Registered No. RNP/BGS/2113/2009-11. Licensed to Post at Manipal HO on 12th/13th & 27th/28th of every month. Printed and Published By Louis D’Mello On Behalf Of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore 560 027, India.
KARENG/2005/16317
From The Editor

A Security State of Mind
Technology is the last thing to look at since security is a people issue.

“He is most free from danger, who, even when safe, is on his guard.” — Publilius Syrus

Information Security. What is the first thing that goes through your mind when you think of it? Firewalls, IDS, single sign-on, biometric devices? Think again. For security is more a question of putting protocols and procedures in place. In fact, a security expert I spoke to a few days ago was vehement that security has nothing much to do with the technology that one uses to achieve a ‘comfort’ level. Technology is the last thing to look at since security is a people issue, he told me.

I guess information security is also about changing behavior. While from the management perspective it’s about handling risk management; from the enforcement perspective it’s about creating awareness within the organization. Satish Das, CSO, Cognizant Technology Solutions and one of the security practitioners we contacted for this issue’s cover story, tells us that the governance structure of a company is a key factor. “If risk management is a part of an organization’s structure, then the security framework will be clearly articulated and defined to meet the governance requirements,” he says.

Does it all then boil down to being a mind-set issue? It could be. In fact, The Global State of Information Security Survey by CIO and PricewaterhouseCoopers (Page 30) has raised a few curious points. Just 37 percent of the 8,200 executives covered stated that they had an information security strategy! Even more worrying, the response ‘unknown’ showed up as the second most prevalent attack type, the fourth most common attack method and the third highest attack source. And, 47 percent of the respondents reported damages as ‘unknown,’ as well. If that doesn’t bother you, analyze this: A full fifth of information executives said they didn’t know how much money their companies budget for infosecurity.

And despite all the talk of technology (some so futuristic that they could feature in a Philip K. Dick novel), most companies continue to invest in the fundamental technologies that strengthen networks and applications. While a few verticals like BFSI, Pharma and IT / ITeS are quite gung-ho, others like manufacturing and retail are still to go beyond basic security technologies. Publilius Syrus writing 2,000 years ago in Rome got his security mindset right, have you?
Vijay Ramachandran, Editor vijay_r@cio.in
January 15, 2006 | REAL CIO WORLD | Vol/1 | ISSUE/5
Contents

Executive Expectations
VIEW FROM THE TOP | Azim H. Premji, Chairman, Wipro believes in integrity, customer satisfaction and quality. These drove Wipro to embrace Six Sigma and become the world’s first organization to achieve PCMM Level 5. Interview by Balaji Narasimhan

Governance
SHARE POWER TO GAIN CONTROL | Why CIOs should cede the what of IT to business executives and focus instead on the how. Column by Susan Cramm

Keynote
THE JOY OF FLEX | A loosely coupled approach to business processes and IT makes it much more possible for companies to innovate, both within and across enterprises. Column by John Hagel and John Seely Brown

Security
COVER STORY | THE GLOBAL STATE OF INFORMATION SECURITY | A worldwide study by CIO and PricewaterhouseCoopers reveals a digital landscape ablaze, with thousands of security leaders fighting the flames. But amid the uncertainty and crisis management, there’s an oasis of strategic thinking. By Gunjan Trivedi and Scott Berinato with Research Editor Lorraine Cosgrove Ware

Leadership
THE FOUR (NOT THREE, NOT FIVE) PRINCIPLES OF MANAGING EXPECTATIONS | CIO Joe Eng set new performance standards for his IT department, negotiated technical requirements with demanding business partners, calmed nervous end users and built a multi-million dollar global network by following four simple principles. Feature by Allan Holmes

Govern
SLEUTHING SMARTER | Ramavtar Yadav, Director, National Crime Records Bureau, reveals how the bureau’s work in areas such as portrait building and information sharing is arming the cops with speed as they hotfoot it on the trail of crooks. Interview by Rahul Neel Mani
HAAZIR HO (PRESENT YOURSELF) | Video-conferencing links between courts and prisons have saved state governments crores. But it’s also brought more security, compassion and efficiency to a justice system struggling against a tide of backlogged cases. Feature by Balaji Narasimhan

