the Judges at the Asia Communication Awards, “SingTel was a worthy winner of the Best Cloud Service at the 2011 Asia Communication Awards for their SingTel PowerON service. The provision of cloud based services marks a major strategic shift for network service providers as, in addition to network operations, they move to become service organisations. In this respect, SingTel PowerON was a very strong entry offering a one-stop-shop for businesses and already promoting a satisfied customer base.” Going forward, what are SingTel’s plans for the Asia Pacific region? SingTel has the most ambitious plan among telcos in the region to move beyond connectivity. Our strategic objective is to be the leading “ICT experience provider,” a one-stop shop for ICT services for enterprises in Asia-Pacific, and a leader and shaper in cloud services. SingTel has made an early entry in the market on multiple fronts. Our Managed Services and cloud computing thrusts are starting to pay off. Our attitude to service development through innovation and customer experience focus is helping businesses to reduce complexities and costs, yet, increase their agility and go-to-market capabilities. These are the key winning formulae for businesses in the Asia Pacific region.

For more information, visit info.singtel.com/large-enterprise or Ipvpn.asia

This Interview is brought to you by IDG Custom Solutions Group in association with

EDITED BY sharDha suBramanIan

new

hot

unexpected

India Vs America: Whose Code Is Best?

QUICK TAKE:

—By Meridith Levinson

It in high definition

t e c h n o l o g y There’s TV over the Internet, there’s TV in your smartphone and then there’s the idiot box in your living room. But with the arrival of High-definition (HD) TV, the idiot box has gained respect. With over 30 HD channels in India, HD TV has enhanced user experience. And increased IT’s workload. Varsha Chidambaram spoke to Venkat Iyer, sr. VP-IT, STAR India, to understand how he is it taking on the challenge.

What’s the future of HD TV in India and how are you preparing to meet it? Today, we have four channels on HD. Going forward, we will migrate more channels to HD based on business needs. Also, quite a few of our channels are run from regional locations like Kolkata and Chennai where production facilities are located. Hence, we have to create additional infrastructure at all these locations. What new IT challenges does HD TV bring? The size of standard definition (SD) video of say 30

Vol/6 | ISSUE/10

on mainstream programming languages, such as C, Java and SQL, where they scored eight percent higher on C and nine percent higher on Java and SQL. Gild's data shows that American software developers are particularly good at Web programming. Not surprisingly, American developers also have a better grasp of the English language, as noted in their scores on tests of their English communication skills, which were 33 percent higher than Indian developers. "If I'm a CIO looking to hire programmers in India who are going to be working on mainstream programming languages, I'll find good people there. If I'm looking for Web programmers, I'm better off looking for those people in the US," says Sheeroy Desai, CEO, Gild.

IllUStratIon by pradEEp gUlU r

If there were ever an IT Olympics, in which software developers could compete to solve programming problems, it would take place on Gild, an online career development community where IT professionals from around the world do just that. Based on the results of Gild's various assessments, the site recently compared Indian programmers' math, logic, software development and communication skills with those of American programmers. According to Gild's data, Indian programmers appear to be better at math and logic than American programmers. The Indian developers who participated in math and logic assessments outscored their American counterparts by 11 percent. But Americans lead at software development. They slightly outperformed Indian developers

S o f t wa r e

minutes will be about one GB, but with HD it's about 20 GB. Hence, the bandwidth, storage and routing needs are way higher. Also, investment tends to increase. How are you tackling this problem? We have outsourced the production and post-production processes. However, we still need to take care of network requirements. There isn’t much time between a program being created and aired but within this duration the data (program) has to reach the uplinking site. We had to build network redundancy so that it reaches on time.

Venkat Iyer

Are you looking towards cloud computing as a solution to your storage woes? With HD storage requirements skyrocket. That's why our HD data is stored by our outsourced partner at an outsourced datacenter in a private cloud and a backup is archived within our organization. REAL CIO WORLD | A U G U S T 1 5 , 2 0 1 1

Does Hiring Shortterm Managers make sense? VOICES:

S t a f f M a n a g e M e n t Reliance Industries recently announced that it’s hiring short-term managers for its projects. Would a similar hiring model work for the IT department as well? Debarati Roy finds out whether CIOs would like to hire short-term managers for their projects.

Tech-savvy Talking Cars With consumers these days living ever more mobile and connected lives, it seems only natural that we'd move toward a more connected automobile. Last year about 4.5 million cars were sold worldwide with "telematics" (information systems joined with telecommunications), by 2015 that number will increase five-fold to about 22.7 million vehicles, according to IHS iSuppli. Connected cars will come in a variety of flavors. Some may allow for interaction with the vehicle, such as through voice-activated commands. Yet others could have a purely safety-related purpose, knowing when to send for help in the event of an accident. Most of the time, the radio acts as the entertainment and information hub of the automobile, and various peripherals hook into it. Pioneer, among other companies, is turning that concept on its head with the App Radio. Connect an iPhone or iPad to it, and all of the audio available on the mobile device pipes into the car. Pioneer has released an API to its partners so that they can develop apps to take advantage of the radio's capacitive touchscreen. You can use the screen to select, manage, and control audio streams. Considering people's increasing dependence on Internetconnected devices, it was only a matter of time before tech companies and automakers capitalized on the trend. One of the first companies to offer in-car Internet was Autonet Mobile. The company offers a unit that allows for easy installation into any vehicle and provides both 2.5G and 3G data coverage, with data rates similar to those of standard wireless broadband options. Voice-recognition technologies have improved enough to become an economical addition to the automobile, on a wide scale. Such systems are intended to allow the driver to interact with the car with minimal distraction and to perform many basic commands. One of the first companies to commit to voice recognition was Ford, which created the Sync platform through a partnership with Microsoft. The technology is available on a wide range of vehicles at prices that put it within the reach of many consumers. Other companies, such as Audi, BMW, and Mercedes, all offer similar systems, though mainly in higher-end models. —By Ed Oswald

V. SEETARAmAIAh, GM-IT, Paradeep

Phosphates

trendlineS

“This wont work for IT in the long run. To be able to contribute significantly, IT staff needs to work closely with an organization. Also, short-term managers would need to demonstrate extraordinary skills in adapting to new environments. Otherwise, projects will suffer due to the short-term manager’s assumptions, extrapolations and experiments.”

ShAILESh JOShI,

Head-IT, Godrej Industries “It’s a positive trend. The rate of attrition in the IT department is pretty high. Employees usually leave within a month’s notice and with short-term managers CIOs will know exactly when a mid or senior level manager is scheduled to leave. Hence, this will make way for a smooth hand-over.”

SUDhIR K. mITTAL,

CIO, Samtel “I don’t think hiring shortterm managers makes sense. The IT team hinges on the in-depth understanding of people and processes. And a constant change of people will disturb team building, and processes will suffer due to a lack of co-ordination. Also the constant process of learning and unlearning might hamper individual productivity.”

A U G U S T 1 5 , 2 0 1 1 | REAL CIO WORLD

Vol/6 | ISSUE/10

ImagE by ph otoS.com

i n n o vat i o n

Everything Cloud Computing Under One Roof

Introducing Cloud Zone on CIO.in where you can dive deep into the latest in the

Cloud Zone

world of Cloud Computing and stay updated on issues like public & private clouds, SaaS, PaaS, IaaS, DaaS, Managed Services and more.

Get In the Zone Today!

Brought to You by

Galaxy Tabs Get Onboard american airlines will deploy 6,000 new galaxy t tab 10.1 tablets onboard some of its international and transcontinental flights in business and first class later this year. the move marks the first time an airline has offered a branded tablet onboard an aircraft to provide in-flight entertainment, american officials say. american didn't reveal the maker of its current personal entertainment device used on its planes, which will be replaced with the galaxy t tab 10.1 on some of its international flights. the galaxy t tab 10.1 is Wi-Fi enabled and is the slimmest on the market at 8.6 mm (about a third of an inch). It runs the android 3.1 mobile operating system. customers will be able to use the devices to purchase wireless service on american's planes equipped with Wi-Fi to check e-mail and browse the Internet, among other functions. american and Samsung are working on which specific features it will offer without the need for Wi-Fi, such as movies, tV shows and games, a Samsung spokeswoman says. Samsung plans to customize the tablets for in-flight entertainment needs, including expanding the memory allotment, she says. a specific amount has not been determined. —by matt hamblen

The Chronicles of Indians Online Total Hours Spent Online: 12.5 (World average: 23.1) Average Age: 25-34 years Sex: males spend more time online

than females across age groups, except 35-44 year-olds.

Activities: Search/navigation, social networking, e-mail; downloads; community (the amount of time Indians spend in these activities beats world averages).

Most Visited Retail Sites: computer

software, consumer electronics, computer hardware, comparison shopping, books.

Source: State of the Internet in India, 2011

A U G U S T 1 5 , 2 0 1 1 | REAL CIO WORLD

Life Saver App There are hundreds of thousands of apps available, but can any of them save your life? A free app from Global Alert Network could possibly save your life, or at least get you to work on time. The Global Alert Network app is linked to the US mobile traffic and weather alert system. Traffic and weather alerts are not new, but the Global Alert Network app uses the GPS capabilities of your smartphone to deliver location-aware alerts that are relevant to you where you are right now, and it does so without needing any interaction from the user. The app runs in the background and "wakes up" to issue alerts based upon established account preferences. Traffic alerts are issued relative to your current location and route, and weather alerts are issued in relationship to your immediate surroundings. The Global Alert Network website explains the unique value of the app. "There are no keys to push, no other applications to launch, and no need to touch the phone at all." This is especially valuable for alerting users of impending traffic or weather issues without distracting them while they are driving. Another app that aids navigation is the Garmin StreetPilot. It uses real-time traffic conditions and automatically re-routes people around any backups to keep them moving and get them to their destinations on time. But, that functionality only works if you are actively using the Garmin app for navigating. It doesn't provide any value if your iPhone is sitting idle. A recent University of Utah study found that drivers on mobile phones are more impaired than drivers with blood alcohol content. Other studies report that distracted driving has passed alcohol-related incidents to be the number one killer of teens. An app that can alert you to impending serious conditions without taking your focus off the road could be a lifesaver—for you, and the vehicles around you.

Mobile appS

—By Tony Bradley

Vol/6 | ISSUE/10

InFograp h by p radEEp gUlUr

trendlineS

deviceS

CUSTOM SOLUTIONS GROUP RSA

CIO 2 CIO

TAKE A HOLISTIC APPROACH TO AVOID APTs

Vishal Salvi of HDFC Bank talks about what organizations can do when APTs go mainstream, based on the recent report by the Security for Business Innovation Council, a group of industry’s top security leaders from Global 1000 enterprises to discuss security concerns, convened by RSA.

VISHAL SALVI, CISO & Senior VP, HDFC Bank As the CISO & Senior VP of HDFC Bank, Vishal is responsible for driving the InformationSecurity strategy and its implementation across HDFC Bank and its subsidiaries. His strong academic background and experience in the IT security industry has helped HDFC reap various business benefits.

What are the most prevalent threats for data in Indian organizations? It is not easy to specify just one or two security threats as significant because almost all of these attacks are combinations of technology and social engineering. In fact, in most of the high profile security breaches that have taken place, the primary component has been people and not technology. This is the reason the industry has to strengthen its focus on training employees and make the right changes within policies and frameworks, so that the employees do not fall prey to security threats. What are the inherent weaknesses in the IT infrastructure and how can organizations strengthen it to avoid advanced persistent threats (APTs)? The current challenge with information security is the amount of change and innova-

tion taking place in the IT landscape. These challenges are widespread among the areas of cloud computing, server virtualization, IT consumerization and the exponential growth of data. This is certainly magnifying the challenges in terms of security design. Hence, information security is playing a catch-up role in terms of ensuring security by identifying gaps and trying to fix them as and when they manifest. Also, awareness on the need for secured practices, with respect to data, is not ingrained in the human mind by default. This gives rise to the need for proper employee training on the ‘do’s and ‘don’ts, when it comes to securing sensitive data. And with the penetration of social media platforms into enterprises, the line demarcating personal and official information has become hazier. So, organizations need to change their perspective about this whole challenge and take a holistic approach to prevent APTs. How can large organizations manage APT incidents? There is no such thing as 100% security. There are nearly 23 different aspects that organizations need to concentrate on at any given point of time, in order to improve information security. None of these aspects can be ignored because they have the potential of becoming the weakest link in security. All that CIOs/ CISOs are expected to

LOOKING THROUGH THE MAGNIFYING GLASS - THE RSA VIEW The distinction between “conventional threat” and an “advanced persistent threat” is not clear cut. The SBIC report describes APT as a continuum rather than an entirely distinct category. Also, the line between conventional and advanced threats changes over time as adversaries adapt techniques and expand goals. APTs are highly targeted, wellfunded, well-researched, designed to evade detection, and multi-modal and multi-step (multiple vectors). While more conventional attacks might seek for example, credit card data by “combing the neighborhood” for organizations that leave the proverbial back door unlocked, today’s APTs focus on a specific mission to obtain high-value digital assets.

do right now is to learn from the recent APT attacks and strengthen areas that have been weak for a long time. Apart from this, they should also focus on building awareness strategies and take steps to change human behavior. Last, but not the least, all these improvements have to be carried out in months, than in years. How can CIOs go about convincing their respective managements to invest in improving data security? The recent attacks have created heightened awareness in the minds of business heads and IT heads. On the positive side, you can look at this as an opportunity to educate people about the impact APTs have on businesses and formulate strategies to build a comprehensive security solution. As far as IT is concerned, there are a lot of regulators who have been acting proactively to bring about the necessary changes. For example, the RBI has been keenly insisting on banks to improve their information security. That is exactly what the recent information guidelines, issued in April 2011, suggest. Even the TRAI has issued new guidelines for telecommunication industries to strengthen their information security framework. Given the above, it would not really be difficult to convince the management to take steps to strengthen data security.

This Interview is brought to you by IDG Custom Solutions Group in association with

trendlineS

i n t e r n e t Which gender reigns supreme in the world of online professional networking? According to new data from LinkedIn, it's the men across the globe. The reason: According to Nicole Williams, LinkedIn's connection director, women tend to equate networking with " schmoozing" or handing out business cards. "In reality," she says, "[networking] is about building relationships before you actually need them." To declare a winner, LinkedIn developed an online professional networking savviness ranking, a formula that examines the ratio of connections that men have versus those of women, and the ratio of male members to female members. LinkedIn also sliced the data by industry, surfacing some interesting

tidbits. In female-dominant industries, such as cosmetics for example, it's the men who, once again, beat out the women in online professional networking. According to LinkedIn, they're the ones sending out more invitations to connect and they have larger networks.

Super Botnet Strikes millions of pcs around the world appear to have been quietly infected by the dangerous tdSS 'super-malware' rootkit as part of a campaign to build a giant new botnet, researchers from security firm Kaspersky lab have discovered. malware and botnets come and go, but tdSS is different. First detected more than three years ago, tdSS (also known as 'tdl' and sometimes by its infamous rootkit component, alureon), it has grown into a multi-faceted malware nexus spinning out ever more complex and dangerous elements as it evolves. In recent weeks, Kaspersky lab researchers were able to penetrate three SQl-based command and control servers used to control the activities of the malware's latest version, tdl-4, where they discovered the Ip addresses of 4.5 million Ip pcs infected by the malware in 2011 alone. If active, this number of compromised computers could make it one of the largest botnets in the world. the tdl-4 malware has also added technical and economic capabilities to its features list, including some that are out of the ordinary for botnets, the researchers say. making use of the malware's bootkit design—it infects the master boot record of a pc to allow it to load before other programs—it attempts to clean rival malware from an infected pc, searching for up to 20 different malware types. this stops other programs interfering with its activities as well as hurting their commercial activities. "cybercriminals are trying to future-proof themselves," says fellow Kaspersky researcher, ram herkanaidu. —by John E dunn M a lwa r e

A U G U S T 1 5 , 2 0 1 1 | REAL CIO WORLD

Other top industries in which men are savvier online professional networkers include medical practice; hospital and healthcare; law enforcement; and capital markets. On the flip side, in male-dominant industries such as tobacco and ranching, female professionals are savvier networkers than their male counterparts. Other industries in which females dominate networking include alternative dispute resolution; alternative medicine; and international trade and development. LinkedIn data analysts say this could be because women have to work harder to break into male-dominated industries, and vice versa. A few areas in which men and women were equally as savvy: Market research, media production, dairy, individual and family services, and paper and forest products. Here's what you can do to increase your "savviness ranking," according to LinkedIn: Prepare before events. Before you attend a conference or networking event, review where other attendants work, what position they hold, their tenure at the company and if you have connections in common. Move beyond your networking comfort zone. Seek out groups based on what you're passionate about so you can meet professionals who share your interests. Give kudos to others. LinkedIn cautions that networking should not be solely about what you can get from others. Instead, treat your stream of connections' updates as your professional dashboard. If you see that a connection just got promoted or landed a new client, send them a message to congratulate them to start some dialogue.

—By Kristin Burnham

Vol/6 | ISSUE/10

Il lUStratIo n by p radEEp gUlUr

Job Networking: It's a Man’s World

BYOD: You Can’t Say No

trendlines

IT departments also seem unaware that people are using devices like smartphones and tablets to access company apps. CIOs say they thought 34 percent of staff were using a smartphone to access business apps. But 69 percent of workers say they used smartphones, whether personal or corporateowned, for business apps. Nor are IT departments moving to support mobile devices. Seventy-six percent of IT staff say they had no plans over the next 12 months to modify internal business apps for tablets and smartphones. An even greater proportion, 89 percent, had no plans to modify customer-facing apps for tablets or phones. Security is the biggest barrier to letting workers use their own devices at work, with 83 percent of CIOs saying security concerns were holding them back. IDC says CIOs should consider cloud or managed services to more easily manage those devices. "Consumerization of IT is happening whether IT supports it or not; 'just say no' obviously isn't working," IDC says. —By Nancy Gohring

illustration by pradeep gulur

More people are bringing their own tablets and smartphones to work but IT departments have been slow to support them and may not even be aware of the trend, according to a report funded by Unisys and conducted by IDC. IDC surveyed more than 2,600 information workers and 550 CIOs in nine countries and found that CIOs aren't aware of how many people use their own devices at work and how extensively they use those devices to access corporate applications. Eighty-seven percent of CIOs say workers get their smartphones and other mobile devices from the company, and that the company covers their costs. Yet more than half of employees with iPhones, Android phones and iPads say they bought the devices themselves, according to the survey. The use of employee-purchased devices is up compared to last year. IDC found that 40 percent of devices, including PCs, smartphones and tablets that people use to access business apps are owned by the workers. That's up from 30 percent last year. Nearly 10 percent of respondents say they use a personal tablet for work. IT M a n a g e m e n t

You’ve Got the Power and prefer you to others. The attraction may be based on warmth, wisdom, personality, shared experiences, common values or physical appearance. Universally, attraction power is one of the most potent power sources, and high ratings here can more than triple a leader's influence and effectiveness. How to Plug In: Take pride in your appearance. Go out of your way to be open, friendly, kind, and considerate. Show a sense of humor. Learn to tell a good story. Be yourself.

Here's a look at four power sources and ways to plug in and increase your professional voltage.

Career

Knowledge Power. Your knowledge power represents what you know and what you can do. It embodies your talents, skills and abilities, as well as your wisdom. Leaders who rate high in knowledge power are three times more influential than their counterparts. How to Plug In: Develop an area of distinctive knowledge, skills or capabilities. Apply your knowledge to achieve results or advance your organization. Write about what you know on blogs and in social media. Attraction Power. Your attraction power reflects your ability to draw people to you—to cause them to like you CIO.IN

Vol/6 | ISSUE/10

Trendline_July011.indd 17

Character Power: Your character power is based on others' perceptions of your honesty, integrity and humility. Regardless of who you are in every other respect, the power of character matters. Leaders need to remember that the rules apply to everyone.

How to Plug In: Be honest, humble and even-handed. If your character is justly called into question, accept responsibility, and act to make things right. Consider the consequences of your choices, decisions and actions. Network Power: Your network power is derived from the depth and breadth of your connections with others. Leaders rated high in network power are twice as inspirational and three times as influential as their lower-rated counterparts. How to Plug In: Develop a reliable expertise in an important area. Be accessible, responsive and helpful. Do favors for people (no strings attached) Build connections outside of your organization and physical location. —By Terry R. Bacon

To find the hottest jobs in the Indian market visit itjobs.cio.in

REAL CIO WORLD | A U G U S T 1 5 , 2 0 1 1

8/11/2011 1:15:47 PM

c o m p I l E D B Y d e b a r at I r oy

best practices

Unrestrained Sto-rage!

trendlineS

over the next decade, enterprises will have to tackle data 50 times its size today—with a staff that will grow only 1.5 times. Given the state of storage, CIOs are probably praying that the world ends in 2012. because if it doesn’t, then over the next decade, they face the daunting task of managing an incredible growth in storage—with a team that isn’t growing quite as fast. according to the 2011 Idc-Emc digital Universe Study, over the next decade, the number of files will swell 75 times. and the amount of information managed by enterprise datacenters will expand by 50 times. these numbers are confounding, but cIos can’t afford to ignore them. Especially because the number of people managing that growth isn’t increasing. according to the study, the pool of It staff will only rise 1.5 times today’s numbers. no one expects the number of It staff to grow in proportion, but the huge difference could easily heighten the risks of data leaks. all the more because only half of information that should be protected, is protected according to the report. that's why cIos are turning to technologies like virtualization and cloud. as a result, 2010 was the first year during which more virtual servers were shipped than physical ones. and though the cloud accounts for less than 2 percent of It spending today, Idc estimates that by 2015, nearly 20 percent of data will be touched by cloud service providers. meaning that somewhere in a byte’s journey, it will be stored or processed on the cloud. perhaps as much as 10 percent of the data will be maintained in a cloud.

lay doWn organizational processes with specific analytical and managerial skill sets that can help the business extract value from all that data. new tools from mobility to real-time bI can help.

InVEStIgatE new tools for creating metadata. also determine which big data projects will have the most ‘bang’, along with the requisite data sets and analytical tools.

maStEr virtualization. not just server and storage virtualization but also app. Start working on selfprovisioning and self-service. move what you can to the cloud—it's inevitable.

Digital Universe: The Big Bang Theory

75%

The Need for Information Security: across Various data types

Of the digital universe is generated by individuals but enterprises have some liability for 80 percent of information at some point in its digital life. SoUrcE: Idc-Emc dIgItal UnIVErSE StUdy

A U G U S T 1 5 , 2 0 1 1 | REAL CIO WORLD

Trendline_July011.indd 18

Lockdown Confidential Custodial Compliance Privacy 2010

2015

Vol/6 | ISSUE/10

alert

Enterprise Risk management

Six Mistakes You Still Make F

IMAGES by PHOTOS.COM

or years, we’ve heard security professionals lament the way they are perceived. Terms such as “the place where good ideas go to die” and “the department of no” weren’t uncommon just a few years ago. But that is changing—slowly, according to security leaders and this year’s Global Information Security Survey. Yet even as CISOs get a better rep, challenges still exist when it comes to conveying security’s message to company leadership, and staff users. Three infosec veterans point out communicatins mistakes CISOs still make when trying to get everyone on board with security.

Not Conveying Security’s Vision Lorna Koppel, director of IT security with manufacturing firm Kohler Company, has been in security for decades. “Things were so much simpler then. The threats were not as complex

and as targeted,” she says. “Now our jobs are more complicated because we have to still deal with all the noise and threats that are automated, but we also need to be prepared for the more complex and advanced methodology.” For Koppel and her team, that means there is a delicate line that needs to be straddled between how security is handling current threats, and what it plans to be doing in the future. “We’ve spent a lot of time looking at our vision. Where are we going? What is our strategy?” says Koppel. “It’s really hard for security people because we are reactive. We can get caught up just fighting the fire. But we also have very clear projects.” She says she requires her team to be forward thinking. “I think the mistake some people fall into is dealing with

findings

Only a Few Aren’t Effective A majority of contingency plans seem to work. Here’s why the few that don’t, fail. Lack of training Delay in implementation Incomplete plan Lack of management support Lack of partner cooperation

67% 48% 26% 26% 18%

latest. Let me deal with what’s my plate now. Then I’ll fit in the proactive stuff. But you don’t make any progress on making life better for the company or yourself.”

Neglecting to Relate Security to Everyone Koppel believes everyone in an organization, not just the security team, needs to understand how security is working for them. That m eans listening to user pain points and creating solutions with that in mind. In a recent initiative to implement an identity management solution, Koppel and her team focused on issues users with the existing infrastructure before going forward. The result was giving users one place to go and synchronizing all passwords across multiple applications. Koppel says while the

65%

Of Indian enterprises

have a contingency plan, which 73 percent of CISOs say is very effective.

Source: Global Information Security Survey

Alert.indd 18

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Vol/6 | ISSUE/10

8/11/2011 3:45:48 PM

Next-generation reputation-based technology The fastest, most effective endpoint protection anywhere Built for virtual environments

Symantec Endpoint Protection 12 TM

It takes just seconds for today’s polymorphic malware to mutate into millions of threats, but now it has met its match. Introducing Symantec Endpoint Protection 12—simply the fastest, most effective reputationbased protection ever created.* Improve the security of your information, devices, and employees. Download the Symantec Endpoint Protection 12 trialware at www.symantec.com/in/sep12/

* Sources: PassMark Software, “Enterprise Endpoint Protection Performance Benchmarks,” February 2011. AV-Test GmbH, “Remediation Testing Report” and “Real World Testing Report,” February 2011. Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.

SEP12_222x276_CIO.indd 1

alert

EntErprisE risk managEmEnt

new system wasn’t the platinum standard from a security perspective, it significantly bettered the security situation throughout Kohler. That’s because while users only had to have one password, it was required to be a strong password, something many were neglecting to use before. “Now when I sit down with people throughout the company and tell them I’m the person behind it, they say ‘Oh, you’re the one!’ and are usually very pleased,” says Koppel. “If we can solve problems for the user, we can also give them tighter security controls and they don’t mind.”

failing to Make the Business Case for Security As security’s profile in business has risen significantly in the last decade, so has the CSO/CISO’s status among executives. But Roger Dixon, head of IS with global investment-management company Invesco, says that despite the increased emphasis on security, executives and employees alike glaze over when technical talk begins. Folks outside the security department are simply looking for someone to give it to them in terms they can understand, he says. “They expect to bring a security question to security and get an answer

that relates to the business, not how it relates to IT. You need to be able to present and bring security across all areas of the organization.”

