From The Editor
Radical Reform
The IT promise: sustainable competitive advantage.

It's interesting how the shift toward a service economy has led to an increase in the manpower involved in analyzing information and solving problems. Such 'tacit' jobs, states a McKinsey study, give a vital edge to firms: raising the productivity of their most valuable workers confers advantages that rival corporates can't easily duplicate, as opposed to boosting productivity by reengineering or automating. The study, 'The Next Revolution in Interactions', apart from being an interesting read, points to major implications for business strategy and IT investment by enterprises. Though the authors' research is based on the US market, the situation in India is fast changing given our buoyant economy.

Adding value to what talented decision makers do calls for a radical shift in the organizational structures that best assist them, as well as in the way that technology supports them. Make no mistake, technology and organizational strategies have to be tightly linked to ensure performance improvement. On one level, IT can improve the speed and quality of decision making by giving employees easier access to filtered and structured information, without them having to wade through volumes of unproductive e-mail. BI tools can also help business end-users zoom in on key trends quickly and with greater accuracy. Then again, current and emerging technologies can extend the breadth and impact of interactions between employees. Combining high-speed connectivity and applications like collaborative software and IP telephony can quicken the meeting of minds while progressively cutting the cost of such collaboration.

Obviously, any such strategies call for not only business buy-in but also a greater business orientation for CIOs. This also points to another closely related issue: how can CIOs tune in to what can really work to give their organizations a sustainable edge? We turned to the CIO Advisory Board to identify the way forward for you and your peers. Their thoughts on how CIOs can manage the transformation from technologists to strategists are presented in the cover story 'A New Game Plan' (page 24). What stood out in their views on the nature of the evolution of the CIO's role was how inevitable this was. I'd like to know your thoughts and perceptions on your role and position in your organization. Send me a note.
Vijay Ramachandran, Editor vijay_r@cio.in
Vol/1 | ISSUE/16
REAL CIO WORLD | JULY 1, 2006
Contents
CIO Outlook
Executive Expectations

COVER STORY | A NEW GAME PLAN | 24
The CIO has established himself as a technology leader in the Indian milieu. The foremost challenge now is to evolve into a business strategist in the organization. CIO India's editorial advisory board identified four critical areas, which, if leveraged, will see CIOs in a position to make their organizations more global and profitable.
Strategy: How much of a strategist can the CIO be? Interview by Gunjan Trivedi
Managing Outsourcing: Towards a governance structure to make outsourcing relationships work. Convergence: Bring management on your side. Attrition: How keeping attrition in check is part of your key result area. Feature by Harichandan Arakali

VIEW FROM THE TOP | 40
Subhash Chandra, chairman of Essel Group, on how IT will enable a paradigm shift in broadcasting – and redefine the remote control for consumers. Photos by Srivatsa Shandilya

MAKING IT WORK | THE HAMMER OF CONSENSUS | 18
When a committee is charged with achieving unanimity, the force of its decisions is multiplied. Column by Michael Schrage

FIGHTING SPAM | THE NO-COST ANTI-SPAM SOLUTION | 44
Blacklists, whitelists and greylists are all essential spam-fighting tools. Here's how your organization can use them. Feature by Paul Venezia

Cover design: Anil V.K.
Contents (cont.)

DEPARTMENTS
Trendlines | 13
Innovation | Thinking Out of the Box
Supply Chain | Simulating Experience of Avian Flu
Biometrics | Security is in Employees' Hands
RFID | The World Cup's Not-so-smart Tickets
Management Report | Business Users for IT
Research | Iraq's Virtual Library
By The Numbers | Room to Improve IT's Moves
Internet | The Web Lights up Your Life

Essential Technology | 58
Security | CSI for the Enterprise? By Galen Gruman
Pundit | Virtualization and the Impact of Open Source By Bernard Golden

From the Editor | 3
Radical Reform | The IT promise: sustainable competitive advantage. By Vijay Ramachandran

Inbox | 12

NOW ONLINE
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

GOVERN | INFOSEEDING THE FARM | 50
With Project Asha, the Assam Small Farmers' Agri-business Consortium has put in place a network of 219 information kiosks that are powered by the Internet. A look at how the network has benefited as many as 6,000 farmers across the state. Feature by Ravi Menon

UNWIRING CHANDIGARH | 54
S.K. Sandhu, secretary, finance and IT, Chandigarh Administration, is determined to give citizens access to the government. And he is not taking half-measures either. By introducing Wi-Max throughout the city, he hopes to beat last-mile problems many e-governance applications face. Interview by Rahul Neel Mani
Management
President N. Bringi Dev
COO Louis D'Mello

Editorial
Editor Vijay Ramachandran
Assistant Editors Ravi Menon; Harichandan Arakali
Senior Correspondent Gunjan Trivedi
Special Correspondent Balaji Narasimhan
Bureau Head-North Rahul Neel Mani
Chief Copy Editor Kunal N. Talgeri
Copy Editor Sunil Shah
Editorial Director-Online R. Giridhar

Design & Production
Creative Director Jayan K Narayanan
Designers Binesh Sreedharan; Vikas Kapoor; Anil V.K.; Jinan K. Vijayan; Unnikrishnan A.V.; Sasi Bhaskar; Vishwanath Vanjire; Sani Mani; MM Shanith; Anil T; PC Anoop
Photography Srivatsa Shandilya
Production T.K. Karunakaran; T.K. Jayadeep

Marketing and Sales
General Manager, Sales Naveen Chand Singh
Brand Manager Alok Anand
Marketing Siddharth Singh
Bangalore Mahantesh Godi; Santosh Malleswara; Ashish Kumar
Delhi Nitin Walia; Aveek Bhose
Mumbai Rupesh Sreedharan; Nagesh Pai; Swatantra Tiwari
Japan Tomoko Fujikawa
USA Larry Arthur; Jo Ben-Atar
Singapore Michael Mullaney
UK Shane Hannam

Marketing & Sales Contacts
Bangalore: Mahantesh Godi, Tel: +919342578822, mahantesh_godi@idgindia.com, IDG Media Pvt. Ltd., 7th Floor, Vayudooth Chambers, 15-16, Mahatma Gandhi Road, Bangalore 560 001
Delhi: Nitin Walia, Tel: +919811772466, nitin_walia@idgindia.com, IDG Media Pvt. Ltd., 1202, Chirinjeev Towers, 43, Nehru Place, New Delhi 110 019
Mumbai: Swatantra Tiwari, Tel: +919819804659, swatantra_tiwari@idgindia.com, IDG Media Pvt. Ltd., 208, 2nd Floor, "Madhava", Bandra-Kurla Complex, Bandra (E), Mumbai 400 051
Japan: Tomoko Fujikawa, Tel: +81 3 5800 4851, tfujikawa@idg.co.jp
USA: Larry Arthur, Tel: +1 415 243 4141, larry_arthur@idg.com
Singapore: Michael Mullaney, Tel: +65 6345 8383, michael_mullaney@idg.com
UK: Shane Hannam, Tel: +44 1784 210210, shane_hannam@idg.com

www.CIO.IN

Advertiser Index
Avaya GlobalConnect | 4, 5
Hewlett-Packard | 63
IBM Lenovo | 64
Interface Connectronics | 27
Mercury | 9
Microsoft | 2
Ricoh | 37
Research in Motion | 49
SAS | 17
Toshiba | 21
Tyco | 23
Wipro Infotech | 6, 7
All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.
Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India
Reader Feedback

Standout Event
I enjoyed CIO Focus-Storage very much. The CIO series of events is becoming a good forum to network with colleagues in the industry. The presentations from the vendors were good. In future, a presentation from a fellow CIO, who has carried out an IT implementation in this area and would like to share his experience, would give the audience more insights into the subject.
Rajesh Uppal, GM-IT, Maruti Udyog

Choosing Storage Solutions
Understanding the value of information in day-to-day operations is fundamental to forming an effective information lifecycle management strategy (Benefits in Store, June 15). Information types, availability, integrity, bandwidth and sharing are the core competency of any digital organization. However, overseeing data storage management in an era of high-speed hardware obsolescence, while juggling budget, risk, and meeting regulatory requirements is a definite challenge. Part of the challenge is to select the right kind of storage architecture and storage management software solution from what is available. The way out for CIOs and other heads of IT departments in general is to answer these questions: the data that needs to be stored, the size of backup, backup intervals, how long data is to be protected or retained, the required data-recovery time, the type of server connectivity required, the choice of using offsite storage and remote application, and how much data is required to meet regulatory requirements. This will lead to differential tiers of storage that will reduce the average storage cost and increase efficiency.
R.K. Upadhyay, Deputy GM (IT), BSNL

It is a very good idea to have forums such as the CIO Focus on security and storage, especially when the participants are active and there is an emphasis on exchanging experiences. If it is possible, please organize an event that shares innovative solutions implemented by CIOs and other out-of-the-box solutions using IT.
Avinash Arora, Director-IS, New Holland Tractors

Thank you for inviting me to be part of the storage event; it was a wonderful event. The program's content was great. Maybe an event focused on the BFSI sector could be arranged next?
Atul Kumar, Chief Manager, Syndicate Bank

The storage event in Mumbai was a real stand-out. The selection of topics and the discussion on management of unstructured data were good. The composition of the panelists was excellent and it brought forth different perspectives. There was also a good deal of interaction from the audience. Perhaps, it could have added more value to involve a software vendor who is doing work on content intelligence or maybe a BI tool vendor to find out how they are addressing the management of unstructured data. Overall, thumbs up!
Vinod Sadavarte, CIO, Patni Computer Systems

This (the CIO Focus-Storage) was my first CIO event, and I thought it was extremely useful and thought-provoking. We plan to roll out storage initiatives in our organization soon.
S.C. Mittal, ED (MSD), IFFCO

The storage event was really informative and well conducted. The Black Book on storage has benefited me greatly. I think it is the best takeaway in terms of knowledge and information for all CIOs.
Sanjay Mittal, Head of IT, Navin Fluorine International

What Do You Think?
We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.
TRENDLINES | new * hot * unexpected

INNOVATION | Thinking Out of the Box
If you live in Mumbai, you can't miss them: dressed in crisp, white kurta pyjamas with their trademark Gandhian caps, this army of 5000-odd tiffin box suppliers or dabbawalas deliver tiffin boxes from suburban homes to a couple of lakh customers in their downtown offices. Six Sigma certified for time accuracy, logistics and supply chain, these dabbawalas recently got a new feather in their caps: their online presence through www.mydabbawala.com. This is the first time in their 115-year legacy that they are using technology. Manish Tripathi, the honorary CIO of the Mumbai Dabbawala Association, is an independent software consultant who has got this community closer to IT. He envisions three main purposes being served: to harness the Internet's reach for generating revenue, to be a single point of contact for the community to the world, and to garner more contribution from companies and society. "The initial response of these dabbawalas to IT was lukewarm. In fact, their first brush with IT was only when Bharat Petroleum donated two computers to them," recalls Tripathi. The three-month-old website, which comes to these dabbawalas at no extra cost, is beginning to deliver the goods. "Around 1,000 new customers have come in through the website," he says. The dabbawalas have also signed up with a number of restaurants after these companies contacted them through their website. Tripathi is now developing applications for the web portal to automate the tiffin service requests. As of now, customers can send their requests by e-mail, which Tripathi communicates to the association. "Soon we are also going to start mobile services, where customers can request the service by sending an SMS to 3636," adds Tripathi. — By Gunjan Trivedi

SUPPLY CHAIN | Simulating Experience of Avian Flu
A simulation at MIT of an avian flu outbreak in China underscores the need to consider supply chain disruptions as part of a company's emergency plans. The simulation was played out by a panel of managers from companies such as Intel and Cisco that deal with emergency situations. Panelists took on roles in 'Vaxonn Wireless,' a hypothetical mobile-phone maker. IT wasn't represented on the panel, but that doesn't mean it won't play a role in emergencies, says Ken Cottrill, an MIT spokesman. "In real life, the membership of an emergency response team changes as the situation progresses." Panelists reacted to news that two workers at the 'Geeling Manufacturing' plant in China, where Vaxonn phones were manufactured, had fallen ill with suspected cases of bird flu. The Chinese government quarantined the plant on and off during the outbreak. The crisis, which was contained in a few days, occurred as Vaxonn prepared the release of its new SlimPhone 360. Its 'emergency response team' kept in touch with the Geeling plant, and requested updates from the World Health Organization and the US Centers for Disease Control. While the scenario wasn't entirely realistic, the issues it posed were. Besides the specter of avian flu, participants recalled the aftermath of the 9/11 attacks, and reflected on more ordinary situations such as power outages that can cause crises. The main recommendation that emerged from the simulation is that all companies, no matter their size, should have a written plan for emergencies. — By Nancy Weil

Illustration by Unnikrishnan A.V.; Imaging by Binesh Sreedharan; Photo by Kapil
BIOMETRICS | Security in Employees' Hands
A decade ago, William Beaumont Hospital, a 254-bed community hospital in Troy, Michigan, had a problem with a small number of rogue employees who were stealing narcotics from a storage area. At the time, narcotics storage was secured with a lock that opened by entering a code on a keypad. Security director Chris Hengstebeck looked for ways to tighten control of the affected rooms and cabinets and to generate a log of employees accessing them. The solution: a biometric hand geometry system, which identifies individuals through hand measurements. The hospital now has about 40 hand readers that control access not only to narcotics but also to the maternity ward and other sensitive areas. Hundreds of employees use the system. To enter a restricted area, employees must punch in their unique ID number and then have their hand scanned. "We recognized that there was a problem with ID cards and passwords being stolen," said Hengstebeck during a presentation at the Winter 2006 Biometrics Summit. "The primary advantage of hand geometry over anything else is that it's inextricably linked to the user," Hengstebeck says. The hospital has added a fingerprint reader linked to the cabinets holding narcotics to further control access. Now, the hospital plans to use the hand geometry and fingerprint reader combination in areas of its Rs 2,218.5-crore expansion due to start this summer. The system has several benefits besides improved access control. It helps with investigations. Linked with security cameras and a database of employee identification information, the system generates concrete evidence of possible improper or unlawful activities. It is also flexible enough that staffers can bypass it when they need immediate access, such as when a patient is being rushed to surgery. — By Juan Carlos Pérez

RFID | The World Cup's Not-So-Smart Tickets
Regardless of the outcome of the World Cup football tournament that began in Germany last month, the games have already made history. Never before have fans attending an event organized by the Fédération Internationale de Football Association (FIFA) been required to provide so much information about themselves that can be accessed so quickly. More than 3.5 million tickets to the world's biggest sporting event are expected to be sold with embedded radio frequency identification (RFID) chips that will link ticket-holders to a database containing personal identification information, including their birth date and ID card or passport number. Cup organizers say they need this information to combat black-market ticket sales and to keep out hooligans. But FIFA Secretary General Urs Linsi told the German newspaper Tagesspiegel that he would prefer to collect less information from fans in future. Fans view the ticketing requirements as excessive, and privacy groups have questioned the legality of gathering so much personal data for a public event. The German World Cup organizing committee was hauled into court over the issue. (The case was decided in the organizer's favor.) There are rumors that security officials equipped with RFID scanners will monitor fans inside the stadiums, but the committee says there will be no in-stadium surveillance. The committee also stresses that no private data will be available on the RFID tags themselves. — By John Blau
Illustration by Anil T
MANAGEMENT REPORT | Recruitment Rethink for IT
IT's mission has shifted from delivering systems to managing the process of delivering them, according to a study by the Society of Information Management (SIM). Within the next two years, companies will need more staff capable of managing projects and working closely with business users. But many companies still fail to take business training into account when hiring entry-level staff, defaulting to candidates with technical degrees such as computer science and engineering, the report says. "If you look at computer science or engineering programs, there's been an emphasis on the technical skills, like programming," says Phil Zwieg, VP of IS with Northwestern Mutual, and VP for advocacy and communities of interest with SIM. College curricula, he adds, aren't changing fast enough to teach skills that businesses really need. While the colleges try to catch up, company training programs can help fill the gap. CIOs also may have to get creative about who they hire to fill upcoming vacancies, such as recruiting business users for IT positions. "I don't think a company can use just one avenue [for recruitment] anymore," says Zwieg.

SIM's survey of 96 executives from 89 companies found that more IT organizations of all sizes plan to expand their staff, although more small- and mid-market enterprises expect to add employees than large companies. Similarly, most companies, regardless of size, plan to outsource more work, particularly technical work, to third-party providers, although large companies intend to outsource more. Overall, however, the study concludes that the number of IT jobs won't change much between now and 2008. The study identifies a number of business skills as core to successful IT operations, such as industry knowledge, project management expertise and business process knowledge. But it has found no technical skill to be correspondingly critical. — By Elana Varon

The SIM survey has found that most companies provide both entry and mid-level hires with some business training.

RESEARCH | Iraq's Virtual Library
A group of US scientists, with help from Sun Microsystems and the US government, has launched an online library containing more than 1 million research articles for Iraqi scientists and students. The Iraqi Virtual Science Library (IVSL) was started with Rs 1.6 crore from the US Department of State and the US Department of Defense (DoD). According to project organizers, the online library is needed because for more than 20 years, Saddam Hussein's regime neglected libraries and the scientific community. Then, following the US invasion of Iraq in 2003, many Iraqi libraries were found to have been looted and destroyed. "A lot of the holdings that the Iraqis did have were destroyed in the aftermath of the war," says Barret Ripin, senior science diplomacy officer for the US Department of State. The project started with a group of scientists who were working at the State Department or DoD through a fellowship program of the American Association for the Advancement of Science. The group wanted to give Iraqi scientists and students access to "top-tier" research, says D.J. Patil, an IVSL co-founder and researcher at the University of Maryland. With the first phase of IVSL complete, the online library includes access to more than 17,000 research journals. Some publishers donated access, while others offered subscription discounts, says Susan Cumberledge, another IVSL co-founder and a professor at the University of Massachusetts. Iraqi scientists and students can sign up for access through seven universities and one research institute there, and more schools will be added, says Cumberledge. Sun helped the IVSL team evaluate the Internet connectivity and infrastructure needed for the project. In the next phase, it will help Iraqi universities and government agencies create an open-source Web portal that the universities can manage, according to company officials. — By Grant Gross
Illustration by MM Shanith
BY THE NUMBERS | Room to Improve IT's Moves
At smaller companies, IT is best at meeting tactical goals.
By Diann Daniel

IT decision-makers at small and mid-market companies think IT is best at supporting tactical efforts such as improving efficiency, but they have reported that IT falls short when it comes to innovation and other strategic contributions, according to a survey by Forrester Research. However, there's room for improvement even in areas that executives think IT is good at. For example, only 38 percent of the 540 executives surveyed think that IT is great at improving workforce productivity. Forty-six percent said this is something IT is only somewhat good at. Similarly, only 34 percent said their IT departments were great at lowering company operating costs.
Even fewer execs think IT is great at making strategic contributions. A mere 21 percent said that IT excels at revamping core business processes. The decision-makers surveyed included both IT executives and business leaders such as CEOs and CFOs. Michael Speyer, the Forrester senior analyst who led the study, notes that the IT execs gave themselves better marks at cost-cutting and improving productivity than non-IT execs gave IT. Speyer says the ratings are based on respondents’ perceptions of IT, and he thinks the differences of opinion suggest the need for a common language shared by IT and the rest of the business when evaluating IT’s performance.
As for why IT isn’t better at contributing to strategic efforts, Speyer points out that IT has had 20 years of practice supporting areas like improving efficiency, but few companies have asked IT to contribute to core business transformation. For example, in retail, enabling employees to go online to find the location of an out-of-stock item or allowing customers to order on the Web are business innovations that aren’t possible without IT. But in general, Speyer says, IT execs have not been called upon to help brainstorm new business models, and so supporting innovation can be outside the comfort zone of many IT shops.
What IT Organizations Do Best
Technology decision-makers rate how well IT supports business objectives.

Goal | A Little/Not at All | Somewhat | To a Great Extent
Improving productivity | 17% | 46% | 38%
Improving products or processes | 23% | 39% | 38%
Lowering costs | 27% | 38% | 34%
Managing customer relationships | 31% | 36% | 34%
Acquiring and retaining customers | 35% | 33% | 32%
Driving innovative products, services or business practices | 39% | 36% | 25%
Reengineering core business processes | 41% | 38% | 21%
Note: Percentages may not total 100 due to rounding.
Best Practices
1. Create shared metrics. Michael Speyer says objective measurements which both IT execs and non-IT execs can use to discuss how well IT is doing would help close the gaps in how IT's performance is perceived.
2. Make more time. Create opportunities to work on strategic initiatives by streamlining IT operations. For example, consolidating servers using automated data center management tools makes data center management easier and frees up IT staff for other activities — like learning about the business.
3. Speak the CEO's language. IT must figure out how to translate business goals into IT goals. To do so, the CIO must learn the language of the business and understand its processes. Compared with their counterparts in large companies, CIOs at smaller companies may find it easier to get close to the action.
INTERNET | The Web Lights Up Your World
The Internet's impact on users' lives has grown during the past five years, but that impact is greater in some areas than in others, according to a recent survey by the Pew Internet & American Life Project. According to the survey, 35 percent of Internet users said being online has greatly improved their ability to do their jobs, up from 24 percent in March 2001. The job category saw a lower growth rate than other areas. In the category of respondents' personal lives, the growth rate was higher. For example, 33 percent reported that being online has greatly improved the way they pursue their hobbies and interests, up from 20 percent five years ago. The resources and services available on the Web have exploded since 2001, but at the same time it's become harder to make an impression on users, says Mary Madden, a research specialist at Pew. Also, occasional users may not know about things on the Internet that could change the way they live, Madden adds. Daily users are much more likely to report that being online has a major impact on the way they do things. Internet use is still more common among wealthier people, but the gap is narrowing, says Madden. "Much of the growth that has occurred in the past year alone has come from low-income groups," she says.
— By Stephen Lawson
Illustration by Unnikrishnan A.V.
Michael Schrage | MAKING IT WORK

The Hammer of Consensus
When a committee is charged with achieving unanimity, the force of its decisions is multiplied.
I recently served on a special committee of independent directors formed expressly to ensure fair terms for a high-profile, multibillion-dollar takeover. The negotiations for this deal were exceedingly complex, yet the chairman of our committee persuaded us to accept a diabolically simple constraint. Any public pronouncement, decision or action we took would have to be agreed upon unanimously. If we couldn't reach a consensus, we wouldn't proceed. Period. We were all in it together. The resulting experience was electrifying. Each of us had the explicit ability to delay, stalemate or kill any idea or initiative. That's power. At the same time, we knew that any idea or initiative we suggested required unanimous consent. As a naturally contentious guy, I feared we'd all be a bit too willing to compromise in the name of comity. Not only was I wrong, I wasn't even the most contentious. We had knock-down, drag-out arguments where decibel levels leaped. We fought over precise wording and imprecise spreadsheet calculations. We made our lawyers and investment bankers — who were exceptionally well-compensated — earn their pay with constant requests for data and interpretations to resolve our internal disagreements. There was absolutely no polite desire for early consensus. At no time, however, did any of us exercise our veto power — not once! I can't even recall an implied threat to do so. The fact that any one of us could stop any proposal dead in its tracks liberated conversation rather than constrained it. We absolutely knew we'd take each other's comments and concerns seriously. We listened to each other so closely and carefully that potential 'deal-breaker' conflicts never hit the point of no return. Any decision made was owned by all of us. No weaseling; no waffling. Us. The result? We successfully struck a deal that made the shareholders reasonably happy and the independent directors impressed with each other's diligence. Our chairman clearly knew what he was doing.

That story often comes to mind when I hear the frustrations of IT governance and IT project steering committees designed to better align budgets, schedules, requirements and priorities. We can talk all we want about the strategic objectives of the business and the 'partnerships' that these committees supposedly oversee. But the simple truth is that steering committees aren't about leadership or management; they're about accountability. Strategic direction and the ongoing pursuit of operational excellence mean nothing without accountability. When the special committee chairman got us to commit to unanimity as our metric, he effectively guaranteed individual and institutional accountability. In essence, he made us accountable to each other so we would effectively become more accountable to the shareholders we represented. That's genius. Billions of dollars and the threat of litigation were at stake. Yet, with this simple mechanism, we were able to negotiate a deal that was fair to all sides.
A Betrayal of Trust
When I look at steering committees in many organizations, however, I see mechanisms for strategic direction, risk-sharing and alignment more than I see a bid for accountability. Indeed, those steering committees often seem to be mechanisms for holding others accountable — project leaders, procurement teams and so on — rather than themselves. The notion that IT steering committees can operate more like a bureaucratic tool to evade accountability than to own it appalls me. It is a betrayal of trust and an abdication, not a delegation, of leadership.
So I have to ask: do you, as a CIO, serve on steering committees where strategic decisions and multimillion-dollar commitments can be made with individual recusals and dissents? Is the committee as a whole held accountable for its priorities and choices? Or is the aspirational whole less than the sum of its political parts? Similarly, do you, as a CIO, oversee IT/business project steering committees where unanimity and consensus are as elusive as unicorns? Have you ever insisted that these committees stand by their budgets, schedules and deliverables as a unit?
Let’s be honest: much of the problem is that accountability has become a fancier word for blame. We all say we want accountability, but who wants to be blamed? (I am surprised by the Enron-like denials of accountability on the part of top executives.) Yet we need to encourage individual and group initiative even as our processes, apps and systems become more cross-functional and interdependent. Frankly, CIOs who claim that partnership with the business units is the way to go must muster the courage to acknowledge reality. They need to insist that steering committees designed to promote strategic alignment and other such feel-goodies be retooled around accountability. Steering committees should be platforms for accountability before being internally marketed as exercises in risk-sharing and strategy.
While in Australia recently, I heard CIO after CIO bemoaning the fact that when something succeeds, the business takes the credit, and when something fails, IT gets the blame. The steering committee chatter I heard made it clear that accountability wasn’t a serious factor in their design or deployment. Consensus? Unanimity? Nonsense! I can’t help but believe that more than a few CIOs would be better off if they began insisting on unanimity.
More than six decades ago, one of America’s finest aircraft designers — Douglas’ Edward Henry Heinemann — oversaw the production of a myriad of state-of-the-art combat planes. One of his key managerial rules was that changes had to be made by consensus. This built both esprit and better integrated, high-performance aircraft. The wonderful paradox is that leading by consensus may be the surest way of generating the kind of arguments and candid discussion that guarantee a productive collaboration between IT and the business. The power of the veto may be the best guarantor of it never (or seldom) being used.
But the most important issue here is that CIOs need to behave as if accountability is as important for committees as it is for individuals. They need to behave as if consensus is not the byproduct of least-common-denominator compromises but the result of smart people successfully collaborating within constraints. At the risk of going meta, CIOs need to accept that they should be held accountable for how they hold their people accountable.
Sometimes the best way of making people more accountable to you, and to themselves, is to insist they become more accountable to each other. Is that idealistic? Perhaps. But as one looks at the future of IT governance and project management, it increasingly seems the most pragmatic way to go.
Michael Schrage is codirector of the MIT Media Lab’s eMarkets Initiative. Send feedback on this column to editor@cio.in.
Vol/1 | ISSUE/16
REAL CIO WORLD | JULY 1, 2006
Martha Heller
CAREER COUNSEL
Hitting to All Fields
How do you move into a new industry without taking a backward step?
Illustration by Anil T
Seventeen years ago, you innocently took a job as an IS manager in a health-care organization. Now, after following a vigorous career trajectory from company to company in positions of increasing responsibility, you look in the mirror and staring back at you, to your horror, is a ‘health-care CIO’. You’ve been typecast, but you’re tired of the challenges endemic to your industry. You want a new role. What do you do? How do you convince a financial services CEO, who is keen on bringing in a business-focused IT leader, that you are the best fit for the job? How do you move into a new industry without taking a backward step?
You don’t, says Don Parker, who is executive VP of operations and technology at BOK Financial and has spent most of his career in financial services. “Ten years ago, when the application of technology was more generic, IT knowledge could translate across industries,” he says. “But today, technology is how you compete and your value as a CIO is based on your ability to drive the business. Your best offers will come from the industry in which you have expertise.” But despite the fact that securing a CIO spot in a brand new industry is a good deal more challenging than remaining in one vertical, many CIOs have bitten the bullet and made the move. Here is some advice from those who have switched industries on getting the job and keeping it.
Many companies want CIOs with industry experience and will not talk to you unless you have it. But there are plenty of cross-industry opportunities for CIOs who look carefully enough.
1. Think carefully about the industry. You need to do a “gut check”, advises Bart Thielbar, VP of IT at Northwestern Energy, who moved from insurance to utilities in 1998. “Are you moving toward something or away from something?” he asks. “If you’ve had trouble succeeding in one industry, you may have trouble in the next, and this time you won’t have the same support networks.” Thielbar also advises CIOs to think long and hard about the future of the industry they are considering. “Understand that trends like regulations and consolidation will put pressure on your company and your job,” he says. “Make sure you can stomach those trends.”
2. Look for the late adopters. When Thielbar decided he was ready to move on, he looked for an industry that currently spent less money on technology than insurance did but that was gearing up to spend more. He saw that the utility industry was on the verge of automating its consumer processes, and he successfully set his sights on Northwestern.
3. Follow the vendors. Wayne Sadin, CIO of Aegis Mortgage, agrees with Parker that your best bet is to pick a great industry and stick with it because changing industries can be hard. However, if you are set on making a move, he suggests talking to your vendors about their market expansion plans. “Let’s say you’re an expert in imaging systems,” he says. “Go to your imaging systems vendors and ask them what new industries they’re trying to break into. Take advantage of all of that good market research.” Chances are, if the imaging vendors are targeting a specific industry, companies in that industry will value your expertise.
4. Make subtle, not drastic, industry changes. Rafael Sanchez, VP and group CIO of Carnival, has worked in his share of industries, but they all have a common element — the consumer. “I’ve worked in consumer products, food service and travel,” he says. “They definitely have their differences, but they are all focused on the customer, and from a technology standpoint they have a lot in common.” If you’re the CIO of a hospital and your goal is financial services, do a stint at a health insurance company before making your ultimate move.
5. Go pro bono. In 1999, Jan LaHayne, CIO and global leader of customer service for Littelfuse, moved from a career in the food industry to electronics. She recommends that once you’ve selected the industry of your dreams, you do some pro bono work in that industry to get some experience on your résumé (and some contacts in your Rolodex). “Go to your industry’s association and ask if there is something you can do for them,” she suggests. “If I wanted to work for Microsoft, I would find out what nonprofits they support and do pro bono work for them. Now you’re rubbing elbows with the right people. I’m doing that with the Brookfield Zoo,” she says. “If I ever decide to go into non-profit, I’ll have the experience.”
6. Highlight the similarities. Once you’ve found the industry, company and, most importantly, the CEO who will entertain your candidacy despite your lack of direct experience, you’ll still need to manage your interview. When Mike Sebastian, who was directing PC operations for the San Diego Sheriff’s Department, was on an interview at TD Industries, a construction company, he asked a series of questions about the outgoing CIO’s interaction with the actual business of construction. “I learned during the interview that while its business may be construction, the company lives and dies by project management and remote connectivity,” he says. “I was able to show them during the interview how important those skills are to the business and how relevant they were to my own background. In the end, I got the job.”
7. Hire a number two from the industry. Aegis’s Sadin suggests that once you’ve chosen your industry and landed the job, you should look hard at the experience of your direct reports to see what they can teach you. “If I were moving to a new industry, I would make sure that my number two comes out of that industry, or I would bring someone with industry experience in,” he says. “When two levels of IT don’t know the industry, discussions get pretty surreal.” For those of you who have made the switch, what experience or advice can you offer to your peers?
Martha Heller is the managing director of the IT Leadership Practice at the Z Resource Group, an executive recruiting firm. Send feedback on this feature to editor@cio.in.
By Harichandan Arakali
CIOs are beginning to make a transition from being technology heads to IT strategists to even business strategists, notes CIO India’s advisory board. The IT leaders on our board feel technology leaders must embrace the challenges that the transition brings, especially the business ones. CIOs will then be able to make their organizations more global and profitable — and more reactive to a dynamic economic landscape.
Cover Story | CIO Outlook
"I foresee a situation where, instead of a hardcore technologist, a business manager will head the IT division in an organization." — Mani Mulki, VP & head-IT, Godrej Consumer Products
"You have to think out-of-the-box to create a business case for convergence technologies." — Arun Gupta, director, Philips Electronics India
"Converting your IT unit into a profit center and tying up with a marketing firm is one way of tackling attrition." — Manish Choksi, VP (strategic planning & IT), Asian Paints
"What will make the CIO a strategist is not outsourcing, but what he does with the flexibility a good outsourcing deal brings." — S. 'Kris' Gopalakrishnan, COO & head-technology, Infosys
"It's important to mitigate the risk of losing people. After all, they are the biggest assets of the CIO — not hardware or software." — S.B. Patankar, chief technology advisor, BSE
"Outsourcing will go from piecemeal to complete, and vendors will become strategic partners." — Sanjay Sharma, corporate head (IT), IDBI
Business Strategy ........... Page 28
Outsourcing Option ........... Page 32
Challenging Convergence ........... Page 34
Damming Attrition ........... Page 38
Every day, when Titan Industries’ small army of sales executives makes the rounds of its showrooms and its stockists, there is keen interest in the exercise from an unexpected quarter: what would otherwise be a bunch of mundane tasks that keep the world’s sixth-largest maker of branded wrist watches ticking is now a rich source of data for an experiment that the company’s CIO N. Kailasanathan is piloting. The sales team collects a lot of data, both routine and market-related, which keeps the inventories turning in Titan’s extensive domestic distribution chain of 176 exclusive showrooms and 123 multibrand outlets — Titan has sold its watches to about 7 crore customers, its website says. “The experiment is being built around a portal, which the sales guys can access from anywhere,” says Kailasanathan. But here’s the kicker: instead of just some place where the sales people will dump market data, the portal will among other things “become one way in which we can tackle attrition among the sales guys,” he says. The portal will not only act as the receptacle for the data that the sales people want to send upstairs, but also a repository of every piece of information about how they go about doing their work. Those processes are being built into the system “to act as a knowledge management tool for us”, Kailasanathan says. “So if someone quits, for instance, all his work, his best practices, and much of his market experience is still available to us,” he adds. Tanishq, the jewelry division of the company, has 50 boutiques of its own that will probably get roped in, if the pilot works as expected. “We could use this information to figure out what works for the salespeople, what motivates them, and even train future sales leaders.” Sure, a meeting of minds of field sales staff and boardroom executives could do wonders for any company, and especially a large retail chain. But, did you think the CIO would be in the thick of it, ever?
“Actually, among my peers, many CIOs are already in the thick of it,” says Arun Gupta, director of Philips Electronics India. Today’s leadership teams more often than not include the CIO, he says. Moreover, the CIO is reporting more directly to the CEO, he adds. Even in the conventional setup, where CIOs report to CFOs, only “a myopic CFO will want to keep his CIO from making strategic contributions,” Gupta observes. “Time and technology wait for none,” asserts Anurag Jain in his doctoral work at the Indian Institute of Management-Bangalore, referring to a dictum that CIOs swear by. Jain, who now heads Air Deccan’s revenue management systems, researched the changing strategic role of information systems executives. His work explores various factors contributing to the transition of the CIO from operations person to strategy person. The important factors matched the main finding of a survey, conducted by CIO India, of its editorial advisory board: pushed by CEOs to do more for less, grappling with convergence of communications technologies even as they begin to outsource more, and competing with the Indian IT services industry for recruits, CIOs of Indian enterprises have never had it so tough… or so exciting. These are good times to be adrenalin junkies for CIOs, as John Gantz, research firm IDC’s chief research officer, says. The rush will come in the form of a transformation of the role of the CIO — from IT strategist to business strategist.
Business Strategy
Imaging by Binesh Sreedharan
Photo by Srivatsa Shandilya
The single most important question a CIO must ask himself today is: “Can I see the big picture?” The answer won’t be the same in India and the US, says S. 'Kris' Gopalakrishnan, COO and head-technology, Infosys Technologies. In the US, CIOs have been grappling with this question for some years now, whereas only a few companies in India have truly leveraged technology, he says. The CIO in India is seen more as an operations person, someone who helps automate processes — a technology person. The transition from the operations person to a strategy person, who can leverage IT for competitive advantage and ultimately new revenue streams, is only starting to happen, he says.
“But IT alone will not deliver that advantage for long,” says Rishikesha T. Krishnan, professor of corporate strategy at the Indian Institute of Management, Bangalore. As long as it is a matter of technology, competition can do it too, he adds. The differentiator, Krishnan believes, will be how much of a strategist a CIO can become — use his insights into how technology works to suggest business strategies to the CEO. He must also follow up with practical ways of implementing those strategies. CIOs, then, must know the business of their constituencies like the back of their hands. Air Deccan, which saves up to Rs 50 per ticket by doing most things online, and ICICI Bank, which has an entire business channel built around the Internet, are exceptions. In general, the role of the CIO has been restricted to providing operational support and can’t be seen as strategic.
Gopalakrishnan says that in companies where the transition has taken place, CIOs are beginning to report more directly to the CEO rather than the CFO. These could be firms where the CIO’s role would become one of a ‘revenue enhancer’, which gives him the opportunity to interact directly with the CEO – and maybe even look at a broader CXO role in the future, he says.
In the US, the transition is definitely happening because of the Sarbanes-Oxley Act. With the increased focus on leveraging information for risk mitigation, for instance, the role of the CIO is changing: he has an audience with the board. In India, it has changed only in a few cases, he says. Arun Gupta, director of Philips Electronics India, however, believes that the strategic role of the CIO is now pretty much established in India. Today’s corporate structures make strategic decisions the responsibility of a team rather than just the CEO, he says. “The CIO is very much part of that team, which is more relevant than a position on the board,” he says.
S. ‘Kris’ Gopalakrishnan, COO and head-technology, Infosys, sees future CIOs as business leaders and revenue enhancers.
Driven by IT
There is some danger associated with “IT-driven decision-making”, says IIM-B's Krishnan. “Strategic or not, CIOs must understand business… That’s very clear because IT-driven decision-making can often conflict with other organizational priorities.” He cites the Taj Group of Hotels’ revenue optimization model, featured in CIO India ('Hit The Suite Spot', May 1, 2006). “The whole theme seemed to be: one can maximize returns on a room by choosing customers. But there are non-IT factors here, which can hurt your profitability if they are not factored into your decision support system. For instance, if you refuse a customer a room in a hotel because your software program tells you so, have you factored in customer service — what about customers who may not maximize your revenue on that room at that particular time, but are potentially among the most profitable customers for the hotel over three years?
“This doesn’t mean that one shouldn’t use IT. Just be very careful about optimizing that revenue from a room — what you want to do is to make sure that such customers don’t get treated badly, even if, at a particular time, you are losing a bit of revenue from them,” Krishnan explains. “Your IT system must capture such subtleties. The CIO must ensure that the subtle nuances of business are incorporated in decision-making support systems that exploit technology.”
Are CIOs in Indian firms equipped to make such “non-IT decisions”? Traditionally, the IT heads have come through the technology route, without adequate business exposure — barring the exceptions, that is yet to change, unlike in departments such as HR. Today, it is accepted that HR managers too need exposure to line functions. Future CIOs, more involved in the actual running of the business, could have MBA degrees with systems as a specialization, for instance. They would still need real business exposure.
A Struggle?
“When I ask a CIO, ‘How is your time share right now versus how you would like it to be?’ most say they spend at least half their time on technology or operational issues,” says Anurag Jain of Air Deccan. “But they all want the opposite: spending at least two-thirds of their time on business-related strategy,” he says. “There are bottlenecks in the corporate structures of businesses that don’t allow CIOs to operate in a strategic way,” he says. It will also depend on the sector. Banking, telecom and aviation, for instance, are sectors where one can’t do without IT. Earlier, there was a maturity curve in these sectors, which doesn't exist today — companies start with a big bang on the IT front. In such sectors, there is no question about the strategic role of the CIO, he says.
The CIO of a large mobile phone services company whom Jain interviewed for his doctoral work says, “In corporate business, the management executive is seen as a warrior, whereas the CIO is seen as an inventor. The challenge is to see them together.” This perception also feeds into a “struggle” the CIO faces to expand his role. The CIO points out, “One way out is literally that: Way Out. If efforts at becoming a strategist from within the organization do not yield results, become an expert from the outside.” And call it collaboration! Top management executives too prefer this route sometimes, says the CIO.
In an era of outsourcing, how much of a firm’s IT strategy is driven by vendors is another question. One argument is that outsourcing makes the role of a CIO more strategic because only the important things are left for the CIO to manage — all the small things are out of the way. For instance, the CIO of a large bank might see his role as a strategist: IT governance is a big issue and the CIO will be involved in setting standards, building processes, formulating a matrix of requirements and managing service level agreements.
The Context
Broadly, companies have realized the potential of technology to improve business functioning; there is little doubt about that. IT plays an important part of their business — keeping in touch with customers and e-commerce are examples. Even if a firm isn’t doing e-commerce, it still needs to tackle real time acquisition of point-of-sale data, for instance, in addition to data warehousing, and analytics. Clearly, technology is important in these areas. But can IT really provide a distinctive advantage? “It’s one thing to say IT is important, but another to say you should build your competitive business strategy around IT. Here the story is a bit mixed,” says Krishnan. What has emerged is yes, IT can give a competitive edge, but only for a while, for others can do it too. This doesn’t diminish its role; only, there will also be several “non-IT” sources of business advantage.
Whether IT is used well will also depend on many other things. For instance, many firms have implemented ERP systems, but how well are they exploiting all the reports generated by these systems? Organizational structures play a big role here, so whether IT will really be a differentiator will depend on factors including how a company is structured, its decision-making processes, and how much attention is paid to data and analysis. Companies that fail to invest adequately in IT — the opposite argument — will lose out in the market: they may find themselves at a competitive disadvantage. So, firms need to know how to use IT intelligently; even with outsourcing, one must know how to do it — including asking vendors the right questions and monitoring their work. So, knowledge of the potential and role of technology will be important.
For all these reasons, the role of the person who heads an IT-related activity is going to be very important. Will that person really play a strategic role? The answer involves more questions: what business is his firm in? How critical is IT to the success of that business? What investments are companies making in IT in that sector? And certainly, how much interest does the CEO take in IT, how much expertise does he have in it? En route to becoming a strategist, the CIO will encounter some formidable challenges, some of which are also opportunities: how does one manage and exploit outsourcing? What can the impending convergence of communication technologies do for business? And how does one attract and hold on to the many talented people who will be needed to tackle the first two questions?
[Figure: 7 steps to CIO heaven: from technology leader to business strategist. The steps shown are: Lead the business; Champion the impact of “e”; Source intelligently from the external market; Create an environment of opportunity; Develop IS technical, service and management skills; Ensure and demonstrate excellent value and performance; Build and maintain the technical platform and service delivery. Role labels on the figure: Corporate CIO, Business Unit CIO, Chief Technology Officer. Source: Gartner Inc.]
Managing Outsourcing
Imaging by Binesh Sreedharan
Photo by Kapil
Mani Mulki, VP-IS, Godrej Consumer Products, says the outsourcing wave will lead IT teams to hone their vendor management skills.
If the CIO is to become a more strategic animal, where does outsourcing fit in? The consensus among CIOs is that outsourcing of IT functions is increasing among large Indian enterprises. And they see it becoming mainstream in the next two years. Will outsourcing take some of the pressure off and free the CIO from operational chores to focus on IT strategy and even business strategy? The Indian CIO will find that it is “a constant challenge to get the best out of vendors,” says Rishikesha T. Krishnan of IIM-Bangalore. And will outsourcing be enough? Not really, for with outsourcing, the CIO will find that he has only begun to change the way he works. His workload will then include building a governance structure needed to make the outsourcing relationship work.
Mani Mulki, a vice president heading information systems at Godrej Industries, says technology has become pervasive — management executives are no longer IT-agnostic. He points out two trends fueled by the increased dependence on IT that will drive outsourcing: first, IT departments are feeling the heat to maintain the efficiency of IT systems at near 100 per cent levels and, second, CIOs are expected to both maintain that efficiency and bring in new solutions to keep pace with the changing business needs of organizations. This combination of pressures will get more fierce as technology is commoditized. Business executives now see technology as an integral part of the organization; they are asking for more from IT to help develop new products and grow the business. In two years, not only will outsourcing increase, but CIOs are likely to drive more “complete outsourcing”, says Sanjay Sharma, corporate head of IT at IDBI. Mulki adds that the biggest challenge organizations will face is to define the business case for outsourcing because companies will otherwise get stuck in the rat race of “me-too”. Future reasons to outsource could even include security and building redundancies into IT systems, he says.
At present, enterprises have chosen selective outsourcing and, in many cases, with multiple vendors. Here, the challenge is to draft, define and execute efficient SLAs. CIOs have to struggle to sustain SLAs with multiple vendors. In the future, organizations will prefer to outsource it all to one large player who will not only take care of infrastructure but high-end application development as well. This player will also have extended soft skills in the areas of training and will support existing applications. Sharma says there is a flip side to this: organizations stand to lose core expertise as they increasingly depend on vendors. The longer the duration of outsourcing deals, the higher the risk of losing in-house expertise, skill-sets and ultimately control. The challenge will be to balance outsourcing with retaining knowledge and skill-sets within the CIO’s organization. CIOs will need to develop higher skill-sets in their own departments to ensure that outsourcing doesn’t erode data integrity. Defining and documenting SLAs to get the best out of the vendor without compromising on the organization’s interests becomes tougher.
Arvind Tawde, vice president and CIO, Mahindra & Mahindra, says there is another dimension to outsourcing: managing global operations. Many Indian companies are now going global, so CIOs will have to manage global IT infrastructure and operations, and global service providers. The issue is not only outsourcing of technical integration, but also of managing cultures and different practices. “The leadership qualities of CIOs will be tested,” he says.
Outsourcing Strategists
Sharma is optimistic: “As we move increasingly towards outsourcing our processes and functions, both mundane as well as specialized, we will be in a position to harness a much larger bank of specialized skill-sets with our vendors... They will (then) acquire the position of strategic partners.” Opportunities will lie in harnessing the expanding knowledge base available in the market, specializing in niche areas, and focusing on only the core business. With maturity coming in the area of complete outsourcing, organizations will not lose time in merely managing the infrastructure supporting the core business but will be able to focus more on the core business itself, generating more business products to market and gaining value, he says.
Infosys’s Gopalakrishnan agrees: “Certain things can’t be outsourced — the technology architecture of a company, vendor management, deciding on strategic use of IT. Outsourcing makes IT teams lean, but doesn’t eliminate the need for them. You still need to figure out how to use IT, only the execution can be done from outside,” he says. Progressively, organizations will outsource end-to-end management of hardware and infrastructure, including disaster recovery establishments, along with the entire management of the DR setup, drills and maintenance. Sharma, in fact, says that more companies will open up to application level outsourcing too. Mulki adds that “the ASP model will make a strong comeback”. Organizations will then hire applications, and pay for the modules they use. There will be a change in the present-day application licensing model, perhaps in the next two years. It’ll be more modular. Over the next five years, applications will not be bought but hired as a service, he says.
Gopalakrishnan feels that outsourcing is only one of the options a CIO will have. Software as a service brings a new dimension to outsourcing: it can change the CIO’s expense pattern, he says. It may make sense for an organization to look at using some software off the Net, rather than license it. For instance, a CRM application is available at salesforce.com. “So it suddenly changes your spend. Within Infosys itself, we are experimenting with such ideas, using Web services for things like payroll or administration." It is hosted by Infosys, and not by outsiders. “What will make a CIO the strategist he ought to be is not outsourcing itself, but what he does with the flexibility a good outsourcing deal can bring,” he says.
Mulki’s summary is a pointer to the future of the CIO: “IT will be commoditized and I foresee a situation where, instead of a hardcore technologist, a business manager will manage the IT division in an organization. Organizations will reduce the workforce in IT departments, and only key people will remain to manage the show. Increasingly, we will witness that the in-house IT team will be required to hone its SLA and deal negotiation and vendor management skills to derive optimum results from various outsourcing deals.”
Challenges of Convergence
Imaging by Binesh Sreedharan
Photo by Srivatsa Shandilya
Technology, the undisputed domain of the CIO, is changing and, in the process, is attracting the attention of business heads. It’s opening up the possibility of putting voice and data on the same networks in large deployments. So a business-savvy CIO will still need to be the technology leader his organization can count on. And outsourcing plugs directly into the question of how firms will deploy convergent technologies.
Arun Gupta of Philips says convergence devices and the need to connect to the corporate infrastructure will not be limited to a select few in the company. Almost all decision makers and influencers will require on-demand access to information across different devices. Thus, applications being created should now cater to the possibility of information access and availability across multiple mobile and stationary platforms (laptop, tablet, PDA, mobile phone and home broadband). This has been on the agenda for some time now, even if its adoption across enterprises is limited and varies across levels. For instance, middle and senior management with laptops typically access corporate networks and all resources, whereas sales teams will get updates and alerts via SMS on their mobile phones, says Gupta. The challenge is two-fold: first, can organizations take advantage of voice and data riding on the same network to improve their business processes? And second, how can customer-facing industries such as telephone firms, television networks and banks exploit convergence to do more business? Gupta says, “Companies are experimenting, but I don’t really know what will be the new paradigm that will make convergent technologies mainstream.” Even in the developed market, where the technology has been available for over five years, there have not been large deployments by any enterprise, Gupta says. “Everyone is trying to restrict it to their own domains — where they can keep tabs on it.
But when you try to start connecting to the outside world, it becomes a difficult challenge.” VoIP, for instance, is working but only for the carriers or in closed user groups. At the moment, the dropping cost of conventional telephone and mobile services has influenced firms in India to feel that it isn’t viable to invest in some way of enabling convergence for consumers, he says.

Using convergent technologies within organizations is a different idea. It helps reach out to people with rich media: earlier it was offline; streaming was not very effective. So one sent out copies of CDs and hoped that people saw them. Now, with network speeds increasing and compression technologies improving, these things can be done easily. An event held at Pfizer (where Gupta worked prior to joining Philips) last year, for instance, was webcast live across multiple internal networks with no bandwidth hassles. People were able to interact live. “That’s a new possibility because the firm was enabled. At Philips too, we have the capability to collaborate across the globe,” he says.

But has anyone measured how convergence will make business processes more efficient (even in pilots), and which processes? Has anyone come up with metrics to find out if convergence will indeed make the processes more efficient? Gupta says he hasn’t heard of any. There isn’t even anecdotal evidence yet that business processes are made more efficient with convergence, he says. “You have to think out of the box to create a business case for convergence technologies. A real business case will be difficult to build. Today, the cost of deployment is pretty high and until the volume picks up, it is likely to remain that way.” The break might come from the carriers who may enable customers with this technology, “but if you ask me whether I can build a business case for Philips today — I don’t think so.”

For a feel of why it isn’t commercially viable to go all out on convergence, and what CIOs are doing instead, consider Philips’s new campus in Bangalore, which will take 1,000 seats.

Arun Gupta, director, Philips Electronics India, advises CIOs to think out of the box to create business cases for convergence.
“Originally, we planned it to take any kind of technology,” Gupta says. “But when we looked at the budget, it didn’t make sense because we wouldn’t have been able to use those technologies for another two years.” “The basic infrastructure alone came to Rs 13.5 crore to Rs 18 crore — just setting up the servers, the switches, the cabling.” Software was additional and we weren’t even talking about the end-user devices such as desktops, laptops, PDAs, he says. “We were trying to create a campus that would be able to use any device, be fully wireless; we wanted to bring fiber to every desktop so you could get any bandwidth you wanted, and we were also trying to put in IP switches within the campus and some kind of converters that would talk to the external world.” “But what we settled for was IP-ready switches without the IP part of it. We didn’t bring fiber to every desktop but we did Gigabit Ethernet. The campus is still fully Wi-Fi today, but simple 802.11. Some compromises were made, but we did it at half the cost.”

At the software application level, it is far from simply connecting everything to work together, as Jain is finding out. At Air Deccan, charged with its revenue management system, he is trying to buy an off-the-shelf solution, “but integration is a tricky issue because of some of the limitations with our existing customer reservation system”. An advantage of integration is that the airline will be able to target specific groups of customers: for instance, they can be alerted about available seats on flights of their interest.

Air Deccan is also finding out first-hand the difficulties with integration when two businesses want to collaborate. Efforts to integrate Air Deccan’s portal with the travel portal Makemytrip.com haven’t helped so far. “They already do this with some of the other carriers,” Jain says. “What they want to do is take data about our fares from our portal; there are tools — web-scrapers or leech software — that do this. The problem is that with our existing website, we can’t provide the format in which they want the data. We book 25,000 seats a day, clock Rs 5 crore - 6 crore; we’d be in big trouble if we tampered with that.”

Once they’ve overcome business-to-business issues, firms such as Air Deccan and Makemytrip.com will have another challenge to worry about: providing secure ways to customers to buy online and on the air, and giving employees within the enterprises the ability to log in from anywhere, via any mobile device. Some of this is already happening, using SMS for instance. In a world where everything is connected, “if you have a mobile phone in your pocket you can stay in touch with your office, answer mails, give approvals, see your favourite movie, watch a cricket match, listen to music, play a game with a friend, buy flowers for your wife and turn air conditioners on,” says Arindam Bose, CIO at LG Electronics India.

Bose points to five areas in which he is a “great believer in the mobile device”:

Communication. This is already happening and will only get better with speedy Internet and video chat on mobile phones.

Entertainment. Mobile-iPod hybrids will emerge. With Digital Mobile Broadcasting (DMB) making a commercial presence, you can see your TV programs on handhelds. Once DMB is in the bag, service providers will soon move to give Video On Demand. Consider games: now, there are standalone games on all mobile phones, but with infrastructure in place, “we will move into networked games where people can be anywhere but enjoy or compete”.

Computing power. Software makers are moving in to give computing access on handhelds. So, handhelds will act as thin clients for most ERP or other IT-enabled business processes.

Commerce. M-commerce is already a byword and in Japan, thanks to DoCoMo, and Scandinavia, people are buying and paying through mobile phones. It only needs to be extended on a larger scale.

Control. Consumer durable companies are beginning to adapt their products, so that people can adjust their air conditioners, check the contents of their refrigerators, enable child-locks on televisions or download recipes for their microwave — all through a handheld.

What all this means is that in addition to playing a dominant role in building back-end infrastructure, the CIO will be indispensable to building the business models that will commercialize convergent technologies.

“I am a great believer in the power of mobile devices for communication, entertainment, computing, commerce and control.” — Arindam Bose, CIO, LG Electronics India

8 Steps to Innovation
It’s what the business wants. Here’s how to do it.

1. Create a business/IT rotation program. Move IT people into the business and vice versa and watch innovation bloom.
2. Move the focus from technology testing to simulation in a business context. Test your systems in a business context — with real people, data and customers.
3. Build an innovation team. Make innovation purposeful by devoting a small group to ongoing pilot projects and meetings with businesspeople.
4. Mesh IT development with product development. IT people could help speed the development process or even collaborate with product engineers.
5. Squeeze savings out of the infrastructure and dedicate the money to innovation. A program to constantly reduce fixed costs means there will be more money for innovation... without budget increases.
6. Use process improvement methodologies (CMM, ITIL and so on) to decrease innovation cycle time. Using CMM to standardize and improve processes means new projects can be completed quicker.
7. Conduct interviews with all levels of the business. Interviewing businesspeople about what they do, what their problems are, and what they’d like to do next is the first step toward innovation.
8. Create a joint IT and business capital spending plan. Linking the IT budget to plans to build a new factory could make it a better factory.

Sources: Forrester Research, Gartner, CIO
Tackling Attrition
So, the CIO has enormous potential to be more proactive in corporate business. But, in what is necessarily a team effort, leveraging IT to boost growth and profitability is hard if the CIO can’t find and retain young talent. Nurturing young recruits into leaders is even harder.

S. B. Patankar, chief technology advisor of Bombay Stock Exchange, believes, “Pay structures are the first challenge. Beyond 10-15 percent lower than the going rate, it becomes very difficult to retain good talent.” He says pay structures fall into three categories with the top payers doling out the best salaries to fresh engineering graduates. Patankar advises organizations to classify themselves into one of these groups, and match salaries to the group standard if they want to stop skilled IT workers from leaving. But how does a CIO convince HR to revise its pay structure to avoid losing skilled IT workers? By looking at a scenario where the same job is outsourced, forcing the company to pay even more. Though this cannot be made the norm, Patankar insists that incentives have to be provided.

However, Manish Choksi, VP (strategic planning & IT), Asian Paints, says attrition is a way of life. “We can only design systems to live with it. Our compensation is benchmarked with the lowest level among IT services companies, which works for us,” says Choksi.
Manish Choksi, VP (strategic planning & IT), Asian Paints, believes using IT as a profit center can help lower attrition. Imaging by Binesh Sreedharan. Photo by Srivatsa Shandilya.

Challenge Them

What Asian Paints lacks in pay, it makes up in career planning. After the first two years in an organization, talented people will stay only if an attractive career roadmap is articulated to them, notes Choksi. However, providing a career roadmap to fresh recruits is a CIO’s biggest challenge. Beyond the rank of executives or IT managers, it is essential to assign some generalist role to the IT workforce to keep saturation at bay, he feels. One way is to get people involved in innovative projects. For example, recruits who join as programmers should be given a chance to add project management and manpower-handling skills to their repertoires. Promoting people to that level gives them a growing sense of responsibility, observes Choksi. His advice is to bring people out of the ‘technology-alone’ landscape, and prepare them to become business consultants and solution architects — depending on the roles they play in different projects.

Patankar agrees that CIOs need to create new challenges for their IT workforce. In many cases, where salaries are not high, exposure to new things binds the workforce to the organization, he says, adding that organizations that have new IT projects also often have lower attrition rates. “One way we keep people involved and happy is by migrating from older platforms.” The challenges involved in this process are tremendous and there is plenty of learning and work satisfaction CIOs can provide their IT staffers, Patankar points out.

Train Them

“To minimize attrition, it’s a CIO’s key result area to strike the right balance in providing both on-the-job training and formal classroom training,” says Patankar. HR policies and a great work environment also make a lot of difference in retaining talent, he adds. People tend to leave companies with poor working environments even if they are paid well, he says. Choksi says most of his employees get on-the-job training if not formal training. “We make sure that we train people until they’re comfortable.” With tight project deadlines, it’s tough for the CIO to provide appropriate levels of training even if that’s a differentiator, he states. Since enterprises like Asian Paints don’t need to advertise the skill levels of their IT personnel, they also don’t provide certified classroom training. The technology workforce, though, considers certification integral to career enhancement — but there are dangers for the organization. “This [certified training] cuts both ways. Good IT people could move on, but there are chances they will stay,” he says. Another problem is that formal training requires a long gestation period and enterprise IT teams can’t afford that. Providing immediate solutions to every problem might not be possible, but hearing staffers out and giving them a definite timeline to resolve their issues is the order of the day. In the fight to mitigate the risk of losing people, CIOs realize that people are their biggest assets, not hardware or software.

“Pay structures are the first challenge. Beyond 10-15 percent lower than the going rate, it becomes very difficult to retain good talent.” — S.B. Patankar, chief technology advisor, BSE

Unleash Them

CIOs are also trying the smarter ‘if-you-can’t-fight-them-join-them’. A lot of enterprises now treat their IT companies as profit centers, says Choksi. This has given the CIO an opportunity to be proactive on two fronts: one, his organization gets a new stream of revenue and, two, his staff gets to move away from purely technology-led career paths, which helps control attrition. “A lot of companies are seriously doing it,” he says. A related trend among enterprises is co-sourcing IT services: joining hands with another IT services provider to share human resources. Then, there are possibilities of alliances between IT units and marketing companies to market IT services. This puts a full stop to worries about retaining talent, says Choksi. It also works wonders in specialized areas as it creates better career paths for IT staffers. In time, CIOs are likely to build small teams with strong domain knowledge, while the rest — the commoditizable services — will come from vendors. As IT teams start playing more strategic roles, the problems of pay and career paths will recede — the CIO and his team will be seen as integral parts of the business, making their attrition no more than what occurs among management executives.
Additional reporting by Rahul Neel Mani and Gunjan Trivedi. Assistant Editor Harichandan Arakali can be reached at harichandan_a@cio.in. Bureau Head North Rahul Neel Mani can be reached at rahul_m@cio.in. Senior Correspondent Gunjan Trivedi can be reached at gunjan_t@cio.in.
Subhash Chandra, chairman, Essel Group, believes that IT is enabling a change in broadcasting by letting consumers call the shots.
Redefining the Remote Control
By Gunjan Trivedi

When it comes to media and entertainment, Subhash Chandra, chairman, Essel Group, has his concepts clearly carved out: content delivery is supreme, consumer is king, and interactivity the way forward.
View from the Top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs. Photo by Srivatsa Shandilya.

The media baron looks at little else but technology to deliver the goods and realize his vision of taking the media experience to the next level. In this interview with CIO, Chandra zeroes in on the issues that IT teams of media organizations face to find their way through the maze of technologies even as their dependence on IT is bound to rise phenomenally. It is critical, he says, that a media organization invests in technologies to manage systems that will guarantee safety of content.

Subhash Chandra expects IT to:
Facilitate cost savings, while adding to the top and bottom line
Enable the media consumer to choose content, vis-à-vis interactive TV
Generate more business opportunities

CIO: You are credited with a hands-on approach to new initiatives. Do you approach IT planning and strategizing in the Essel Group in a similar way?

Subhash Chandra: Technology does play a central role in the media business. After understanding how core technology is to our strategies, I assess what it can do to better the business. Then, we have subject-matter experts who help us gauge the extent of technology enablement. Accordingly, we take strategic decisions and move ahead. And since we are technology users and not developers, we leave it to IT vendors to figure out the nitty-gritty and provide turnkey solutions to enable the strategies that we have chalked out. Technology will play a much bigger role in the media division, compared to any other divisions of our group. It is absolutely core to the movement and security of content, and ensures efficient content and management of intellectual property rights. IT alone can facilitate a lot of cost savings and add significantly to both the top and bottom line of business. It also improves products and provides new business opportunities. The caveat here for media companies lies in balancing creative content and technology investments with cost control. Media companies that do it successfully create more value in the long run.
What role has technology played in Zee’s success? And what role do you see it playing in the future?

As far as Zee’s corporate success is concerned, I do give credit to IT as it has indeed played a significant role. However, I wouldn’t say we invested in anything more than the necessary technology deployment. Our prime focus has been on improving efficiency and enabling a paperless enterprise at the start. While doing so, we figured out that there is another side to IT as well. The currency we deal in is content and, with IT-enablement of in-office processes, safety becomes an issue as it now becomes easier to take away data and content from the systems. The technology-enablement of office operations does lead us to get lost in a web of technologies: at first, we buy technology to derive optimum efficiency, then technologies to safeguard the content and, finally, the technologies to manage those systems that ensure safety of our content. Therefore, we are pretty cautious in the kind of office automation we want to bring in. We don’t want to invest in cutting-edge technology that we find difficult to manage later. Nevertheless, the broadcasting side of our business is witnessing cutting-edge technology implementations. We are now deploying new age digital asset management systems, through which we are building in access authorization, so that only authorized personnel have access to the content on our systems. In addition to this, we recently acquired a technology company called Pacenet that is developing various distribution technologies to deliver audio and video at homes in a far more efficient manner. Undoubtedly, technology is an integral part of a media company, and will increasingly play a very significant role in our success. In fact, in my companies, I ensure that as business managers, we do not segregate knowledge and say, this part of technology know-how comes in my domain and the other in the CTO’s domain. Instead, knowledge of technology and its impact on our business is known across our entire business side, helping us have a better understanding of the scope, limitations and hurdles our strategies may have.

“No business can succeed if technology and its decisions are left to the IT team alone.” — Subhash Chandra
Essel Group has varied business interests. How do you see IT binding all of it?

I am still learning the effect of IT binding all my business but, from what my colleagues have told me, we are trying to technologically bind diverse business streams into one. We are improving efficiencies phenomenally, enabling better overall management as well. E-procurement is another area where our group companies are getting involved. In fact, one of our companies participated in e-bidding globally. With technology binding all the business streams, if we can reduce our input costs by 15 to 20 percent, it’ll be very good.
What has the role of IT been in Essel Group’s new revenue-making streams like online lottery and initiatives such as digitization of Zee’s content library?

These initiatives have been made possible only because of technology. Five years ago, when we converted an hour-long content from a normal broadcast mode or a digi-beta tape to the Internet platform, it would take us at least six hours. With the technology we are now deploying, my content is residing on servers in the native digital format. So, with the click of a button, I can get the content converted to IP format, making it available online in a jiffy. We are the first company in this part of the world to implement this capability of converting our content to any platform of choice and, hopefully, we’ll see the commercial results by this October. It is indeed dramatically different from what it was five years ago. And, with these advancements, we can now leapfrog in terms of taking innovative revenue-generating initiatives.
SNAPSHOT: Zee Telefilms
Revenue (2004-05): Rs 1,360 crore
Employees (2005): > 2,400
No. of Brands: > 23
Viewership*: India 70,00,000
No. of Subscribers (in households)*: Middle East 1,72,000; Rest of Asia 2,24,000; Africa 51,000; Canada 53,000; Caribbean 96,000; UK 168,000; US 2,27,000
CIO: Ishwar Jha
*as on March 31, 2005

How do you see New Age technologies such as IPTV and video-on-demand revolutionizing the media and entertainment?

My view is that all these will be different names or protocols for content availability. Here, technology will enable the consumer of the media content to watch and receive content of his choice at his own convenient time, place and format. The power of content, which is right now in broadcasters’ hands, will shift to the consumer. It will revolutionize the way content is dished out. With interactivity, consumers will decide when and where they wish to see what kind of content. This will come in only through objectivity. For instance, sometime soon, if you tune into Zee News channel, there’ll be six video feeds available on screen – the first one will display general news bulletin, the second can be specific headlines, the third could be crime stories, the fourth can be news about entertainment business, the fifth can be financial news, and the sixth focusing only on the weather. With your TV remote, you can then select the specific video feed, and that particular kind of news will be displayed on TV. This kind of interactivity is not possible without technology. A lot of other development in terms of broadcasting technology is also happening. Tremendous innovation is happening in different areas, right from compression technologies, which are going to make the cable and satellites’ content-delivery capacities phenomenally more, to the Consumer Premises Equipment (CPE) domain. My feeling is that, over the next three to four years, we should be able to bring down costs of CPE significantly and provide CPE at prices anywhere between Rs 50 and Rs 100, as compared to today’s prices of Rs 5,000.
Will Interactive TV create the kind of impact that cable broadcasting did in India in the 1990s?

India is catching up fast. The only regret is that people with vested interests have kept digitization of cable way behind, when it should have happened two to three years ago. If digitization of cable would have happened, all these technologies would have automatically found space to come in. We are trying to push it as much we can by making headway in digitizing the cable business. Our division, Siti Cable, has been hived off as a separate standalone company just to enable digitization of cable broadcasting. In totality, India is five years behind the developed economies, and has a lot of catching up to do to bridge that wide gap.
What work is Zee doing in technologies such as 3G mobile technology?

In the areas of convergence, we are primarily involved in repurposing activities, that is, converting content from one format to another for different platforms. Eventually, as the markets will grow, we will go to the source. With this, we will be producing content for mobile devices that will be different from what is being produced for big screen televisions. I am sure it is soon going to be roti, kapda, makaan — and entertainment. And when this kind of expansion of entertainment has to happen, technology, as an enabler, has to chip in. There are markets for handheld devices, broadband or normal delivery mediums. Technology will help us in harnessing and tapping these markets.
How should the typical CEO approach IT?

IT should be looked at a much higher level than just playing the support function. Earlier, there were times when I would say that this is not my competency area; I would just let the technology guys take decisions. Now, technology is so integral to business that no business can be successful if the understanding of technology and decisions are left for technology decision makers alone. The business side has to be deeply involved as well.
Senior Correspondent Gunjan Trivedi can be reached at gunjan_t@cio.in.
Security
The No-Cost Anti-Spam Solution

By Paul Venezia
Illustration by PC Anoop

Blacklists, whitelists and greylists are all essential spam-fighting tools. Here's how your organization can use them effectively.

Reader ROI:
Three approaches for enterprises to battle unwanted mail
The DNS blacklist conundrum
A real spam solution
Like the rising cost of postage stamps, increasing complexity in e-mail is inevitable. In the early halcyon days of the Internet, SMTP connections flowed like a mountain spring and mail filters were used solely for mail organization. Now, the water is brackish, and mail filters are an absolute necessity. But whose filters?

Given the extraordinary volume of e-mail that most organizations receive, care and feeding of e-mail whitelists and blacklists is sporadic at best, and it’s usually done only to address an acute problem. Subscription services such as Postini can alleviate this problem from an inbound perspective, but that’s only half the battle.

Free DNS blacklists such as spamhaus.org and spamcop.net provide an interactive service to enable inbound mail servers to match the IP address of the server delivering mail against a list of known spamming servers via a simple DNS query. If a positive match is returned, the mail is rejected.

Many organizations also rely on whitelists, which are simply lists of domains, addresses, or SMTP relay IP addresses that are always allowed to deliver mail. In most infrastructures, this is a list of domains that are close partners with the company, and ancillary addresses or domains that would be caught in a spam filter but are valid.

The remaining list-based protection form is greylisting. A greylist rides the boundaries of the blacklists and whitelists, using interpretive back-end code and SMTP status flags to create dynamic whitelists and blacklists. All three approaches have their place in the modern enterprise’s battle against unwanted e-mail, but as with many well-intentioned schemes, caution should be exerted to protect the innocent — particularly when it comes to blacklists.
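The DNS query the article describes is a plain A-record lookup: the connecting server's IPv4 octets are reversed and the blacklist zone is appended, and an answer inside 127.0.0.0/8 means "listed". The following is an added example written for this page, not the author's code and not any blacklist operator's API; the zone names (bl-one.example, bl-two.example, dead.example) and every address in the lookup table are constructed so it runs offline. It also goes one step beyond the text by requiring two independent lists to agree before rejecting, a design choice of this example that limits the damage when a single list has swept up a whole netblock or a shared-hosting address.

```python
"""DNSBL lookup helper (added example, not the article's code).

A DNS blacklist answers an A query for <reversed-IPv4>.<zone>: an answer in
127.0.0.0/8 means "listed" (the last octet encodes the reason, per list) and
NXDOMAIN means "not listed".  The resolver is passed in as a callable so the
example runs offline against a constructed table; live_resolver() shows the
same call against real DNS.  All zone names and addresses are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]  # query name -> first A record, or None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 checked against bl-one.example -> 10.2.0.192.bl-one.example."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Real DNS: first A record, or None on NXDOMAIN / lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_listing(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.0.0.x answer when ip is listed in zone, else None.

    An answer outside 127.0.0.0/8 is not a listing: it usually means the zone
    has been retired and wildcarded, or the query was refused.  Treating it
    as a hit would reject all inbound mail, so it is raised instead.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"{zone} answered {answer}; zone is probably dead")
    return answer


def blacklist_verdict(ip: str, zones, resolve: Resolver, min_hits: int = 2) -> str:
    """'reject' when at least min_hits zones list the IP, otherwise 'accept'.

    Requiring agreement between lists is this example's choice (assumption),
    meant to blunt the netblock and shared-hosting false positives the
    article warns about.  min_hits=1 gives the plain "any hit rejects" policy.
    """
    hits = [z for z in zones if dnsbl_listing(ip, z, resolve) is not None]
    return "reject" if len(hits) >= min_hits else "accept"


# Constructed stand-in for DNS so the example needs no network access.
FAKE_DNS: Dict[str, str] = {
    "10.2.0.192.bl-one.example": "127.0.0.2",  # 192.0.2.10 listed by both zones
    "10.2.0.192.bl-two.example": "127.0.0.2",
    "20.2.0.192.bl-one.example": "127.0.0.4",  # 192.0.2.20 listed by one zone only
    "99.2.0.192.dead.example": "10.0.0.1",     # retired, wildcarded zone
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


ZONES = ["bl-one.example", "bl-two.example"]

if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "198.51.100.7"):
        print(client, blacklist_verdict(client, ZONES, fake_resolver))
```

To use it against a real list, pass live_resolver in place of fake_resolver and real zone names in ZONES; the query name and answer-interpretation logic are unchanged.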
The Vigilante Approach

Although quite plentiful, DNS blacklists have had their share of controversy. Given enough subscribers, a listing on a DNS blacklist can render e-mail useless for the target. Of course, this is the whole idea, but it’s not uncommon to find a site listed in a DNS blacklist that really doesn’t belong there. The reasons for this are varied. Direct reporting of a spamming IP address to a DNS blacklist may result in not just that IP but the whole netblock appearing on the list. Shared hosting suffers from a variant of this problem, as a single violating user can cause many sites to be blocked because they all originate from the same IP address. In other cases, end-users of large ISPs may decide to mark legitimate mailing-list mail as spam rather than unsubscribe from the list. Thus, that server may be blacklisted, at least from that ISP.

The lists themselves vary in focus and scope. The largest, sorbs.net, spamhaus.org, and spamcop.net, use general spamming guidelines to determine a host’s status. Rfc-ignorant.org goes a step further and lists mail servers that violate RFC 821 and 2821, which govern SMTP communication. Unfortunately, there are quite a few legitimate mail servers that violate these RFCs due to poor design and implementation, and anyone using those servers is likely to be listed by rfc-ignorant.org even if they’re not spammers. Certainly, those sites should be running compliant servers, but subscribing to this DNS blacklist can hamper otherwise legitimate communications. That said, the most popular DNS blacklists have been honing their service over the past few years and offer significantly more accurate results than
A Day in the Life of a Mail Server
Think your life is hard? A mail server’s is harder — it spends far more time killing spam than delivering mail.
I woke up, fell out of bed, dragged a comb across my head, and checked the statistics generated by one of my mail servers in the past 24 hours. The day before, I wrote a Sendmail milter in Perl to match every inbound mail relay against three of the most popular DNS blacklists: spamhaus.org, sorbs.net and spamcop.net. No blocking took place, as I was just interested in collecting numbers. (A milter is an extension to Sendmail’s mail transfer agent.) After the inbound e-mail was catalogued in the database, it was passed on to a trio of e-mail filters. First, it hit the greylisting milter that uses a heavily customized version of Evan Harris’s relaydelay code. If it passed that filter, it was checked by ClamAV for viruses and phishing scams, then finally passed to SpamAssassin for spam checking. The results are impressive (see chart). Beyond the DNS blacklist matches, we see that the greylisting filter is working overtime: 120,571 messages were seen by the greylisting code, with only 87 matching manual whitelists. Of those, only 2,515 messages were retried and successfully passed through the filter. Of that number, ClamAV discarded seven worms and 23 phishing scams, and SpamAssassin pulled out 64 confirmed spams, although 308 suspected spams were passed through. This filtering resulted in 2,113 messages actually delivered to inboxes in that 24-hour period, or less than 2 percent of the mail volume. If the DNS blacklist checks were in place and refusing e-mail based on the lookups to sorbs.net and so on, the number of e-mails hitting the filter chain would be halved, though at least 60,000 unwanted e-mails would still hit the filters. Looking through the logs during the past few weeks, I saw that this was not an anomalous event. These numbers crop up nearly every day. The MySQL database running as the relaydelay backend has seen more than 43 million e-mails since I implemented it in its current form almost exactly one year ago. If you think that this filter chain is rather absurd, take it as an indication of the general state of e-mail traffic today. Without these filters, e-mail through this server would be unusable due to the crushing spam volume. That’s the truly absurd part. — P.V.
Progressive e-mail Purification (24-hour period)

Original connections                       122,865
DNS blacklist matches*
    Spamhaus.org                            57,881
    Spamcop.net                             45,829
    Sorbs.net                               59,010
Passed greylisting                           2,515
Caught by ClamAV
    worms                                        7
    phishing scams                              23
SpamAssassin
    confirmed spams blocked                     64
    suspected spams passed through             308
Actually delivered                           2,113

*Some spammed e-mails could be common to multiple blacklists.
previous incarnations. In fact, services such as spamhaus.org and sorbs.net offer freely available lists that don’t just blacklist known spammer netblocks, but also list known dynamic IP netblocks used by carriers for home broadband connections, hosts running open proxies, buggy Web code that can be co-opted to send spam, and hosts that have been identified as zombies and are spamming at the whim of a botnet controller. How popular are these DNS blacklists? Steve Linford at spamhaus.org estimates that the spamhaus network receives between 80,000 and 100,000 queries per second, and that doesn’t count the number of large entities that don’t use the public servers, but have arrangements to pull the DNS blacklist databases to local servers on a scheduled basis, which significantly reduces the number of queries to the public servers. But what about false positives? “Funny you should ask,” says John Shearer, Network Manager at Northfield Mount Hermon School. “Until last night we’d stayed away from DNS blacklists due to fear of false positives. In the past few months, however, we’ve seen a significant increase in our spam volume, and I finally implemented the njabl.org DNS blacklist in our mail filter. It’s stopped over 3,100 connections in the past 15 hours.” Given the prevalence of DNS blacklists, false positives are always a threat, but the ever-growing spam problem is overriding those fears, as the benefits largely outweigh the negatives. When a server is blacklisted, the site admins generally don’t know until rejected e-mails start bouncing back to users. In most cases, the bounced messages contain information on why the e-mail was blocked, and by whom. A URL is usually included in the warning message to instruct admins on how to request removal from the blacklist. Linford estimates that spamhaus.org’s turnover is five lakh entries a day. Each DNS blacklist uses its own method of collecting and maintaining its database.
Many run honeynets that exist solely to catalog automated attacks from zombie networks, adding the source IP addresses to the database when they’re seen. Dead-end SMTP servers are also used. They don’t have actual mailboxes but simply absorb e-mail addressed to nonexistent users to identify spamming networks and systems. Although the threat of open relays on the Internet isn’t nearly what it used to be, some still exist, and several DNS blacklists actively scan for open relays, blacklisting them when they’re discovered. It wasn’t long ago that many commercial SMTP servers shipped as open relays when used with their default settings. Today, that’s not an option. Nevertheless, John Gilmore, the fifth employee at Sun Microsystems — a founder of the EFF and Cygnus Solutions, and the father of Usenet’s alt.* hierarchy — continues to run a restricted open relay. For him, it’s a free speech issue. For the rest of us, it’s simply bad practice and will render e-mail basically useless.
Floating in the Grey Area
Greylisting cleverly stymies the stupid bots responsible for most spam. The main functionality lies in an SMTP error code, which tells the sending server to wait a few minutes before delivering the e-mail it just tried to deliver. Normally, this error code is sent by receiving servers that are swamped with requests and can’t handle any more mail at the moment. Greylisting relies on the fact that most spamming servers and botnets try to deliver e-mail only once, ignoring the RFC requirement to retry delivery at a specific interval. For them to attempt retries on every e-mail sent would significantly reduce their overall volume. Thus, every e-mail into a greylist filter is initially denied with the “Please try
Vol/1 | ISSUE/16
again later” error code. If the remote server resends the message in 10 minutes or so, the e-mail is passed through unmolested, as are any subsequent e-mails matching the headers of the first. Greylisting has seen growing popularity recently. This spam-blocking method can significantly reduce the problem but also delays every e-mail until the sending server retries the message. The delay is necessary to separate the wheat from the chaff, but you will find that several legitimate senders — and their ISPs — have poorly configured mail servers, requiring that you bulk up your whitelist.
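The greylisting decision described above, written out here as an added Python example (it is not the relaydelay milter from the article): a sender triplet is refused with a temporary SMTP error on first sight, accepted once it is retried after the delay, and then remembered so later mail on the same triplet passes at once. The delay, triplet TTL, whitelist and sample traffic are all assumed values.

```python
"""Greylisting decision logic, written as an added illustration. It is not the
customized relaydelay milter from the article; like relaydelay it keys on the
(sender IP, envelope from, envelope to) triplet. The delay, the triplet TTL,
the whitelist and the sample traffic below are all constructed values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

GREYLIST_DELAY_S = 600        # assumed: a retry counts only after 10 minutes
TRIPLET_TTL_S = 36 * 3600     # assumed: forget triplets that are never retried
TEMPFAIL = "450 4.7.1 Greylisted, please try again later"   # SMTP temporary error
ACCEPT = "250 OK"


@dataclass
class Greylister:
    whitelist: list                               # CIDR blocks that always pass
    seen: dict = field(default_factory=dict)      # triplet -> first-seen time (s)
    passed: set = field(default_factory=set)      # triplets that retried correctly

    def decide(self, ip, mail_from, rcpt_to, now):
        """Return (SMTP reply, reason) for one delivery attempt at time `now`."""
        if any(ip_address(ip) in ip_network(net) for net in self.whitelist):
            return ACCEPT, "whitelisted"          # manual whitelist for bad retriers
        key = (ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return ACCEPT, "known triplet"        # matches an earlier accepted mail
        first = self.seen.get(key)
        if first is None or now - first > TRIPLET_TTL_S:
            self.seen[key] = now                  # first sight: refuse and remember
            return TEMPFAIL, "first attempt"
        if now - first < GREYLIST_DELAY_S:
            return TEMPFAIL, "retried too soon"   # bots that hammer still fail
        self.passed.add(key)                      # patient retry: auto-whitelist
        del self.seen[key]
        return ACCEPT, "retry accepted"


def run_sample_traffic():
    """Constructed traffic (times in seconds): a legitimate sender that retries
    after 15 minutes, one that retries too early and then properly, a bot that
    never retries, and a relay on the manual whitelist. Returns the decisions."""
    g = Greylister(whitelist=["192.0.2.0/24"])
    traffic = [
        (0,    "203.0.113.5",  "alice@example.net",  "bob@example.org"),  # legit, 1st
        (5,    "198.51.100.9", "spam@junk.example",  "bob@example.org"),  # bot, once
        (60,   "203.0.113.7",  "carol@example.net",  "bob@example.org"),  # impatient
        (120,  "203.0.113.7",  "carol@example.net",  "bob@example.org"),  # too soon
        (900,  "203.0.113.5",  "alice@example.net",  "bob@example.org"),  # 15 min retry
        (1000, "192.0.2.20",   "list@lists.example", "bob@example.org"),  # whitelisted
        (1800, "203.0.113.7",  "carol@example.net",  "bob@example.org"),  # proper retry
        (2000, "203.0.113.5",  "alice@example.net",  "bob@example.org"),  # known triplet
    ]
    return [g.decide(ip, frm, to, now) for now, ip, frm, to in traffic]


if __name__ == "__main__":
    for reply, reason in run_sample_traffic():
        print(f"{reply:45s} {reason}")
```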
Toward a Real Spam Solution
Nonetheless, greylisting, in concert with subscriptions to one or more DNS blacklists — plus spam and virus filtering — provides the key to relatively clean e-mail flows. It’s the rule for SMTP servers today. The chance of losing or missing e-mail is ever present but not generally a deal killer. As with any widespread technology, critical mass needs to be attained before any relevant changes are seen. One potential answer to the overall problem comes in the form of SPF (Sender Policy Framework). At its essence, SPF is a reverse verification performed on each inbound e-mail. Just as every Internet mail server needs an inbound MX DNS record, SPF requires that each server maintain an outbound MX record, or rather, a notation in a domain’s DNS records that verifies that a certain server is responsible for sending e-mail. If a mail server using SPF finds that the sending server has no record in the
REAL CIO WORLD | JULY 1, 2006
Blacklisters Take One for the Team
Botnet operators and wholesale spammers on one side, and the DNS blacklists on the other. The war rages on.
Although the major DNS blacklists offer their services free to most users, they certainly pay a price for providing them. As each DNS blacklist grows in popularity and effectiveness, it presents a significant problem to the revenue stream of botnet operators, wholesale spammers, and their clients alike. Thus, most DNS blacklists find themselves mired in a battle with these unsavory entities that goes far beyond simply dealing with spam. “Oh, it’s definitely a war,” says a source at sorbs.net. “And it’s escalating. We’re actively trying to identify and stop spammers and botnets — and they’re actively trying to avoid us or destroy us.” He cites a few examples. “Since we scan for open proxies caused by malware, some of the malware programmers have started to obfuscate our scanners by returning invalid data, which causes our scanners to retry the scan. At the scanning rates we have to run, this reduces the effectiveness of the process, so we have to recode our scanners to avoid that problem.” This war is not without spies and double agents. The same source recalls one event where an anonymous e-mailer sent word to sorbs.net that a certain piece of Windows malware would automatically uninstall itself if a specific 24-byte sequence was sent to one of the TCP ports it
domain DNS, then the mail is either bounced or at least marked as potential spam. For instance, if a message is received that claims to be from aol.com, but the sending server doesn’t exist in the SPF lookups for aol.com, then the e-mail is likely a forgery. This solution has potential as well as caveats. For example, MTA (Mail Transfer Agent)-level e-mail forwarding fails, requiring servers to re-mail, rather than forward, e-mail to prevent problems with SPF filters. There are technical solutions to this, however, and they are in development. Another option is secure SMTP using X.509 certificates. This method would require that every valid SMTP server on the Internet be assigned an identifying certificate. Only servers with valid certificates would be allowed to send mail to other
listened to. With that information, the sorbs.net scans were modified to include this sequence, and thousands of infected hosts were found and cleaned. As DNS blacklists use a variety of methods to compile their databases, botnet controllers and spammers can identify and evade them. Some malware is coded to refuse connections from known DNS blacklist netblocks to avoid the scans. Other techniques involve blacklists of the blacklists, as lists of servers likely to be used as DNS blacklist spam collectors are used to avoid that trap. Beyond the cat-and-mouse game, spammers and botnet operators also employ DDoS attacks against the larger DNS blacklists, a problem that has plagued spamhaus.org in the recent past, forcing it to take active and continuous anti-DDoS measures to maintain its service. And so it goes: parry and thrust, duck and weave, as each side tries to outwit the other. If — and it’s a big if — the efficacy of botnets decreases as a result of stricter security in Windows XP SP2 and the promises of Vista, then we might see a shift in the status quo. Until then, the fight is on. — P.V.
servers. Again, this solution would require that the majority of e-mail servers operating now be assigned certificates and configured either to disallow uncertified delivery or at least put uncertified e-mail into probation. Neither solution is likely to happen soon, although SPF has seen growing popularity recently. Until several major open source and commercial MTA products begin cooperating on a single standard, e-mail, as with the blacklists, will continue to be hit or miss. CIO
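The SPF lookup described above, as an added Python illustration (not code from the article or from any real SPF library): a simplified evaluator over a constructed in-memory DNS table, covering the ip4, a, mx, include and all mechanisms with their qualifiers, plus the case that shows why MTA-level forwarding fails the check. All domains, addresses and records below are made up.

```python
"""Minimal SPF (Sender Policy Framework) check, written as an added example of
the 'reverse verification' the article describes. Not a full RFC 7208
implementation: only ip4, a, mx, include and all are handled, with the + - ~ ?
qualifiers, against a constructed in-memory DNS table instead of live DNS."""
from ipaddress import ip_address, ip_network

# Constructed DNS data (TXT holds the SPF record; A and MX are used by a/mx).
DNS = {
    "example.net": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 mx -all"],   # hard fail for others
        "MX": ["mail.example.net"],
    },
    "mail.example.net": {"A": ["203.0.113.25"]},
    "partner.example": {
        "TXT": ["v=spf1 a include:example.net ~all"],     # soft fail for others
        "A": ["192.0.2.10"],
    },
    "nospf.example": {"A": ["192.0.2.99"]},               # publishes no SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate the sending IP against the domain's SPF record.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:                       # include loops are a permanent error
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                    # domain does not publish SPF
    addr = ip_address(ip)
    for term in record.split()[1:]:      # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ip_network(arg, strict=False)
        elif mech == "a":                # sending IP is an A record of the domain
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":               # sending IP is one of the domain's MX hosts
            matched = any(str(addr) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "include":          # defer to another domain's policy
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched and no 'all'


def inbound_action(ip, mail_from_domain):
    """Policy the article sketches: bounce on a hard fail, tag on a soft fail,
    accept everything else (including domains with no SPF at all)."""
    result = check_spf(ip, mail_from_domain)
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "tag as potential spam"
    return "accept"


if __name__ == "__main__":
    # A forwarder re-sending genuine example.net mail from its own IP is
    # indistinguishable from a forgery: the MTA-level forwarding caveat.
    print(check_spf("192.0.2.10", "example.net"))   # fail
```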
Paul Venezia is an InfoWorld Senior Contributing Editor and a veteran consultant. Reprinted with permission. Copyright 2006. Infoworld. Send feedback about this feature to editor@cio.in.
Infoseeding the Farm
by Ravi Menon
Farmers in Assam, planting their monsoon crop, are looking up at the heavens — and at their PC screens. With Project Asha, they now have an information network of community kiosks powered by the Internet.
Assam is leading the way in harvesting farmers for a change — on the furrow of Project Asha. The project’s two prongs, which the Assam Small Farmers’ Agribusiness Consortium (ASFAC) has been using to good effect, are the Internet and a state-wide kiosk network. While the first is evolving on a solid foundation through ASFAC’s online agriportal (assamagribusiness.nic.in), the second has extended the benefits of the agro-information trail down to over 6,000 farmers in the state through community information centres (CICs). Project Asha has something on every government department — from
inside stories of local government departments to district-wise crop price updates across the country. Through the vast network of 219 CICs spread across Assam, the portal has been furthering its aims to mesh local crop knowledge, government policy information know-how, farmer success stories and university scholarships into a detailed picture of Assam’s agricultural map, accessible to anyone with a computer. As of May 2006, the portal had logged over 52,000 hits, says Ariz Ahammed, ASFAC’s CEO until March this year (now director-training, Assam Administrative Staff College), who has been instrumental in getting
Project Asha on track from the bare bones of an idea since April 2005. Real-time information access has been facilitated through regular price feeds of different crops on the portal. Its single-source architecture helps provide a range of e-governance services to over 6,000 registered farmers through the online facility at its CICs. Depending on the season, each CIC has been seeing 5 to 10 visitors every day. Asha’s biggest success, though, has been in uniting farmers, co-operatives, banking institutions and the academic community on a single and relevant information portal. “The players and partner list is dynamic and has the potential to expand,” says Ahammed. About 100 to 200 farmers and representatives of agricultural NGOs access the portal every day. Asha has effectively removed the trader barrier for farmers, who can extract crop prices on a real-time basis from organized markets as well as unorganized haats. “Under the NeGP (National e-governance Plan), we plan to network CICs as hubs of public service delivery,” notes Ahammed.
The Asha services portal extends its services on five different areas of farming: agriculture, horticulture, animal husbandry, fisheries and sericulture; its veterinary services are under development. With modern cultivation and management practices for a number of crops and up-to-date crop statistics available online, the portal is bringing together farmers, government departments, universities and corporates. Further, strong backbone support from the National Informatics Center (NIC) and the Department of Information Technology has helped the Assam State Center implement the project.
Reader ROI:
How to cultivate a sense of ownership and community among the stakeholders
How the portal-kiosk combo can effect a stable revenue model in the medium term
Play It Again, Assam
Ensuring end-user buy-in was a key goal of the project, for which resources had to be concentrated towards raising awareness levels and capacity building among the stakeholders. The stakeholders included agriculture, animal husbandry and veterinary, fishery and sericulture extension functionaries, scientists of the
Photos by S. Mahnta
Imaging by Binesh Sreedharan
Assam Agricultural University, R&D and financial institutions, NGOs, voluntary organizations, traders, farmers and farmers associations. “We looked at a single-window approach to the farm sector while framing our IT architecture,” says Ahammed. “Using existing ICT infrastructure helped us in our content development and localization efforts, and promoted a sense of collective ownership of the project.” Value-added services like high interactivity among different stakeholders and a facility that enables farmers to trade online also necessitated enhanced VSAT connectivity and needs-assessment studies on a continuous basis. Services are available to farmers in various packages starting from Rs 50 for a quarter, to Rs 100, Rs 250 and Rs 500 per annum. Special offers are available for self-help groups, voluntary organizations and farmers associations. Under the Rs 100 package alone, Asha offers 10 telephonic responses every month to queries from farmers, 12 hours of free Internet surfing, and even a 25 percent rebate on printing services. The challenges faced in implementing Project Asha turned out to be advantages once they were addressed. “Framing the right content and localizing some of it was a test of commitment and liaisoning abilities. Often, poor logistics and lethargy in the system did not help our updating capabilities. While
capacity building among stakeholders was effected through workshops to build awareness and participation, we still faced major constraints on Web development resources and connectivity,” recalls Ahammed. Deepak Goswami, Assam’s state information officer, technical director and officer-in-charge of the State NIC Training Division, feels Asha has been a good effort to leverage ICT for Assam’s farmer community. “A lot of effort has gone into designing, deploying and maintaining the Web-enabled system — both by ICT professionals and the state government organizations. The initial Herculean effort has started showing fruits at an early date.” At a pan-state level, besides providing farmers with the information they need in their own language, Goswami also points out the need for voice-enabled websites, which can overcome the literacy barrier. These would be effective localization measures, he says.
Fueling the Fire
Effective localization does take its slow plod, but localized applications and integrated service offerings will get e-governance stakeholders there faster, as Asha has set out to prove. With the ‘fireplace congress’, the concept of connecting community members on topics of interest and generating debate has been extended with Asha. Everybody involved has helped kindle the
flames of connectivity. All shareholders have lent different elements of their infrastructure to implement the project, says Ahammed. Under Project Asha, the CICs have been developed as repositories of agri-business information by becoming key service delivery points for the portal. Content development, capacity building, and coordination and management were undertaken by ASFAC, whose project news with certain functionalities and information on buying and selling are accessible only to registered users. Once more centers are up and running, the task of covering and connecting over 26,000 villages in Assam looms large over ASFAC. But the benefits of the program have been many and the response has been “encouraging”, notes Ahammed. The primary step in setting up Asha was using the existing infrastructure at the 219 CICs across Assam for effective services delivery, he says. “We also utilized the existing NICNET backbone for our connectivity needs. Besides NIC’s servers, where we hosted the portal services, the Assam State Center and the Solution Architect and Network Operation Group were roped in to design the software architecture, development and testing of interactive applications for the portal. The content is regularly updated on a secure VPN.” The heat of the nascent knowledge revolution on Assam’s agricultural
“We looked at a single-window approach to the farm sector while framing our IT architecture.” — Ariz Ahammed, director (training), Assam Administrative Staff College
firmament has been felt in states like Andhra Pradesh and Gujarat. “Asha possessed all the ingredients for successful use of ICT in agriculture such as collective ownership and coordination between government, farmers, institutions, civil society and the private sector. Local content has also been an important factor, besides connectivity and access to CICs,” says Ahammed. “Capacity building among the stakeholders, network connectivity, marketing and promotion of e-governance initiatives and control over Web development continue to be important. Developing and maintaining a sustainable business model is another key issue,” he adds. NIC’s Goswami says that the CIC project was launched to bridge the digital divide in the North-East. “CICs have greatly succeeded in achieving this by way of creating awareness about ICT at the block level by conducting a number of useful training programs and providing cyber-café services in the rural areas. But I believe the CIC revenue model has to be reviewed, as CICs will not be able to stand on their own feet without some amount of government support,” he explains. The project’s momentum, he adds, would be difficult to maintain in a normal government set-up without a ‘mission-mode approach’. “If nobody champions the project with the required level of commitment, it will be difficult to sustain,” says Goswami.
Harvest of Laurels
Thus far, accolades for the community matrix have rolled in fast and furious. In February 2006, Project Asha won the prestigious Golden Icon Award for Exemplary Leadership and ICT Achievement of the Year. Later in the month, the Lal Bahadur Shastri National Academy of Administration, Mussoorie, invited a presentation from Asha to IAS officer trainees on use of ICT in agriculture. Even as the SFAC attached to the Indian government’s Ministry of Agriculture requested 17 of its affiliate bodies in different states to replicate
the initiative, Project Asha officials were busy evangelizing the project at e-governance seminars all over the country. For the first time, it was giving Assam’s farmers a hand in the task of forging stronger farmer-public-private partnerships in the agri-marketing space. The success of the project also lies in attracting organizations, like National Seeds Corporation, Indo-American Hybrid Seeds and Jain Irrigation, besides a number of national agricultural institutions and state universities, into partnerships with the initiative. Nevertheless, how do you measure return on investment in a project like Asha? “Given the nature of government-public service initiatives, the response to user-fee collection by CICs has been exceptional and very encouraging. With the expansion of demand-driven services, Asha will strike breakeven within the next one year. Asha’s profitability and sustainability is linked to service delivery and further promotion of our work. I believe that e-commerce in agribusiness services and e-learning have a great future.” Once broadband access reaches more villages in Assam, it would be easier to connect them to district headquarters much faster. Asha has the scope to extend its reach beyond agriculture to areas like farmer’s education and employment opportunities, once connectivity bottlenecks are removed. Couple the increased connectivity speeds with the latest technologies, and comparisons with the US Department of Agriculture portal (www.usda.gov) will evaporate. As of now, the portal still throws up error messages sometimes when asked to fetch dynamic data on crop prices. For example, searches for price quotes for maize, paddy or fruits sometimes throw up error messages. While Ahammed insists that deficiencies in VSAT connectivity are being corrected and the site is being streamlined, these are issues that ASFAC will be keen to address for users with different connectivity speeds. Says Ahammed, “We are working on this. Asha has full potential to upscale the knowledge, information and services using the latest available technologies, including XML.” Wireless technologies too could be leveraged by Asha if projects like nLogue’s RASI can be replicated selectively. Again, this would depend on how the delicensing of spectrum proceeds at TRAI’s end. Internationally open spectrum is still held under close wraps by TRAI and further delicensing would lead to a stronger rural-urban connect and spur rural development. This would be to the benefit of telecoms too. The National Alliance for Information and Communication Technologies for Basic Human Needs aims to take information and communication technologies (ICT) to India’s 638,000 villages by August 15, 2007. Asha is the salient cloud which will usher in the ICT monsoon. While the farming community is voting with its feet for the CICs, assamagribusiness.nic.in will have to retain eyeballs outside the CIC premises. The provisos embedded in Assam’s ICT hope will be robust bandwidth and connectivity, wider data variegation and strong server traffic management, inter alia, a good monsoon. CIO
SNAPSHOT: ASHA
Farmers enrolled with agri-portal*: 6,000
No. of hits**: 52,000+
Total user fees from CICs*: > Rs 5 lakh
Current CIC visitor rate per day: 100-200
No. of CICs***: 219
Visitor target per CIC (2006-07): 1,000
*till February 2006; **till May 2006; ***till June 2006
Assistant Editor Ravi Menon can be reached at ravi_menon@cio.in.
Unwiring Chandigarh
Interview | S.K. Sandhu
S.K. Sandhu, secretary, finance and IT, Chandigarh Administration, is freeing the city from its shackles in more ways than one. His vision of ‘IT for Society’ aims to ensure that all citizen problems can be addressed electronically. Making all of Chandigarh wireless is one of the bold approaches he has chosen.
Imaging by Unnikrishnan AV
Photo by Pankaj Sharma
By Rahul Neel Mani
The Union Territory of Chandigarh, despite being spread over a mere 114 square kilometers, has made significant headway in IT in the past three years. Programs like e-Sampark and Chandigarh Training on Soft Skills (C-TOSS) have taken off and been replicated by other states. If imitation is the best form of flattery, few can question its success. Now, S.K. Sandhu, secretary, finance and IT, Chandigarh Administration, is pulling the plug in a different sense. Creating a wireless city to beat last-mile problems that have dogged e-governance applications in various states is among the approaches he is taking to ensure that IT-enabled services are accessible to every citizen. He says that their mission will only be complete when a rickshaw puller or a small farmer can avail of the utility services provided through IT.
CIO: When you decided to take Chandigarh wireless, what was your decision based on?
S.K. Sandhu: After we wired the entire city, we realized that there were still continuing issues with last-mile connectivity in some areas. This is not a problem that is peculiar to Chandigarh; it can occur in any other city. We brainstormed and came up with the idea to provide Wi-Max connectivity to the entire city. This solution permits us to leapfrog into the latest technology while providing good connectivity to citizens anywhere, anytime. With Wi-Max, a single signaling tower or access point reaches a much wider area than Wi-Fi. We also realized that the mobile population of the city was growing exponentially and we wanted to provide the latest WLAN technology, so that we didn’t have to worry for the next 10 years or so.
What is the status of this plan?
It is in the last stages of finalization and we are talking with Intel and a couple of other companies to work out the modalities of ‘Wi-Maxing’ the city. In some sense, we are unwiring the city. This will help not only bypass last-mile problems but also
In the future, 18 more of these kiosks will be set up in villages that fall under Chandigarh’s jurisdiction. We don’t want to remain focused merely on people with resources. The only way we can fulfill the vision of ‘IT for Society’ is to make these services available to small farmers or a rickshaw puller. We have also launched a special program for the village student to be trained under the C-TOSS scheme (Chandigarh Training on Soft Skills).
enable citizens to access the Internet faster, cheaper and better. This will take an actionable shape in a month — including the financial model to operate this service.
As a union territory, what are the challenges you face in effectively implementing IT policies?
Chandigarh has natural restrictions. We are spread over only 114 square kilometers and we have to work with that. But we’re optimizing our resources and we have certain advantages that are not available to other states and Union Territories. What we have is the best-planned city at our disposal. The standard of living here is higher than the Indian average. Infrastructure is well-laid out, with a view to the future. All this has helped us overcome our biggest hurdle: limited land.
How do you rate the success of e-Sampark?
The last published figures note that transactions done via eight centers totaled to Rs 239 crore. We continue to add services every month to the existing set. Based on this success, the government now plans to set up 70 more kiosks in the city. These will be known as eJansampark. We have also set up a central data hub at the secretariat level, which will seamlessly connect to the 70 kiosks to provide services and information. This will enable private services in the city to provide information on school admissions or nursing homes. All a citizen has to pay is Rs 2 to avail of any service. We will also extend this service to mobile users, under M Sampark, where a user can send an SMS and access all Sampark services on his phone. The ultimate objective is to act as a syndicate in providing these services. There are 2 lakh transactions every month through these kiosks and this will increase once we have 70 more centers.
What is the scope of the e-Sampark project?
e-Sampark is a program that enables citizens to avail of government services and has won many awards as a successful e-governance project. As of now, eight e-Sampark kiosks are running in Chandigarh and these provide 15 citizencentric services. Under Vision 2010, we would like to see the bare minimum face-to-face interaction between citizens and government officials. I want government departments to be able to redress any kind of citizen issue electronically. Already, the eight existing centers offer services that include providing various kinds of government certificates and paying electricity, water and telephone bills — including bills of private mobile service providers. It says a lot that these services have acknowledged the value of e-Sampark. 56
Interview - 02.indd 56
J U LY 1 , 2 0 0 6 | REAL CIO WORLD
How does the C-TOSS program you mentioned earlier help ‘IT for Society’ in Chandigarh?
C-TOSS is a program that has worked wonders for the city and is now finding takers in many other states. After talks with IT companies that are establishing their businesses in Chandigarh, we found out that there was a sizeable gap between the skills students needed to perform specialized jobs and those they acquired through general education. We had multiple rounds of discussions with IT companies as we tried to bridge this gap, and the result was C-TOSS, which is uniquely designed to provide complete soft-skills training to students. To run the C-TOSS initiative, the Society for Promotion of Information Technology in Chandigarh (SPIC) was formed.
The high-end module — 62 hours of training — comprises voice modulation, familiarization with the needs of IT companies and other skills. Training is in the hands of professional agencies. To avail of the training, students have to undergo a test that is also outsourced to an external agency. The program has been responsible for increasing the ‘employability’ of students in various IT companies. It benefits both sides since companies can hire skilled workers. The program is so popular that states like Haryana and Punjab have approached us to provide them with the necessary know-how to run C-TOSS. We are now launching a nation-wide program along the same lines with NASSCOM.
The Chandigarh government has appointed a consultant to help make the city a financial services center. Why is Chandigarh heading in this direction?
There are about 227 banks in Chandigarh. The total deposits in the last financial year totaled about Rs 14,850 crore. Annual software exports from here added up to Rs 360 crore. All these figures point to Chandigarh’s potential and show that Chandigarh is emerging as a great place to work. Therefore, we would like to make it a hub for financial services.
What are the other initiatives Chandigarh has taken to boost IT?
Three years ago, we embarked on a journey to make Chandigarh an attractive alternative to the likes of Bangalore, Mumbai and Gurgaon. The Chandigarh administration earmarked 120 acres in north-west Chandigarh for an IT park popularly known as Rajiv Gandhi Chandigarh Technology Park (RGCTP). We quickly started creating the necessary infrastructure to provide world-class services to the park’s occupants. Part of our approach was to allot 12.5 acres to the real estate developer DLF, to create state-of-the-art infrastructure for IT companies. Another 20 acres was allocated to Infosys to develop IT. The concept was to engage a developer and an anchor company to create critical infrastructure and then market the park to potential Indian IT companies. The thrust of this is to work towards ‘IT for Society’ and towards Vision 2010, which aims to promote the application of IT for society. Our goal is to help every citizen in Chandigarh to benefit from various IT applications and ‘automate’ the city by 2010.
What is the current status of the park?
DLF has constructed and developed close to 6 lakh square feet, out of which 40 percent is already occupied by IT companies. The rest will be occupied by the end of October 2006. Infosys has also constructed its building, which is spread over close to 4 lakh square feet, and it has shifted from Mohali (a satellite town of Chandigarh) to this new campus. In addition to this, we have sites known as ‘build to suit’ sites. Under this scheme, 13 IT companies have been allotted sites of between one and two acres. Another 30 acres of land has been given to Wipro, 10 acres to Tech Mahindra and five acres to E-Sys, a Singapore-based hardware manufacturer and distributor of IT products, to start manufacturing and assembly of finished IT products. Still, 25 applications are pending for land allocation and development work. These are in the last stages of consideration.
How will the park benefit Chandigarh as a whole?
We would like to develop the RGCTP over 650 acres. It’s not just about offering office space, but providing world-class, end-to-end infrastructure and minimizing dependence on any external agency. This will ensure that occupants receive comprehensive service quickly. This plan entails a huge housing facility spread over close to 20 acres so that people don’t have to travel long distances and waste time. The park will include housing units, serviced apartments, schools, hospitals, stadiums, parks, etcetera. This whole mission not only helps us promote Chandigarh as the next best IT destination but also helps create a ‘tech-enabled’ society. Chandigarh’s IT mission doesn’t stop here. We also have plans to provide facilities to entrepreneurs who can’t buy their own land but want to work from here. For this, we are setting up an Entrepreneur Development Center with plug-and-play facilities. This forms part of an integrated plan to create a place where people will think of business and work.
We have also asked the government of India to declare the RGCTP a Special Economic Zone. In phase one, the park has already been approved as a SEZ. This will serve as a big boost for us as we promote IT and attract software and IT service companies to occupy space in the park.

SNAPSHOT: Chandigarh
Area: 114 sq km
Population: 9 lakh
Literacy rate: 82 percent
Programs: E-Sampark (E-Sampark centers: 8; transactions per month: 1.25 lakh; turnover (2005): Rs 239 crore); Chandigarh Training on Soft Skills (C-TOSS); Rajiv Gandhi Chandigarh Technology Park: 650 acres

Bureau Head North Rahul Neel Mani can be reached at rahul_m@cio.in
Vol/1 | ISSUE/16
Essential Technology
From Inception to Implementation — I.T. That Matters
Illustration by SASI BHASKAR

CSI for the Enterprise?
Electronic data discovery tools help investigate fraud, breaches and other bad behavior. But CIOs should approach them with caution.
BY GALEN GRUMAN

SECURITY | Michael Osborne has been getting a lot of vendor calls lately pitching a new breed of products, typically called electronic data discovery (EDD) tools. These tools promise to investigate historical data to uncover security breaches, compliance failures and plain old errors in transactions across various enterprise systems, from network administration to accounting. Driven by compliance requirements such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, these tools focus on user activities, such as who accessed a database or updated a customer account. The goal is to look at both real-time and historic patterns across multiple databases, networks and applications to find suspicious activities that might indicate insider financial fraud, customer identity theft, compliance policy breaches or theft of proprietary data such as customer contacts or product designs. As the senior security manager at Kimberly-Clark, which makes health and hygiene products, Osborne is interested in ways to prevent supplier or insider fraud, such as detecting sham providers used to steal or launder money. In other organizations, electronic data discovery tools might be used to detect identity theft or violations of information-access policies. Osborne is not alone in getting these pitches, say analysts and consultants, who warn that CIOs should be cautious. “There’s a lot of vaporware out there,” says Avivah Litan, a security research director at Gartner. “You’re seeing vendors build an industry around scare tactics over compliance and security.” That’s not to say there aren’t useful technologies available. For example, Osborne is evaluating a tool from Oversight Systems that analyzes accounting information from SAP and other financial systems to detect fraud and errors both in current transactions and in past transactions stored in the SAP system. He’s recommended that Kimberly-Clark seriously consider adopting the technology. At online shopping service provider 2Checkout.com, Tom Denman, the director of risk management, has adopted 41st Parameter’s analysis tools to detect fraud in the shopping and financial transactions that his service handles for online stores. 2Checkout used to rely on real-time security event monitoring tools but found they couldn’t do as thorough an analysis in real time. Denman now batches customer transactions and uses 41st Parameter tools to analyze them against previous transactions and various fraud patterns, to detect stolen credit cards and the like (one fraud pattern might be the use of a credit card number for online purchases the same day in several countries). Suspect transactions get flagged for human review, prioritized by risk level. The use of historical data correlated across multiple systems and a focus on user activity is what distinguishes EDD from real-time security event monitoring (SEM) tools, which typically are used to monitor network activity for intrusion and viruses. EDD provides more context in which to find fraud or uncover breaches. “The tools can serve the understand-and-prevent function,” says Keith Schwalm, vice president of Good Harbor Consulting, a security advisory firm. EDD tools can work as an adjunct to SEM tools, or provide both functions, notes Amrit Williams, a security research director at Gartner. The vendor trend is to merge the two functions into a suite, he adds.
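The batch screening Denman describes can be shown concretely: a day's transactions are scored against the batch itself (the same-card, several-countries pattern from the article) and against each card's prior history, and anything over a threshold goes to a reviewer queue ordered by risk. This is an added example written for this article, not 41st Parameter's or 2Checkout's code; the transactions, the card histories, the rule weights and the review threshold are all constructed for illustration.

```python
"""Batch fraud screening over a day's card transactions (added example).

Constructed data and assumed weights; not the code of any vendor named in
the article. Cards are referenced by token, never by the raw PAN.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Txn:
    txn_id: str
    card: str          # tokenised card reference
    amount: float
    country: str       # country of the order (shipping or IP), ISO 3166 code
    ts: datetime


# Constructed batch: card_A buys in three countries on 12 June; card_C places
# one order far above its usual size; card_B looks normal.
BATCH = [
    Txn("t1", "card_A", 49.99, "US", datetime(2006, 6, 12, 8, 5)),
    Txn("t2", "card_A", 120.00, "DE", datetime(2006, 6, 12, 9, 40)),
    Txn("t3", "card_A", 15.00, "BR", datetime(2006, 6, 12, 17, 2)),
    Txn("t4", "card_B", 30.00, "US", datetime(2006, 6, 12, 10, 0)),
    Txn("t5", "card_B", 32.00, "US", datetime(2006, 6, 13, 10, 0)),
    Txn("t6", "card_C", 4500.00, "US", datetime(2006, 6, 12, 11, 0)),
]

# Constructed prior history per card (countries seen before, mean order
# amount). A real deployment derives this from stored past transactions.
HISTORY = {
    "card_A": {"countries": {"US"}, "avg_amount": 45.0},
    "card_B": {"countries": {"US"}, "avg_amount": 31.0},
    "card_C": {"countries": {"US"}, "avg_amount": 40.0},
}


def multi_country_same_day(batch, min_countries=2):
    """The pattern from the article: one card used for purchases in several
    countries on one calendar day. Returns the (card, day) keys that match."""
    seen = defaultdict(set)
    for t in batch:
        seen[(t.card, t.ts.date())].add(t.country)
    return {key for key, countries in seen.items() if len(countries) >= min_countries}


def score(batch, history):
    """Score every transaction against the batch and the card's history.
    Weights and thresholds are assumptions; tune them against labelled
    chargeback data before relying on them."""
    hot = multi_country_same_day(batch)
    scores = {}
    for t in batch:
        points, reasons = 0, []
        if (t.card, t.ts.date()) in hot:
            points += 60
            reasons.append("card used in several countries on one day")
        past = history.get(t.card, {"countries": set(), "avg_amount": t.amount})
        if t.country not in past["countries"]:
            points += 20
            reasons.append("country never seen for this card")
        if t.amount > 10 * past["avg_amount"]:
            points += 40
            reasons.append("amount more than 10x the card's average")
        scores[t.txn_id] = (points, reasons)
    return scores


def review_queue(batch, history, threshold=50):
    """Transactions at or above the threshold, highest risk first: the work
    list handed to human reviewers rather than an automatic decline."""
    flagged = [(tid, pts, why) for tid, (pts, why) in score(batch, history).items()
               if pts >= threshold]
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for tid, pts, why in review_queue(BATCH, HISTORY):
        print(tid, pts, "; ".join(why))
```

Two points the code makes that the paragraph only implies: the cross-country rule can only fire once the whole day's batch is in hand (a real-time filter sees each order alone), and the output is a prioritised queue for a person, not a verdict, which is why the scores carry their reasons.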
The Flavors of EDD
Vendors are beginning to provide newer features to this security tool.
Electronic data discovery tools come in several forms, typically based on the type of monitoring tool their developer has been selling. Most are outgrowths of security event monitoring (SEM) tools, which sometimes go by the acronyms SIM (security information management) and SIEM (security information and event management). These tools are usually deployed as software and/or appliance monitors within a specific system, such as in a network to monitor for intrusions and unusual traffic patterns or in a transaction system to monitor for suspicious transactions such as unusual access to customer records (typically indicating identity theft) or a temporary change of vendor address coincident with unusual payments to that vendor (typically indicating a hijacked account being used to steal money). Most of these systems were developed for the financial services and retail industries to detect fraud in credit card, banking and sales activities. More recently, vendors have begun developing tools for other regulated companies, such as health-care providers and public companies, says Amrit Williams, a Gartner security research director. While the EDD market is fairly small — just $190 million in revenue for 2004, and growing 20 percent to 30 percent a year — large companies such as Cisco Systems, IBM and Symantec have recently joined the many small vendors in this space, hoping to capture the growing security and compliance dollars, says Williams. Those oriented to financial services (mainly for fraud detection) include Actimize, 41st Parameter, Mantas, PassMark Security, RSA Security and SearchSpace. Another set of vendors provides log and transaction analysis for a variety of servers and applications, including ArcSight, Computer Associates, e-Security, Intellitactics, NetForensics, Network Intelligence and SenSage.
Other vendors are more focused on network security and monitoring, including Cisco, IBM Tivoli, NetIQ and Symantec. Most offer reporting and analysis capabilities based on historical or stored data in addition to real-time monitoring, and an increasing number provide query tools as well. Another sort of EDD tool is Guidance Software’s EnCase, which some enterprises and law enforcement agencies use to investigate the contents of a user’s PC to track file histories and data fragments to show evidence of fraud or policy breaches, such as violating corporate policies on viewing pornography at work. BlackBag Technology offers similar investigative tools to examine drive contents without altering them. — G.G.
Beware the Forensics Label
Many salespeople attach the label ‘forensics’ to their security and compliance analysis tools, and that can be very misleading. In law enforcement circles, ‘forensics’ means a well-defined set of discovery and investigative processes that hold up in court for civil or criminal proceedings. An enterprise that relies on these tools’ records or analysis in, for example, a wrongful termination suit, is probably in for an unpleasant surprise. “It may not hold up in court,” says Schwalm, a former Secret Service agent. “Very few vendors have an idea of what the requirements [are for proof, from a legal perspective]. They’re really providing just a paper trail. You should challenge what the vendor means by ‘forensics capability,’” he adds. One gotcha of using EDD tools for legal purposes is proving the inviolability of the data. Tools that keep or aggregate event logs may not provide access control that lets the enterprise prove that the underlying data is unaltered and accurate. This issue is particularly critical because most vendors pitch their EDD tools as a way of detecting internal threats. Yet an insider is in the best position to access and alter data to cover his tracks or deflect blame to someone else, making truly secure access control and data management policies a must to even consider relying on EDD tools in a legal case. To thwart insider manipulations, critical functions such as setting up new vendors or changing payment destinations should require multiple levels of approval. “One person shouldn’t be minding the whole store,” says 2Checkout’s Denman. A related concern is being able to go back to the original raw data, since most EDD tools alter the original data to put it into a searchable database and to make formats from different types of monitoring appliances consistent. Such regularization is necessary to analyze the records, but to be legally effective, there must be a defensible way to show that it didn’t distort the original data, says Gartner’s Litan. There are no broad standards for what constitutes acceptable forensics. Different courts and law enforcement agencies have their own standards, so the CIO should make sure his security experts consult with those organizations to find out what evidence they’ll require to pursue a case. Denman has done just that, working with the FBI’s cybercrime task force “to know what they look for.” For example, investigators prefer to make forensically sound copies of original data or the best available evidence; they never manipulate original data directly. CIOs should be sure they don’t approach EDD solely as an IT issue. “Let your general counsel manage this,” advises Matt Curtin, founder of the forensic computing consultancy Interhack. An attorney can best decide what records would be needed for legal proceedings. And he can set guidelines on cleansing transaction histories: “The longer you keep the data, the more you have to be subpoenaed,” Curtin says, “so you’ll be hit for more [discovery] requests.” That increases the chances that the other party will find your own errors and mistakes, he notes.
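The two concerns raised above, that an insider can alter aggregated logs and that normalisation must be shown not to distort the original, have a standard engineering answer: keep the raw records append-only under a hash chain, and make every normalised record carry a pointer back to the raw record it was derived from so the derivation can be replayed. The following is an added example illustrating that design, not the code of any EDD product in the article; the two log formats, the normalised schema and the log lines are constructed for illustration.

```python
"""Tamper-evident raw log store beside a normalised search copy (added example).

Not any vendor's code. The two appliance formats, the unified schema and the
sample lines are assumptions made for illustration.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed input: a firewall and a database audit log, different formats.
RAW_LINES = [
    b"2006-06-12T10:15:02Z fw01 DENY src=10.1.4.7 dst=10.2.0.5 dport=1433",
    b"Jun 12 10:15:31 dbsrv audit: user=jsmith action=SELECT table=customers rows=4812",
    b"2006-06-12T10:16:40Z fw01 ALLOW src=10.1.4.7 dst=10.2.0.5 dport=1433",
]

FW = re.compile(rb"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
DB = re.compile(rb"^(\w{3} \d+ [\d:]+) (\S+) audit: user=(\S+) action=(\S+) table=(\S+)")


def normalise(line: bytes) -> Dict:
    """Map each appliance format onto one assumed schema. Deterministic, so
    the normalised record can always be re-derived from the raw bytes."""
    m = FW.match(line)
    if m:
        return {"ts": m[1].decode(), "host": m[2].decode(), "kind": "firewall",
                "actor": m[4].decode(), "target": m[5].decode(),
                "detail": m[3].decode() + " dport=" + m[6].decode()}
    m = DB.match(line)
    if m:
        return {"ts": m[1].decode(), "host": m[2].decode(), "kind": "db_access",
                "actor": m[3].decode(), "target": m[5].decode(),
                "detail": m[4].decode()}
    return {"ts": "", "host": "", "kind": "unparsed", "actor": "", "target": "",
            "detail": line.decode(errors="replace")}


def chain_hash(prev: str, raw: bytes) -> str:
    """Hash of this raw record bound to the hash of the one before it."""
    return hashlib.sha256(prev.encode() + b"\n" + raw).hexdigest()


class EvidenceStore:
    """Append-only raw records (the best evidence) plus a searchable index."""

    def __init__(self):
        self.raw: List[bytes] = []
        self.chain: List[str] = []     # chain[i] covers raw[0..i]
        self.index: List[Dict] = []    # normalised copy used for queries

    def append(self, line: bytes) -> Dict:
        prev = self.chain[-1] if self.chain else "genesis"
        digest = chain_hash(prev, line)
        self.raw.append(line)
        self.chain.append(digest)
        rec = normalise(line)
        rec["raw_hash"] = digest            # pointer back to the original
        rec["raw_index"] = len(self.raw) - 1
        self.index.append(rec)
        return rec

    def verify_chain(self) -> Optional[int]:
        """None if the raw store is intact, else the first altered position."""
        prev = "genesis"
        for i, line in enumerate(self.raw):
            digest = chain_hash(prev, line)
            if digest != self.chain[i]:
                return i
            prev = digest
        return None

    def verify_index(self) -> bool:
        """Every normalised record must re-derive from its raw record."""
        for rec in self.index:
            pos = rec["raw_index"]
            if self.chain[pos] != rec["raw_hash"]:
                return False
            fresh = normalise(self.raw[pos])
            if any(rec[k] != v for k, v in fresh.items()):
                return False
        return True


def build(lines=RAW_LINES) -> EvidenceStore:
    store = EvidenceStore()
    for line in lines:
        store.append(line)
    return store


def tamper(store: EvidenceStore, pos: int, new_raw: bytes) -> Optional[int]:
    """Simulate an insider editing a raw record in place, then re-verify."""
    store.raw[pos] = new_raw
    return store.verify_chain()
```

The chain only proves that nothing changed after the hash was recorded, so the per-record hashes (or a periodic chain head) must be copied somewhere the insider cannot write, such as a WORM volume or a separate custodian. That, together with working from copies rather than the raw store, is the practical form of the "forensically sound copy" investigators ask for.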
Focus on Investigation
While the ‘forensics’ label may be misleading, EDD tools can help the enterprise investigate possible security and compliance breaches to identify where a true forensics investigation should take place or to understand a previous breach as part of an effort to strengthen enterprise defenses. Curtin advises that enterprises consider EDD tools that provide search and query capabilities that in-house analysts can use to uncover clues about potential problems, not just canned detection rules. Having lots of monitoring systems isn’t that useful if you don’t know where to focus your attention. EDD tools can help identify the problematic areas, “so you don’t bother with the rest of the data,” he says. But systems that offer only canned analyses don’t let forensics experts do the kind of digging they need to do, forcing them to go through logs and databases manually. “Most companies today run the rules that come out of the box,” notes John Summers, global director of managed security at the Unisys consultancy, but for EDD tools to be effective, “rules need to be specific to your business and processes.” Good EDD analysis tools let you both customize the rules and conduct your own queries and searches, say Curtin and Summers. It’s also key to remember that current real-time analysis tools focus on a specific type of monitoring, such as credit card fraud detection or intrusion detection, rather than provide broad, enterprisewide risk analysis.
Monitor at Multiple Levels
Vendors are increasingly focused on EDD as a way to get CIOs’ compliance money, says Unisys’s Summers. Early EDD tools just added reporting to the real-time event-monitoring capabilities offered by SEM tools and appliances, he notes, but since summer 2005, vendors have been adding more “pragmatic” compliance-oriented services to the tools now relabeled as EDD. For example, tools that used to focus on firewall and intrusion detection logs are now examining database logs to monitor access to specific data, both to help assess compliance with data access policies and to identify data access patterns that may indicate fraud. By noticing a firewall breach that occurs 30 seconds before unusual database access, for instance, such tools can alert administrators to a possible identity theft. That might lead to an immediate shutdown of access to that database as well as a deeper look into past activities to see if the identity theft has been ongoing. Similarly, EDD tools are also now examining server logs for both compliance and security analysis, he says. To do truly useful monitoring and analysis of data access requires understanding who the users are and what permissions they have, Summers says, so he expects EDD tools to begin monitoring policy servers and directory services in the next year. That requires a cohesive strategy for compliance and security, one that requires coordinating IT, business, security and legal needs. To accomplish that strategy, the CIO needs to ensure that monitoring and analysis is deployed holistically, not by just the security team or the network administration staff. Effective fraud and compliance monitoring requires having the right policies in place to manage data and access, as well as analyzing ongoing events in the network, in key applications and in key data stores. The new breed of EDD tools are fairly expensive and difficult to deploy, notes Gartner’s Williams. Costs for a large enterprise start at Rs 1.35 crore and can rise beyond Rs 4.5 crore to deploy, since storage needs can be multiple terabytes and require an information management system. The actual deployment can take up to six months if it involves custom development, which is often the case. Over time, the tools will become more standardized and thus easier to deploy as vendors see broad patterns from the custom deployments, Williams notes. But today, the high costs have limited the tools’ adoption mainly to regulated enterprises or ones where fraud costs more than its prevention, he says. EDD tools can be part of an overall security and compliance effort, but, by themselves, EDD tools are barely Band-Aids — unless, of course, you’re just making a pro forma “cover-your-ass investment”, says Gartner’s Litan. That kind of lip-service monitoring and analysis may help you complete a checklist to impress naive shareholders, but it won’t really help your company, says Good Harbor’s Schwalm. After all, as Summers of Unisys notes, “most companies already do logs, but no one looks at them.”
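The firewall-then-database correlation Summers describes, and the directory lookup he expects tools to add, come down to a time-window join across sources plus an entitlement check. The following is an added example of that logic written for this article, not the code of any product named in it; the events (already normalised into one schema), the directory entries, the 30-second window and the bulk-read threshold are constructed or assumed.

```python
"""Cross-source correlation of firewall and database events (added example).

Not any vendor's code. Events, the directory and the thresholds are
constructed for illustration; events arrive unsorted, as they would from
separate collectors.
"""
from datetime import datetime, timedelta

# Constructed, already-normalised events from two sources, deliberately
# out of order. 10.1.4.7 is denied on the SQL Server port, then 29 seconds
# later a marketing user reads 4,812 customer rows from that host.
EVENTS = [
    {"ts": datetime(2006, 6, 12, 10, 15, 31), "src": "db_audit", "host": "10.1.4.7",
     "user": "jsmith", "table": "customers", "rows": 4812},
    {"ts": datetime(2006, 6, 12, 10, 15, 2), "src": "firewall", "host": "10.1.4.7",
     "action": "DENY", "dport": 1433},
    {"ts": datetime(2006, 6, 12, 10, 15, 20), "src": "firewall", "host": "10.1.4.7",
     "action": "ALLOW", "dport": 1433},
    {"ts": datetime(2006, 6, 12, 11, 0, 0), "src": "db_audit", "host": "10.1.9.3",
     "user": "dba1", "table": "customers", "rows": 12},
    {"ts": datetime(2006, 6, 12, 11, 30, 0), "src": "firewall", "host": "10.1.9.3",
     "action": "DENY", "dport": 1433},
    {"ts": datetime(2006, 6, 12, 11, 45, 0), "src": "db_audit", "host": "10.1.9.3",
     "user": "dba1", "table": "customers", "rows": 9},
]

# Constructed directory/policy data: which tables each user is entitled to.
DIRECTORY = {
    "jsmith": {"dept": "marketing", "tables": {"campaigns"}},
    "dba1": {"dept": "it", "tables": {"customers", "campaigns"}},
}

WINDOW = timedelta(seconds=30)   # assumed correlation window from the article
BULK_ROWS = 1000                 # assumed threshold for a "bulk" read


def correlate(events, directory, window=WINDOW, bulk_rows=BULK_ROWS):
    """For each database access, look back `window` for a firewall DENY from
    the same host; if found, enrich the pairing with directory context and
    emit an alert whose severity is the number of independent indicators."""
    ordered = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["src"] != "db_audit":
            continue
        prior_denies = [p for p in ordered[:i]
                        if p["src"] == "firewall" and p["action"] == "DENY"
                        and p["host"] == ev["host"]
                        and ev["ts"] - p["ts"] <= window]
        if not prior_denies:
            continue
        entitled = directory.get(ev["user"], {"tables": set()})["tables"]
        reasons = ["firewall DENY from same host within %d s" % window.total_seconds()]
        if ev["table"] not in entitled:
            reasons.append("user not entitled to table")
        if ev["rows"] >= bulk_rows:
            reasons.append("bulk read")
        alerts.append({"user": ev["user"], "host": ev["host"], "table": ev["table"],
                       "ts": ev["ts"], "severity": len(reasons), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, DIRECTORY):
        print(a["ts"], a["user"], a["host"], a["table"], a["severity"], a["reasons"])
```

Note what makes the second host's activity go quiet: dba1 is entitled to the table, reads a handful of rows, and the only DENY from that host is a quarter of an hour before the next access, outside the window. Without the directory data the first alert would still fire, but it would carry one indicator instead of three, which is the difference between a ticket and a page.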
The Enemy Inside
Excerpts from a study report that delves into the mind of the ‘insider attacker’.
For years, external security threats received more attention than internal security threats — but the focus has changed. While viruses, worms, Trojans and DoS are serious, attacks perpetrated by people with trusted insider status — employees, ex-employees, contractors and business partners — pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from outside. The United States Secret Service and the Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center published an insider threats study report in 2005, which offered critical insights into the mind and motivation of the ‘inside attacker’. Here are some statistics from the CERT study:
In 92 percent of the incidents investigated, revenge was the primary motivator.
Sixty-two percent of the attacks were planned in advance.
Fifty-seven percent of the attackers surveyed would consider themselves “disgruntled.”
Eighty percent exhibited suspicious or disruptive behavior to their colleagues or supervisors before the attack.
Only 43 percent had authorized access (by policy).
Sixty-four percent used remote access to carry out the attack.
Most incidents required little technical sophistication.
What are Some Common Attacks?
Sabotage of information or systems: This category includes physical destruction of network cabling or computing devices, or disabling of electrical or other environmental control.
Theft of information or computing assets: This category includes theft of anything from digitally stored information, such as company critical financial data, to internal product engineering plans and theft of physical devices.
Introduction of bad code: ‘Bad code’ may include time bombs (software programmed to damage a system on a certain date), or logic bombs (software programmed to damage a system under certain conditions).
Viruses: While the most significant internal threat is the ‘ignorant’ employee who double clicks on an e-mail attachment, activating a virus, results from a number of ‘insider attack’ surveys show that viruses may be exploited by hostile employees.
Installation of unauthorized software or hardware: Common attacks include the installation of Trojans by privileged users.
Manipulation of protocol design flaws: Protocol weaknesses in TCP/IP can result in a virtual treasure trove of problems, for example DNS spoofing, TCP sequence, hijacked sessions and authentication session / transaction replay, denial of service and TCP_SYN flooding.
Manipulation of operating system design flaws: With read and administrative access, privileged users, in particular, can manipulate design flaws and exercise native vulnerabilities.
Social engineering: Attackers may use e-mail, IM or telephone to impersonate employees and administrators to gain usernames, passwords or escalated privilege to information or systems, as well as to execute Trojan horse programs.
— Kristin Gallina Lovejoy

Galen Gruman is principal of the Zango Group and a regular contributor to CIO. Send feedback about this feature to editor@cio.in.
Pundit | Essential Technology
Virtualization and the Impact of Open Source
What has caused the effective price of virtualization to head toward zero — and how?
BY BERNARD GOLDEN
STORAGE | In contrast to many who seem to feel that open source and proprietary software operate in two parallel but separate universes — that open source is used by people who can’t afford ‘real’ software, while proprietary commercial software is for organizations that need reliability, scalability, and all the other ‘abilities’ — I believe that open source is already challenging the proprietary software world.
How about a case study to test the theory? Let’s look at virtualization, something that has tremendous potential with a clear payoff: reduced costs for IT organizations, both hard (power, machines) and soft (admin and operations personnel). It evinces an undeniable fact: machines are improving so fast that they make possible a change to the traditional hardware infrastructure, breaking the bounds of the one machine, one application practice used by most IT shops. In 2004, EMC decided to opt for virtualization as a complementary offering to its existing storage business. It paid over Rs 2,700 crore to buy VMWare, which had a very capable, albeit pricey, line of products. VMWare offered them via a hands-on, expensive, direct sales force. These products and their sales strategy melded perfectly with EMC, which sells expensive storage solutions through a hands-on, expensive sales force. Today, VMWare has completely restructured its product line and its go-to-market strategy. VMWare makes a significant part of its product line available for immediate download at no cost. That’s right: EMC paid Rs 2,700 crore to buy a company that doesn’t charge for its products.
Why the big change in strategy? In one word: Xen. This is an open source virtualization product emanating from Cambridge University, with a commercial arm called Xensource. The entrance of an open source product into the market has caused the effective price of virtualization to head toward zero. What’s interesting about this market, though, is how fast commoditization has occurred. Unlike databases, where Oracle has a huge installed base that it can milk at traditional prices, virtualization is a nascent market where user choices are being made today. VMWare faced its own choice: maintain its historical pricing and end up a bit player, or chop prices, attempt to establish a dominant market share, and figure out how to make money from the resulting user base. VMWare cut its prices with gusto. Of course, the flip side of this change is that VMWare expects you to download the product and do the work of figuring out whether it’s right for your purpose. They’ll be glad to engage in a sales conversation once you’ve done the exploratory work and decided the VMWare solution is right for you. This poses one of the great challenges open source presents to IT. Unlike databases, where the entrance of open source offerings was supported by a large trained technical workforce, nascent markets like virtualization suffer from a lack of skilled expertise, which makes successful implementations much more difficult. I’m not sure what the answer to this dilemma is, but I’m pretty sure the momentum of commoditization through open source is unstoppable.

Bernard Golden is CEO of Navica, an open-source consultancy, and the author of Succeeding With Open Source (Addison-Wesley, 2004). Send feedback on this column to editor@cio.in