Departments

Trendlines
Outsourcing | Cutting Costs Can Cost Customers
Staffing | IT Departments Are Changin’
Work Life Balance | New Year’s Resolutions
By The Numbers | The Price of Procurement
Chip Technology | Optical Chips Get Golden Edge
Language | Most Annoying Workplace Clichés
Book Review | Fit In Stand Out
Leadership | Gender Gap in the Executive Suite

Essential Technology
Open Source | Open Source Lights Up, by Galen Gruman
Pundit | Services for Sale, by Eric Knorr

From the Editor
A Security State of Mind | Technology is the last thing to look at since security is a people issue. By Vijay Ramachandran

Inbox

Now Online
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Photos by Srivatsa Shandilya. Cover: Imaging by Binesh Sreedharan, Jayan K Narayanan.
Management
President: N Bringi Dev
COO: Louis D’Mello

Editorial
Editor: Vijay Ramachandran
Bureau Head-North: Rahul Neel Mani
Special Correspondents: T Radhakrishna, Balaji Narasimhan
Senior Correspondent: Gunjan Trivedi
Copy Editor: Sunil Shah
Editorial Director-Online: R Giridhar
www.cio.in

Design & Production
Creative Director: Jayan K Narayanan
Designers: Shyam S Deshpande, Binesh Sreedharan, Vikas Kapoor, Anil V K
Photography: Srivatsa Shandilya
Production: TK Karunakaran

Marketing and Sales
Business Manager: Naveen Chand Singh
Brand Manager: Alok Anand
Marketing: Siddharth Singh
Bangalore: Mahantesh Godi, Santosh Malleswara, Ashish Kumar
Delhi: Sudhir Argula, Nitin Walia
Mumbai: Rupesh Sreedharan, Nagesh Pai
Japan: Tomoko Fujikawa
USA: Larry Arthur, Jo Ben-Atar
Singapore: Michael Mullaney
UK: Shane Hannam

Advisory Board
Anil Nadkarni, Head IT, Thomas Cook, a_nadkarni@cio.in
Arindam Bose, Head IT, LG Electronics India, a_bose@cio.in
Arun Gupta, Sr. Director - Business Technology, Pfizer India, a_gupta@cio.in
Arvind Tawde, VP & CIO, Mahindra & Mahindra, a_tawde@cio.in
Ashish Kumar Chauhan, Advisor, Reliance Industries Ltd, a_chauhan@cio.in
M. D. Agarwal, Chief Manager – IT, BPCL, md_agarwal@cio.in
Mani Mulki, VP - IS, Godrej Consumer Products Ltd, m_mulki@cio.in
Manish Choksi, VP - IT, Asian Paints, m_choksi@cio.in
Neel Ratan, Executive Director – Business Solutions, Pricewaterhouse Coopers, n_ratan@cio.in
Rajesh Uppal, General Manager – IT, Maruti Udyog, r_uppal@cio.in
Prof. R.T.Krishnan, Professor, IIM-Bangalore, r_krishnan@cio.in
S. B. Patankar, Director - IS, Bombay Stock Exchange, sb_patankar@cio.in
S. Gopalakrishnan, COO & Head Technology, Infosys Technologies, s_gopalakrishnan@cio.in
S. R. Balasubramanian, Sr. VP, ISG Novasoft, sr_balasubramanian@cio.in
Prof. S Sadagopan, Director, IIIT - Bangalore, s_sadagopan@cio.in
Sanjay Sharma, Corporate Head Technology Officer, IDBI, s_sharma@cio.in
Dr. Sridhar Mitta, Managing Director & CTO, e4e Labs, s_mitta@cio.in
Sunil Gujral, Former VP - Technologies, Wipro Spectramind, s_gujral@cio.in
Unni Krishnan T.M, CTO, Shopper’s Stop Ltd, u_krishnan@cio.in
V. Balakrishnan, CIO, Polaris Software Ltd., v_balakrishnan@cio.in

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India
Reader Feedback

Great Inspiration

Ones to Watch (Jan. 1) will be a great inspiration to all those who are waiting in the wings. Maybe you could extend this concept a bit more to actually identify good IT teams doing extraordinary work at various organizations. Covering a very well executed project at a time, you may give the due credit to all those unsung heroes. I also found the View From The Top of LG Electronics India Managing Director Kwang-Ro Kim quite interesting. Only 0.4 percent of revenue is LGEIL’s IT budget. How does it compare with the manufacturing sector’s average? If you can make LGEIL share its IT expenditure break-down, it will be very interesting. But what takes the cake is Kim’s statement: “... without the IT department’s approval we don’t open a remote office...” Hope every CEO understands this!
M. S. V. Rao, Consulting Advisor - IDM, Tata Consultancy Services