Neglecting to Realize that Timing is Key “The biggest lesson I’ve learned is timing,” says John Kirkwood, global CISO of Royal Ahold, which owns American grocery chains such as Stop & Shop and Giant. In his previous job, Kirkwood was the first CISO at both American Express and Credit Suisse. He remembers a time when his security message was ignored by most—then 9/11 occurred. Several highprofile viruses made their impact soon after. Those who once ignored him think he’s pretty smart now, says Kirkwood. But rather than feeling a sense of smug satisfaction, he says it’s taught him something about picking battles. “If you say the right thing to the right person at the right time you will get a lot of movement. If you aren’t cognizant of when an organization is receptive, you will find that your message will be lost.” Kirkwood points to PCI-related technology as an example, and says he knew for many years it was something organizations should be investing in for

[OnE :: LinEr]

“With C CiOs also expected to become business leaders, the need for a dedicated resource to handle is is increasing. this change is already apparent in large enterprises and is picking up in smEs.” RaMkuMaR Mohan, head-IT & CISo, oRbIS RaMku

their own protection. But it wasn’t until compliance requirements heated up and breaches became headlines that business began to have an interest. “A few years ago, if I said we need to spend a few million to do this, I would have been a pariah. But if you pick your battles according to timing, you’ll be extremely successful. You can’t fight everything every day.”

forgetting that Your Role in Communication Alters Often Kirkwood says he mentally prepares for meetings by going over e-mails, figuring out what role he will be called up to play among co-workers that day, and tailoring his approach accordingly. “Am I going to be a leader, an advisor? Or maybe a publisher of bad news? It varies, but I don’t have to be the leader in all cases. I don’t have to be the teacher or the advisor in all cases. But I have to have that ability because I will be asked to do those different roles at different times.”

failing to Recognize When Communication is a Waste Sometimes you can make every effort at effective communication, but it won’t make a bit of difference. That’s because there are times when being a good security leader means understanding communicating isn’t worth your energy. Dixon says he spent two years in a position, banging his head against a wall, trying to communicate security’s importance, only to find leadership couldn’t care less. Dixon felt the organization was really just looking for a figurehead to fire when something went wrong, so he left. “I didn’t follow my gut and spent two years not being able to do what I needed to do,” says Dixon. “When you are doing [job] interviews and discussing what the business is, unless the company and management has some understanding and support for security, it doesn’t matter how good you are, you aren’t going to get anywhere with security.” CiO Joan goodchild is senior editor, CsO, a sister publication to CIO. send feedback on this feature to editor@cio.in

a u g u s t 1 5 , 2 0 1 1 | REAL CiO WORLd

VOl/6 | ISSUE/10

Now, align your data centre architecture to your business needs in just seconds 5 4

1 3

2 Management 1 Cooling 3 Physical security End-to-end monitoring Rack-, row-, and A single-seat view and management room-based cooling for monitoring and software for greater options for greater surveillance efficiency and availability efficiency

4 Power 5 Rack systems Modular power distribution Any-IT, vendor-compatible and paralleling capabilities rack enclosures and on UPS for loads from accessories for 10 kW to 2 MW high densities

Only APC by Schneider Electric InfraStruxure adapts quickly to your specific business needs Introducing Next Generation InfraStruxure

The flexibility of the InfraStruxure architecture:

Whether you have just acquired a new company or must increase its ever-expanding customer or inventory database capacity, you’re most likely facing pressing demands on your company’s IT infrastructure. Your existing data centre infrastructure may not be able to handle these up-to-the-minute changes. That’s where APC by Schneider Electric™ steps in with its proven high-performance, scalable, data centre infrastructure. As the industry’s one-of-a-kind, truly modular, adaptable, and ‘on-demand’ data centre system, only InfraStruxure™ ensures that your data centre can adapt effectively, efficiently, and, perhaps most important, quickly, to business changes.

InfraStruxure data centres mean business

We say that InfraStruxure data centres mean business. But what does that mean to you? The answer is simple. A data centre means business when it is always available, 24/7/365, and performs at the highest level at all times, is able to grow at the breakneck speed of business, lets you add capacity without waiting on logistical delays (e.g., work orders), enables IT and facilities to keep pace with the business in a synchronized way, continues to achieve greater and greater energy efficiency — from planning through operations, is able to grow with the business itself, and supports — instead of hinders — business.

The triple promise of InfraStruxure deployment

InfraStruxure fulfils our triple promise of superior quality, which ensures highest availability; speed, which ensures easy and quick alignment of IT to business needs; and cost savings based on energy efficiency. What better way to ‘mean business’ than to enable quality, speed, and cost savings — simultaneously?

Classification of Data Centre Operations Technology (OT) Management Tools

> Executive summary

Contents 1 2 7 7 9 10

Turn any room into a worldclass data centre. InfraStruxure

can be deployed on its own as a modular, scalable, customized solution that’s easy to design, build, and install for small and first-time data centre environments.

Extend the life of your data centre. Existing data centres can

add on InfraStruxure components to existing architecture and, for increased value, use our management software.

Scale up with step-and-repeat modular architecture for large data centres. Medium/large environments can deploy InfraStruxure as a zoned, pay-as-you-grow, scalable architecture solution.

Discover which physical infrastructure management tools you need to operate your data centre… download White Paper #104 today! Visit www.apc.com/promo Key Code 93828t Toll Free 1800 4254 877/272

©2011 Schneider Electric. All Rights Reserved. Schneider Electric, APC, and InfraStruxure are trademarks owned by Schneider Electric Industries SAS or its affiliated companies. email: esupport@apc.com • 132 Fairgrounds Road, West Kingston, RI 02892 USA • 998-5037_IN

11-7-28 上午9:56

Enterprise Risk management

Zero-day Exploits Are Over-hyped

omputers lacking patches for long-known vulnerabilities potentially face more of a hacking risk than from zero-day exploits, or attacks targeting vulnerabilities that haven’t been publicly disclosed, according to new research from Secunia. Finding an unknown vulnerability and crafting an exploit requires advanced skills, says Stefan Frei, research analyst director at Secunia. Those types of exploits are highly valuable since no patch exists and can be sold on the black market. However, there are plenty of software vulnerabilities for which patches have been engineered but never applied by users, in part due to the fractured way companies release patches. Targeting those vulnerabilities is much easier for hackers, says Frei. For its latest study, Secunia gathered data from 3 million Windows XP computers running its Personal Software Inspector (PSI), a free product that scans a computer to find out if its software programs have up-to-date patches. PSI will automatically install patches for many programs if one is lacking the needed updates. Secunia found some interesting changes in the vulnerability landscape compared to a few years ago. Of the top 50 programs on a typical Windows XP computer, 26 are made by Microsoft and the remainder from third-party vendors. In 2006, 55 percent of the vulnerabilities in those top 50 programs were in Microsoft’s software or its OS. But by 2010, Microsoft’s share of total vulnerabilities fell to just 31 percent. But overall the number of vulnerabilities in those top 50 programs rose from 225 in 2007 to 729 in 2010. 24

Alert.indd 22

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

That is due to a dramatic rise in problems found in with third-party software, according to Secunia’s statistics. Some of those most common programs were Adobe’s Reader and Flash applications, the Firefox browser, Apple’s QuickTime multimedia application and Java, Frei says. Consumers often haven’t applied patches since there is no universal tool for updating all software on a computer at the same time. Secunia said there are 14 different update mechanisms for those top 50 programs. But it has become somewhat easier since Microsoft, Adobe, Apple and Mozilla and some others will automatically deliver patches for their products if configured to do so. Statistics show that Microsoft’s update mechanism appears to have the most success. Secunia found that for the fourth quarter of 2010, only 2 percent

It’s a Numbers Game

alert

of Microsoft programs were considered to be insecure on the computers they surveyed, while between 6 percent to 12 percent of third-party programs were insecure due to absent up-to -date patches. For enterprises, patching all of their programs can be expensive and time-consuming since they have to ensure patches don’t cause problems with other systems. But Frei says the only way consumers and companies can defend themselves is by patching. “Zero day [threats] get the attention of many people, and there’s not a lot we can do against zero days,” Frei says. But for vulnerabilities that have been fixed, “patching is very effective to eliminate those risks.” CIO Jeremy Kirk is a writer for IDG News Service. Send feedback on this feature to editor@cio.in

If it sometimes appears that just about every company is getting hacked these days, it’s because they are. In a new survey by Ponemon Research, 90 percent of respondents said their companies’ computers were breached at least once by hackers over the past 12 months. Nearly 60 percent reported two or more breaches over the past year. More than 50 percent said they had little confidence of being able to stave off further attacks over the next 12 months. Those numbers are significantly higher than similar surveys and suggest that a growing number of enterprises are losing the battle to keep malicious intruders out of their networks. “We expected a majority to say they had experienced a breach,” says Johnnie Konstantas, director of product marketing at Juniper. “But to have 90 percent saying they had experienced at least one breach and more than 50 percent saying they had experienced two or more, is mind blowing,” she says. It suggests “that a breach has become almost a statistical certainty,” these days. The Ponemon survey comes at a time when concerns about the ability of companies to fend off sophisticated cyber attacks are growing. Over the past several months, hackers have broken into numerous supposedly secure organizations, such as security firm RSA, Lockheed Martin, Oak Ridge National Laboratories and the International Monetary Fund. — By Jaikumar Vijayan

Vol/6 | ISSUE/10

8/11/2011 3:45:58 PM

Pavan Duggal

Cyber Law

CIOs and the Cyber Law The long hands of India's cyber laws just got longer and whether you like it or not it affects you.

f you are the CIO of your company then apart from many other challenges that you deal with on a daily basis, now you also need to take into consideration an additional area of compliances. This area of compliance has come thanks to the amended Indian cyber law. The question that would occur to any CIO is: Why should I look in Indian cyber law? Isn’t that the job of the legal department? Nothing, however, could be further from the truth. Today, the Indian cyber law is increasingly becoming a centre stage force, one that impacts any company’s operations and activities done using computers, computer systems, computer networks, and data and information in the electronic form. The Indian cyber law is India’s ‘mother legislation’ and impacts all activities within the physical boundaries of India that are associated or connected with the use of computers, computer systems, computer networks, computer resources and communication devices, and data and information in the electronic form.

The Long Road Cyber Law

Illustration by P HOTOS.COM

The Information Technology Act, 2000, was initially meant to be an e-commerce-enabling legislation and focused on providing a legal framework that provided legal validity and enforceability to e-commerce transactions. Over time, there were demands for a change in the law so that it could keep up with changing times. Meanwhile, a lot of other developments took place. The Baazee. com case generated tremendous discussion on the liability of network service providers. The Government of India set up committees at various points in time to look at proposed amendments. Then the 26/11 Mumbai attack occurred. These attacks reminded the Government of India of how technology could be misused to 26

A U G U S T 1 5 , 2 0 1 1 | REAL CIO WORLD

Coloumn_cyber law.indd 26

Vol/6 | ISSUE/10

8/12/2011 8:30:08 PM

Pavan Duggal

Cyber Law

impact the sovereignty and integrity of India. Within a month of the attack, the Information Technology (Amendment) Act, 2008 was passed. These amendments came into effect from on the 27th of October 2009. The amended Indian cyber law covers a wide spectrum of activities. Some focus areas of the amended cyber law are mentioned here. For the first time, the Indian cyber law has defined the concept of cyber security in a legal manner. Cyber security is defined under Section 2(1)(nb) of the amended Information Technology Act, 2000, to mean protecting information, equipment, devices, computer, computer resources, communication devices and information stored in them from unauthorized access, use, disclosure, disruption, modification or destruction. Various service providers and stakeholders have been straddled with various duties and obligations for the purposes of protecting and preserving the cyber security of computer systems and computer networks. The law has increased liability of paying damages by way of compensation for a variety of activities that are done using computers, computer systems, and computer networks. Further, diminishing the value and utility of electronic information residing in a computer resource without authorization has been made a ground for seeking unlimited damages by way of compensation. Compensation up to Rs 5 crore per contravention can be sought under the Information Technology Act, 2000. In summary, adjudicatory proceedings while the sum of damages by way of compensation beyond Rs 5 crores can be sought in a court of competent jurisdiction.

The Privacy Law Further, the law has gone ahead and elaborated on the liability of legal entities who handle, deal with, or process sensitive personal data. Any legal entity who handles, processes, or deals with sensitive personal data, is required to maintain reasonable security practices and procedures to ensure the protection of the confidentiality of such data. If they fail to follow reasonable security practices and procedures while handling, dealing with, or processing sensitive personal data or information, and thereby cause loss to any person, then the affected person can sue them for unlimited damages by way of compensation. On 11th April, 2011, the Government of India has notified rules and regulations under the amended Information Technology Act, 2000. The Government has not only defined nuances of various broad parameters given under the Act but has also sought to set up a parallel data protection legal regime. On the same day, the Government of India has notified four sets of rules which are commonly known as Information Technology Rules, 2011. These rules have not only defined what constitutes sensitive personal data, but also define various parameters for security that needs to be adhered to while dealing with sensitive personal data.

Vol/6 | ISSUE/10

Coloumn_cyber law.indd 27

The law now provides that sensitive personal data or information means such personal information which consists of information relating to: Passwords; financial information such as bank account, credit card, debit card, or any other payment instrument details; physical, physiological, and mental health condition; sexual orientation; medical records and history; biometric information; any details relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise. So if you are a CIO and your company deals with these kinds of sensitive personal data or information then you need to be concerned. You need to ensure compliance with the law. You further need to ensure that your organization complies with reasonable security practices and procedures. As a CIO, you need to ensure that relevant reasonable security practices are followed by your organization. Further, the amended Indian cyber law has come up with new parameters for liability of intermediaries. Intermediaries

The question that would occur to any CIO is: Why should I look in Indian cyber law? Isnâ&#x20AC;&#x2122;t that the job of the legal department? Nothing, however, could be further from the truth. have been defined in very broad terms to mean with respect to any particular electronic records, any person who on behalf of another person receives, stores, or transmits that record or provides any service with respect to that record. If your company is an intermediary, then as a CIO, it will be prudent for you to ensure that company is compliant with these mandated rules. Non-compliance with these parameters will expose not just the top management of your company but also you to two kinds of liabilities: Civil liability of imprisonment and fine; and also criminal liability of paying damages by way of compensation. The new amended Indian cyber law has brought in a new era of compliances impacting data and information in the electronic form. Every CIO has now to ensure that compliance under the Indian cyber law is done effectively. Only in ensuring such compliances is the nirvana for the future. CIO Pavan Duggal is advocate, Supreme Court of India; Chairman, Assocham Cyberlaw Committee; head, Pavan Duggal Associates; and President, Cyberlaws.Net. Send feedback on this column to editor@cio.in

REAL CIO WORLD | A U G U S T 1 5 , 2 0 1 1

8/12/2011 8:30:08 PM

Coverstory_BI_Option1.indd 50

9/2/2011 4:51:18 PM

Coverstory_BI_Option1.indd 51

9/2/2011 4:51:20 PM

Undercover Officer

Anonymous

Audit Agitation What do you do when your customers want you to do an independent security audit and your CEO doesn’t?

y CEO is a psychopath. No, really he is. He’s a lying, manipulating, amoral, selfish, screaming-like-amadman, intellectually challenged, dysfunctional excuse for a human being. And those are his good qualities. But, surprisingly, I read recently that I am not alone in enjoying such a CEO. It’s actually quite common for psychopaths to become CEOs. So much so that a company in the UK now specializes in employee testing to try to identify and hopefully retrain those exhibiting psychopathic tendencies before it’s too late, and they are taking the express train to the top of the corporate ladder. Too bad this company didn’t exist while my piece of work was in his formative corporate years. I tell you all this not for sympathy, but so that you can imagine my discomfort when I had to approach my CEO and explain what a SAS 70 was and why we needed it. For those who don’t know, a SAS 70, or Statement on Auditing Standards No. 70, is an internationally recognized standard developed by the American Institute of Certified Public Accountants. A SAS 70 audit represents that an IT services provider (for example, a financial services organization)

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Anonimous_colunm.indd 2

has been through an in-depth audit of its control activities, which generally include IT, security and related processes. The Sarbanes-Oxley Act of 2002 makes SAS 70 audits even more important to the process of reporting on effective internal controls at IT services organizations. That’s because the reports signify that a service organization has had its control objectives and control activities examined by an independent auditing firm. And I had to explain all this to a man who has the patience and temper of a two-year-old with a diaper rash. I approached the CEO’s office with a queasy feeling of resignation and trepidation.

It Wasn’t Exactly a Tea Party “Mr. Blowhard is running late,” his attractive administrative assistant informed me. “He’s very busy these days,” she continued, with a slightly irritated frown.

Vol/6 | ISSUE/10

9/2/2011 5:02:40 PM

Undercover Officer

Anonymous

Great, I thought, I can enjoy my misery stew a little while longer. I sat in an overstuffed leather chair in the waiting area outside his office. Inside, I could hear Blowhard screaming at his latest victim, his voice rising steadily in a paroxysm of hysteria. Suddenly the door banged open and out the CEO sprang. His bald head sported beads of sweat. He thrust out his arm, directing the way out. “And don’t you dare come back here until you get it right!” he shouted. His unfortunate victim slithered past him. Let me interrupt for a moment and tell you that I’m not making this up. My CEO is really this bad. Only a few identifying details in this story have been altered, and the names of the ignorant and incompetent have been changed to protect their privileged status. “Who’s next?” he demanded. His assistant pointed at me. Maybe I should have worn barbeque sauce to this meeting, I thought. “Get in here!” he yelled, and stomped back into his office. I followed him at a safe distance. He turned suddenly and thrust his face an inch from mine. “What do you want?” And a good morning to you too, sir, I thought. “Well, we have been getting a lot of requests from our clients to provide SAS 70 documentation on our information security controls and practices.” “I don’t care about that. I want to know what you’re going to do about passwords.” I thought for a moment. What did he mean? Do away with them? Implement two-factor authentication? I decided to bite. “Is there a problem with passwords?” I asked. “I couldn’t remember my password this morning! I had to wait until my secretary logged me on. I don’t like

Who’s the Boss? To learn more about the CSO’s role, read our CIO Debates on Whom Should the CSO Report to? on www.cio.in c o.in

Vol/6 | ISSUE/10

Anonimous_colunm.indd 3

What doctor would knowingly put the lives of his patients in danger? By the same reasoning, what security professional would knowingly put the security of his network at risk? waiting. Waiting is money. I want you to do away with passwords.” With a dismissive wave of his hand, he headed back to his desk. I decided to ignore the obvious violation of policy prohibiting the sharing of passwords. I cleared my throat. “That’s actually not a good idea, sir.” He stopped and wheeled to face me. “Why not?” he said. I could have counted the number of veins sticking out on his forehead. “Don’t you ever disagree with me!” “Without passwords,” I continued, “anyone could get into your computer. That means they could read all of your files, your e-mails, even send e-mails under your name. That could put the company at risk.” “There’s nothing on my computer that’s sensitive! We’re an open company.” The irony did not escape me. But then again, only poets get paid for pointing out irony. “Someone could send an embarrassing e-mail from your computer. Say they wrote to The New York Times or a major client.” He thundered, “They could do that now by creating a Gmail account with my name on it.” “Yes, but the e-mail wouldn’t be from our company’s domain and....” “Domain? You come in here and waste my time by talking security technobabble! This isn’t the CIA!” “Actually, I came in here to discuss what our clients have been asking for a SAS 70. It’s a third-party assessment of our security.” “Are you telling me you’re not doing your job?” He was turning crimson. Maybe I should have updated my resume and put more money in that rainy-day fund.

“Let me explain,” I said. “There are regulatory requirements like SarbanesOxley that require companies to check the security of their information services providers. To our clients, we are an information services provider. Our clients are asking us for an independent, thirdparty assessment of our information security practices so that they can be assured that we aren’t endangering their computing environment.” “What does it cost?” he demanded. Now we were getting down to business. “Because of the size of the company and the services we provide, it will probably cost us around a quarter of a million.” “What?! You want to spend a quarter of a million dollars for a piece of paper?” “Our clients....” “If they don’t have anything better to do, then tell them to take a hike! Now get out of here!” “But....” “I said get out!” he shouted. The door slammed behind me. Great. Now what? I trudged back to my desk and contemplated my options. Not only had I not gotten approval for the audit, but I had actually been given an order to get rid of passwords, which would have been crazy. I got out a legal pad, drew three columns and labeled them “Option,” “Pros” and “Cons.” In the first column, I put the password order. We could implement a biometric sign-in, which would allow us to drop the password and go with just the biometric identifier. But that would involve a lot of effort and money, and no one else in the company was complaining about passwords. I also had an obligation as a security professional not to weaken security by doing away with passwords. What doctor would knowingly put the lives of his patients in danger? By REAL CIO WORLD | a u g u s t 1 5 , 2 0 1 1

9/2/2011 5:02:40 PM

Undercover Officer

Anonymous

the same reasoning, what security professional would knowingly put the security of his network at risk? Chances are the CEO would never bring it up again. The first decision was made: Ignore the password order. Next came the decision on the SAS 70. This was a different matter altogether. I wasn’t exactly putting the security of the company at risk by not doing the audit, but it was clearly important. My first option: Order the SAS 70 on my own. I couldn’t do this for two reasons. One: If the CEO ever found out, then he actually would have a good reason to fire me. Two: Because of the price tag, I would never be able to get it by the purchasing department without his permission. Under the option column I wrote, “Go back to the CEO and hope that he is in a more receptive mood.” I considered that option for about as long as it took to think it up. Was I taking dumb pills? Given his previous psychotic behavior, I knew that day would never come.

Next I scribbled, “Go around the CEO to the board of directors.” The pros were obvious. Surely those people would sympathize with me. The cons, however, were significant. I might get the board to order the SAS 70, but it would be a public rebuke of the CEO’s leadership in his presence and would reflect poorly on me. I don’t think the CEO, my boss, would easily forget that episode. I quickly ruled out that option. The last option was to simply wait and do nothing. If a SAS 70 was truly important, then let the regulators come in and demand it. Or, if it was really important to our clients, then let them require that we do the audit to keep their business. Apparently, those were really the only things that would get the CEO’s attention. I was convinced that nothing I said would change his mind. I circled the last option with an air of false bravado. That’s where I am currently. I’m waiting for the proverbial shoe of fate to drop or, perhaps more appropriately, to

give me the boot. But, I figure, how is this any different from all of the other jobsecurity risks a CSO faces? Couldn’t a hacker break in tonight and ransack our network? That might earn me a trip to the unemployment line. Or what about the ever-present risk of a cable-seeking backhoe severing a major data link and causing us to lose millions of dollars in a single day of trading? I knew a CISO at a major investment bank who had been fired for that unfortunate happening. No, I figure it’s best to be philosophical about these kinds of professional risks. You should do the best you can so that you can sleep well at night. And you should always keep your contacts with the headhunters up-todate and your relations with them on the best of terms. CIO

This column is written anonymously by a real CSO. Send feedback on this column to editor@ cio.in

Cloud Zone Brought to You by

At the Cloud Zone on CIO.in you can dive deep into the latest in the world of Cloud Computing and stay updated on issues like public & private clouds, SaaS, PaaS, IaaS, DaaS, Managed Services and more.

Get In the Zone Today!

Everything Cloud Computing Anonimous_colunm.indd 4

9/2/2011 5:02:40 PM

CUSTOM SOLUTIONS GROUP HP CONVERGED INFRASTRUCTURE SOLUTIONS

CASE STUDY

Biocon Leverages HP Bladesystem Matrix to Deliver Affordable Biotech Innovation Biocon recognized the need for an advanced IT infrastructure, that addresses growing business IT demands, power and cooling challenges in the data centre.

stablished in 1978, Biocon Limited is India’s leading biotechnology enterprise. Biocon and its two subsidiaries, Syngene and Clinigene, form a fully integrated biotechnology corporation with a focus on biopharmaceuticals, contract research and clinical research. Biocon needed to upgrade its IT infrastructure to continue with its impressive performance. Although the number of end-users had increased rapidly, the IT systems had not kept pace. While the company recognized the need for a more advanced IT infrastructure, it also wanted to address power, cooling and floor space challenges in the data centre.

TRANSFORMATION VITAL As part of its forward-looking IT convergence project, Biocon sought to consolidate its workload onto a virtualized environment, moving to scale-out storage, and adopting service-oriented management and delivery strategies. Biocon also wanted to build a private cloud infrastructure to augment its growing business requirements. After almost three months of deliberation, Radhakrishnan G, General Manager - Systems at Biocon, decided on an HP solution consisting of BladeSystem Matrix and the HP EVA 8400. The HP BladeSystem Matrix is one of the few solutions which are certified to work with the Microsoft hypervisor-based server virtualization technology - Hyper-V. The fact that Biocon and HP have worked together for more than a decade was also a crucial factor for Radhakrishnan as it ensured a proven track record of service and support. Radhakrishnan was certain that he did not want to modernize his data centre piecemeal in order to avoid complexity and keep resources from being under-utilized. “That would have resulted in repetitive, time-consuming purchase orders, service agreements, and management approvals. The HP solution helped avoid that, as it provided a complete infrastructure platform that plugs into our environment and changes with our business In fact, Biocon is the first Indian pharma companies to deploy the HP BladeSystem Matrix,” he says.

The HP BladeSystem Matrix and the HP EVA 8400 solution was shipped to Biocon’s data centre, fully-tested and pre-configured by HP and regional implementation experts to facilitate fast and reliable deployment and start-up. The solution was put into production with minimum downtime and zero business disruptions. “The whole implementation and migration was so seamless that it appeared like it was done with the click of a button,” says Radhakrishnan.

AT A GLANCE Company BIOCON LIMITED Industry Biopharmaceuticals Offering Research-driven, global healthcare solutions

BENEFITS For Biocon, the HP solution offers considerable advantages. By creating pools of shared virtualized resources that are available on demand, Biocon has been able to reduce the number of physical machines, driving out complexity and lowering maintenance costs. More than 30 traditional servers and two storage arrays were consolidated, moved to an HP Blade System environment and virtualized. Previously, there was a lack of

“The migration to the HP solution was tranquil, comfortable and as simple as the click of a button.”

flexibility in day-to-day operations to quickly adapt IT infrastructures and services to changing user requirements and situations. Now, new applications and services are provisioned in hours rather than weeks or months, increasing business agility and improving the user experience. “The HP EVA 8400 allows us to seamlessly provision storage while growing our applications by adding virtual servers and EVAs dynamically,” says Radhakrishnan. “The BladeSystem Matrix also improves our ability to easily maintain service levels with built-in disaster recovery. With a simple mouse click, we can move workloads to other servers or sites, improving recovery time. This redundancy in the data centre is essential to build our strategic licensing partnerships globally.” “We believe that an organization is as dynamic and effective as its people, and our green, highly responsive data centre environment will help us navigate the challenges of innovation and business expansion in the next decade, with IT playing an active role in better business outcomes,” Radhakrishnan concludes. This feature is brought to you by IDG Custom Solutions Group in association with

RADHAKRISHNAN G General Manager - Systems, Biocon Ltd.

CONVERGED INFRASTRUCTURE SOLUTIONS

Al Kuebler

Strategic CIO

The Proactive CIO If you’re anything less than a proactive IT leader, then you’re a leader only in your eyes. Here’s how to become that person.

et me be very clear: As an IT professional wishing to make a lasting and strategic impact on your enterprise, you must be a proactive partner in realizing what its leaders wish to achieve. The value of IT is under assault every day. I know that many of you will protest that the attacks on IT simply aren't justified. Well, some of them are, though I agree that many of them are not. That isn't the point, really. I've seen wellintended and capable IT leaders attacked for problems with business profitability and growth that were completely the responsibility of the business unit making the attack. When it happens, what matters is not whether the attack is justified; the important thing is how the IT leader addresses it. IT leaders who believe that what they are doing is an isolated and reactive specialty and the only thing in the enterprise that is worthy of their focus are often caught off balance by such attacks. And they usually end up being replaced.