It was a pleasure to read the Ones to Watch feature. It’s a manifestation of the quality of research and industry interaction you have been able to achieve in such a short time. I am impressed by the perseverance and meticulousness of the team at CIO. Keep it up.
Ashish Kumar Chauhan, Advisor, Reliance Industries

I found Ones to Watch quite an interesting read. Going forward, I suggest that you recognize young CIOs (probably under the age of 40 or so) in various verticals. Their achievements and their perspective on their sectors can be profiled similar to Ones to Watch. I would rather read the fresh views of these CIOs on their industries than the much-printed perspectives of established CIOs. While short-listing the young CIOs, I suggest a proper study should be done stressing the extent of their domain knowledge and industry experience.
Sanjay Sharma, Corporate Head – IT, IDBI

Encouraging Feature

I must thank you for a very good write up relating to the development of IT in West Bengal (Mindset Manifesto, Jan 1). Thank you so much for your support.
Dr. G. D. Gautama, Principal Secretary, West Bengal

The basic reason for the Govern section is to highlight the challenges and successes of senior IT executives in local, state and Central Government agencies. I appeal to government IT leaders to come forward and help us highlight their work in the field of e-governance. — Editor

Filling the Vacuum

I have been reading CIO from issue one. For long, there’s been a vacuum in this space. A magazine for CIOs ought to go beyond networking and infrastructure issues. These days, the major part of our time and effort go into people management and development. That has become one of the most critical parts of a CIO’s job. To be able to manage change, a CIO not only needs to enrich himself through technology, but also people and change management. Towards that end, CIO India is doing justice to this community. The quality of your magazine, its content, layout, look and feel is extremely good. Great going.
Chinar Deshpande, CIO, Pantaloon Retail

With compliments from Arun Shakya, Britannia Industries

Dear Arun, Thanks so much for the Dundee cakes. The entire Bangalore team enjoyed them. It was great to see you in the Ones to Watch. By the time we look for the next set of IT leaders with potential, I hope to see you in the ranks of the CIOs. — Editor

What Do You Think? We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.
Trendlines
New * Hot * Unexpected

Outsourcing | Cutting Costs Can Cost Customers

Companies that outsource customer service functions with the goal of reducing costs may risk reducing their client list as well, according to Gartner. The researcher predicts that through 2007 some 80 percent of organizations that outsource customer service projects with the primary goal of cutting costs will fail in that attempt. One factor is the high staff attrition rates at outsourcing companies, sometimes as much as 80 percent to 100 percent.

“Companies are not looking at processes from a customer point of view, and this is risky,” says Gartner Vice President Alexa Bona. Customer-facing processes, such as call center services and tech support, require specific training and management to prevent client loss, she adds. Gartner predicts some 60 percent of organizations that outsource customer-facing functions will experience client defections due to service issues, a hidden cost that outweighs any potential cost savings.

Indeed, Gartner found that companies employing outsourced customer service processes could pay more; the average monthly cost per employee is 30 percent higher for outsourced operations than the top 15 percent of companies pay for in-house operations, Bona says. In spite of the poor outlook, Gartner predicts the market for customer service outsourcing will grow from $8.4 billion in 2004 to $12.2 billion in 2007.

To make outsourcing work, companies should map their customer-facing processes from end to end and dedicate sufficient management to the projects, Bona says, adding that outsourcing contracts should contain provisions that allow the outsourcing company to be paid based on non-traditional metrics such as customer satisfaction, first-call resolution and even customer profitability.

—By Scarlet Pruitt
Staffing | IT Departments, They Are A-Changin’

The demand for corporate IT specialists is shifting away from the IT worker who specializes in a certain technology and toward ‘versatilists’ — those capable of interacting with people outside of their typical domain, according to research from Gartner.

Gartner Vice President Diane Morello says the versatilist has a strong base of knowledge in a certain area, which may or may not be technology-related. Such an employee might have expertise as a project manager, financial analyst or an application designer but is able to take on broader responsibilities required by an IT group. With ‘versatilists’ on staff, business and service providers can also stretch their personnel budgets further than they could with specialists.

CIO research finds that IT departments are hiring now. But according to Morello, by 2010, IT organizations in mid-size and large companies will be 30 percent smaller than they were in 2005. Meanwhile, 10 percent to 15 percent of IT workers today will drop out of the IT occupation, Morello says, choosing new fields such as teaching or government service.

—By Nancy Gohring
By The Numbers | The Price of Procurement
By Jon Surmacz

Companies that do it right spend more on technology in the short term, but less on overall operations in the long run.

Wringing efficiency out of the supply chain could be as simple as investing in technology that will automate operational tasks, such as purchase order processing. That’s because smoother supply chain operations can allow companies to shift resources to more strategic tasks — such as sourcing — where they can find even more value, according to the Hackett Group.

In its latest ‘Book of Numbers’ report, Hackett states that companies with world-class procurement operations spend $1.4 million per billion of their overall procurement spend (the goods and services a company buys to do business) on technology, while average companies spend $1.1 million per billion of spend. According to Hackett, world-class procurement organizations spend $7.4 million on procurement operations for every $1 billion of goods and services they buy. Average companies, on the other hand, spend $10.1 billion on procurement operations for every $1 billion of goods and services they buy. So even though world-class companies are spending more on procurement technology (in terms of dollars and as a percentage of procurement operations), their overall spending on procurement operations is actually less.

By automating operational processes in the purchase-to-pay cycle (processing of purchase orders, receipts, requests for quote and so on), world-class companies are able to focus resources and savings on strategic business operations, says Christopher Sawchuk, senior business adviser at Hackett. “The value of these [automation] investments is in cost reduction,” he says. “The savings allow procurement executives to spend a larger percentage of their budget on decision support rather than operational support and focus on aligning procurement with business strategy.” Decision-support tools can help executives determine who their best and worst suppliers are so that they may adjust their procurement plans accordingly.

Best Practices

1] Identify operational processes that can be automated with e-procurement and e-sourcing tools and invest in them.

2] Educate employees and business partners about the benefits of new procurement systems to ensure that they are used. Christopher Sawchuk, senior business adviser at the Hackett Group, says procurement executives should track how many transactions are going through the e-procurement system as an indicator of usage.

3] Shift into strategic mode once the return on automation investments is realized. This may mean investing in decision-support technologies, hiring staff with more sourcing experience.

World-class procurement organizations invest more of their total operations spending on IT. World-class: 19%. Average: 11%.

World-class companies allocate 36% more of their overall procurement resources to decision support and risk management activities.

Elevated IT spending helps drive down costs: World-class companies spend 42% less than average companies, which means they can focus on strategic operations.

World-class companies spend 27% more on procurement technology than average companies, but they spend 27% less on overall procurement operations.

World-class companies rely on 38% fewer staff members than average companies resulting in a price tag for total procurement operations that’s 27% lower than average.
Book Review | How to Climb the Corporate Ladder
Learn to fit in and still make your mark

Fit In, Stand Out: The Key to Leadership Effectiveness in Business and Life
By Blythe J. McGarvie
McGraw-Hill, 2005; Rs 1,197.50

Blythe McGarvie has done well in the corporate world, first as a CFO for several large companies and now as a corporate director for Accenture and The Pepsi Bottling Group, among others. She believes unabashedly in corporations — their moneymaking mission, their ability to do good and the opportunities they afford for career success. Fit In, Stand Out: The Key to Leadership Effectiveness in Business and Life is a career guide to the corporate world. Business success boils down to two actions, says McGarvie: Fitting in and standing out.

Fitting in means finding your way in the culture and structure of a company. People who are new to an organization or a position should focus on showing colleagues that they can conform to company norms and are trustworthy and credible. Standing out means separating yourself from the corporate crowd. Doing outstanding work is not enough — you must seek opportunities to be noticed. While it is important for employees to demonstrate their ability to fit in at the start of a job, the ambitious ones must then market themselves to move upward.

The lengthiest part of McGarvie’s book is devoted to six characteristics that people need in order to advance. These characteristics include financial acuity — the development of deep financial comprehension — which McGarvie calls the most important catalyst for gaining a leadership position; integrity, an attribute that’s important in an era of public mistrust in corporations; and global citizenship, necessary for success in a global world.