Relationships are Everything

Illust ration by ph otos.com

For the reactive IT leader, it's simply incomprehensible that anyone in the business leadership might not fully understand or appreciate what IT does. More often than not, this is why such managers spend so little time explaining to business peers what they're up to. In their minds, the necessity of what the IT function does is so obvious that it's inconceivable that it would ever have to be spelled out for anyone with the mental capacity to run a business unit. The proactive IT leader, on the other hand, is better equipped to handle such an attack, because he or she has strong relationships that run deep throughout the enterprise 34

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Coloumn_IT Leader.indd 26

Vol/6 | ISSUE/10

8/11/2011 4:26:14 PM

Al Kuebler

Strategic CIO

The proactive IT leader determines which business leaders influence their success. You must find out what their goals are. Your value is proportional to the degree to which you can help them achieve their success. that make it possible to understand the problem at its root and suggest ways that technology can help overcome it. More importantly, though, if the IT function is a proactive partner to the enterprise and every business in it, it would be just plain silly to attack it. The proactive IT leader is keenly aware that the IT function will have value only if it benefits the enterprise and if those benefits are clearly understood at all levels, both in the company and in the IT function itself. I like the phrase "part of it, proud of it" as a way to express how the proactive IT community relates to the business it serves. Once these goals are understood, the principles and objectives necessary to achieve them almost suggest themselves. All the same, I will provide you with some guidelines to help you get on the right path. Learn about the business your function serves, and get involved in making it better. If you believe that IT professionals don't need any particular insight into the nature of the business they serve, then you have bought into a destructive myth. IT leadership cannot remain isolated from the business it serves. A proactive leader seeks to understand as much as possible about how the enterprise acquires customers and makes money, strives to see its business performance goals from a shareholder perspective, uncovers the things restricting strategic achievement, and absorbs every part of the annual report. With that information, the IT leader can prepare a list of initiatives that the IT function could pursue to avoid cost, improve service and increase revenue. Depend on others to define the value of your efforts. The proactive IT leader determines which business leaders can influence his or her success. Those people are IT's clients. You must meet with each of them and have wideranging discussions to find out what their goals are. Your value will be proportional to the degree to which you can help them achieve their success. Ask them how your IT function could make things better for them. Their answers will direct your team's efforts. And remember, this is not a one-time exercise. Repeat these meetings routinely; don't wait until there is a crisis. Build a creative IT organization. Creative organizations are more flexible, move much faster, and are much more competitive. That requires stripping away bureaucracy, so that decisions for action can be made at every level in the IT function. And it requires making it clear to your staff

Vol/6 | ISSUE/10

Coloumn_IT Leader.indd 27

that when their initiatives lead to mistakes, their careers won't suffer. Your staff members need to feel safe and know there is little or no risk associated with being creative. Allowing for risk-free mistakes is probably too radical, but do set an example by tolerating most mistakes, especially when initiative is involved. In fact, a mistake made by a trusted and experienced employee who has taken initiative on behalf of a client can be invaluable if it is turned into a lesson that is openly shared. When no mistakes are made, then no creative initiatives are being undertaken, and that means no growth, or worse. Embrace change. Astute IT management accepts that the IT function will adapt as the business and technology worlds around it change. But we all resist change and the more experienced we are, the more we fear to venture. However, it is essential to embrace the idea that change is not only anticipated--as it must be in the world of IT--but is also very beneficial to the enterprise. In fact, the IT function is a powerful business change agent. Most CEOs know this and expect their IT management to show them how the introduction of emerging technologies and new approaches can accelerate and improve their strategic business performance. Business general managers increasingly look to IT to introduce change through beneficial ideas that arise because of IT's unique perception of the entire enterprise. I can guarantee you that change will happen anyway; you might as well lead it. Measure quality in IT services. This is one of the most critical factors in making IT a proactive partner to the business. You are not going to get blind acceptance of what IT is doing, and acting as if you should is a careerlimiting move. Measuring IT quality involves jointly setting service-level standards, providing recognition for joint accomplishment, showing the enterprise that the IT function is not resting in terms of its performance and productivity, leading the way in continuous improvement, and much more. Doing all of this has become easier as IT best practices have matured. The payoffs are improved IT productivity and the endorsement you will get from your business peers. Hire the best people, and hold on to them. You can't have a creative IT organization without the best people. It's a lot of work sorting out the best and finding ways to attract them and keep them, but it's worth it. The surest way to outperform the competition is to have better people than them. And of course, REAL CIO WORLD | a u g u s t 1 5 , 2 0 1 1

8/11/2011 4:26:14 PM

Al Kuebler

Strategic CIO

we all know that outcomes don't turn out the way we planned them. But if we have the best people and they are properly organized and motivated, they will be able to deal with the unexpected things that are sure to come. Benchmark the IT function. This lets you show how your internal IT function outperforms other commercial offerings available to the company, at a lower cost. And if a non-strategic service can be done cheaper, faster and better by an external provider, you have an obligation to the stockholders to suggest moving to it. It's also important to realize that benchmarking can pinpoint areas that need attention. Just be aware that benchmarking by itself can lead to mediocrity. Getting your IT services to the point where they are considered "commercial grade" is just your starting point for continuous improvement. Take this seriously, or your stockholders will soon have the burden of paying the profit margin of an outside commercial IT service provider. And with the IT function farmed out, there won't be much left for a CIO to do. Know your numbers. You have to be prepared to answer questions such as: "How much has the IT function's productivity improved over the last three years?" "How has the IT function helped the enterprise avoid cost, improve service or increase revenue? By how much?" "Why should a stockholder want to give any CIO any increase at all?" "How much would the company spend if it outsourced the entire IT function?" "Does the IT function deliver useful information to the business, and how does that quantifiably help the company's competitive position, in terms of profit?" If you don't have answers, no worries; you'll get them. Or else. Have a clue about what the IT future holds. As an IT leader, it is part of your job to keep an eye on what is going to be coming in the technology sphere and introducing your enterprise to the ways it could benefit from it. If you are not aware of what is going on, you risk proposing investments in technology at the end of its technical life, and at much too high a price. When you do your research homework properly, you will know when a new technology has reached the maturity your organization needs before it becomes over-priced because of demand. The senior management committee will appreciate your research and forethought as you provide carefully considered advice on acquiring the IT capacity the company needs. You want your IT function to work together as a team, so be a good team member yourself. The first step is to realize that your behavior will A Better CIO clearly signal whether or not you are a supportive member of To find out how you can increase your team. This will be noticed. your impact, read 20 Minutes to Meet regularly at all levels with Success. Visit www.cio.in/mustread parts of your IT organization, in c o.in small enough groups so that you 36

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Coloumn_IT Leader.indd 28

Benchmark the IT function. This lets you show how your internal IT function outperforms other commercial offerings available to the company, at a lower cost. can know their names and functions and have one-to-one exchanges to better understand the challenges they face. It's wise to remember when you were in similar positions and to ask things such as "What do you need to be more productive?" Every second of these meetings, you'll be carefully observed for authentic team member behavior. Listen to your team members' concerns and questions, and keep in mind that if someone bothered to ask you about something, then he or she has the expectation that you might actually do something about it. Therefore, if possible, you must, and if you can't, then you need to explain why truthfully. Take notes so that you can follow up with appropriate actions when you can. If training is needed, fund it. If better equipment is needed, arrange for it when you can. Don't look back. What you design and produce today with care and love will be completely dismantled and rebuilt by your successors. Savor your successes, but keep them in the past. Keep your focus on moving your team forward to their next worthy achievement. Did I say all this would be easy? I hope not. But if you think that something from the list above will be particularly difficult for you because it just isn't one of your strengths, well, recognizing your weaknesses is itself a strength. The way you deal with that is to identify someone who has the strength you lack and ask that person to join your team. Every person I have ever approached in this way has appreciated the recognition, and working together only magnified the rapport we had. And don't forget, building rapport both within your team and among your peers is one of the main tasks of the proactive IT leader. CIO

BAl Kuebler was CIO for AT&T Universal Card, Los Angeles County, Alcatel and McGraw-Hill and director of process engineering at Citicorp. He is also the author of Technical

Impact: Making Your Information Technology Effective, and Keeping It That Way. Send feedback on this column to editor@cio.in

Vol/6 | ISSUE/10

8/11/2011 4:26:14 PM

CHANGE

the rules of networking with the power of convergence.

HP READIES ENTERPRISES FOR THE FUTURE WITH FLEXNETWORK ARCHITECTURE SUBHODEEP BHATTACHARYA, Director, HP Networking, India.

Customers are looking for vendors driving a systemic change in networking to eliminate complexity, improve agility and increase performance, says Subhodeep Bhattacharya.

legacy networks through convergence and simplification, enabling organizations to deliver innovation, speed and performance. The new level of flexibility enables clients to focus on preparing their organizations for the demands of the future.

How can businesses focus on innovation while reducing their dependence on legacy hardware? To ensure success and a competitive advantage, enterprises need to shift resources from maintenance of complex legacy networks to innovation. HP Converged Infrastructure is key to an Instant-On Enterprise. In a world of continuous connectivity, the Instant-On Enterprise embeds technology in everything it does to serve customers, em-

Can you tell us more about the FlexNetwork architecture? The HP FlexNetwork architecture unifies the network through three modular building blocks that share a common management layer. FlexFabric: Simplifies data center infrastructure with converged network, compute and storage resources across both virtual and physical environments to accommodate hybrid cloud computing models. FlexCampus: Improves performance, lowers latency and increases security for

ployees, partners and citizens with whatever they need, instantly. A core component of the HP Converged Infrastructure, the HP FlexNetwork architecture converges network silos by ensuring protocols are implemented consistently across all networked devices throughout an enterprise. The architecture unifies networks in the data center, campus and branch to ensure consistency, security and performance. It transforms

CUSTOM SOLUTIONS GROUP HP NETWORKING

While Cisco can require 30 separate management tools for data center, campus and branch networks, HP delivers single-pane-of-glass management with the HP Intelligent Management Center (IMC) across all the modular building blocks of the HP FlexNetwork architecture. HP IMC version 5 provides a unified view into the virtual and physical data center network to accelerate service delivery, simplify operations and boost How can organizaavailability. It tions avoid propriSingle architecture network automatically discovers etary technologies that unifies network virtual machines, virtual lead to vendor lock-in? switches and their relaSingle-vendor, propri‘silos’ to increase tionship to the physical etary approaches, lock in flexibility for network, overcoming the customers while driving virtual, mediachallenges of adminisup cost and complexity trating increasingly virwith different architecrich and cloud tualized, service-oriented tures required at each environments ” data centers. point in the network, inAn upcoming version of cluding data center, camHP IMC is planned to add pus and branch. This lack automatic synchronization of convergence and inof network connectivity information with creased complexity make it difficult to roll HP Virtual Connect technology for server out new applications and services. blades and further automate the process The HP FlexNetwork architecture of creating a server profile, moving a step adheres to open standards across the closer to one-button cloud provisioning. modular building blocks that make up the architecture. Solutions based on this architecture allow clients to bring How can organizations make the move existing network investments forward, to HP FlexNetwork Architecture? reducing total cost of ownership today HP Technology Services offerings can help while preparing organizations to embrace clients migrate from proprietary legacy the future. networks to the HP FlexNetwork architecture and for moving off proprietary network protocols like Cisco’s EIGRP, to stanHow can organizations simplify physidard routing protocols OSPF v2 and v3. cal and virtual network management? Additionally, new networking services are Faced with IT sprawl, the complexity of now available for key business initiatives multitier deployments and increasing deincluding video collaboration, network mand for virtualization, clients can turn security and FlexManagement. HP also to the HP FlexNetwork architecture to offers a complete set of lifecycle services simplify their networks and prepare their for each modular building block to support organizations for demanding, servicethe planning, design, implementation and oriented computing models such as cloud, operation of enterprise networks. mobile computing and virtualization. identity-based access of multimedia content across converged wired and wireless networks. FlexBranch: Extends and simplifies network and security at the branch, integrating bestof-breed technologies for service delivery. FlexManagement: Eliminates the complexity of multiple management systems with singlepane-of-glass management across the HP FlexNetwork architecture.

Product Showcase

HP V1810 Switch Series HP V1810 Switch Series devices are basic smart managed fixed configuration Gigabit Layer 2 switches designed for small businesses looking for key features in an easy-toadminister solution. The series has three models: 8-, 24- and 48-port 10/100/1000 models. The 24port model includes two dual purpose combo SFP ports, and the 48-port model has four additional true Gigabit SFP ports (52 total active ports), for fiber connectivity. All models support flexible deployment options, including mounting on walls, ceilings, under table, or desktop operation. They come with an anti- theft protection Kensington Lock slot. The 8-port model can optionally be powered by an upstream Power over Ethernet (PoE) switch. The V1810 switches support QoS traffic prioritization and security features such as Denial-of-Service prevention.

HIGHLIGHTS Customized operation using intuitive web interface Flexible connection and deployment options Layer 2 operation at wire speeds VLANs and Link Aggregation support HP Lifetime Warranty

Alternative Views

CIO ROle

Is there a glass Ceiling in It? They pilot planes, they run businesses, and they have been to space and back. But is a glass ceiling in IT limiting women from taking the corner office? Two CIos debate.

n the initial stages of your career, gender bias isn’t an issue. But as women move up the corporate ladder, the existence of the glass ceiling is more pronounced. Generally, thanks to the glass ceiling, women are unable to make it to senior management. And this is true not just at the CIO level but even at lower positions. Also, I feel gaining entry into the midlevel is difficult. And even after making it and delivering results, when you opt to shift jobs, you have to start a level or two lower and work your way up again. Women in IT do not usually get the upward movement on shifting jobs that men generally do. So you have to prove yourself all over again in a new organization. Even modern organizations—when faced with a choice between an equally qualified man and woman—would choose to promote the man and justify it as playing safe. Along with technical

expertise, business expects IT leaders to understand business and women aren’t considered to be strong enough to propel the business forward. The perception within organizations is that IT and finance, to some extent, are best left to men. That’s why there aren’t that many women CFOs. Another issue is that to be able to reach the CIO position, senior management’s approval is an imperative. And not all in that cadre consider women as capable of understanding the business and financial aspects of a CIO’s role. There are also doubts with respect to a woman’s ability to handle business communication effectively. Not everybody is comfortable taking IT investment advice from a woman. It is a bit against the tide. Internal perceptions need to change and only support from stakeholders will encourage women to move up in IT.

“Modern organizations—when faced with a choice between an equally qualified man and woman—would —would choose to promote the man and justify it as playing safe.” —Meenakshi Agrawal, VP-I T, Mumbai International Airport

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Alternative_Views.indd 34

Vol/6 | ISSUE/10

CIO ROle

personally believe that there is no glass ceiling in IT. It is true that IT companies start with nearly a 50:50 male to female ratio and end up with only a 90:10 ratio at the top. But I don’t think this can be attributed to a glass ceiling. The real reason is that as the job gets demanding, women choose to opt out of the race. You don’t see such a stark contrast in industries like banking because women have been a part of these industries for about three generations. I probably belong to the first generation of women CIOs in India and it is also due to the fact that IT as an industry is very new and young in the country. I also think that the current IT scenario is favorable to women at all levels. Today, any employee can be given the option of working from anywhere. This ensures that I can work from home, while I am traveling, or on vacation. Having said that, I wouldn’t advocate less stressful jobs for women. If you want equal opportunities, you should be willing to undergo the same rigor. You can’t have concessions because you are a woman. Today, even a man in a double income family faces similar pressures of running a family.

“If a woman has delivered results and displayed the capacity to handle pressure then she will be promoted.” —Asmita Junnarkar, CIO, Voltas If a woman has delivered results and displayed the capability of handling the pressure that comes with a senior position then she—and not an equally qualified man—will be promoted. I personally would promote the one who is willing to take more responsibilities and is delivering better results. If a woman chooses her home over her career then she will experience the adverse impact of her own decisions. And that has nothing to do with a woman’s gender but only to do with her priority at that point in time. Also, when a woman chooses to shift jobs she need not compromise on her experience and position. With lateral shifts, you can grow horizontally. And I also don’t believe that problems are compounded as you move up. On the contrary, with added responsibilities, women have more flexibility. CIO

As told to Anup Varier. anup Varier is senior correspondent. send feedback to anup_varier@idgindia.com

GE5BF:CEA=B; 6HF=B9FF

G<ECH;< >H8=7=CHF 5DD@=75G=CB C: =G

IN THIS ISSUE

/` P`[[`u GolT^Jll mk?^lP`k]?mT`^ T^ ?HmT`^ tTlTm V[a%[`&fdT`eYad_Xde

Alternative_Views.indd 35

P hoToS By foToCorP

Alternative Views

83| ASSEMBLY LINE WONDERS TAFE builds new synergies and revitalizes its existing PLM solution.

88 | BEYOND BOUNDARIES Dhiren Savla, CIO, Kuoni Travel Group, talks about the changing roles of CIOs.

AN IDG CUSTOM SOLUTIONS INITIATIVE

9/2/2011 5:09:21 PM

CUSTOM SOLUTIONS GROUP ALCATEL-LUCENT

CASE STUDY

ENABLING TOP CLASS CONNECTIVITY

ACROSS FOUR SEASONS

ince its inception in 1960, the Four Seasons Group of Hotels has cultivated an international reputation for hospitality, efficiency, quality and innovation. The Canadian company has 73 hotels in major cities and resorts in 31 countries, with more than 25 properties currently under development. The Four Seasons Mumbai opened in May 2008 in the Worli district, an emerging neighborhood in the heart of the city. Its 200 spacious rooms span more than 30 floors and offer breathtaking views of the Arabian Sea.

NEED FOR CONNECTIVITY Four Seasons Mumbai was looking for a single converged network for highperformance voice, data and video that would go beyond high speed Internet to offer more sophisticated services like enhanced guest mobility within the hotel and its shops, personal voicemail, direct numbers, multilingual voice guides, WiFi access, voiceover-WLAN and network security. The hotel needed technology that would revolutionize its guest services without alienating the non-technical guests. It also wanted to increase revenue and boost hotel staff productivity and efficiency by integrating its systems. To achieve these ambitious goals, Four Seasons-Mumbai turned to Alcatel-Lucent’s local Business Partner, ABS India. ABS India conducted a detailed site survey of the hotel to determine the best convergence solution. Since the property was new, ABS India was able to deploy a tailor-made package without worrying about a legacy communications system. The chosen solution incorporates a wide range of innovative Alcatel-Lucent products to improve hotel operations as well as guest experience. The communications infrastructure is built on the OmniPCX Enterprise Communication Server, OmniSwitch LAN switches and OmniAccess Wireless LAN switches, and is managed using OmniVista Network Management.

IMPROVED GUEST EXPERIENCE Ethernet connectivity is provided to the hotel’s rooms using OmniSwitch LAN switches (OmniSwitch 9000 and OmniStack 6200). This enables guests to connect to wireless access points and use IP phones. Since the LAN switches power the IP phones and wireless access points, there was no need for the hotel to invest in additional power outlets.

“Our guests are extremely happy with the entire service value chain, including the communication systems.” Adarsh Jatia,

Executive Director, Four Seasons Hotel, Mumbai

SIMPLIFIED ADMINISTRATION By integrating the Alcatel-Lucent OmniPCX Enterprise Communication Server with its Property Management Software, the hotel gained access to voice billing information. The deployment also enables workflow and notification features and the use of a centralized key service for multiple hotels. Ultimately, the solution supports the communication needs of all guests, whether they are in their rooms or common areas. The OmniAccess Wireless LAN solution supporting voice-over-WLAN has 375 WLAN access points (Alcatel-Lucent OmniAccess™ AP61) and one centralized wireless switch (Alcatel-Lucent OmniAccess 6000). The configuration of each access point is centrally managed; the Wireless LAN switch is the single point of configuration,

Four Seasons hotel’s guests’ perception of quality and innovation improves with the introduction of secure, high-performance communications solutions

management, security (one point of entry) and troubleshooting for the entire wireless LAN and its users. Currently the hotel personnel are using 50 Alcatel Lucent Mobile IP telephones.

HEIGHTENED SECURITY The Four Seasons-Mumbai solution includes a highly secure network firewall with antivirus, anti-spam, and intrusion detection and prevention capabilities. The hotel has also deployed the Captive Portal mechanism, which is built into the Alcatel-Lucent Omni Access 6000 WLAN controller. Captive Portal is an effective method for authenticating users in situations where it is either impossible or undesirable to configure all devices with pre-shared keys or client software.

ON-TIME, HASSLEFREE DEPLOYMENT It took 3-4 months to install the solution in the hotel, and another month to integrate the system with various applications and test its performance. “The deployment was well planned, and ABS India completed the work within the specified time frame. A team of experienced engineers and a dedicated project manager monitored progress and kept us up to date,” said Adarsh Jatia, Executive Director, Four Seasons Hotel, Mumbai. He was particularly pleased with how ABS India and Alcatel-Lucent managed the customer relationship: “ABS India and Alcatel-Lucent are, both, very client-friendly organizations. They supported us every step of the way.”

This feature is brought to you by IDG Custom Solutions Group in association with

Cover Story

Security Special

Cyber criminals continue to outsmart technology and stupefy both governments and enterprises with their ingenuity. It’s time to beat them at their own game: Hack into their minds.

Criminal By Gunjan Trivedi, Varsha Chidambaram, and Debarati Roy

Reader ROI: How cyber criminal profiling can help The workings of the underground market and the costs of different types of data New trends in the threat landscape

coverstory_criminal_minds.indd 44

no matter how big your brand, how highly placed you are in the capitalistic conglomerate, or how many resources you put into security—is safe from cyber criminals. Worse, the romantic elusiveness (think Anonymous) which used to be associated with cyber criminals, the tag of the anti-hero, is making a comeback. It doesn’t help that their status as legends, in a Robin Hood-esque way, is reinforced when they stay a step ahead of the law or of CISOs. The only way, it seems, to get them off their pedestal, is to get ahead of them. It is time to stop playing helpless victim and start putting a face to these faceless attacks. And one way to do that is to get inside their minds and predict their next move. Hard? Yes. Impossible? No, not with the use of psychology and behavioral sciences. Cyber criminals are after the same things as traditional criminals: Fame, money and love. They are victims of their own stereotype, of their own habits. Criminal psychologists have made great strides in understanding the criminal mind. And it’s only a matter of time before some of those learnings percolate in the world of cyber crimes. In the meanwhile, CISOs need to protect their organizations against new trends in the threat landscape (Pg 54). And they also need to find new ways to put a cost on the benefits of security. The workings of the underground market (Pg 60) should help do that. Fore-warned is fore-armed.

P hoto by Meri yaade in studio

Google hacked, Facebook Hacked, CitiGroup Hacked, RSA hacked! No one—

8/22/2011 12:38:59 PM

46 Criminal profiling extends to cyber crimes.

54 New security trends in the threat landscape.

M nds 60

The cost of your data in the underground market.

Pull-out The Global Information Security Survey, 2011.

Parag Deodhar, Chief Risk Officer, and VP Process Excellence and Program Management, Bharti AXA General Insurance, says criminal profiling can be especially useful during the process of recruiting as the trend of planting snitches in companies increases.

coverstory_criminal_minds.indd 45

8/22/2011 12:39:02 PM

Cover Story

Security Special

i Criminal M nds Which of the following is most likely to get stopped and interrogated at the JFK International Airport? a) An eccentric scientist carrying exotic species of insects? b) Charlie Sheen? c) A brown-skinned man wearing a robe? If you’re thinking C then you’re probably aware that criminal profiling is a practice that law enforcement agencies around the world use. In fact, it’s being used so much that it’s given profiling a bad name. But the basic premise is sturdy: Bad guys are predictable because they are creatures of habit. And that’s why criminal profiling is beginning to spread to the cyber world.

Reading Minds For years now, forensic psychologists and behavioral sciences have been working in collaboration with law enforcement agencies to integrate psychological science into criminal profiling. The most popular method of criminal profiling, offender profiling, aims to identify criminals based on an analysis of their behavior while they engage in the crime. The underlying rational is simple: If behavior is common across crimes, it is probably the same criminal because behavior is related to the psycho-socio characteristics of an offender. Behavior is revealed by the choices offenders make while committing a crime. This could include their modus operandi, the location of the crime, and the weapon of choice among others. This information is then combined with other pieces of physical evidence, and compared with the characteristics of known personality types and mental abnormalities to develop a practical working description of an offender. This study of the psyche of a criminal is considered ‘the third wave’ of investigative science. Criminal profiling began being used as a tool for investigation as far back as the beginning of the 20th century. The role of profiling first garnered interest following the infamous Jack, the Ripper killings in England. “Traditional policing systems like the Kotwali system, too, had a system of recording behavioral traits of criminals to arrive at some sort of a profile of a

By Varsha Chidambaram

criminal,” says S. Murugan, deputy inspector general of police, Cyber Cell, Bangalore. But it’s only recently that the science has really caught the fancy of the public. TV shows including CSI CSI, the Mentalist, and Castle have all gotten on the study-the-mind-of-a-killer bandwagon. In reality though, much more ground needs to be covered. “The criminal profile practice in India is largely done by the police with the help of forensic experts. But there is not a great degree of psychoanalysis of offenders,” admits Murugan. “The current practice of criminal profiling is based on crime scene characteristics and demographic details; it does not include much of behavioral tendencies and personality traits,” continues Dr. S.L. Vaya, director, Institute of Behavioral Science at the Gujarat Forensics Science University, which claims to be the first of its kind in India. Part of the problem is the controversy surrounding the effectiveness of criminal profiling, along with lack of empirical evidence supporting its effectiveness. But recent research points that criminal profiling is estimated to have a success rate of 77 percent in assisting traditional investigations.

Role Playing The world of cyber crime significantly reshuffles the rules of criminal investigation. Unlike traditional crime scenes, evidence often exists only in the cyber-world; in a computer, a network, or the Internet. The weapon of choice—also a computer, a network, or the Internet—is volatile and easily contaminated or destroyed. And that’s why CIOs and CISOs need to build robust ecosystems that can create accurate and reliable logs and audit trails. But even that has its limitations. While log and audit trails could lead security analysts to a perpetrator, most often the trail ends at a computer, a server or a network —not the face behind it. As a result only five percent of cyber criminals are caught and prosecuted. It is this faceless dimension of cyber crime that compounds its challenge. And that’s why the use of profiling will almost certainly grow over time. “I think the concept of profiling is an excellent step. However, since most of cyber crimes are faceless attacks, what would be great is if we could extend

Recent research points out that criminal profiling has a success rate of 77 percent in assisting traditional investigations.

A U G U S T 1 5 , 2 0 1 1 | REAL CIO WORLD

coverstory_criminal_minds.indd 46

Vol/6 | i SSue/10

the concept of profiling to websites or URLs that are most likely to send malicious content or associated with criminal activity,” says Manish Dave, CISO, Essar Group. If cyber criminals rely on the pseudoanonymous nature of the Internet and technology to camouflage their true identities, it is up to security leaders to use another method to locate them. Fortunately, a cyber criminal’s facelessness doesn’t extend to other telling signs of crime: Motivation, MO, and signature behaviors. And criminal profiling relies heavily on such clues. “Criminal profiling can also be especially useful during the process of recruiting. As the trend of planting snitches in companies increases, it would be a great tool to keep in mind while conducting background checks of employees,” says Parag Deodhar, chief risk officer, and VP process excellence and program management, Bharti AXA General Insurance.

The Outlaws

Vol/6 | i SSue/10

Manish Dave, CISO, Essar Group suggests extending the concept of profiling to websites or URLs that are most likely to send malicious content or associated with criminal activity.

For CISOs, the following two categories are those to study. That’s because they usually harbor the most malicious intent and they pose the highest threat to enterprises. Internals. These are employees, former employees or contractual employees. Their intent to damage a company’s system is primarily based on revenge for perceived grievances. Their attacks aren’t based on technical skill but rather on a precise knowledge of the level and type of security present within an organization. In their report The Insider Threat to Information Systems authors Eric Shaw, Keven Ruby, and Jerrold Post define such internals as Employee CITIs (Critical Information Technology Insider). According to them, Employee CITIs use their knowledge and access to internal information resources for a range of motives in addition to revenge, including greed, ego gratification, to resolve a personal or professional problem, to protect or advance their careers, to express their anger, to impress others, or a combination of these. Michael Lauffenberger, a 31-year-old programmer for the General Dynamics Atlas Missile Program, is an example. He reportedly felt unappreciated for his programming work on a parts tracking system. That led him to planting a logic bomb in the system that was designed to erase critical data after he resigned. REAL CIO WORLD | A U G U S T 1 5 , 2 0 1 1

P hoto by FotoCorP

Most of the work in cyber criminal profiling has been done around hackers. For the sake of general understanding, it needs to be said that cyber criminals are not the same as hackers. Cyber criminals use the electronic medium to commit theft, embezzlement or any other punishable offence. Whereas hackers are just exceptionally-skilled computer geeks. That said, a large of number of cyber criminal analyses have attempted to profile hackers on the basis of their hacking expertise level. The common profiles are: Toolkit Newbies. They are largely technology novices, with very low technical skills and know-how. They use ready-made, pre-prepared software and depend on how-to documentation downloaded from the Internet. Cyber-Punks. They are generally capable of writing short programs themselves, which they use mainly for defacing Web pages, spamming, credit card or personal information theft, identity theft, and telecommunications fraud. These cyber-criminals are mostly like to brag about their skills and accomplishments. Coders. They write code aimed exclusively at damaging other systems. They have ulterior motives and spread spywares and Trojans for this purpose. Old-guard hackers. They are highly qualified, without criminal intent, who embrace the original ideology of first generation hackers. Their interest lies in the intellectual, cognitive side of hacking. Hacktivists. These are political activists and have grown in popularity in the last year. They may or may not be well funded but always have some social or political agenda. However, any hidden ulterior motives are possible too.

8/22/2011 12:39:25 PM

Creative100_Double Spread_Entertainment.indd 1

9/2/2011 5:17:05 PM

Partners

Cio100 is proud to present the musical genius of Colonial Cousins—the Duo of Leslie Lewis and hariharan—who collaborated in 1996 to win several awards including the Best Album at the Channel [V] viewer’s choice award for their unique style of music.

26-27 August 2011 the MArriott, Pune

eVent By

hosteD By

By invitation only

Creative100_Double Spread_Entertainment.indd 2

9/2/2011 5:17:13 PM

Cover Story

Security Special

He anticipated returning to rescue the company as a highly-paid and valued consultant. Another rather infamous example is Jay Beaman, a regional PC manager for the King Soopers supermarket chain. Beaman and two clerks were charged in an intricate computer fraud that cost the supermarket over $2 million (about Rs 9 crore) over two years. Investigators described their motives as beginning with financial necessity but quickly escalating into greed and ego. Among the strategies Beaman and team used was manipulating the computer accounting system to funnel certain purchases into a dummy account. At the end of every day, they encashed the money and deleted the account, thereby erasing any trace of their fraud. In both examples, employees used their knowledge and access to critical systems to create crisis. In fact, Beaman was able to use his position to both commit and cover up his fraud, emphasizing the vulnerability of organizations to trusted employees. Professional criminals and cyber-terrorists. Professional criminals specialize in industrial espionage and intelligence operations against governments, national security agencies, and organizations that deal with highly-sensitive information, and represent the highest class of risk. They are highlymotivated, highly-trained, highly-focused and have easy access to sophisticated tools and technologies. Like all mercenaries,

they usually have the support and the backing of large-scale, organized crime syndicates. One such ring was recently uncovered. The cyber-banking fraud ring, working from multiple geographies, went after the accounts of medium-sized companies, towns, and even churches in the United States. Before they were caught by law enforcement agencies in US, UK, Ukraine and the Netherlands; members of the ring managed to steal $70 million (about Rs 315 crore). According to the FBI, using a Trojan horse virus known as Zeus, hackers in Eastern Europe infected computers around the world. The virus was carried in an e-mail, and when targeted individuals at businesses and municipalities opened the e-mail, the malicious software installed itself on their computers, secretly capturing passwords, account numbers, and other data used to log into online banking accounts. The hackers then used this information to take over bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of â&#x20AC;&#x2DC;money mulesâ&#x20AC;&#x2122;. Many of the money mules in the US were recruited from overseas. They created bank accounts using fake documents and phony names. Once the money was in their accounts, the mules could either wire it back to their bosses in Eastern Europe or turn it into cash and smuggle it out of the country. For their work, they were paid a commission. Last year, the FBI along with the law enforcement agencies of the UK, Ukraine and Netherlands executed numerous warrants to

P hoto by FotoCrP

Dr. S.L. Vaya, Director, Institute of Behavioral Science at the Gujarat Forensics Science University, strongly believes that forensic psychological profiling of criminals will be increasingly useful in catching offenders.

A U G U S T 1 5 , 2 0 1 1 | REAL CIO WORLD

coverstory_criminal_minds.indd 48

arrest more than 27 persons across multiple countries in one of the largest cyber criminal cases FBI claims to have ever investigated.

Getting Psyched Motivation, method, and maturity: These are three of the more important parameters used in cyber criminal profiling. Though very little documentation exists about the psychological tendencies that drive perpetrators to criminal behavior, their behavioral manifestations can also be used against them. It’s important to remember that cyber criminals, too, are largely victims of their own stereotype. Some of those stereotypes suggest that they have an above average IQ, great technical and problem-solving skills, are dissatisfied or de-motivated by unchallenging environments at school or work, suffer from dysfunctional or impaired social relationships, and tend to rebel against authority. There has been some work associating psychological diseases with the cyber criminals. Infamous hackers such as Adrian Lamo and Ryan Cleary are reported to have suffered from Asperger’s Syndrome, a form of autism characterized by significant difficulties in social interaction. Adrian Lamo, now a threat analyst, gained media attention for breaking into several high-profile networks including The New York Times, Yahoo!, and Microsoft, and later got embroiled in the Bradley ManningWikiLeaks scandal. Nineteen-year-old Ryan Cleary was more recently accused of being involved with the LulzSec group and hacking the UK’s Serious Organized Crime Agency website. Cyber criminals, reports suggest, prefer the predictability and structure of computer-based work to the dynamics of relationships. They spend significantly more time online than is necessary for their work, frequently report losing any sense of the passage of time while on-line, and find that their on-line activities interfere significantly with their personal lives. They are more likely to be independent, self-motivated, aggressive loners, who make poor team players and feel entitled to be a law onto themselves. In addition to these psychological disorders associated with the criminal mind, there are several behavioral tendencies and manifestations that can also be attributed to criminal profiles. Some of these are: Introversion. Criminal confessions are often the most potent tool for profilers. But the appallingly low rate of cyber-criminal convictions makes for a small pool of research. However, the majority of the arrested hackers and those, which have responded to surveys, indicate they are withdrawn, uncomfortable with other people, and are introverts. Traditionally, computer professionals are associated with introverted-ness. But with cyber criminals introversion is accompanied by a history of personal and social frustrations (especially anger toward authority), ethical ‘flexibility’, a mixed sense of loyalty, entitlement, and lack of empathy. Apathy. There have been many documented anecdotal accounts of the lack of concern by hackers over the systems they have attacked. Many of the written interviews with convicted

Vol/6 | i SSue/10

coverstory_criminal_minds.indd 49

Tell-tale Signs Rohas Nagpal, President, Asian School of Cyber Laws, has been involved in the investigation of numerous cyber crimes and believes that there are indicators of an imminent crime that CIOs should watch out for. Taking very few or no holidays. Generally, says Nagpal, criminals are scared to take holidays because someone will discover what they are up to. Unhappy employees who have a sudden change of heart. Formerly disgruntled employees who suddenly seem to have overcome their unhappiness even though their demands have not been met must be put under the microscope. They may be planning or executing a cyber attack against their companies. A sudden increase in spending on luxuries. There are a number of well documented cases of criminals who have been embezzling from their companies for years, but got caught because they seemed to be living out of their means. —V.C.

hackers portray them as being more concerned with fulfilling their own material needs regardless of the consequences. Misplaced Sense of Entitlement. Although hackers are selfconfessed loners and have under-developed social skills, they appear to have a strong desire for affiliation, acceptance, and approval. Research suggests that individuals who engage in deviant cyber behavior, when encouraged, are willing to discuss and brag about their exploits. Take the case of a network administrator, the face behind a multi-crore source code theft at one of India’s largest software companies. When forced into a confession, he revealed how his desperation for social affiliation led him to commit the crime. In order to show-off his IT skills to a girl he recently met on a social networking site (the girl seemed to have expressed fascination for hackers and their intelligence), he went on to draw network diagrams and security mechanisms including root passwords of his company on paper tissues at the coffee table. The girl, reportedly, kept throwing those tissues into an ash tray, which a waiter emptied every so often. The waiter later confessed that he was paid Rs 5,000 to hand over all the tissues to a suspected Israeli REAL CIO WORLD | A U G U S T 1 5 , 2 0 1 1

Creative100_Double Spread_Airtel.indd 1

9/2/2011 5:18:45 PM

Partners

Alvin Lee—inventor, author, motivational speaker and entrepreneur from singapore—will share his story of why it is important to ‘Build Castles in the Air’. he gave up a career to pursue a dream and went on to win the prestigious us oppenheim toy Portfolio gold Award for his invention, BeachWorks.

26-27 August 2011 the MArriott, Pune

event By

hosted By

By invitation only

9/2/2011 5:18:53 PM

Cover Story

Security Special

national at another table, who later hacked into the organization from that coffee shop. The criminal was never caught. More and more of such behavioral manifestations, tendencies, and stereotypes are being constantly studied and analyzed by psychologists and doctors to develop psycho-analytical profiles of such cyber world offenders. “Though research in this field is plenty, there is no integration of research outcomes with actual case studies (field work), thus the level of sophistication required to be regarded as reliable scientific evidence to support criminal investigation is lacking,” laments Dr. Vaya.

i Trends in Secur ty

But she strongly believes that forensic psychological profiling of criminals will be increasingly useful in catching offenders. “It is like if the country had a data bank of DNA or fingerprints of all its citizens, it would help make nabbing criminals much easier. Similarly, having a clear understanding of people’s behavior to understand their personality traits by forensic behavioral analysis would help develop a data bank of “psychological signatures” of all suspected persons which would help identify criminals and preempt their moves.” CIO Varsha Chidambaram is senior correspondent. Send feedback on this feature to varsha_chidambaram@idgindia.com

By Varsha Chidambaram

From the Internationalization of organized crime to APT, here are new areas of risk that security leaders need to watch out for.

individuals with deep financial backing—a trademark of internationalized crime. “Today, cyber crime has gone international. It can no longer be traced to a college whiz writing code in his basement. It is organized crime, much like the mafia. There are powerful, geographicallydispersed actors in this scheme,” says Krishna Sastry Pendyala, asst. government examiner, Cyber Forensic Division, Directorate No matter what indicator you choose, cyber crime is getting of Forensic Science. increasingly serious, forcing enterprises to respond with equal Carl Leonard, senior research manager, Websense Security Labs, gusto. But given how hard it is to catch cyber criminals, the smart agrees. “The sophistication of attacks we are seeing today requires money is on prevention. Enterprises need to ensure that they are various skill sets. It indicates that cyber criminals with different levels aware of the three new trends in the threat landscape and ensure of expertise are organizing themselves to create these attacks. And that they are protected against them. these attacks are originating from various geographies and targeting various geographies.” Trend 1: Internationalization of Organized Crime The internationalization of cyber crime is only likely to grow Highlights: More organized in global terms, resulting in an because being part of the cyber mafia is a lucrative business. increased access to funds and resources. Allows a single criminal According to Deloitte, the underground market— to attack from multiple locations, confusing primarily selling corporate data—is estimated investigators. Benefits from a lack of international at $100 billion (about Rs 450,000 crore), and collaboration. growing. “With ambivalent cyber laws, and a lack When Stuxnet hit India last year, it sent alarm of international co-operation, cyber criminals are bells ringing in the highest offices of the country, enjoying a free run,” says Pratap Reddy, director, after all, India was the third-most infected country Cyber Security, Nasscom. in the world. Some even speculated—since ISRO It’s important to differentiate between two types is a Siemens customer—that it was the cause of international criminals: Those motivated by behind a glitch on the INSAT (Indian National politics and those motivated by money. Anonymous Satellite System) 4B satellite. Whether that’s true and LulzSec, for example, fall into the category of or not, Stuxnet was undoubtedly one of the most international criminals, with political intent. The sophisticated and targeted attacks till date. criminals behind the attacks on Lockheed Martin, Stuxnet flummoxed everyone: Analysts, or Sony Playstation, for instance, were motivated security experts, intelligence officers, and by critical information that could be sold. government agencies. But there’s one thing that But, motivation aside, they have one thing in they all agree on: Stuxnet was not the work of Kanwal Mookhey, common: Their ability to mobilize geographicallyan individual. It was a masterpiece created by a Founder, Institute of dispersed foot soldiers. collection of highly-brilliant, highly-motivated Information Security

“In conducting forensic exercises, we see that attacks originate from multiple locations. But, that is often a diversion tactic.”

A U G U S T 1 5 , 2 0 1 1 | REAL CIO WORLD

coverstory_criminal_minds.indd 50

Vol/6 | i SSue/10

Sesanka Pemmaraju, IT director and CISO, Hitachi Consulting India, is taking both operational and non-operational routes to de-risk social media.

we conduct interactive training sessions which have a mix of video and text to keep awareness levels high and employees interested,” he says. The growing focus on security is even being witnessed in manufacturing companies. Take the Essar Group for instance. Essar has instituted a multi-layer security policy encompassing all business units. “We have extensive security armor involving the latest security tools such as DLP, GRC, end-point protection, and encryption. The current global threat landscape suggests that BYOD (bring your own device) may well be the next challenge. As a proactive measure to mitigate risks attached to end-points, Essar Group has taken a lead to adapt desktop virtualization,” says Manish Dave, CISO, Essar Group.

Trend 2: The Growth of Social Media Highlights: Has a direct correlation with the rise of spear phishing and socially engineered attacks. Social media adoption within the enterprise is unstoppable. From using it for sales leads to brand building or just giving a new generation of staffers access, social media is inexorably going from nice-to-have to must-have. According to data from GISS, 49 percent of Indian enterprises intend to increase access to social media. REAL CIO WORLD | A U G U S T 1 5 , 2 0 1 1

Photo by SureSh P hoto graP hy

“While conducting forensic exercises, we see that attacks originate from multiple locations—but, often, that is a diversion tactic. The attackers are really the same person or set of persons. The real problem that plagues not just India but the entire world is the difficulty in tracking down and nailing these cyber criminals,” says Kanwal Mookhey, founder, Institute of Information Security and author of several books on information security. “The unprecedented wave of successful assaults that we see around us today is because hackers are grouping themselves together,” says Pendyala. One of the biggest barriers in the fight against international cyber crime rings is inter- and intra-national collaboration. However, that’s changing. According to the Global Information Security Survey (GISS) 2011—that’s run by PwC and CSO magazine (a sister publication to CIO)—Indian IT and security leaders are ready to give up some of their old resistance to letting the government take more control—the first step towards more collaboration. About 75 percent of Indian security leaders, for instance, are willing to support the governmentmandated intrusion-penetration and identity-threat monitoring standards. And about 65 percent would support a government implementation of mandatory adoption of real-time threat analysis. “The need of the hour is to enhance collaboration with various international bodies (government bodies, industry and, for profit / not for profit bodies) working in the areas of enhancing cyber security and cyber crimes prevention, so as to bring in increased cooperation into cyber crime investigations,” says Reddy. The Interpol has a wing called the IT Crime Working Group. It’s a group of top cyber crime investigators from across the globe who meet to discuss the latest strategies to fight cyber crime. “While there has been effort to boost international co-operation to fight cyber crime, it is very time-consuming and often frustrating to the investigators,” says S. Murugan, deputy inspector general of police, Cyber Cell. In the meanwhile, CISOs are ensuring that security, in general, is tightened. “Being a financial services company, security is one of our top concerns. We have various levels of confidential data, with security becoming progressively stronger at each level. Not even top management has access to all sensitive data; it is based on a need-to-know basis,” says Parag Deodhar, chief risk officer and VP process excellence and program management at Bharti AXA General Insurance. He’s also making sure that the company attacks security holistically. “We put a lot of emphasis on the people and process part of security. Instead of having lengthy security handbooks,

8/22/2011 12:40:07 PM

P hoto by SharP iMage

“The use of social media is no longer a choice; it is a necessity to do business,” says Jamuna Swamy, Head-Information Security Practice, Hexaware Technologies.

“The use of social media is no longer a choice; it is a necessity to do business. If the enterprise does not engage and respond to comments, it will start losing customers, investors, and members,” says Jamuna Swamy, head-Information Security Practice, Hexaware Technologies. But few enterprises are ready either strategically or tactically for social media: Only 30 percent say the use of social networking is part of their organization’s security policy—and less than half (42 percent) monitor employee postings on blogs or social networks. Two threat vectors emerge from this trend: An increase in spear phishing and socially-engineered attacks. “Social media plays a significant role in spear phishing attacks. Since these attacks are targeted at specific victims, cyber criminals craft an attack that would lure them more effectively,” says Anand Naik, director of Systems Engineering for India and SAARC Region, Symantec. Already, an increase in spear phishing attacks is apparent. Since March this year, there has been a spate of spear phishing attacks targeting RSA, Epsilon, JP Morgan Chase, Sony, Oak Ridge National Laboratory, Lockheed Martin, Citi Group, Gmail, and The IMF. According to a recent report by Cisco (E-mail Attacks: This Time It’s Personal), spear phishing levels have jumped threefold in the last 12 months. And for good reason: They are more profitable for the bad guys. The report points out that for a single e-mail campaign, mass phishing has an open rate of 3 percent and a click through rate of 5 percent—compared to 70 percent and 50 percent for a spear phishing campaign. The result? The value 56

A U G U S T 1 5 , 2 0 1 1 | REAL CIO WORLD

coverstory_criminal_minds.indd 52

per victim of a mass phishing attack is about $2,000 (about Rs 94,000), compared to $ 80,000 (about Rs 37.6 lakh) for a spear phishing campaign. The other threat vector—socially-engineered attacks—is also growing, although at a slower pace. About 27 percent of Indian enterprises have been victims to social engineering attack in 2011, up from 22 percent last year, points GISS data. Clickjacking is another method of executing a social engineering attack that works by fueling human curiosity on a social network. Clickjacking is defined as an activity that encourages somebody to click on a video, open a PDF file, or browse through a website. The ultimate goal is to encourage someone to perform a certain action. Clickjacking is most commonly noticed on Facebook. Let’s say a friend posts a ‘shocking video’ on Facebook. If the post tickles your curiosity enough you’d be tempted to watch the video. But when you click on the play button, you notice that instead of the ‘shocking video’ you’ve gone and ‘liked’ the video and it goes as a news feed to all your friends. “In click jacking a malicious code or a hidden component of a website sits on top of a video button, for example. So while you think you’re pressing the play button you’re actually executing a social engineering attack,” says Websense’s Leonard. In response, CISOs are pushing more money and focus at the problem. In the next year, 43 percent of Indian enterprises plan Vol/6 | i SSue/10

Cover Story to increase security spending related to social media, 40 percent promise to make social media security strategy a top priority, and 50 percent say monitoring employee postings on social networks is also a top priority. “In a number of security awareness training exercises we carry out for our customers, we include slides on how social networking sites can be used for social engineering, says Bharti AXA’s Deodhar. At Hitachi Consulting India (formerly Sierra Atlantic), IT director and CISO, Sesanka Pemmaraju is taking both operational and nonoperational routes to de-risk social media. He publishes desktop wallpapers with pictorial representation of multiple scenarios along with do’s and don’ts. “We are also in the process of integrating DLP and a rights management system (RMS) to enable tight monitoring of various actions performed by employees internally to prevent any leaks and avoid information landing in the wrong hands,” he says.

Security Special

hunts down the crown jewels. APT attacks depend on their ability to get inside an organization and stay hidden in plain sight. This differs greatly from the smash-and-grab style of more unsophisticated cyber thugs. What makes these attacks more lethal is that they are guided by external entities with a high degree of human involvement. Think of an APT attack as a remote-controlled car creeping about your system with the controls in the hand of a criminal. “What makes them tricky to deal with it is that they function diligently, step-by step, avoiding detection for long periods of time,” says Deodhar. Krishna Sastry Pendyala, So do CISOs in India need to start Asst. Government worrying? Depends on how they profile Examiner, Cyber Forensic risk in their organizations. “Organizations Division, Directorate of that have strategic, national, or military Forensic Science significance have a higher threat profile,” says Godbole. “Also, known names or brands in the commercial world or those that hold information that can be exploited may be equally at threat. It’s very important to determine whether your organization falls in Trends 3: The Emergence of Advanced Persistent Attack these buckets.” Highlight: These are targeted, sophisticated attacks. Aim is to Currently only 35 percent of organizations in India have a steal data, not destroy. Remains undetected for long periods of strategy to combat APT, according to GISS. Over 85 percent time. Requires advanced protection like deep packet inspection of these rely on traditional intrusion detection or intrusion and network forensics. prevention systems to counter APT. The attack on RSA in March is among the most audacious But while basic security practices such as patch management, security breaches this year. It started when attackers sent an vulnerability assessment and configuration management will e-mail with an Excel file titled “2011 Recruitment Plan”. The ensure APT entry points are secured; this new threat will need mail was only sent to 12 people within the organization and went more sophisticated protection like deep packet inspection, straight to their junk folders. Eleven of them deleted the e-mail, network forensics, and robust net flow analysis tools. In the one didn’t. But one click on the attachment was enough for the next year, 64 percent of Indian organizations say that APT will attackers to sniff around the network, determine key servers, and drive security spending, which is lower than the Asian average then slowly get access to them. It was only a matter of time before of 70 percent. hackers extracted private keys that were at the heart of RSA’s “Organizations that are high on a criminal’s radar would need security algorithm. to hire or train expert malware analysts capable of analyzing That’s the power of APT (advanced persistent threats). APT is data to identify the activities of malware and bots to identify characterized by sophisticated, directed, and persistent attacks. APT,” says Godbole. The sophistication is the result of multiple experts building up The more visibility and context you have around the status an attack to target specific organizations in a systematic and of your security environment, the more prepared you will be to persistent manner. respond to threats when they strike. Because it’s not a matter of “Unlike some malware that result into random infections, if you are going to be attacked, the question is when, and how APTs are directed attacks on specific entities,” explains Sandeep quickly will you be able to respond when it happens. CIO Godbole, member ISACA India Task Force. “And their objectives are much more sinister and serious.” “ATP attacks require meticulous preparation before the actual attack. In this case, the criminal gathers detailed information about the target; the network infrastructure, the security deployed, etcetera,” say Leonard. A significant characteristic of an APT attack—which is also a determining factor for its success—is its ability to remain Varsha Chidambaram is senior correspondent. Send feedback on this feature to undetected for long periods, creating a longer window as it varsha_chidambaram@idgindia.com Vol/6 | i SSue/10

“Today, cyber crime has gone international. It is organized crime, much like the mafia. There are powerful, geographicallydispersed actors in this scheme.”

REAL CIO WORLD | A U G U S T 1 5 , 2 0 1 1

Creative100_Double Spread_TCS.indd 1

9/2/2011 5:19:56 PM

Partners

hear the Ceo perspective on how technology is playing a critical role in redefining business models, and why it is imperative that Cios understand itâ&#x20AC;&#x2122;s importance in transforming business.

26-27 August 2011 the MArriott, Pune event By

hosted By

By invitation only

9/2/2011 5:20:05 PM

Cover Story

Security Special

Data On Sale

By Debarati Roy

What data and how much it’s being sold for in the underground economy can help IT and security leaders put a price on their efforts—and help tweak their security strategies. In January 2011, UCO Bank’s Shani Shingnapur branch in Maharashtra was celebrated as the first bank without locks on its doors. Shani Shingnapur is famous for its houses without doors because villagers believe that Shani (a Hindu god) punishes theft. The question is: Would the bank dare do away with cyber locks? Obviously not. They know that valuable data transforms into currency, lots of it. Leave a cyber door open and before you know, cyber criminals are holidaying in Las Vegas, at your cost. A Symantec report on data theft called the Underground Economy estimates that the value of total value of goods (mainly data) advertised in the underground economy is worth over $276 million (Rs 1,240 crore). And that was in 2008. Today, Maninder Bharadwaj, director, Enterprise Risk Services, Deloitte, pegs the size of the black market for data—just in India—at about $1 billion (Rs 4,500 crore).

What’s On Sale There’s limited research on the workings of the underground data market. But recent research (January 2011) by Panda Security is eyeopening. Credit card details can start as low as $2 (Rs 90) and can go up to $90 (Rs 4,000) for cards with complete information, including the victim’s address, CVV2 number, driving license number, secret questions and answers. Bank credentials start from $80 (Rs 3,600) and reach $700 (Rs 31,500) for an account with guaranteed balance. Details for online accounts cost anything from $80 (Rs 3,600) to $1500 (Rs 67,500) for accounts with guaranteed balance. According to Symantec’s 2008 report, e-mail accounts (like the ones the hackers of Epsilon were after) are sold by the megabyte. The cost for these can range anywhere from $0.30 to $40 (between Rs 13 to Rs 1,800) per MB. But it’s not just data on sale. Physical credit cards cost around $190 (Rs 8,550), with the cost of card details additional. One can buy a physical card

cloner for anything from $200 (Rs 9,000) to $1000 (Rs 45,000). The cost of a fake ATM is about $35,000 (Rs 15 lakh).

What the Black Market Looks Like In the data theft market, supply outstrips demand. According to Symantec, credit card data makes up about 30 percent of the total goods advertised on hacker sites and outstrips demand by 7 percent. Financial accounts are also on bulk sale, with supply forming about 20 percent of the market. Credit card details are hot. Though they make up only a third of advertised goods, they are worth over 55 percent of the total value of advertised goods. Once bought, these credit cards are a gold mine for criminals. Symantec estimates that if criminals sucked each account dry, they could make about $5.3 billion (Rs 23,850 crore). The second most popular data type on sale is information that could be used for identity theft at 16 percent of the market. Next is financial accounts, making up 8 percent of the market. But the latter are relatively fast-moving items because they are easy to cash out, providing immediate monetary gain. The average balance of financial accounts was around $40,000 (Rs 18 lakh). If these figures make it seem like it’s only credit cards or passwords that are on sale, that’s wrong. “Today, you can purchase entire portfolios that include every conceivable piece of data, from mother’s maiden name to family pet name,” says Shane MacDougall, principal partner at Tactical Intelligence, and a hacker at the DEFCON Hacking Conference. “Everything is up for sale, from pre-made credit cards, to ATM’s with built-in skimmers. It’s truly an eye-opening experience.” There is also a growing business focus among hackers. Like businessmen, they are beginning to focus on ROE (return on effort). That’s leading to a shift from random hacking to taking orders for a fee. The reason is simple. Attacking a company for its data is more profitable—and represents a guaranteed payout—for hackers than trying to steal hundreds of credit card numbers, putting them up for sale, and waiting until someone makes a bid. “The cyber-underground economy has shifted its focus to the theft of corporate intellectual capital because customers (people or organizations ordering an attack) can pay a big fat check in one go,” says Vinoo Thomas, technical product manager, McAfee. Data theft of this type is typically ordered for by rival organizations, governments, lobbyists, and the

Rs 4,000 The cost, at the high end, of credit card details in the underground economy.

A U G U S T 1 5 , 2 0 1 1 | REAL CIO WORLD

coverstory_criminal_minds.indd 54

Vol/6 | i SSue/10

8/22/2011 12:40:11 PM

Cover Story media. “Data including IP, business models, industrial designs, or something as basic as the details of someone’s next ad campaign could be of immense value to your competitor,” says Thomas. What does this imply for enterprise? A re-look at their risk stance. “It would be ideal to shift the approach from ‘what is important to us’ to ‘what is important to them’,” says Thomas.