McGarvie dresses up her framework as systems thinking, which is a theoretical approach to analyzing how interactions between parts of an entity affect overall performance. That’s a stretch in this case — and an unnecessary one. The true value of this book is in its practical advice and insights based on McGarvie’s experience.

—By Edward Prewitt
Leadership | Gender Gap in the Executive Suite

Men are better at delegating. Women are better at rewarding subordinates. Tired old stereotypes, perhaps, but both men and women in leadership positions believe them — to the detriment of female leaders, according to a study by the nonprofit research organization Catalyst. Of 296 senior corporate leaders surveyed, a majority of each gender agreed that men are better at take-charge leadership behaviors, such as influencing their superiors, while women are better at caretaking behaviors, such as team-building.

The most disturbing discovery, according to Jeanine Prime, director of research at Catalyst, is men’s perceptions of women’s problem-solving skills. Male survey respondents said that 80 percent of male leaders are effective at solving problems, but only 67 percent of female leaders are. Because men outnumber women in leadership positions, women are less likely to be viewed as good decision-makers. The implication of this finding, Prime says, is that women are more likely to have their decisions questioned, and thus have to spend more time getting buy-in. That’s time that could be spent on execution. And so, through no fault of their own, many women find their ability to get things done is compromised, which undermines their chances for promotion.

Prime says this is one reason why only 16 percent of officers in Fortune 500 companies are women. Catalyst says one way companies can counter gender stereotypes is by having standard criteria for performance evaluations and promotions.

—By Margaret Locher

Illustration: Shyam S. Deshpande
Chip Technology | Gold May Play Role in Optical Chips, Scientists Say

Gold is prized in chip manufacture for its excellent electrical conductivity, but it also has unusual properties that could give it a role in new optical chips, scientists have discovered.

In a typical electronic chip, tiny gold wires link microscopic connecting pads on the silicon wafer to the terminals of the chip packaging. The gold wires are about 50 micrometers in diameter, about half as thick as a human hair, and at that thickness the gold still behaves like the shiny metal we know. A micrometer is one millionth of a meter. If you divide it into rods 2,500 times thinner, though, just 20 nanometers across, the gold glitters in an entirely different way, according to scientists at the US Department of Energy’s laboratory in Argonne, Illinois.

At the nanometer scale, where distances are measured in billionths of a meter, it’s not just optical properties that change: Many materials respond differently to variations in temperature, and to the effects of electric and magnetic fields, when divided into such nanoparticles. The nanoscale gold rods studied at Argonne National Laboratory emit light when electrons in them are stimulated, and the wavelength of the light depends on the length of the rod used, the scientists found. They tested gold rods with lengths between 70 nm and 300 nm.

Being able to control the wavelength of light, and to build light sources of a specific wavelength, is very important in optical communications. The discovery at Argonne could one day allow the fabrication of tuned light sources inside chips, leading to the creation of chips that can switch or route optical signals in fiber networks without having to convert them back to an electronic form first, the scientists said. However, they emphasized that they are only involved in basic research, not the development of products.

Researchers at the Nanotechnology and Optical Instrumentation Laboratory in Troyes, France, also participated in the research, which was published in a paper in Physical Review Letters entitled ‘Surface Plasmon Characteristics of Tunable Photoluminescence in Single Gold Nanorods.’

—By Peter Sayer

Language | The Most Annoying Workplace Clichés

A new, value-added survey conducted by temporary staffing company Accountemps now gives heightened visibility to the most annoying phrases and buzzwords peppering mind-share sessions in corporates. According to the 150 senior executives polled, thinking outside the box is not something their peers do well, especially when it comes to using the English language. Apparently, the ability to speak in anything but clichés is not a core competency of even Generation X workers.

In an effort to adopt a win-win approach to work, managers and their direct reports alike end up communicating in what all but consultants and HR people would consider absolute gibberish. Cliché-usage is even rampant among those customer-centric employees who, one would think, would want a paradigm that would get them on the same page with normal humans, or at least achieve some sort of communicative synergy. Yet, at the end of the day, it turns out that they value alignment with bad language even more.