Black Market Operations In the world of organized cyber crime, the word hacker is a generic term that encompasses a vast network of interconnected resources, each one an expert in their own field. Each as his own work profile and come together to complete a package that includes creating malware, finding potential victims, and being a ‘mule’ to collect money. Hackers trade data on the Internet using special hacker forums or IRC (Internet relay chat). “What better place can a computer geek choose other than the World Wide Web? They know how to camouflage themselves, are masters of the medium, and cannot be bound by the jurisdiction of a single country,” says Bhardwaj. The anonymity of the Internet, emboldens hackers to step out of the dark alleys of the underworld. Today, it’s become relatively simple to come across these underground forums on the Internet. Between July 1, 2007 and June 30, 2008, Symantec observed 69,130 distinct active advertisers in underground economy and counted 44,321,095 postings. The potential worth of the top-10 most active advertisers was $18.3 million (Rs 82 crore). And the potential worth of the top seller in the underground economy was $6.4 million (Rs 28 crore).

Security Special

“Most initial contact with hackers or data vendors is made through ICQ (an instant messaging tool) or a similar messaging service. Once vetted, you have access to underground exchanges,” says MacDougall. Today, forums like Cvv2deals.Web.com and Carders.cc are currently active on the Internet. The preferred modes of payment for transactions are payment processors and services like Western Union, Liberty Reserve, WebMoney, among others. According to Symantec, such transactions account for 63 percent of the total transactions.

Changing with Times Like any smart business, hackers in the underground economy are adapting to new market needs. Today, for instance, everything—from the tools and the skills required to commit a crime—can be bought and sold on a single platform, allowing for a turnkey projects. “There exists a mind-bogglingly sophisticated business model that evolves incessantly to react to market needs. Without that dark edge, any entrepreneur would be jealous of this model,” says Jay James, principal partner, Tactical Intelligence. “What’s funny and yet ironical is the fact that most sites that sell data operate like legitimate businesses. You’ll commonly see ‘try before you buy’, ‘free delivery for physical goods’ (card cloners and fake ATM’s) and there are even ‘money back guarantees!” says MacDougall. What’s next? Information on EMI? CIO Debarati Roy is correspondent. Send feedback to debarati_roy@idgindia.com

Security Zone Introducing Security Zone on CIO.in where you can dive deep into the latest in the world of digital security and stay updated on issues like risk management, cyber-crime, data security, compliance, governance, privacy, DLP, identity management and business continuity

Get In the Zone Today!

Everything Security coverstory_criminal_minds.indd 55

8/22/2011 12:40:12 PM

Creative100_Double Spread_Dell.indd 1

9/2/2011 5:21:47 PM

Partners

Cio, in partnership with Dell, is proud to introduce a new special award that honors 5 Cio s for their stellar role in using it as the backbone for building an efficient enterprise.

26-27 August 2011 the MArriott, Pune By invitation only

event By

hosteD By

9/2/2011 5:21:55 PM

VIEW

from the TOP

Marten Pieters, MD & CEO, Vodafone Essar, says IT has helped the company serve more customers, conquer rural India, and make Vodafone India’s second largest mobile service provider.

What do CEOs and other C-level executives expect from you? Read all about it in View from the top. Visit www.cio.in/ceointerviews

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

VFTT_August011.indd 86

IT’s Happy to

Help By Anup Varier

Marred by scams, battered by competition, and fighting for space. There isn't a better way to describe the rather distressing story of the telecom sector in India. With over 14 players in a spectrum war—that’s a mere 6-7 MHz, unlike less populated countries such as Germany that enjoy about 140 MHz—the Indian telecom sector seems to be struggling. Yet, it has grown a healthy 15 percent over last year. And Vodafone Essar has been a large part of that growth story. The Indian arm of the world's largest private mobile phone company, reported a near nine percent growth in its revenue last year. This is attributable largely to a 30 percent increase in the company's customer base and a substantial—17 percent—jump in its data services revenue. Not to forget, it recently dethroned BSNL to become the country’s second largest mobile service provider by revenue. And that’s something the company’s MD and CEO, Marten Pieters, admits wouldn’t have been possible without the help of IT.

CIO: What do you think of the low tariff rates and telecom scams in India?

Marten Pieters: The telecom industry has done a lot for this country. The mobile industry has brought to India in 10 years what no other company, industry or government, has in a 100 years. Connectivity is so important not just for keeping in touch but also to stimulate business and drive the economy and democracy as a whole. The uprising that we saw in Egypt would have never happened if social

Vol/6 | ISSUE/10

8/11/2011 5:09:20 PM

Marten Pieters expects I.T. to: Further inorganic growth Explore rural geographies

Photo by k apil Sh ro ff

Serve more customers

networking were not available at the scale that it is today. Mobile technology has a huge impact on the society and improves our quality of life. But in India, the image of the industry has been tarnished by bad stories of scams and bribery. And at a time when India is in urgent need for massive investments in terms of infrastructureâ&#x20AC;&#x201D; not just in terms of roads etcetera, but in terms of communication infrastructureâ&#x20AC;&#x201D; the negativity that surrounds the telecom industry is not good news.

Vol/6 | ISSUE/10

VFTT_August011.indd 87

If the situation persists, it will only grow more and more difficult to put money into new development projects. Not many foreign investors are ready to put money into Indian telecom players nor are banks ready to provide financial backing except for the top players in the industry. The shareholders are also not ready to support new ventures in the telecom sector. India needs to see this industry as an integral part of society and not as a cow to be milked dry.

So, how does IT help Vodafone stay ahead in India's competitive telecom industry? India has developed very good operating models that are unseen in other parts of the world. We have a very strong outsourcing model prevalent here. We have outsourced a lot of our IT to solid IT providers. We are also combining assets where there is no real competition, for example, sharing the cost of towers and such infrastructure helps drive down costs.

REAL CIO WORLD | a u g u s t 1 5 , 2 0 1 1

8/11/2011 5:09:27 PM

View from the Top

We also believe in inorganic growth and try to maintain uniformity in the use of IT in business processes. This streamlines the business and makes it more cost effective. It is a really tough journey because we are trying to change the engine of a jet plane while it is still in the air. We do not have the luxury of taking down our networks so that the IT systems can be put in place because we keep adding new customers by the minute. We believe in driving out costs by creating scale. By adding new customers every month, and being supported by a robust IT backbone, we are able to achieve the scale that leads us on the path to profitability. IT plays a significant role in capacity planning, and making sure that we can serve more customers with the assets in hand.

Telecom is a tightlyregulated sector. How does IT help keep pace with dynamic norms? Telecom in India is over-regulated and complicated. But being an MNC we have vowed to live acccording to the law of the land that we operate in. We have very strong systems that ensure that our people comply with all the mandates put forward by our regulatory department. We also indulge in periodical checks to ensure that everything is compliant. Also, our IT team helps us tackle regulations with respect to information security and the quality of equipment. This is important because there are heavy fines for non-compliance in these areas. Moreover, it also helps maintain transparency in our call charges. We take the help of IT to make sure that all this happens in more or less automated fashion.

How was your experience with MNP? We always knew that while it is important, it is not a game changer. The Indian customer is quick to complain. While we acknowledge that the quality of service could be bettered, 66

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

VFTT_August011.indd 88

“IT plays a significant role in capacity planning and making sure that we can serve more customers.” —Marten Pieters

customers are always looking for a reason to jump operators. I haven’t seen customers put so much energy into something that is essentially of very low value. MNP for India was special from a customer perspective but the effects that were witnessed were similar to what has happened elsewhere. MNP is not something that has structurally changed our outlook to the market. It is not an acquisition tool for a service provider. It’s there for the customer and gives him the option to change providers. It’s a decision that is primarily driven by the level of service a customer receives in a particular location.

Once M&A regulations are eased, would Vodafone consider consolidation? Consolidation within telecom in India depends largely on the sustainability of the smaller players. The question is also around the very idea of consolidation. The only reasons for telecom companies to

merge would be either for customers or for spectrum. Acquiring a smaller player for its customers doesn’t make sense because these are not loyal customers. They are there because of the low tariffs that smaller operators charge. When you raise tariffs you will lose them. Even otherwise smaller providers have very few customers to interest a bigger player. In terms of spectrum, the money that has been invested by these operators for networks and the losses they have made so far will be an excess amount. And that we will have to compensate them for; it also doesn’t justify the price of the spectrum they hold. There are very few good deals. Moreover, the existing M&A in the telecom norms are not stimulating to consolidation. There is a limit of 40 percent market share either in terms of revenue or customer base in a circle on a telecom operator in India. Plans are afoot to reduce this to 30 percent. So a consolidation among the bigger players is not possible. And a consolidation of smaller players doesn’t really help because even together they are still only a very small percent of the market.

With limited spectrum, how are you ensuring quality with cost-effectiveness? The lack of spectrum is the biggest issue we face. My colleagues in Germany have, on an average, 140 MHz of spectrum available whereas in India we are allotted just six to seven MHz of spectrum per operator. Operators in India serve at least 10 times more people per MHz of spectrum when compared with international cities like London. In order to serve such a large customer base in India, we have different network topologies and we need to repeat the use of spectrum much more often than elsewhere. This necessitates more towers but they are costly and the general public is also worried about radiation. This may not be justified but these perceptions do exist. It is also true that since we are pumping so many voice calls within so little spectrum,

Vol/6 | ISSUE/10

8/11/2011 5:09:31 PM

View from the Top

the quality is not great when compared to international standards. I believe that, as an industry, we need more spectrum. The sad part, however, is that there are 14 operators in the country but at least six to seven of them are not using the spectrum allotted to them. These small operators put together account for less than 4 percent of the market but are still sitting on close to 24 MHz of spectrum to serve very few customers. We find ourselves in this position because the regulations have failed. I think that it is in everybodyâ&#x20AC;&#x2122;s interest that the operators that have the most customers are allotted maximum spectrum so that the quality can go up. Moreover, in the rural areas there is a lacck of constant power. So all the towers in those areas need to be fueled by diesel generators and this makes the telecom industry one of the biggest consumers of diesel in the country.

What are the growth prospects of mobile Internet services in rural India? We think that Internet access in the rural areas is an absolute must. Apart from the broadband facilities being driven by the government, we need to work on bringing broadband Internet to rural India. People in rural India need it more than the urban centers. For example, for entertainment in a city like Mumbai, people could go to a library, watch a movie, go to a book shop, or just hangout in a coffee shop or a pub with either a laptop or friends. In the rural areas, a person might have a radio or probably a TV. But even for TV they need power and uninterrupted power supply is still not available in many parts of the country. So from that perspective, Internet would open up a world of opportunity not only in terms of entertainment but also things like healthcare and education. So, I personally believe that the Internet has a far higher value for people in rural India as compared to city dwellers.

Vol/6 | ISSUE/10

VFTT_August011.indd 89

How is IT helping capture this largely untapped market?

SNAPSHOT

Vodafone Essar

We are also witnessing a new generation of smartphones and tablets and it is suddenly far Presence: easier to access the Internet. For the rural areas, we 30 countries In India, these advances are looking to connect with No. of Circles: come together as a perfect content providers. We think 23 storm. We believe the price it is important to provide the points are still too high for apps that drive education. Headquarters: Mumbai mass adoption and that these We are trying to organize this need to come down but many content and package it to fit CiO: people are trying to locate the the various screen types in the Navin Chadha services they want and can right format. afford. Earlier, people were We are also set to introduce looking for value in voice and SMS services the Webbox. A sleek QWERTY keyboard, and now they need to figure out the tariff the Webbox, with a built in data card, plans for data and Internet services based uses standard RCA connectors (a type of on their needs. Price plans are typically electrical connector commonly used to carry related to the volume of data consumed and audio and video signals) to plug into TV it is generally difficult for people to translate sets and convert any standard domestic TV volume to a service. So it will take some time into an Internet portal. We will first make for them to come to terms with this shift. it available to schools and combine it as an education package so that schools can use it as a tool to get content from the Internet. What efforts are under way Another solution catering to the financial to encourage 3G adoption? woes of rural workers employed in cities When we launched our 3G services we is mobile money transfer service. This is provided it at 2G rates for a month. This aimed at mobile customers who do not have we reasoned would help people to get a bank account and allows them to deposit acquainted with the various services on and withdraw cash via local agents, and offer. We also had super weeks that provided transfer money to other mobile phone users. gaming, e-mail, movies and other services In the absence of such a service, workers free for a week each. This was basically have to send money back to their families in aimed at teaching people to use these rural areas through means which are often services without the risk of encountering a expensive or very risky. bill shock. We are also trying to ensure that customers have a good supply of terminals. Very few What impact has 3G had people have really good terminals that can on mobile Internet access use the goodies of 3G. I think that we also need in India? to make it easy for our customers to access The introduction of 3G is driving the these services. For this, we are working with adoption of Internet access in India far content providers to organize and package wider than before. The fixed line Internet the offerings in an easily accessible manner. penetration is far below par in India when For example, when the Cricket World Cup compared with that of similarly placed was going on a lot of people utilized our countries. The fact that 3G allows Internet mobile TV services. CIO access on the move drives its usage. There is also the influence of social media which was not prevalent five years ago. This Anup Varier is senior correspondent. Send feedback on directly drives mobile Internet adoption. this interview to anup_varier@idgindia.com

REAL CIO WORLD | a u g u s t 1 5 , 2 0 1 1

8/11/2011 5:09:34 PM

Argue with Your CEO—And Win Can’t persuade the CEO to approve that infrastructure upgrade or software development project? The following 13 tips, culled from current and former CIOs and communication consultants, will get the CEO to see your perspective when arguments about IT spending ensue. Arguments with the CEO are an inevitable aspect of the CIO role, whether they’re knock-down-drag-out battles or civil attempts to persuade the CEO on IT matters of importance. They arise in large part from CIOs’ inability to communicate on the CEO’s level and from CIOs’ and CEO’s diverging views on how best to spend the company’s money. CIOs who’ve never previously reported to CEOs may be particularly wary of arguing with their corporate commander in chief, and understandably so. Ending up on the wrong side of the debate could put a bullet in their careers. But CIOs who think they should avoid any confrontation with their CEOs are mistaken. Not every CEO wants to be surrounded by yes men; some encourage debate and dissention. “You’re not just there to be an order-taker,” says Peter Kretzman, a former CIO and CTO turned IT consultant. Adds Bill Rosenthal, CEO of Communispond, a leadership development firm that specializes in communication, “The more successful CEOs recognize that a diversity of 68

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Feature_argue_with_ceo.indd 50

By Meridith Levinson Reader ROI: Traps to avoid when talking to the CEO The importance of studying your CEO How to set yourself up for success

Vol/6 | ISSUE/10

8/11/2011 5:39:33 PM

Negotiation opinions often makes their organizations run better.” Scrapes with the CEO don’t have to end badly. The trick to squabbling with the CEO—and winning (that is, convincing the CEO of something that will truly make your organization more successful)—is to understand your CEO’s leadership, personality, communication and decisionmaking style. You also need to speak in business terms (surprise, surprise) and remain respectful. Current and former CIOs and communication consultants share 13 more tips—learned from firsthand experience—for persuading the CEO. Consider your enterprise’s culture. CIOs who are joining organizations that have had nothing but problems with IT can expect battles on every front, since their CEOs will be gun-shy about starting new projects when previous efforts failed. CIOs in failure-ridden environments will likely have to navigate steering committees and portfolio management processes to get the green light on IT spending, says Mitch Davis, CIO of Bowdoin College in Brunswick. To build credibility in these organizations, CIOs must respect these processes and prepare bulletproof business cases for IT investments, says Davis. Consider your CEO’s style. Some CEOs like to take risks and pride themselves on their quick decision-making, while other CEOs are much more conservative. CIOs need to know which style of CEO they’re working for so that they know which communication techniques to use to influence them, says Lisha Wentworth, a senior consultant with Ouellette & Associates and a contributing author to the book, Unleashing the Power of IT. Davis knows that his boss, Bowdoin President Barry Mills is an ENTJ (extroverted intuitive thinking judging), according to the Myers Briggs personality type index, which means that Mills is quick to grasp complexities, absorb large quantities of information and make decisions. Thus, Davis knows to be succinct with his explanation of projects he thinks the college should pursue. He also knows to address Mills’ specific concerns about IT, which are, what effect will the project have

Vol/6 | ISSUE/10

Feature_argue_with_ceo.indd 51

on people; will it enable the college to move faster; and will it enable the college to make more money. Rosenthal, the communication consultant, says he once worked for a boss who said no to everything. The boss, it turned out, said no to filter people who weren’t serious about their ideas or requests. “I realized over time that to be persuasive, I had to accept two no’s to get an audience,” says Rosenthal. Speak in business terms. Nick Goss, CEO and managing consultant of Polardene, says the arguments he’s observed between CIOs and CEOs and that he’s had as a former CIO and CTO stem from a failure to speak the CEO’s language. “If you’re couching any IT expenditure or effort in non-business terms, two things

development. Goss knows this is difficult but he says activity-based budgeting will prove to the CEO that IT is not simply a cost center. Be brief. Ouellette & Associates’ Wentworth says one of the mistakes CIOs make when trying to persuade the CEO is being long-winded. “CIOs don’t get to the point,” she says. “They go on and on, and CEOs don’t have the time to listen to them.” Arguments ensue when the CEO gets frustrated by a CIO who carries on about technology. Focus your pitch on what you want to do, the cost of the effort and the business outcome. If your pitch interests the CEO, she’ll dig deeper, giving you the opportunity to provide her with more information.

Scrapes with the CEO don’t have to end badly. The trick to squabbling with the CEO—and winning—is to understand your CEO’s leadership, personality, and decision-making style. are going to happen,” says Goss. “One is, you’re not going to be understood. Second, you’re not going to be relevant to the CEO’s agenda because CEOs are worried about growing top line revenue, expanding into new markets, increasing the stock price, reducing operational risk and improving the public perception of the company. When you’re talking to them, you have to couch your objectives in terms of their objectives.” For example, if you’re making a case for a bigger IT budget, Goss recommends breaking your various IT costs down according to the business activities they support. “Typically, an IT budget is couched in terms of IT silos: The datacenter costs this many millions of dollars. Application development costs this many. Staff development that many. Maintenance costs that many, etc.,” says Goss. Instead, show what percent or amount of datacenter costs support a particular business activity or outcome. Do the same for the other elements of the IT budget, such as maintenance and application

Anticipate the CEO’s questions. Kretzman says seemingly obvious questions sometimes flummox IT leaders as they make a business case to the CEO. “I’ve seen tech people put together discussions that don’t have any reference to the cost or timeline [of a project] because they get so caught up in the technology,” he says. Be prepared to answer the obvious questions the CEO will ask, which include: How much will it cost? When can we have it? What else gets pushed aside if we do it? Goss says a “completely reasonable question” caught him off guard when he was making a case for firewall technology while working as the technical director for IT outsourcing company Digitas. The question: “Why do we need to spend this much money? Why can’t we just spend 80 percent?” Goss says he had no immediate answer to the question because he hadn’t anticipated it. Goss realized the COO, who asked it, was trying to figure out what level of risk the company might incur if it spent less money REAL CIO WORLD | a u g u s t 1 5 , 2 0 1 1

8/11/2011 5:39:34 PM

Negotiation on firewall technology. Goss went back to the drawing board, and he and his staff rewrote their case in terms of risk. Goss then received approval for the investment. Don’t take the CEO’s questions personally. Arguments can erupt when a CEO’s questions push a CIO back on his heels and make him defensive. Push aside your ego and realize that the CEO’s job is to ask questions. “A CEO got to where he or she is by being a critical thinker, and a critical thinker doesn’t just accept what they’re told,” says Kretzman. “They look for the weak side [of arguments].” Give the CEO realistic answers. Nothing frustrates CEO more than a CIO who over-promises and under-delivers. “CEOs get impatient and frustrated when

they can’t get clear answers to questions, or when they get answers that they don’t have confidence in,” says Kretzman. “If you say a project will cost this much and you’re always wrong by 50 percent and off schedule by six months, sooner or later that will lead to an argument.” Unrealistic cost and schedule estimates also erode a CIO’s credibility, adds Bowdoin’s Davis. “It’s better to go in with the right project at the right price and explain why it has to be this way than to build something that won’t be as stable,” he says. “You’ll reduce trust in IT across the company and with the CEO.” The medium is the message. PowerPoint won’t always make your point. Sometimes you have to get creative when you want to convince the CEO to back an organizational change.

For example, Davis created a video when he wanted to automate certain HR processes, such as hiring and payroll. He knew that Bowdoin’s president didn’t want to mess with HR and that the only way to convince his boss was to show him just how broken the business processes were. So Davis made a video that showed exactly what it took to hire someone and pay them. The CIO showed the video to Bowdoin’s trustees, who gave him their blessing, and the president soon followed.

Take Down that Persona

CIOs adopt a variety of personas when they pitch ideas, says Jeff Thull, author of Exceptional selling and president of the Prime Resource group. roup. Instead of helping to prove their case, these personas often create barriers to effective communication. Here, according to Thull, are five personas CIOs adopt that can cause other C-level executives to react negatively.

The Teenager

The Parent

The Professor

The Policeman

The Doctor

Most of our behaviors are learned from our families. If you ever watched an older sibling try to get Dad to lend him the car, you saw a presentation that included healthy servings of selfjustification and whining. according to Thull, the less sophisticated a person is about communication, the more he draws on learned behaviors. CIOs should be careful to avoid the whiny note when explaining their ideas.

The flip side of behaving like a teenager is acting like a parent. Do you remember how Dad or Mom either tried to bribe you into cleaning your room or threatened you in the thundering tones of absolute authority? CIOs need to remember that a) they’re speaking to adults and b) they have no special position or authority inside the boardroom. Neither wheedling nor bribery nor thundering is going to work.

a lot of IT people assume the role of professor. They act as if they have all the answers, and they get frustrated when the student--like, the CFO--isn’t learning fast enough. Impatience with your peers is always a mistake. If you’re trying to convince someone that a new approach or project has merit, present the value proposition, outline the risks (fairly), and then shut up and let your peers connect the dots. They’re usually just as smart as you are.

If you assume an accusatory tone when speaking with your peers, at best they’re going to feel defensive and at worst downright annoyed. If something is going wrong, start by asking a question. What do they think is the problem? Making it a conversation will prevent people from feeling attacked or lectured. Remember: No one handed you a badge when you became CIO.

If you must assume a persona, this is probably the best one. Prior to prescribing a course of treatment, a doctor makes sure the patient understands what’s wrong. If your peers aren’t aware that there’s a problem, they won’t be receptive to the cure. It’s important that CIOs have metrics to make their case. But don’t carry this persona too far. Your peers will not wait months to see you or sit in your waiting room while you practice your putting.

—By Margaret Locher 70

a u g u s T 1 5 , 2 0 1 1 | REAL CIO WORLD

Feature_argue_with_ceo.indd 52

Vol/6 | ISSUE/10

8/11/2011 5:39:38 PM

CUSTOM SOLUTIONS GROUP DELL

ADVERTORIAL

FLUID DATA STORAGE

Driving Flexibility In The Data Center Eight Must-Have Technologies for Efficient Enterprise Data Management

oday’s dynamic business landscape is no place for complex, inefficient storage systems with dead-end growth paths. The demand for data continues to explode, and ready access to that data is more critical than ever. With Dell Compellent, enterprise data is actively, intelligently managed throughout its lifecycle so you can constantly adapt to changing business conditions. There are eight must have Dell Compellent technologies that combine to create new levels of efficiency and flexibility while cutting cost now and in the future: FLUID DATA ARCHITECTURE: D e l l Compellent storage is enabled by a dynamic Fluid Data architecture that efficiently manages data at the block-level. Specific information about each block is captured in flight throughout the day to provide realtime intelligence for dynamically storing, migrating and recovering data. Empowered by this intelligence, built-in storage automation optimizes the provisioning, placement and protection of data throughout its lifecycle. Business applications are implemented faster, information to make decisions is always available, new technologies are instantly deployed and data is continuously protected. STORAGE VIRTUALIZATION: Dell Compellent lets you virtualize storage at the disk

level as well. Storage virtualization not only consolidates resources and reduces disk costs, but also dramatically increases system flexibility. It amplifies the benefits of server virtualization. Administrators no longer need to allocate particular drives to specific servers. Users can quickly create hundreds of virtual volumes to support any virtual server platform and optimize the placement of virtual applications without wasting time, money or disk space. THIN PROVISIONING: Dell Compellent Thin Provisioning software, called Dynamic Capacity, completely separates allocation from utilization, eliminating preallocated but unused capacity. Administrators can provision virtual volumes of any size upfront, yet only consume physical capacity when data is actually written to disk. They can even reclaim capacity from volumes provisioned with legacy systems using Thin Import. AUTOMATED TIERED STORAGE: With Dell Compellent, since data is actively, intelligently managed at the block level, manually moving data between tiers is a thing of the past. Using unique Automated Tiered Storage software, known as Data Progression, Dell Compellent dynamically classifies and moves data to the optimum tier based on actual usage. SPACE-EFFICIENT SNAPSHOTS: With Dell Compellent, snapshots are space-efficient because Data Instant Replay™ software

Dell Compellent Thin Provisioning LEGACY Traditional SANs

COMPELLENT Dynamic Capacity Advantage

doesn’t require a full-mirror image or subsequent full-volume clones. In fact, only changes in data since the last snapshot, or Replay, need to be captured - dramatically reducing the amount of disk space required. The integrity of enterprise application data that spans multiple virtual volumes is protected using Consistency Groups. THIN REPLICATION: Dell Compellent Thin Replication™ technology - Remote Instant Replay - provides affordable, verifiable and simplified multi-site data protection leveraging space-efficient Replays. Following initial site synchronization, only incremental changes in data need to be replicated. This cuts hardware costs, reduces bandwidth requirements and significantly expedites recovery. UNIFIED STORAGE RESOURCE MANAGEMENT: Dell Compellent storage is designed to help administrators manage more data in little time. This is largely because of the built-in efficiency and intelligent automation of Dell Compellent storage. It is also because Dell Compellent storage features an intuitive, point-and-click interface that provides a complete view of the entire storage environment through a single pane of glass. OPEN, AGILE HARDWARE PLATFORM: Dell Compellent storage is designed for persistence. Administrators can scale from entry-level to enterprise on the same platform incrementally in line with business needs. You have the freedom to choose the technologies that support your IT infrastructure today, and readily adapt to change tomorrow. And you don’t have to repurchase your base software license when you upgrade controllers to integrate new technologies.

Unused Allocation

Vol A

Data Unused Allocation Data

Thin Import

Disks Not Purchased

Vol A Vol B

Vol B

This feature is brought to you by IDG Custom Solutions Group in association with

Unused Allocation Data Data

Negotiation Get other people to back you. Another strategy for winning arguments with or persuading the CEO is to build an army of supporters. Davis employed this strategy when he was trying to convince his boss to invest in a multimillion-dollar student information system to replace a costly, inefficient home-grown system. First, he spent a year rallying the support of students and faculty, who began pushing the president for the upgrade. The president still wasn’t convinced. So Davis worked on reducing the cost of the project and getting the trustees to back him. Three years later, when the president saw that the college community was behind the project—and all the business process changes it was going to create—he gave it the green light. Play to the CEO’s desire to be successful. A second reason why Bowdoin’s president authorized the student information system implementation was because doing so would make him very popular on campus, given the support the project had from students, faculty and trustees, notes Davis. If the president put the kibosh on the project, he might have become the enemy of everyone in the community. Watch your pronouns. Don’t make the CEO look stupid. If you’re having trouble getting through to your CEO and you’re starting to get frustrated, an argument can take an ugly turn. And the more emotional the argument gets, the more likely you are to lose it. So take a breath and be careful of what you say and how you say it. For example, says Wentworth, instead of telling the CEO, “You don’t understand,” which makes the CEO look stupid, say, “I’m not sure if I was clear in the advantages I was trying to stress.” Then, you take ownership of the problem and give the CEO the opportunity to ask questions. “He won’t ask you to tell him more if you’re telling him he doesn’t get it,” Wentworth notes. Put your job on the line. One of the most dramatic statements you can make to demonstrate that undertaking a certain project is in your company’s best interest is to tell your CEO—in all seriousness—that you’ll leave if the project isn’t successful. “There is no cover for a CIO who works for a president [or CEO],” says Davis. “It’s a no-excuse environment. The projects 72

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Feature_argue_with_ceo.indd 54

Influencing Stakeholders

Members of the CIO Executive Council weigh in on how CIOs can prompt decisions on the part of business stakeholders over whom they have no authority.

Find the root of the problem. I spend a lot of time listening to people, trying to triangulate from many stakeholders what really is the problem that I’m supposed to be solving. I will speak with stakeholders one-on-one, get details from each of them, use that information when talking with others. Most people in the CIO role are pretty intuitive, good analysts and problem solvers, and usually we’re right on the money with our instincts. But the higher we go, the more we can sometimes get ahead of ourselves with solutions that we think are right, but may not be best for the business. We need to take that step back and look for what others see as the root cause of the problem—the real issue we’re trying to solve. —Julie Ouska, CIO & VP-IT, Colorado Community College System Relationships don’t maintain themselves. You’re only as good as your last meeting. Even though you’ve gained an alliance with a stakeholder, it continually needs to be nurtured because people don’t just shut off their information intake. The stakeholder may understand your position and justifications, but once you walk out of their office, someone else could walk in with another idea. If you’re going to work to nurture a relationship, it can’t be done haphazardly. For me, it’s like making rounds. I set myself regularly scheduled time to follow up on what we talked about the last time, and I try to keep everything very informal—just stopping by or seeing if they have time to chat because that stops it from becoming just another required meeting. — Sam McMakin, CIO, American Chemistry Council Ask for input; don’t dictate. Whether working with people who are below you or working with peers, if you ask for someone’s help, they are more likely to respond well than if you tell them what you want done. Asking doesn’t mean that you’re weak or that you’re not in charge. By putting a question mark at the end of the sentence, what you’re really saying is, “I respect your judgment and expect you to give me feedback that will help get this done.” —Athelene Gieseman, CIO, Stinson Morrison Hecker —M.L.

are too big and there’s too much money associated with what you’re doing to say it’s not going to work.” Know when to fold. “If you’ve presented your case in business terms and the CEO says you still can’t do it, suck it up,” says Goss. So what should a CIO do when the CEO is saying no to a project, budget or timeline that you know for a fact will endanger the company? Kretzman left a job where the CEO was leaning on him to implement a CRM system on a timeline that Kretzman knew was way too aggressive. The CEO wanted the company to begin using the software as soon as it was installed. Forget training. Forget a phased approach. Kretzman knew

this was a disaster waiting to happen, so he high-tailed it out of the company. Kretzman says the CRM implementation was a disaster and that the company ended up abandoning the software at a high cost. If Kretzman had stayed, he would have been associated with a failed project. A CIO should leave a doomed project the same way any other executive should leave a company engaging in fraudulent activity, notes Kretzman. “If a corporate counsel or a CFO is told to turn a blind eye to illegal activity, you have to be willing to exit the position,” he says. CIO Meridith Levinson covers careers, project management and outsourcing for CIO.com. Send feedback on this feature to editor@cio.in

Vol/6 | ISSUE/10

8/11/2011 5:39:39 PM

casefiles real people

* real problems * real solutions

At the Speed of

Light

It was a tall order. For Reliance Infrastructure, repairing cut cables quickly and creating power infrastructure within 30 days of a customer request wasn’t child’s play. But its IT head knew that only IT could deliver speed. By Debarati Roy “The phenomenon of emergence takes place at critical points of instability that arise from fluctuations in the environment.” —Fritjof Capra, The Hidden Connections There are two reasons why Capra’s books adorn Prashun Dutta’s cabin. The more obvious one is his love for quantum physics and the less is the fact that Capra is Dutta’s source of inspiration. When Dutta, took charge at Reliance Infrastructure (previously Reliance Energy), as senior EVP (IT & Quality), the power sector was standing on the cusp of a revolution that was 54 years in the making. That year, the Electricity Act, 2003, was passed and it liberalized the power sector, opening it up to private players. But it came with a caveat that’s been haunting private power players since that day: The Act made it mandatory for electricity suppliers to extend new connections faster or pay a penalty. “The conditions were challenging and unstable,” remembers Dutta. “Along with the opportunity, came the expectations of better service, better customer satisfaction, and better performance. But like Capra says, these were also the conditions that spark the emergence of ideas.” And those ideas are still ensuring that Reliance Infrastructure stays way ahead of its competition.

Case Files.indd 56

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Vol/6 | ISSUE/10

8/11/2011 6:00:51 PM

p hoto by srivatsa shan dilya

High-Tension Wires Veiled by the magnificence of the Gateway of India, the luxuries of The Taj Mahal Hotel, and the luminosity of the Queen’s Necklace, lies the sad reality of Mumbai’s tarnished power wires. Running over thousands of kilometers, dodging floody waters and the like, Mumbai's power cables are making life hard for electricity suppliers. Providing uninterrupted electric supply to its existing customers and quickly provisioning Mumbai’s rapidly growing population with new electricity towers is a huge task. And if a majority of customers are large industrial units or corporates—like that of Reliance Infrastructure—fixing wires at a snail’s pace means losing customers. With over 2.8 million customers in Mumbai, Reliance Infrastructure couldn’t take chances. Spread over 384 square kilometers, Reliance Infrastructure owns underground cables that run over 8,000 kilometers. The company has over 5,700 transformers spread over five zones in suburban Mumbai. That means, without a holistic view of its assets, customer locations and work sites, the company wouldn’t be able to quickly fix cut cables and create power infrastructure. In addition, says Dutta, “We needed to streamline our processes, increase the accuracy of our data, and improve outage response time.” The solution to both problems lay in a dual strategy: Implementing a global information system (GIS) and integrating it with SCADA (Supervisory Control and Data Acquisition). The company had inherited SCADA from BSES which allowed it to monitor and remotely control its networks, electric grids, energy accounting, and load management for balancing the supply of electricity on a distribution network. SCADA and GIS together provide Reliance Infrastructure with a visual presentation of data to empower the company with end-to-

Vol/6 | ISSUE/10

Case Files.indd 57

Prashun Dutta, senior EVP (IT & Quality), Reliance Infrastructure, reduced the time it takes to fix outages by 80 percent.

end visibility into its operations. This includes equipment history, outage notification, and work orders based on customer’s calls. Dutta chose a GIS suite from ESRI to provide a single view of the entire electric distribution network spread across its five divisions in Mumbai. He then implemented ESRI’s ArcGIS desktop clients (a software which helps

discover patterns, and trends in data, consolidate and integrate data and display it as points on a map), ArcGIS Schematics (extension to ArcGIS for desktop that allows rapid checking of network connectivity), and ArcIMS (Arc Internet Map Server). The GIS system maps the entire network of Reliance Infrastructure on a visual 3-D map.

REAL CIO WORLD | a u g u s t 1 5 , 2 0 1 1

8/11/2011 6:01:05 PM

Case File | Reliance Infrastructure

But if the system was to take on the insurmountable challenge of repairing cables and creating power infrastructure fast, it needed to increase its levels of automation. Dutta decided to integrate GIS, SCADA, and the company’s ERP systems. The IT team at Reliance Infrastructure integrated GIS with SAP Plant Maintenance and billing, and customer care services. The Microsoft .NET framework allows the creation of Web services within SAP. GIS applications use these Web services to provide multiple user access to the same data. Armed with his new system, Dutta was now ready to conquer time itself.

Keeping the Lights On In a presentation on India’s power sector to the Ministry of Power, Salman Zaheer, a senior energy economist at the World Bank, says

Case Files.indd 58

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

that almost 60 percent of Indian firms rely on costly generators to run their businesses. Zaheer also says that large industrial estates and commercial set-ups are willing to pay higher prices to electricity utilities—on the condition that services are efficient. This includes fewer outages, and shorter blackouts (by lowering the time it takes to fix a blow transformer, for instance), less voltage fluctuation, no billing hassles, etcetera. Conventionally, whenever there is an outage, customers dialed into Reliance Infrastructure’s call centers to log a complaint. The division office from the area in question would be alerted and then engineers and linemen would take inputs from SCADA. But this information wasn’t specific, meaning it could only indicate that the problem lay within any two specific points within 300 meters of the network. Then, engineers needed to consult maps that depict the layout of the network and its cables. An outage usually occurs due to a problem either in the cable or at the points where the cables join. After locating the joint, a team needed to dig up the cables for restoration work—a process that took two to three hours. “The entire process could be extremely cumbersome because maps needed to be carried back and forth. We are an 80-yearold company, and some of these maps were created when the cables were laid,” says Dutta. Dutta k n ew that he needed to introduce an Outage

Management System (OMS) which could provide the engineers with information to help them figure out where the problem lay (on the network) in the least amount of time. The OMS application was layered on top of the GIS platform to integrate all essential data—from SCADA, customer information, work orders, and the electric network from GIS. This information is integrated with enterprise applications like SAP and Domino. Now whenever an outage occurs, a customer complaint is registered in SAP from the call center and the system alerts the zonal office. The engineers at the office then use the data from SCADA and GIS in combination with other tools to figure out the exact point of the problem. “With the new systems, any given division is mapped with an online link to a scanned image of the map of that area, giving the engineer access to all the data that he wants on one screen,” says Dutta. The system can also pull out historical and geographical data from SAP and GIS to give the engineers a 360 degree view of the possible vulnerabilities in that area, like: If the area is prone to outages due to flooding, or incessant rain etcetera. The system also gives critical information like the distance of the affected area from the nearest zonal office. And once the spot is identified, the system sends an SMS alert to the field staff closest to the area to fix the problem. “Earlier, figuring out a problem required the experience of a core engineer. Now, with the amount of data available, even a semi-skilled resource trained on GIS can provide engineers with quality information,” says Dutta. This extremely complex yet efficient mechanism has helped the field force at Reliance Infrastructure cut the time it takes to figure an outage problem from five hours to about an hour. “Apart from the time needed for excavating the wires, which cannot really be improved, we have significantly managed to reduce the time to resolve a problem and improve customer satisfaction,” says Dutta.

Vol/6 | ISSUE/10

8/11/2011 6:01:16 PM

The data that drives our world is evolving. Innovations in virtualisation, cloud computing, automation and sustainable IT aren’t just transforming your data centre — they’re opening up a new universe of possibilities for your business. Because when there’s no centre, everything is within reach.

Data has no centre As a trusted Cloud Ecosystem Integrator for its world-class clients, Infosys leads the way by adopting cloud internally. From boosting performance by seamlessly migrating to a cloud infrastructure, to reducing its environmental footprint by adopting innovations in green IT, Infosys is transforming its data centre in partnership with Hitachi Data Systems. Learn how at:

hds.com/nocentre

HDS-16451 CIO Magazine India • Infosys • FP • 22.23cm x 27.6cm • Material due: July 26 for SWOP • Posting Date: August 15

Case File | Reliance Infrastructure

Maximum City, Maximum Power There’s a reason why Mumbai is called the Maximum City. Its growing population is stretching its boundaries and crowding the suburbs. And demanding power. A 2011 study conducted by IIT Mumbai, found that the increasing daily power demand of Mumbaikars living in the suburbs alone will almost double from the current 1,697 MW to 3,284 MW in 2030. Going by these numbers, the study suggests that Reliance Infrastructure, India’s largest private sector enterprise in the power industry and the main supplier to Mumbai

a new connection could be extended. Also, the team needed to determine the amount of load the existing wires in that area could carry and calculate how the network would behave with the new load. “Network planning for expansion with its various connotations, both manual and procedural, could become an exercise that could take over four to five weeks,” says Dutta. Often, when Reliance Infrastructure received a request for a new connection, the builder wouldn’t have started construction at the site. In such cases, a temporary connection would be extended to the construction site. “Once the building was complete, the

“We have brought down the time it takes to extend a new connection from 31 days to seven days. But the ultimate goal is to achieve it in four days.” —Prashun Dutta, Senior EVP (IT & Quality), Reliance Infrastructure builders would demand a connection. But suburbs, would need to lay an additional then we often realized that the construction 670 kms of wire network with advanced space was completely exhausted and there transformers in the next five years. The was no space for us to build a grid or install exercise could cost Reliance Infrastructure a transformer,” says Dutta, “Procuring over Rs 700 crore. inventory at such a short notice was also a At the same time, Reliance Infrastructure problem and lead to unnecessary delays.” was also under pressure to ensure that its But GIS has changed that. Now, when customers got electricity connections fast. builders apply for a new connection, they According to Section 43(1) of the Electricity are asked to provide a tentative date for the Act 2003, an organization is liable to penalty completion of construction. The system alerts if it can’t give a customer a connection within or reminds the engineers of that date in the 30 days of a request. respective zonal office, five times during the Earlier, when a customer requested for a entire period at regular intervals. This helps new connection, he had to suffer in the hands them keep a tab on the progress of the building of numerous manual processes that resulted and be prepared. in unnecessary delay. After the validation of “Thanks to GIS, we have managed to the documents submitted by the customer shrink the time it takes for network planning (land ownership documents, details of the and expansion from five weeks to a couple of proposed requirements of the property to days,” says Dutta. be constructed, etcetera) a team of engineers Not just that, the would visit the site of Case Studies system organized how installation. Reliance Infrastructure This was followed by To learn more about customer works too: It helped the a detailed study of the service read BSES Wins Over company keep track of underground cable network Customers with CRM on www.cio. in that area to figure out the in/mustread. c o.in digging permissions, for instance. closest point from where

Case Files.indd 60

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Because the company owned underground cable structure, it needed to obtain Right of Way (ROW) permission from the Brihanmumbai Municipal Corporation (BMC). These permissions are obtained at a cost and are valid only for a specific period in time. “We apply for thousands of permits a year, and manually keeping a track of their expiry, and the transactions involved for each of these permits was impractical,” says Dutta. That’s why—with GIS—engineers fill in permit requests on an app in the system which then calculates the values that need to be filled in the request form (like, how much distance of digging is required, how long it might take, and how much it needs to pay). Once permission is obtained, it is uploaded on the system with the expiry dates and other details. The system also alerts users when a permission is about to expire. “Since we now know where a project is being proposed, and places we have permission to lay more cables, we can optimize resources and save time,” says Dutta. There are monetary benefits as well. For example, if an engineer filled a request for digging up a five kilometer stretch for laying new cables, the company would have to pay a stipulated amount to BMC. In cases where the final area excavated was only three kms, the company needed to retrieve the extra amount paid. The system calculates and alerts Reliance Infrastructure about the money due from BMC. “This means that everyone associated with Reliance Infrastructure, employees, and customers are happy,” says Dutta. But all this automation makes the job for the employees hassle-free. What’s in it for customers? “We have brought down the time taken to extend a new connection from 31 days to almost seven days. But the ultimate goal is to achieve it in four days,” says Dutta. And, given his track record, he will. CIO

Debarati Roy is correspondent. Send feedback on this feature to debarati_roy@idgindia.com

Vol/6 | ISSUE/10

8/11/2011 6:01:16 PM

ANALYTICS Build on your future.

SAS® Analytics help you discover innovative ways to increase profits, reduce risk, predict trends and turn data assets into true competitive advantage. Decide with confidence.

Scan the QR code* with your mobile device to view a video or visit sas.com/india/build for a free Harvard Business Review report.

For more information please contact Jaydeep.Deshpande@sas.com.

*Requires reader app to be installed on your mobile device

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. © 2011 SAS Institute Inc. All rights reserved. S75378US.0611

Etisalat DB Telecom

Under pressure to break into the Indian telecom market, Etisalat DB Telecom takes a route none of its rivals has: A partner relationship management system.

The Indian telecom sector is moving from a primary sales structure to a channel-based one, says Badri N. Subramaniyan, CIO, Etisalat DB.

Case Files.indd 62

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

The Organization:According to one estimate the number of telecom subscribers in India will grow from the existing 860 million to 1.2 billion by 2017, offering telecom players vast avenues for growth. Lured by this potential, UAE-based Etisalat, resolved to direct investment in India. Today the company, which is a JV between Etisalat and DB Group, currently operates in 15 circles under the brand name, Cheers. The Business Case: As it attempts to play catch up, Etisalat is banking part of its success on how well it man-

* By Sneha Jha

ages its partners including distributors, dealers, and retailers. “The top contenders will be those who engineer their processes and systems based on a well-executed holistic partner relationship management (PRM) strategy,” says Badri N. Subramaniyan, CIO, Etisalat DB Telecom. “The telecom sector in India is moving from a primary sales structure to a channel-based one. We see the fostering of an FMCG-like model which means that the company has to efficiently manage its entire channel ecosystem.” It’s an important opportunity that no other telecom player in India, Subramaniyan says, has tried to leverage. If Etisalat could understand its retailers and dealers better, it could engage them better, create more loyalty—and ultimately entice them to push Etisalat products. The Project: “We formulated a PRM solution that acknowledged the existence of a partner eco-system—an often complex network of inter-dependent entities collaborating with the end-customer,” says Subramaniyan. The system enables Etisalat to view its partners comprehensively and with accurate data. “Placing accurate partner data within a single master data repository provides us with the means to formulate a cohesive partner program that fully leverages the capabilities of our partners and help them deliver their business goals.

That sort of ‘partner intelligence’ also facilitates dramatic improvements in the quality, relevance, and timeliness of partner communication,” says Subramaniyan. PRM also enables Etisalat to analyze the true value of its partners based on both qualitative and quantitative measures. This, combined with analytical and scorecarding processes, enables Etisalat to assess the strategic status of its partner, and which ones they really want to invest in. The Benefits: The PRM solution has revolutionized partner development at Etisalat. Today, armed with a deeper understanding of its partners, Etisalat can tailor training curriculum to specific profiles, says Subramaniyan. For partners, the PRM ensures that incentives are more accurate and more timely, improving partner ‘buy in’ and increasing loyalty. “One of the most important, yet least wellorchestrated partner process is the provision of sales leads. Lead management programs can help to ensure that properly qualified leads are directed to the partners best able to close them. Automation through PRM ensures that the right leads get to the right people in a timely fashion,” says Subramaniyan. CIO Send feedback on this feature to sneha_jha@idgindia.com

Photo by Fotocorp

casefiles

Vol/6 | ISSUE/10

8/11/2011 6:01:26 PM

26-27 August 2011 the MArriott, Pune Visit www.cio100.in

Cio100 Partners

Using a cloudbased SCM application, project managers at property consultant Jones Lang LaSalle spend more time delivering results and less time doing routine chores. The Organization: Jones Lang LaSalle is among the world’s largest financial and professional services firms specializing in real estate. In India, the property consultant offers companies like UBS and Accenture, a bouquet of services from finding new office space to and managing multiple properties. It also advices property developers like DLF on driving projects on-time and on-budget with its project and development services (PDS) wing. The Business Case: The success of the PDS wing depends on the ability of its 350 project managers (PMs), working at about 70 client locations, to focus on project management and quality control. But too much of a PM's time was wasted on one tedious task: Dealing with reams of tenders. That’s because each construction project requires hundreds of individual components, from cement to carpets, which need

Case Files.indd 64

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Jones Lang LaSalle

to be sourced from separate vendors. With multiple vendors applying for each component, PMs were faced with a mountain of tenders. On an average a PM spent up to 15 weeks selecting and approving a vendor for a greenfield project and up to 10 weeks for a fit-out project. The Project: Manoj Sharma, head-IT, JLL, envisioned an in-house solution to ease this problem, but he quickly realized that given the large number of factors to incorporate into the application, his in-house approach needed to change. He looked for alternatives in the cloud and found them. But before finalizing on a vendor, Sharma decided to do more homework. “I went through Gartner’s Quadrant which helped me understand each service provider’s strengths and weaknesses. I also looked at trends in the cloud-based supply chain management market before proceeding,” says Sharma. His groundwork helped him build a list of eight key parameters for a SaaS service provider to qualify. They were: information security, data ownership, product’s success and acceptability in the market, physical locations of its datacenters (because of latency), flexibility of customization, service level terms and conditions, response time on application errors and bugs, and their IT support help desk availability. “Most of our project teams work on site, which have

* By Anup Varier

Manoj Sharma, Head-IT, Jones Lang LaSalle, created an eightpoint scorecard to help him shortlist a cloud vendor.

poor Internet bandwidth. So we also tested the application’s performance on the corporate network during peak hours, on broadband connections, and on data cards,” says Sharma. Sharma built a questionnaire based on these parameters and scored vendors. Short-listed companies were called to for a proof-of-concept. Only after this level of deliberation was a partner selected. The Benefits: The cloud app gives the PDS wing a much more organized view—and therefore, more visibility—of hundreds of tenders. This allows PMs

to identify the right vendor faster. “We expect a saving of at least 45 percent in terms of man hours thanks to the tool,” says Sharma. This lowers the number of project managers required per project, bringing down man power costs, and freeing up resources to pursue more projects. Additional features of the app, including automation and templates in the pre-qualification process, helps JLL save anywhere between 45-95 percent of a project manager’s time. CIO Anup Varier is senior correspondent. Send feedback on this feature to anup_varier@idgindia.com

P hoto by Dr lohia

casefiles

Vol/6 | ISSUE/10

8/11/2011 6:01:33 PM

AN IDG CUSTOM SOLUTIONS INITIATIVE IN ASSOCIATION WITH

TRANSFORMING BUSINESS THROUGH JUDICIOUS APPLICATION OF IT

PLUS INTERVIEW

The need to cut down its production time drove TAFE (Tractors and Farm Equipment) to build new synergies between its research and manufacturing teams and to revitalize its existing PLM solution.

Dhiren Savla, CIO, Kuoni Travel Group, talks about the changing role of CIOs and how they can act as a bridge between IT and business.

TRANSFORMERS CASE STUDY

Company Tractors and Farm Equipment Limited (TAFE) Industry Manufacturing Offering Tractors and Farm Equipment

ASSEMBLY LINE

WONDERS

The need to cut down its production time drove TAFE (Tractors and Farm Equipment) to build new synergies between its research and manufacturing teams and to revitalize its existing PLM solution.

CUSTOM SOLUTIONS GROUP TATA CONSULTANCY SERVICES

igsaw puzzles are the stuff that give problem-solvers a high, and with a few pieces missing, the task can become even more challenging. Just a few years ago, TAFE was in a similar predicament: individually, the manufacturing, design and the operations units performed very well, but a missing link between the units cast a spoke in their coordination attempts. As in traditional manufacturing companies, TAFE had different departments catering to design and manufacturing. Though the two teams interacted at regular intervals, they reported to their respective department heads. Cross-functional team work had been an established practice in the organization, but the sheer enormity of the projects being executed simultaneously created some hurdles. The priorities of the design and research teams for individual projects weren’t always synchronized. In effect, the time taken for product development was high, and TAFE knew that if they had to retain their leadership position, they would have to cut down on the development time. Among other things, a longer product development cycle meant that a particular tractor model ran the risk of being outdated when it hit the market.

MARKET DYNAMICS Being in the market for more than 50 years and having a consistent profit-making record, TAFE had a very good understanding of the tractor business. The market was characterized by alternate periods of two-three years of low demand followed by a similar period of high demand, a pattern TAFE had learnt to make the most of. When the company sensed a pick-up in demand, it ramped up production while investments in R&D remained steady irrespective of market conditions. Being in tune with the market had helped ensure the company’s profitability. Around ten years ago, the company had decided to set its eyes beyond the Indian horizon. It began exporting to the developing world as well as to the industrialized countries, the latter pushing it to raise its bar in quality and innovation. Over the years, it had emerged as India’s largest exporter of tractors. In 2006, when the company’s management took stock of market developments, they found that, in parallel with the development of new tractor models, the customer had also evolved. Carrying new aspirations, the customer was no longer ready to wait for years to buy tractors of better designs. TAFE realized that to leverage its strong design competencies, it needed a way to speed up the time taken in its process of product development. It had

to restructure some of the company’s processes. An important aspect was properly plugging in the ‘missing link’ – that is, to have a seamless workflow between the design and manufacturing teams. Moreover, though TAFE had a PLM solution, its capabilities were not fully utilized. When TCS was roped in as a consultant in the second half of 2006, it prepared a set of recommendations to work through these issues.

THE COMPANY TAFE is a US$ 1.3 billion tractor major incorporated in 1960 at Chennai in India, in collaboration with Massey Ferguson (now owned by AGCO corporation, USA). TAFE acquired the Eicher tractors business, its engine plant at Alwar and transmissions plant at Parwanoo through a wholly owned subsidiary “TAFE Motors and Tractors Limited” in 2005. A member of the Amalgamations Group of Chennai, this company has four plants in India involved in tractor manufacturing at Mandidheep (Bhopal), Kallidaipatti (Madurai), Doddabalbur (Bangalore) and in Chennai and a new overseas plant in Turkey. Apart from being among the top three tractor manufacturers in the world, TAFE is also involved in making diesel engines, gears, panel instruments, engineering plastics, hydraulic pumps, tea gardens and passenger car distribution through other divisions and wholly owned subsidiaries. The company manufactures the Eicher brand of tractors at its plant near Bhopal at Mandidheep, diesel engines at its plant at Alwar and transmission components at Parwanoo. The company has a strong base of more than 15 lakh tractor owners.

As a change management tool, PLM helped in the smooth transformation of our process.” P N RAO, Senior Chief Engineer - R&D, TAFE.

TRANSFORMERS CASE STUDY

FULL THROTTLE

50%

systems existed during the With TCS as a consultant, TAFE transformation, the IT team had constituted a steering committo ensure seamless integration tee comprising its president between them. “This is never compromised in any of our IT and senior management to carry out the transformation. implementations,” he said. The reduction in Rao notes that the PLM enOne of the most significant product development changes that the steering hancements changed the way cycle time, which TAFE operated. “It empowcommittee brought about was one of the ered our operational teams was to realign the structure to collaborate and make deof the organization so that objectives of the PLM sign changes early on before teams were grouped accordimplementation. investing in the appropriate ing to projects rather than tools,” he said. departments. This meant Even activities such as that a particular team could testing of the vehicle were integrated in the new well have design and manufacturing staff workworkflow, which was mapped in the PLM with ing together. This enabled the team to cut down the now-enhanced capabilities. The product on time spent in coordinating between the differfabrication planning cycle now took into account ent departments and improved the teams’ persuch factors as the ideal testing time for the formance. P N Rao, Senior Chief Engineer, R&D, vehicles, which was during monsoon. Efficient TAFE, says that it took time for the company to planning ensured that resources were optimally realign, but, with a firm management backing, utilized. In effect, the new workflow helped cut the system fell in place. down the production time. “One of the objectives The structural changes at TAFE were of the PLM implementation was to cut down the accompanied by an exercise to extend those product development cycle time by 50% and we capabilities of the PLM system that were earlier are heading towards this goal,” said Rao. unexplored. “As a change management tool, PLM helped in the smooth transformation to the new process. This included digital workflow DATA IS KING connections across functions and restructuring For TAFE, the design data of the various products the organization structure for quick decision is invaluable for a number of reasons, not least of making,” said Rao. which is the fact that reviewing the design sheets The enhancements on the PLM system weren’t of of past models helps designers to learn from the touch-and-go type. Integration issues cropped up, their mistakes, improve on the current models complicating the task of the IT team. S Ramakrishnan, and come out with better ones in the future. As Chief Information and Technology Officer, TAFE, such, data integrity, as data passes through varisays that since multiple platforms for running IT ous systems, is of paramount importance.

TAFE’S RESEARCH COLLABORATIONS TAFE has a number of associations with industry and technology leaders such as AVL of Austria, Warwick Manufacturing Group of the UK, Carrara and Ricardo from Europe and from Massey Ferguson in its pursuance of product quality and overall excellence. TAFE Motors and Tractors Limited has technology transfer agreements with Ricardo of UK for engines and with SISU of Finland for higher HP tractors.

AGCO: TAFE has an ongoing collaboration with AGCO Corporation, Duluth, Georgia. AGCO is one of the world’s largest manufacturer and distributor of Agricultural Equipment, selling its products in over 140 countries. The collaboration has lasted for 50 years and is built on mutual trust and respect for each other’s competencies. These competencies are individually and collectively leveraged for mutual benefit.

CUSTOM SOLUTIONS GROUP TATA CONSULTANCY SERVICES

For its PLM, TAFE had deployed PTC’s Windchill, primarily because of its closeness and nativity with ProE (the company’s major CAD platform) and user preference. “At every stage of implementation of the transformation process, especially blueprint finalization and the subsequent amendments, data integration and integrity were discussed in depth and put in place,” says Ramakrishnan. The touch points with SAP were decided, and exchange of data between Windchill and SAP was documented. TAFE’s internal SAP team played a major role in accomplishing this. Moreover, a slew of change management issues also had to be addressed. As is true with any software package, there were areas where there was no perfect fit for some of the good practices that TAFE had been following for years. “The steering committee came out with an appropriate solution to address this issue. The TAFE IT team, along with the project core team, helped ensure that the adaptation was carried out properly,” Rao said. “All interfaces were developed by our internal team and deployed in association with TCS. Our entire IT operations, including SAP roll outs and portal development, are being done by our own internal team,” says Ramakrishnan. TCS remained a consultant during the system go-live stage, after which the system was managed entirely by TAFE’s in-house team. A full-blown implementation of PLM solution on the Windchill platform having all the required interfaces with SAP and email/SMS alerts for timely closure of project activities provided the manufacturing major with many ways to leverage its internal competencies. Prior to the transformation, the company had a large number of sub-processes for every tractor model, all of which had to be represented in the new system. “Ours has definitely been a good example for many in manufacturing segment and we would be one of the very few in the country to implement PLM on such a scale,” Ramakrishnan said.

INCREASED VISIBILITY To increase visibility of project status across the company, a dashboard of reports were implemented in Windchill. Later, a full-feature dashboard from SAP/Business Objects was implemented, which enabled project monitoring on a real-time basis by top management and project managers. “Dashboards have served to enhance visibility of project status, provided performance scores of the various teams and enabled decision-making and balancing of resources to enable project delivery,” said Rao.

At every stage of implementation, data integration and integrity were discussed in depth.” S RAMAKRISHNAN, Chief Information and Technology Officer, TAFE

The new system also helped resolve differences between the engineering bill of material and the manufacturing bill of material.

TEAM WORK The process transformations placed a lot of demands on the IT team. “Our internal team had to play a big role in the implementation and process transformation,” said Ramakrishnan. “Our major responsibility was to ensure that the PLM was not a stand-alone system, but a solution which integrates neatly with the other platforms like SAP, BroadVision and MS Exchange-Messaging system.” There were other tasks critical to the success of the transformation that the IT teams had to handle. “We had to implement changes that were required to be made in SAP to suit the corresponding PLM flow,” Ramakrishnan said. “We also had to ensure that all required data from SAP was available to PLM in the correct format, and make appropriate changes in the SAP masters,” Ramakrishnan said. The new PLM capabilities had to process a much larger volume of design data, implying that the hardware and networking infrastructure had to be resized and the required high-availability features had to be put in place. “Our IT infrastructure team carefully planned the requirements to handle current and future volumes and designed the hardware pieces for our datacenter accordingly,” Ramakrishnan said. TAFE has benefitted greatly from the new workflow and used the new PLM capabilities to its advantage. It has grown its business by cutting down on production time and expanding to newer markets.

TRANSFORMERS INTERVIEW

BEYOND BOUNDARIES In today’s knowledge-based economy, the functions of the CIO are becoming increasingly complex and multi-dimensional. Dhiren Savla taks about the changing roles of CIOs and how they can act as a bridge between IT and Business.

DHIREN SAVLA, Chief Information Ofﬁcer, Kuoni Travel Group, India

Custom Solutions Group TATA CONSULTANCY SERVICES

With the resurgent economy and businesses preparing for imminent growth, how critical have the roles of IT and the CIO become? Today, IT has become an integral part of all sectors, ranging from services and manufacturing to government. IT is becoming more and more critical not only for the growth of a business, but also for sustaining itself in a competitive market. With the changing customer profile and their needs along with geographical dynamics, effective use of technology can bring clear differentiation. If an industry does not change with time, it may lose its relevance in the coming years. The role of CIOs has become extremely important for various businesses. Besides being responsible for IT delivery, they play several roles bridging across different functions. This includes being a change agent, a strategic advisor and an innovation leader among other responsibilities.

The increasing focus on business-IT alignment also implies an increasing dependence on technology for core business processes. Should CIOs then be a technology expert first or is understanding business more important? Today, CIOs are business leaders who also know technology. They should understand the business and more importantly, business priorities and needs. CIOs need not be technology experts but they should have adequate understanding of technology nuances. Technical expertise can be brought in by technical staff and various partners. Mathematics or physics is not as powerful as applied mathematics or applied physics! So success or failure of IT and hence the CIO, is directly linked to how well technology is applied to meet business needs.

When IT has to cater to multiple internal stake holders/ departments, and at the same time there are fewer people to do it, how do you think IT heads should prioritize their projects? IT is one function which gets to work with almost all departments within an organization. While doing so, there is always a requirement from multiple sections and finite resources to fulfill those demands. In my view, IT should be used to save money (operational efficiency) and business should invest the money saved back in IT to make more money (supporting growth). Projects that bring operational efficiency, enhanced revenue or tighter controls should always take precedence. While managing priorities, internal negotiation skills of a CIO come handy and by showing the big picture and returns on various initiatives, CIOs can normally get management support and buy-in.

How can CIOs effectively balance flexibility and scalability while efficiently addressing dynamic business needs? CIOs spend significant time in planning for short, mid and long term needs. They also need to have the ability to respond to unanticipated change. By getting involved in various business-decision making processes, CIOs can get visibility to various dynamic business needs. In extremely dynamic markets

like today, CIO need to be creative to build flexible, predictable and scalable IT landscapes. In today’s dynamic environment, we have to create a capacityon-demand model for people, infrastructure and other IT areas. And while creating a scalable setup, CIOs should always ensure that they have the option of scaling up as well as scaling down.

Not all technology projects can be measured with a numbers yardstick (for instance, security). Some business heads argue that all projects need to have demonstrable RoI. What is your take on that issue? Every single investment or project would have RoI. When we try to look at RoI as purely a number game, we are making a mistake. For instance, cost of information security initiative can be easily justified for meeting regulatory requirements, avoiding third party liabilities and avoiding loss of reputation. In cases like that, cost incurred for not taking up this initiative would clearly outweigh the cost incurred for taking it up. CIOs also perform a sales function here where they have to sell the concept to internal stake holders. When CIOs give valid justification, it’s not very difficult to get support from other leaders. By engaging with various stakeholders, CIOs can change an organization’s mindset from cost to value.

What do you feel about the total outsourcing of IT? Why do you think large enterprises in India are still hesitant to take the plunge? There is an ongoing debate about in-sourcing and outsourcing. In my view, enterprises should talk about right-sourcing. I believe that total outsourcing of IT in some form is an achievable reality. Enterprises can retain their core functions internally and can out-source the rest to the partner. By doing so, one gets a flexible and sustainable IT framework which also brings about a higher degree of technology know-how and external perspective. Given a choice, I would prefer a success linked outsourcing strategy wherein risks and rewards are equally shared. Most of the enterprises do some form of outsourcing but total outsourcing is not done too often. When international clients look at total outsourcing, they also get cost arbitrage which Indian companies do not. At several occasions, the ‘not done by me’ syndrome prevent CIOs from taking bold decisions. Having said that, we have some of the most interesting and forward looking outsourcing deals taking place here.

Transformers is brought to you by IDG Custom Solutions Group in association with

Indian National Centre for Ocean Information Services (INCOIS) is an autonomous body under the Ministry of Earth Sciences that provides ocean information and advisory services. Post the Indian Ocean Tsunami, INCOIS wanted an information system that could help mitigate oceanic disasters. An accurate early warning system to issue timely alerts was required. Tata Consultancy Services (TCS) developed a GIS based solution consisting of ICT infrastructure for real time data reception, processing, warning generation and dissemination. As one of the world's fastest growing technology and business solutions providers, TCS leveraged its expertise in Geospatial Technology Solutions to enable real time online monitoring of all data sources. There by enabling online alerts. This proved invaluable when INCOIS detected an earthquake off Sumatra within 13 minutes and promptly issued a Tsunami alert to Andaman. Helping INCOIS save human lives by issuing alerts on time. And of course, enabling INCOIS to experience certainty.

26-27 August 2011 the MArriott, Pune Visit www.cio100.in

Cio100 Partners

GREEN IT STUDY & AWARDS 2011 F

or the second year in succession, we undertook a nation-wide survey in tandem with the Green IT Enterprise Awards. The awards were held by the CIO magazine, in association with APC by Schneider Electric. Through our survey, we sought to find out about CIOs’ purchasing practices, their management’s attitudes and the energy-conservation culture among the employees. We also asked for information on what was ticking internally – from blades to virtualization, to alternative energy sources, to cooling and intelligent buildings.

Methodology Based on the gravity of the questions, they had been assigned different weights. Responses were tabulated and then compared and a ranking was arrived at. We then looked at specific sustainable computing initiatives that had been evangelized and deployed, and inspected whether they had created business and green value. Of these organizations, 22 percent were from manufacturing, 19 percent represented banking and financial services, a little over 13 percent were into software services and ITeS, 6 percent came from the automobile sector and another 6 percent were telecom companies, while the rest represented miscellaneous verticals. All the enterprises had more than 1,000 employees.

Key Findings A majority of the organizations have been taking proactive steps to limit their carbon footprint. Programs to reduce usage of technology-related consumables have got the strongest push. Some CIOs are still wary of recycled products. Though 91.5% percentage of CIOs have purchasing practices that favour energy-efficient products, the percentage of CIOs who favor purchasing recycled products is 67%. For a detailed analysis, please read our online report at www.cio.in/greenit-study/2011

Top 5 Industries with Top-Level Green IT Initiatives

Ranking of the top-5 industries with Green IT practices in place 72%

IT/ITeS Mining Banking Manufacturing Telecom

70% 66% 65% 63%

Few examples of Top Level Green IT initiatives: Commitment from senior management Programs to encourage employees to save energy Purchase energy-efficient products

Purchasing Practices Turn A Green Leaf Some CIOs are wary of recycled products. In contrast, more CIOs favor energy-efficient products.

91.5% CIOs have purchasing practices that favor energyefficient products

67% CIOs favor purchase of recycled products

Presented by:

Video Conferencing Is In

79.5% 87.9% of the organizations mandate the use of videoconferencing/ have cut travel budgets

of the organizations have videoconferencing systems installed

IT Purchases Go Green

76%

68% 67%

Favor external service providers who are committed to save energy and carbon reduction

Have installed energyefficient HVAC and building favor purchasing recycledautomation controls products Has replaced servers more than 3 years old with new energy-efficient models

In the Datacenterâ&#x20AC;Ś

62%

of the enterprises have revised their data center layout (or design) to reduce power usage while

49%

use dashboards / management software to monitor data center power consumption and HVAC cooling.

Divided on Outsourcing We asked if they have outsourced the operation, optimization, monitoring and maintenance of data center power consumption and cooling infrastructure

46% 44.5%

Have Outsourced

Plan to Outsource

Virtualization Makes Inroads

85%

have implemented server virtualization to reduce the number of servers needed

Alternate Energy. Not Hot

Only 18% of the organizations use alternative energy supplies (e.g. solar, wind) to power IT facilities or systems

TOP 10 GREEN IT ENTERPRISES

Presented by:

Based on the results of the Green IT survey, CIO magazine and APC by Schneider Electric recognized ten IT leaders who have taken several initiatives to make their organizations sustainable and energy-efficient.

t the leadership summit in Bangalore last month, APC by Schneider Electric, in association with CIO Magazine, recognized ten winners of the 'Green IT Enterprise' study. In the study - of power savings and efficiency practices, over 200 respected Indian corporate businesses were asked to share information on their green IT initiatives. While most of the respondents were very much aware of the need for more efficient energy utilization with respect to their technology infrastructure, the winners were those who had a plan to do something about it and a plan for follow-through as well. In order to reduce their organization's carbon footprint, the winners have taken several initiatives, from promoting paperless offices, e-commuting, placing intelligent energy management systems, to

"We will continue to deploy devices and applications that consume less energy to furthur lower our carbon footprint. Our new datacenters will be environment friendly units to optimize power and cooling resources." S.Ramasamy, Executive Director (IS), Indian Oil Corporation Ltd

We will be using smarter, smaller and less power consuming devices which will help us to lower our power consumption by several folds. Prashanth M.J, CTO Technology, Firstsource Solutions Ltd.

installing energy-efficient devices and making buildings green. Smart improvements made at the servers and storage front have resulted in almost immediate and dramatic changes. All the winners are well down the virtualization road, with a high percentage of their servers and desktops virtualized. As new gadgets are rolled out each day, e-waste management has sought immediate attention. The winners are engaging themselves in lifecycle assessment of all their products visa-vis environmental concerns. This has resulted in their replacing old CRT monitors and desktops with LCD monitors and thin clients. “CRT monitors, besides consuming higher power, also generate more heat, thereby adding more load on air conditioning,” said Jagdish Lomte, CIO, KEC International Ltd. Working toward the “paperless office” is another green goal with a proven return on investment. Paper exacts a heavy toll on the environment. Each of the winners is drastically reducing paper-intensive processes — with online forms and scanned

GREEN WINNERS BHARTI AIRTEL BPCL ESSAR GROUP FIRSTSOURCE SOLUTIONS FORBES MARSHALL GROUP OF COMPANIES HSBC INDIA IOCL KEC INTERNATIONAL TCS WELSPUN GROUP documents — through process automation. According to Silajit Samaddar, Head - IT Operations, HSBC India Limited, the banking corporation has reduced more than 850 devices such as printers, scanners, fax and photo copiers to 360 multifunctional devices. Finally, as with most top-level players, the differentiation is often subtle and in small degree. So, the motivation for each of these CIOs stemmed not from the chance for shortterm recognition, but from the foresight that energy conservation and green best practices went beyond the catch-all phrase of `corporate social responsibility.' There were ten CIOs who walked away with the awards, but the real winner that night was definitely the environment.

"We will enable our employees to bring their own device and work from anywhere. This will reduce their commute. We will also be replacing about 10,000 desktops with low powered thin clients using desktop virtualization." Jayantha Prabhu, CTO, Essar Group "We will be extending our green IT initiatives across the organization. These include server virtualization and consolidation, reducing greenhouse gas emissions and efficient recycling of equipment waste." Sharat M. Airani, Chief-IT (Systems & Security), Forbes Marshall Group of Companies "We will be looking to bring energy efficiency in our datacenters. In fact, going forward, this will be one of the most critical review parameters for our datacenters." Mukund Prasad, Director - Corporate Strategy, Business Excellence & Group CIO, Welspun Group "We will be focusing on datacenter consolidation projects to see significant energy savings, carbon emission reduction and improved infrastructure resiliency. We will also be using tools which can switch off inactive desktops." Silajit Samaddar, Head - IT Operations, HS BC IIndia Limited “New Green data centers, proper recycling of e-waste are some initiatives we plan to implement in the near future. Besides, we are taking up power saving measures through consolidation and virtualization on blade servers.” Anil Kumar Kaushik, General Manager IS Infrastructure & Services, BPCL "We plan to carry out the successful green IT initiatives in our acquisitions also. Virtualization and Information Security are two other areas through which we plan to take the green initiative further." Jagdish Lomte, CIO, KEC International Ltd “Green Initiatives are integral part of TCS’ social responsibility. We will continue to optimize our Next-Gen infrastructure and facilities to improve energy efficiency and lowering of carbon footprints.” Alok Kumar, VP & Global Head - Internal IT & Shared Services, TCS Limited “As people adopt 3G, it will be possible to extend our e-bill initiative to many more customers. We will continue to focus on datacenter consolidation and server virtualization, and usage of energyefficient devices across the organization.” Amrita Gangotra, Director - IT, India and South Asia, Bharti Airtel

Disaster Recovery

j u ly 1 5 , 2 0 1 1 | REAL CIO WORLD

Vol/6 | ISSUE/09

Disaster Recovery

From Japan’s triple disaster to terrorist attacks in Mumbai, catastrophe can strike anywhere. And when it does, your leadership will matter more than the specifics of your business-continuity plan. CIOs who have been through earthquakes and more share advice for calming, caring for and motivating employees who are coping with devastation. By Kim S. Nash

A disaster’s dimensions can grow even within one emergency: Linda Goodspeed, vice president of IT at Nissan North America, After anti-government protests this spring, ongoing civil war and was attending a global IT meeting at her company’s head office prolonged Internet outages now disrupt life in Libya and in other in Japan on March 11 and was caught in the magnitude 9.0 parts of North Africa and the Middle East. Tornadoes and flooding earthquake. The quake was among the top seven most powerful devastate the US Midwest and South. Companies doing business ever recorded and the strongest ever to hit the country. “People were in Japan continue to deal with the effects of a deadly tsunami and diving under desks. Women were crying. We could see fire outside,” nuclear radiation leaks. There, supply-chain disruptions now drag she says. “Window blinds were moving three feet to the left and to down the auto and electronics industries. At Nissan in April, global the right. I thought the building would fall apart.” production dropped 22 percent from the year before, while exports Goodspeed wasn’t hurt, and, to her surprise, panic didn’t prevail. from Japan sank 72 percent. In May, the company hoped to increase Her Japanese colleagues “went into repair mode,” she says, making production but warned that it had to confirm parts delivery with its sure visitors were OK, leading them to chairs in quiet rooms and suppliers daily. providing comfort. “To see people execute on this was amazing.” Despite the visible drama, many companies still rely on disasterHer experience illuminates what may be an under-appreciated recovery plans that assume disruptions will be single and short, aspect of disaster response: The preparation of corporate leaders and says Martin Gomberg, CIO of A&E Television Networks. In reality, the workforce to handle intense, maybe unprecedented, pressure. the interconnected nature of global business demands new thinking CIOs are often initial responders to corporate emergencies, and they about emergency planning. CIOs must replace outmoded ideas should understand the psychology of stress every bit as well as their about returning to normal operations in three to IT contingency plans. Reader ROI: five days with plans that consider the domino effect As companies integrate their operations with of disaster, says Gomberg, a business-continuity others’ around the world, they must prepare for a the importance of realizing that disasters expert who founded Heroes Partnership, a group steady stream of trouble. CIOs have to consider the are not short duration that helps companies and communities prepare business and social turmoil that can be triggered events for disasters. “When you talk about your business, by world events, including unpredictable natural Why preparation and you’re talking about your supply chain,” he says. disasters, social unrest and war—thousands of practice are essential. Know their breakpoints as well as you do your own, miles away from headquarters, but nevertheless the need to address he says. front and center. emotions Vol/6 | ISSUE/10

REAL CIO WORLD | a u g u s t 1 5 , 2 0 1 1

8/11/2011 6:08:22 PM

Disaster Recovery emergencies, says Elaine Scarry, a professor of aesthetics and the general theory of value at Harvard. She recently studied several kinds of dire situations, including natural disasters, nuclear fallout, and heart attacks that occurred all over the world, for her book, Thinking in an Emergency. In New York and Los Angeles, about 1 percent of people who suffer cardiac arrest in public survive, compared with 5 percent in Stockholm and 12 percent in Osaka, Japan, according to Scarry. The X-factor? Governments and local organizations in Japan systematically train citizens in CPR. The more people there are who know CPR, the sooner a heart attack sufferer might receive it. Equipping average citizens with the knowledge to handle an emergency, Scarry says, allows them to act when a problem arises, producing measurable results. For CIOs, the corollary is to train all staff in emergency basics, she says. That could include IT procedures, such as how to initiate failover to a different server when a datacenter is expected to flood. But personal preparedness training should also First to go may be the idea that a central power must make every be in the toolkit, she says, including breathing exercises to keep calm, decision. Sometimes people can’t wait for instructions from a senior and a pocket checklist for first aid. leader before they need to act, so continuity plans need to disperse Local decision making is most effective when that kind of authority. Events on the ground can outpace the remote recovery competence is a habit, Scarry says. For example, in many areas process. Goodspeed, for example, was already on a plane home when of Japan, neighborhood groups take care of their town and each she got an e-mail from Nissan’s recovery group in the United States other. They regularly clean streets and make repairs to common recommending that she stay in her hotel in Japan. “You have to factor areas. When an earthquake hits, those citizens aren’t necessarily in people’s personal resolve. They may do the unexpected, but it may trained in the specifics of managing a quake’s aftermath. But they work very well,” she says. have practiced looking out for each other for a long time, Scarry Screwed-up communications technology may also render a topnotes. Their sense of self-reliance and community responsibility down plan useless. “You may not be able to reach the right executive,” means they don’t wait for a regional or national leader to assess the Gomberg says. “You need default positions so people know what to situation and authorize actions. do without specific instructions.” “If I were a corporate executive, I would look at my company CIOs can learn to formulate more-effective corporate-recovery and ask: How much hierarchy is there? Do people at all levels feel plans by evaluating how formal and informal communities handle they have a lot to contribute?” she says. “The greatest asset we have in an emergency is intelligent persons at every nodal point.” Too much command-and-control Modern businesscan inhibit recovery. “People walk around looking for a continuity plans must leader rather than the c learest path of action.” go beyond restoring operations to encompass Getting practice working together, however, makes the needs of employees, teamwork more automatic in an emergency. Staffers can says Linda Goodspeed, then devote brain power to analyzing the exceptional VP-IT, Nissan North conditions they face, says Luke Denmon, a project America. manager in datacenter advisory services at CB Richard Ellis, a $5.1 billion global commercial real estate company. Denmon’s group helps plan datacenters for his own company and for major clients. “You want people to rally not just around the task but the people affected by the task.” For example, Denmon suggests that before any tragedy occurs, CIOs reset the mission of IT to convey that technology exists to help people be at their best. That should be the case during routine workdays when the general ledger needs to be reconciled as well as in times of uncertainty when co-workers need to contact family members and then each other. He also tries to reiterate that “we’re all in this together,” he says, to create an expectation Modern business-continuity plans must go beyond restoring operations to encompass the needs of employees, say Goodspeed, Gomberg and other IT leaders who have endured calamities. Critical practices include allocating time and physical space for employees to decompress, teaching them how to set up family emergency plans to relieve anxiety about the safety of loved ones, and recasting the mission of IT as making people—and therefore companies—perform at their best. Essential, too, is to nurture teams’ confidence in their decision-making capabilities, because command-and-control plans dictated from afar can delay recovery. Effective response, Goodspeed says, “is more than what’s on paper. It’s how you act during a disaster.” If you haven’t incorporated these technology and management ideas, it’s time to rip up your business-continuity plan and start over.

Practice Teamwork

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Feature_disaster_recovery.indd 52

Vol/6 | ISSUE/10

8/11/2011 6:08:31 PM

Disaster Recovery

Let go of the idea that a central power must make every decision. Sometimes people can’t wait for instructions from a senior leader, so continuity plans need to disperse authority.

that everyone can solve problems. People internalize that message and act upon it naturally during tumult, he says. Lon Anderson was vice president of business process re-engineering and intranet development with Louisiana’s Hibernia National Bank when Hurricane Katrina struck in 2005, and the experience changed how he approaches his role as a leader. After Katrina, tight quarters added to Hibernia employees’ emotional stress. For six weeks, Hibernia had up to seven people in an office at its DR location. Twenty people packed into a conference room, sharing one phone. The heat, the sweat, the noise unnerved staff, Anderson says. Employees arrived at the recovery location to check in with colleagues or because it was the first safe place they could reach. “They would have fairly disturbing stories to tell, which would cause a wave of anxiety to move through the group again and again,” he says. On the other hand, teams previously unfamiliar with each other worked elbow to elbow and gained new appreciation for what each group did, he says. Following Katrina, the work of Hibernia’s sequestered e-commerce team was exposed to other parts of the company, in many cases for the first time, he recalls. Likewise, he says, “no one on my team understood cash management before.” Now, Anderson, who is currently vice president of corporate IT at services firm ICF International, recognizes the human need to vent in a crisis. He artfully guides colleagues to do so in small groups, away from the center of business-recovery work. But every day, he promotes interaction between teams so they will know how to work together when trouble arises. He learns about their families and their personal interests, and works to understand the sacrifices they make to do a good job. “I did have a strong belief that management needed a line between them and staff and an emotional relationship of any kind should be not fostered. I came out [of disaster experiences] feeling the exact opposite,” he says. It isn’t so much the human connection he’s after, but the solid business results. “Faults start to show in crisis. You need your people, and your people need you, to fill in gaps that might cause the team to collapse.”

Fill Emotional Cracks In an emergency, the impulse is to rush, which can produce faulty decisions that waste time. Simple and clear communication works best. When the earthquake shook northern Japan that March afternoon, carmaker Renault’s disaster-recovery team sent an e-mail to Nissan and Renault employees (the two companies cooperate on purchasing, engineering, production and distribution) asking them to respond by typing “1” if they were OK or “2” if they needed help. The replies helped account for employees and pinpoint and triage potentially dangerous situations, Goodspeed says. Tending to people’s immediate needs—whether physical, emotional or practical—is part of business continuity, says Sonya Christian, who was CIO at Slidell Memorial Hospital in Louisiana

Vol/6 | ISSUE/10

Feature_disaster_recovery.indd 53

when Katrina hit. Christian, who is now CIO at West Georgia Health, says witnessing the effects of hurricanes, tornadoes and other catastrophes since Katrina has proved to her that one simple question—when asked continuously—is among her most powerful tools as a leader: “What is the most helpful thing that could be done right now?” The question is especially effective, says Harvard’s Scarry, because it reminds everyone that they have a hand in recovery. Selfconfidence is easily lost, she says, when emotions swell. People are working 18 hours a day when their homes may have been torn apart and family members or friends are injured or dead. It’s not clear how or whether they will be compensated. They might need to talk about how their work is proceeding, but their personal needs are the priority. “You’re asking the near-impossible of your people,” Anderson says. “You need to give them the flexibility to manage through that in whatever way they need.” They might want a walk outside, the chance to talk to a sympathetic listener, a regularly scheduled visit with their kids and spouse at the hotel, a break to find a toothbrush and a change of clothes, or time to cry. “It’s not a waste of time if they’re able to get on with their job after that,” he says. Gomberg suggests CIOs reach outside the corporate boundaries by teaching staff about family emergency preparedness. Ask them to make wallet cards for all family members containing phone numbers and their plan for where to meet in an emergency. Enacting a “homecontinuity plan” during a crisis will help staffers know their loved ones are safe, freeing them to focus on the job of restoring business, he says. Be prepared, also, for the stress to overwhelm some workers. One of Christian’s network administrators was due to work as a member of the storm team but didn’t show up. “He gave notice eventually because he’d relocated to another area of the country,” she recalls. Another network administrator did report for storm team duty but when he was released on break, he didn’t come back. Surprised, she had to reassign duties. “Staff members that had been solid and steady had maybe not the same level of dedication to their jobs” in an emergency, she observes. Now at West Georgia, she designates backup staff for the first-wave response team in case some employees waver.

Show the Way To make a company whole again, good leaders must keep themselves and their people together during what can be a lengthy recovery. CIOs should have a plan for organizing their and their team’s time according to clear goals, with allowances for periods away from the work site. Just as during normal operations, IT teams have defined projects and no one lives at the office. After Katrina, Christian helped run Slidell’s command center, REAL CIO WORLD | a u g u s t 1 5 , 2 0 1 1

8/11/2011 6:08:32 PM

Disaster Recovery

HelpYour Team in a Disaster

working 10 days straight, mainly in an area set up for hospital staff coming off shifts but unable to go home. IT staff and hospital employees saw people CIOs who have been through disasters share ideas to being assessed at a makeshift triage center across help employees cope personally and professionally in a the street. Common afflictions were skin lesions and catastrophe, so they can help with business recovery. dysentery from sitting in dirty water. While sewers It t leaders who have been through disasters have re-thought what to include in weren’t working and portable restrooms weren’t yet business-continuity plans. their plans include alternative uses for technology and set up, she recalls, people used the nearby ground. practical emergency-preparedness measures designed to keep employees cared“This alarmed a lot of our staff. They’d never had for during a crisis. to deal with that, even people who worked in the Have at least two alternatives for paying employees during an emergency when emergency department,” she says. “I saw department normal operating data might be inaccessible, says Martin Gomberg, CIo of A&E directors come back and sit down and cry.” Television Networks. options include re-running a prior payroll cycle at a backup site And she let them. She herself stole moments or offering a fixed amount of money to everyone and making up the difference later, alone in the stairwell, she says, to do the same. On he says. her eleventh day, she went home for an hour, the next day for four hours. Then she took two full If you do business in a place where the telecommunications infrastructure is days off. Since then, when faced with drawn-out under government control or subject to outages, configure some satellite phones, emergency conditions, such as hurricanes and advises Sonya Christian, CIo of West Georgia Health. Christian was running IT at tornadoes that have touched down since Katrina, Slidell Memorial Hospital in louisiana when Hurricane Katrina hit in 2005, and she she builds time in the response team’s schedule to wishes she’d had satellite phones then. Now she includes them in her disaster toolbox. leave work. The breaks renew the spirit, she says. “We maintain them year-round to be available during storm season,” she says. “Everyone on the disaster team needs to get away Prepare to use internal websites to keep in touch with employees if cell from the immediate work area, even if they feel service is out, says lon Anderson, VP of corporate IT at ICF International, a they don’t want to.” technology services firm. Anderson was a senior IT leader at Hibernia National Bank Amid that kind of chaos, CIOs must also in louisiana, which used a Web application that became a hub for employees and weigh decisions with big financial implications. customers after Hurricane Katrina hit. Ask news sites to publish the Web addresses At Hibernia, Anderson learned to step up and to get the word out. set clear goals for the rebuilding phase. IT’s top business priority was to get online banking back Certify as many staff members as possible in emergency-response training, up. Residents evacuating the area and dealing including how to respond to shock, perform CPR and treat exhaustion, with destruction of their homes needed access to Christian advises. Have a second disaster-management team ready to relieve their money, he says. Phone and power outages the first responders soon into the emergency, to alleviate physical and emotional heightened the sense of panic, says Anderson. fatigue, she adds.. Although Hibernia’s IT systems were in a — K.s.N. section of New Orleans that wasn’t in immediate jeopardy—though it did flood—the decision by then-Mayor Ray Nagin to close the city for at least 30 days meant the That attitude of taking satisfaction where you find it strengthened office would be inaccessible should something go wrong. Customers the staff, he says. When Anderson and his group restored online might be cut off from their accounts. “You can’t show people zero banking, “it was recognized by leaders across the organization as a balances,” he says. phenomenal achievement in a horrible environment.” So the bank’s IT recovery team hauled its mainframe—with At Nissan, what Goodspeed learned from her Japan earthquake its core banking applications—to the recovery site in Shreveport. experience has already been tested. In April, a tornado came close Hibernia was the first bank to restore service in New Orleans East— to her Tennessee office. The winds caused windows and the ground one of largest and most devastated areas, according to the Office of to shake. She and a woman who had traveled with her to Japan the Comptroller of the Currency. calmly told co-workers to sit in the stairwell and reassured them However, the disaster was so far-reaching that some people they’d be all right. “Because of the earthquake, I learned to skip the doubted companies could recover, even one as big as Hibernia, he shock phase and move directly into response mode,” she says. The says. Knowing immediately that restoring online banking would be tornado caused no damage to Nissan, and the colleagues around her the number-one priority helped the team prioritize work, Anderson remained unruffled, like she did. says. If a task didn’t contribute to getting customers their money, it The leader, Goodspeed says, sets the tone. CIO was set aside. The pessimism that he says hung over the staff magnified the team’s accomplishments. Jobs that would have been routine on a normal day, such as configuring a new server, were celebrated as victories. Kim s. Nash is senior editor. send feedback on this feature to editor@cio.in

2 3

100

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Feature_disaster_recovery.indd 54

Vol/6 | ISSUE/10

26-27 August 2011 the MArriott, Pune Visit www.cio100.in

Cio100 Partners

Essential

technology image by photos.com

A CLOSER LOOK AT datacenters

Building a datacenter from scratch is a tall order: It’s expensive, its time-consuming and is a drain on resources. That’s why datacenter colocation is a great option.

102

Essential_Tech.indd 80

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

Living Together By John Edwards

Colocation | Brian Burch knew the moment had arrived. Two of his datacenter's key services—availability and business continuity—needed fast and dramatic improvement. Design and location limitations meant that his company's existing datacenter couldn't be upgraded to the levels necessary to provide the required function and performance gains. So Burch, senior worldwide infrastructure director of Kemet, a capacitor manufacturer, decided last year that it was time for his datacenter to split. Even in today's challenging economy, enterprises are facing rising internal and external demands for IT services. When an existing datacenter can no longer shoulder an enterprise's IT burden alone, or when it becomes necessary to establish a secondary site to provide enhanced business continuity, an important decision point has been reached. For a number of enterprises, the obvious solution is to add another datacenter, and for many of those it means partnering with a colocation facility. If you're considering this option, it doesn't just pay to do your homework, experts say; it's essential. "You absolutely need to do the buy-vs.-build analysis," says Jeff Paschke, senior analyst at Tier1 Research Paschke. The No. 1 reason to consider colocation comes down to financials. "Do you want to go to your board and ask for $50 million in capex for another datacenter?" Paschke asks. "The alternative is Vol/6 | ISSUE/10

8/11/2011 6:26:42 PM

26-27 August 2011 the MArriott, Pune Visit www.cio100.in

Cio100 Partners

essential technology

Colo 101 to go to a provider and use opex and not have to spend money upfront," he says. Given the massive costs and time demands required to build a traditional datacenter, "fewer organizations are deciding to build their own satellite datacenters," says Lynda Stadtmueller, a datacenter analyst at technology research company Frost & Sullivan. Especially for enterprises that have latencysensitive applications that require local presence, there is a trend toward leasing space from a colo or hosting provider rather than building and managing their own datacenters, she explains. A Frost & Sullivan study conducted a year ago showed that total datacenter space used by enterprises will increase by almost 15 percent annually through 2013. Yet the percentage of that space that the enterprises own themselves—versus leasing from another provider—will decrease, from 70 percent to

Livin' la Vida Colo When looking for a colocation vendor, customers should search for players that have an established presence in the market, research firm InfoTech's senior analyst Darin Stahl advises. "This designation isn't about capability or quality," he says, "but rather about their influence on the market. If they stomp on the ground, does the earth shake?" Tier 1 vendors have a broad range of offerings and are the trend-setters, with major datacenters that sport all the bells and whistles. The next category—Tier 2—is made up of vendors that have a little less market influence but are still large in their respective areas. The last tier is "everyone else," including a large number of vendors that don't own their own buildings but are tenants looking to sublet the space out to customers. The problem with this scenario is if a vendor doesn't own the facility, it can't offer a meaningful SLA, Stahl says. "Any SLA you see from them says 'with the exception

If you're considering colocation, it doesn't just pay to do your homework, experts say; it's essential. You absolutely need to do the build versus buy analysis. 64 percent, during that time. "A pretty hefty swing," Stadtmueller says. Most organizations begin thinking about adding a datacenter as soon as their existing facility starts maxing out its physical space, Stadtmueller says. Sometimes the push comes in the form of a business need—a new direction that requires a lot of extra capacity ASAP, or enough that it would push your existing datacenter over the edge of its existing power usage, for instance. Power is usually the gating factor in many older datacenters these days, meaning that enterprises run out of power options long before they run out of space.

104

Essential_Tech.indd 82

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

of anything outside our control." The only real advantage with this type of vendor is price.Be careful, though; sometimes the lowest-cost option comes with interesting risk. For a number of organizations, the idea of building out a second site often arises from a desire to create, enhance or save costs on an enterprise business continuity strategy. "With our new site, we really wanted to improve on the response time from any kind of a failure," Burch says. Kemet was also looking for a way to escape a costly relationship with a DR services provider, he adds. Analysis showed that the new facility would trim recovery time from 72 hours or more to a range of five minutes to 18 hours. The annualized cost of the new facility would be about the same as continuing the current DR contract.

There are hundreds of providers of colocation services—known as colo for short—offering a huge range of options and price points. Colocation is different from traditional hosting, which IT folks may be more familiar with. Colocation customers own their servers, routers and other hardware and often tend to mix this gear with their own employees (although customers can pay for "remote hands" services for the vendor to, say, restart a server so their IT staffers don't need to travel to the vendor's location just to do that). There are two general types of colocation providers: Wholesale and retail. Wholesale colocation providers deal with large spaces—a 10,000square-foot datacenter, for example. Except for the power and cooling infrastructure, it's essentially empty space. The customer, or tenant, does the work of rolling in the servers and racks, cabling up the gear and making sure it all works. On the retail side, spaces are usually smaller—down to individual servers or 'cages'—and there is more setup help available, for a price. In general, says Jeff Paschke, senior analyst at Tier1 Research, expect to pay more for retail colocation than wholesale space. Also, be on the lookout for the everpresent upsell. Darin Stahl, senior analyst at Info-Tech Research Group, says that many vendors are eschewing "straight" colo and will provide only managed services, where the vendors service and support the customer's equipment. The reason is a margin of "at least" 25 percent in managed services, Stahl explains. If you're not ready for that kind of thing, make sure to look for a colo partner that's going to give you what you want—no more and no less. — J.E.

Vol/6 | ISSUE/10

8/11/2011 6:26:42 PM

Given all that evidence, Burch decided to go with colo. And in addition to the DR features, now the company has "a modern test and development environment with a three-year refresh cycle," Burch says. "Basically, we got a new datacenter with new equipment and communications lines with zero change in budget. "One month after go-live on the new datacenter, we conducted a test recovery of the systems previously covered under our DR contract," Burch explains. "We recovered all of the target systems in less than 10 hours." He notes that the dramatic improvement over the previous recovery target of 72 hours or more included "normal delays from recovering on new equipment in a new location and using new procedures." To maximize the new datacenter's business continuity value, Burch and his team decided to place a significant amount of distance between the new facility and Kemet's headquarters. "We felt like we had to go at least 100 miles away to avoid the types of disasters that lead to electrical substation problems—large storms, those sorts of things," Burch says. The team ultimately fudged a little bit on its distance mandate and settled on a location, some 90 miles away. Beyond business continuity, Burch says the new datacenter was designed to fulfill another key goal: To provide a test and development center that would operate independently of the main facility. "Probably 95 percent of the hardware that's down there is being used for test and development instances of our applications," Burch says. "In the event of a disaster, it will just automatically convert from that role into running our production systems."

Licking Latency Another motivation for creating a new datacenter is to boost application responsiveness for regional employees, customers and other end users. Organizations running latency-sensitive network applications—the kind commonly used to power shopping and travel websites, financial services, videoconferencing and content distribution—usually like to place their applications as near to end users as

Vol/6 | ISSUE/10

Essential_Tech.indd 83

possible to improve response times. By splitting a datacenter into two or more sites, an organization can efficiently serve users distributed across a wide region or even over multiple continents. LexisNexis, known for its legal research and workflow services, decided in 2009 to establish a colo datacenter in Arizona, to serve customers more efficiently from a location that's relatively immune from storms, earthquakes and other natural calamities. "We wanted something that was in the western region of the US," says Terry Williams, the company's VP of managed technology services. "Location was a huge part of our decision." The company already had a datacenter in Ohio. Not surprisingly, network availability and performance were essential considerations for LexisNexis as it went about choosing its new datacenter site. "The key thing for us is network connectivity," Williams says. "That was something that just couldn't be compromised on." Williams says that turning to a colocation provider didn't require his firm to compromise on any facility services or amenities. "We expected all of the normal things that a hightier datacenter would have in terms of backup power, generators and all of those things, as well as network connectivity," he says. For his part, Burch feels that using a colocation provider allowed a faster, less costly deployment without sacrificing convenience or functionality. "We were able to get everything set up within a two-month

Theonlyreal advantagewith smallvendors isprice.Be careful,though; sometimes thelowest-cost optioncomeswith "interestingrisk."

64 %

Of organizations globally engage in some form of datacenter colocation service. Source: Info-Tech Research Group

period, and that included the building out of office space, even converting some office space into raised-floor datacenter space, which is pretty amazing." Yet, finding a suitable colocation provider can be just as challenging as scouting a site for a traditional datacenter. "We looked at taking a building and converting it ourselves," Williams says. After deciding that overhauling a standalone building wouldn't be cost-effective, LexisNexis started looking for a colocation provider. "I would say that we probably spent six months searching for a site, and we probably looked at no less than 30 different locations and providers—it was a very extensive search," Williams says.

Staffing Troubles Mention "colocation" and a lot of IT staffers will hear "outsourcing" and will naturally fear losing their jobs or influence, analysts say. "People are resistant to change," Tier1's Paschke says. Give your staff some time to become comfortable with this notion. Info-Tech's Stahl talks about an evolution from using colo for a backup datacenter to perhaps handling more critical, first-tier kinds of hardware, storage and apps. "Once that happens, customers start to wonder whether it's the best use of a server admin to go to the colo facility and mess around in the cage for a day." At that point, the company may be ready to consider managed services. LexisNexis' Williams notes that one secondary datacenter requirement that tends REAL CIO WORLD | AUGUST 1 5 , 2 0 1 1

105

8/11/2011 6:26:42 PM

essential technology

Compute Power

to be overlooked until the very last moment is finding qualified people to staff the facility. Sometimes enterprises opt to use the colo vendor's on-site experts, but other times they simply lease space within the facility and staff it themselves. "Obviously, you're going to do local hiring," Williams says. But he notes that a remote datacenter has different staffing needs than a primary site. Since secondary datacenters generally don't have as many management and admin jobs as main sites, hiring needs focus on technical individuals. Still, Williams notes that LexisNexis had no shortage of Ohio datacenter staff members volunteering to transfer to the new location. "If it's in a nice location, everybody is raising their hand to move out there and provide support," he says.

Careful planning and close attention to details are vital to a successful deployment, Burch says. "Most of all, look carefully at any contracts that might be involved with the new datacenter, particularly any DR or hosting contracts that could be either a positive or a negative in your planning," he advises. Burch also urges organizations not to neglect their main datacenter when planning their new facility, particularly if they intend to use the new site in any sort of backup role. "We did our new facility in conjunction with upgrading all of the equipment in our current datacenter," he says. Kemet also placed all-new equipment in its remote datacenter. "That's provided us with a good bit more flexibility as well as horsepower for our test and development environment," Burch says. "The developers are very pleased with that." LexisNexis' Williams feels that finding a competent and trustworthy colocation partner is essential to the success of a secondary datacenter. "The key thing is to find a partner that can provide what I would consider to be that intimate level of serviceâ&#x20AC;&#x201D;meaning that you feel that you're the only client there." CIO Send feedback to editor@cio.in

106

Essential_Tech.indd 84

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

OS for the Datacenter? IT Management | Personal computers have operating systems. Even phones have operating systems. So why doesn't the datacenter have one? Of course, it would be far more difficult to build an operating system capable of handling all the resources of a datacenter than it is to build one that allows a single device to run its applications. Datacenters have teams of IT pros to make sure all the servers are running and so forth, but the job is getting so big that a much more expansive OS to handle the whole datacenter is becoming necessary. That's what UC-Berkeley Ph.D. student Matei Zaharia argues. He's not the first to propose an OS for large clusters of computing systems, but he believes the need is getting more critical because of the growing diversity of applications and users, programming frameworks and storage systems. A datacenter OS would wrap those all together into one management platform and provide resource sharing, data sharing, programming abstraction and debugging. "These are the same reasons we developed time sharing and operating systems for computers," Zaharia says. But the idea of building operating systems for clusters has been around for decades, what's new today and why would it succeed now? Early versions of datacenter OSes are already being built, says Zaharia. He points to Google and the sophisticated methods the company has employed to run its datacenters. "Google's software stack is something that is designed with operating system-like thinking," he says. "Datacenters already host a diverse array of apps, and as new cluster programming frameworks are developed, we expect the number of apps to grow," he says. Zaharia says his team has taken an initial step by designing a cluster manager called Mesos "that enables fine-grained sharing across applications." â&#x20AC;&#x201D; By Jon Brodkin

image by photos.com

Other Pointers

Vol/6 | ISSUE/10

8/11/2011 6:26:44 PM

26-27 August 2011 the MArriott, Pune Visit www.cio100.in

Cio100 Partners

essential technology

Fast Forward Cost and organizational mistakes can bring virtualization projects to a virtual stall at dangerous times. Here’s how to keep your virtualization project moving through four key phases. By Kevin Fogarty

Virtualization | Virtualizing and consolidating datacenter servers provides such clear a financial benefit that there are few companies of any size, in any industry that shouldn't virtualize at least some of their servers and apps. But companies that start virtualization projects without planning for a second phase of migration will get stuck in phase one.

Phase 1: Technical Efficiency and Consolidation

caused by the most subtle—cost and organizational—issues that affect virtualization projects directly, according to James Staten, principal analyst at Forrester research. Planning to virtualize every workload on every server without modifying the way IT plans capacity requirements or the way it allocates computing resources and IT staff

image by photos.co m

CIOs have to stop talking about their physical -to-virtual server ratio.That's an interesting thing to brag about,but completely irrelevant. The cost benefit of getting as many as 10 or 20 virtual servers for the price of one physical box drove many companies to migrations that covered as much as 25 percent of all the servers targeted for conversion. But that was before they hit ‘VM stall,’ a virtual halt in migrations 108

Essential_Tech.indd 86

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

support time, leaves IT departments with a lot of duplicated processes. And a steadily dropping ROI as a P2V migration expands, says Chris Wolf, research VP at Gartner. Here's some advice for avoiding stalls during four key phases of your virtualization project.

The first, ecstatic wave of virtualization saves far more money, far more quickly than at any other time during the migration to or operation of a virtual infrastructure, according to Gary Chen, research analyst at IDC. The cost benefit of eliminating 10 physical servers and replacing it with one larger, more automated box often gives both IT and business-unit managers a false sense of success and unrealistic expectations for the future, he says. Many IT groups stick with the same set of cost metrics to estimate success, which usually means focusing only on how densely VMs can be packed into physical hosts, not investing in management tools or training that give CIOs a better idea of how to allocate virtualized resources in new ways, Chen says. "People have to move their thinking away from something a lot of them are proud of—their physical server-to-virtual server ratio, or how many machines they can take out of an environment," Staten says. "That's an interesting thing to brag about, but completely irrelevant. The real need is to shift to the point that you can deliver greater efficiency—higher sustained utilization and peak utilization of their whole pool of computing resources."

Phase 2: Picking Targets, Simplifying Administration The next phase of a migration requires more specific knowledge of what individual VMs are doing, for what business unit, and what resources they require, Staten says. That requires more than high VM density to keep the ROI positive; it requires changes

Vol/6 | ISSUE/10

8/11/2011 6:26:48 PM

26-27 August 2011 the MArriott, Pune Visit www.cio100.in

Cio100 Partners

essential technology

in IT administration and support to improve processes like change management, provisioning and incident management that don't work effectively within older organizational silos, Staten says. "You start to look at all the resources— CPU, memory, storage—as a pool you can allocate," he says. "You can't do that without visibility into all the resources or within existing management silos," says Wolf. Getting beyond the first big opportunity for VM stall means giving system admins responsibility for a set of VMs according to the business unit that uses the VMs, not the physical location of the servers. Failure to allocate human resources efficiently causes efforts to be duplicated,

Phase 3: Process Automation Restricting sprawl doesn't keep most companies moving on ambitious migrations, Wolf says. The real advantage of virtual infrastructures is flexibility. And to ensure it, IT has to be able to use VM mobility, detailed resource management, automated provisioning and change management. Otherwise, the whole infrastructure won't work efficiently, he says. The measure here should no longer be how high the utilization of a single server or group of VMs is in running one app, but how consistently high the utilization of the whole datacenter has become, Staten says. Performance optimization is just one part

The measure should no longer be how high the utilization of a single server or group of VMs is in running one app, but how consistently high the utilization of the whole datacenter has become. extra work and gaps in responsibility, all adding up to a huge waste of resources. "Sprawl is the typical problem there for companies that are not doing lifecycle management or automating any of the procedures involved in systems administration or support," Staten says. At the most basic level, it's necessary to know what all those VMs are doing, or whether they're doing anything at all. Datacenter admins consistently report that about 15 percent of the servers they maintain aren't doing anything useful. That is, they are not being used by any end users or apps in an average month, according to Sumir Karayi, CEO of 1E software, an asset-management vendor. "If a server is being backed up or patched, it can look busy just doing housekeeping work. With virtual servers it's even easier because there's not as much of a perceived cost to running them without doing any work,” says Karayi. 110

Essential_Tech.indd 88

a u g u s t 1 5 , 2 0 1 1 | REAL CIO WORLD

of the equation, though, Chen says. Costs rise dramatically with overuse or unsupervised use of licenses, not just the wasteful launch of VMs, he says. Many companies are renegotiating their enterprise license agreements specifically for that reason, Staten says. It's too easy for end users to launch a server or application instance that takes up licenses for the OS, application and database, use it for a day, then leave it running and launch another the next morning. Unfortunately, according to a 2010 IDC study, 25 percent of IT organizations manage servers and storage manually, only 30 percent consider datacenter operational costs to be a priority, and only 25 percent are consistently concerned about software license costs. Less than a third of CIOs worldwide—31 percent—consider integrating server, storage and network management for virtualized infrastructures a

prime concern. Many organizations recognize the potential benefits of granular, consolidated management of virtual infrastructures, but haven't been able to accomplish it themselves. That’s partly because of the limited availability of tools that can handle the requirement and partly because their organizations haven't advanced their thinking enough to be confident in their ability to accomplish it, according to Galen Schreck, VP and principal analyst at Forrester.

Phase 4: Cost Efficiency, Chargeback Despite the lack of granular resource allocation, sophisticated policy-based management or even a long-range capacity management plan at most companies, 36 of every $100 spent on physical servers in 2014 will go to hardware intended to host virtual servers, according to a December study from IDC. The 2.2 million physical servers that figure represents will actually run 18.4 million servers, at an average of 8.5 VMs per host by 2014, the study predicted. The number of those servers will drive changes in the way IT does its job, but the $19 billion (about Rs 85,500 crore) cost will change the way it reports its spending to the rest of the business, and how it justifies the work it does for business units, Chen says. An extra virtual machine looks free because it requires no capital costs to launch, Staten says. Licensing costs, resource use, administration, storage and all the other costs still exist, but are usually not translated clearly in budget analyses to the business side, he says. That failure to understand real costs—as much as any other single factor—can cause even a technically successful virtualization project to hang. CIO

Send feedback on this feature to editor@cio.in

Vol/6 | ISSUE/10

8/11/2011 6:26:48 PM

26-27 August 2011 the MArriott, Pune Visit www.cio100.in

Cio100 Partners

bookclub club whAt we’Re ReAdINg

by Vijay RamachandRan

* sUPPOrTeD by hP sTOrageWOrks DIVIsIOn

Talented Tale Building a talent pipeline in your organization is never going to be an easy task, here’s how you can go about it.

ed by Support

IN SUMMARY: Journalists typically have little use for HR departments and their trappings. Veteran editor Pritish Nandy once remarked that as far as he was concerned the bunch had only two functions—ensuring that salaries were paid out on time and that the loos were kept clean. An extreme view, no doubt, but one that I have heard echoes of in my many conversations with CIOs. The idea of a department that does more than paperwork, I suspect, is as alien to newsrooms as it is to IT departments. Indeed, most editors that I have worked with recruited and groomed stars, based on old world wisdom, seatof-the-pants management, and a whole lot of faith. I’m no exception to this philosophy; however, I have seen enough great teams self-destruct to know that there ought to be a better way of going about the talent game. The Talent Masters aims to nudge us in that direction. Indeed, the opening lines of the book read: “If businesses managed their money as carelessly as they manage their people, most would be bankrupt.” I found myself buying into many of the book’s ideas, and forming a healthier respect for the souls tasked with HR than before. Read on for excerpts from reviews of this book from two of your peers who recommend it more heartily than me:

The book is one of the greatest path lighters about the principles and

practices of fostering human resources that I’ve come across. Through their analyses of real world examples from organizations as diverse as GE and Goodyear; Hindustan Unilever and LG; Apple and HP, the authors have put forward their hypothesis, in simple yet relatable terms. I was specially impressed by the parallels that they have drawn between financial management and talent management. Both class and experience shine in this book and I unequivocally subscribe to their belief in creating a performance-driven meritocracy as also an organization which fosters problem-solvers rather than problem identifiers. Neither is an simple task, but with this book as a guide makes it easier. I believe that this book will help both aspiring and practicing CIOs to become more successful. While CIOs will relate to the examples in the book, the principles of leadership apply to other functions as well, and therefore would be good reading for anyone in a senior leadership role. Daya Prakash, CIO, LG Electronics

CIO Book CLUB log on to cio.in/bookclub to get YOUR FRee COpY p . Also, read pY reviews and post comments.

c o.in

the tALeNt MASteRS: Why

smart People Put People before numbers By Bill Conaty & Ram Charan Publisher: Random House Business Price: Rs 700

Without doubt this is a valuable book. I would go so far as to call it the ‘Bible’ of leadership development. Overall, The Talent Masters offers a valuable window into the skills of talent development—from what a talent master does (succession planning and leadership development); to the special expertise of such masters (growing the talent pipeline and building capacity through experiences); to becoming one (setting the right values and behaviors, as well as getting the right talent management process in place); and, finally serving up a tool kit of things to get the ball rolling. Real life examples from global organizations, and the compilation of rich experiences by the authors whet my appetite and made it an interesting read. This book should be on the table of every right-thinking business leader. Farhan khan, AVP-IT, Radico Khaitan Sounds interesting? We invite you to join the CIO Book Club. CIO Send feedback to editor@cio.in

Vol/6 | ISSUE/10