As for how to implement a solution to our language-based woes, or even an incremental improvement, Accountemps chairman Max Messmer says businesspeople should attempt to deploy a reality-based vocabulary with a heavy emphasis on specific details. While there are few metrics available that shed light on the ROI of descriptive verbiage, the well-chosen word — even when taken offline — goes far on the runway in terms of accountability management. And as Messmer points out, people who use buzzwords to clarify usually end up confusing everyone.

15 Most Annoying Clichés
As identified by the Accountemps survey:
1. At the end of the day
2. Solution
3. Thinking outside the box
4. Synergy
5. Paradigm
6. Metrics
7. Take it offline
8. Redeployed people
9. Core competency
10. Win-win
11. Value-added
12. Get on the same page
13. Customer-centric
14. Generation X
15. Alignment

—By Megan Santosus
Work-Life Balance | New Year’s Resolutions for the Global CIO

Having developers around the world may be good for business, but CIOs pay a personal toll. Because remote operations may be located up to 12 time zones away, the work week can stretch from Sunday night (as teams in Asia come into their offices) until Friday evening (when the US staff wrap up the work week). This schedule, combined with grueling travel demands, can pull families apart as professional responsibilities bleed into personal and social time. Ashwin Rangan managed worldwide technology teams for more than a decade as CIO of Conexant and as a senior manager at AST Research. He suggests six New Year’s resolutions for IT execs with global responsibilities:

1. Travel with your spouse. If your spouse joins you on an overseas trip at least once a year, he or she will better understand what you’re going through, as well as share in your cross-cultural learning.

2. Get comfortable. If your company pays only for economy class airline travel, use your frequent flier miles to upgrade to business class. If it pays for business class, upgrade to first.

3. Give yourself a break. Jet lag affects your judgment and your attention span, so keep a light schedule on the day you arrive at your destination.

4. Send someone else. Your key reports in other countries should also visit each other frequently to build their own connections and sympathy for one another. You don’t always have to be there.

5. Minimize off-hours work. When transcontinental conference calls are necessary, distribute the inconvenience around the globe. For half of the calls, you can have US teams come in early while the offshore team is at work, and you can schedule the rest during the US workday, when the offshore team stays late. Families on two continents will thank you.

6. Stay home. Limit your Sunday evening social engagements, and advise your direct reports to consider the same. If no work issues crop up offshore, you can have an evening with your family; if they do, your loved ones will forgive you more easily than your friends.

—By Gunjan Bagla
John Hagel & John Seely Brown  
Keynote
The Joy of Flex A loosely coupled approach to business processes and IT makes it much more possible for companies to innovate, both within and across enterprises.
M
ost of you are probably familiar with the concept of loose coupling since it is a key design philosophy underlying new generations of technology platforms. Loose coupling, for example, is necessary to deliver the flexibility promised by service-oriented architectures (SOAs). But the concept of loose coupling also holds tremendous promise in transforming how executives organize business processes, especially as they extend across global business enterprises. Many businesses today are organized along a very different model using tightly specified, hardwired management approaches. While this strategy has been responsible for delivering a great deal of operating savings to many companies, it makes improvisation difficult because changes in one area will cause unanticipated disruptions in others. As a result, such flexibility in business practices is often discouraged. Enterprises today are hardwired at two levels: IT platforms generally remain hardwired, and the business processes we manage on top of these IT platforms are also hardwired. Companies now have an opportunity to introduce loose coupling at both levels. The innovation of loose coupling will not only change how companies operate within the enterprise. A loosely coupled approach transforms how they collaborate and innovate across enterprises by enabling the formation of global process networks that can mobilize large numbers of highly specialized business partners to deliver more value to customers. For example, Cisco has created a global process network consisting of thousands of channel partners who provide everything from basic fulfillment operations to highly specialized consulting or engineering services to adapt Cisco’s networking products to
the unique environments of its customers. The partners in this network are loosely coupled and orchestrated by Cisco. This process network works because Cisco has developed standardized ways of specifying capabilities and performance requirements, and it familiarizes all the partners when they join the process network with its standardized vocabulary. This approach to defining standardized ‘interfaces’ for each module of activity makes it possible for Cisco to quickly assemble the right modules and ensure that the best qualified partner is assigned to each module. This is an example of loose coupling at the business process level. CIOs are especially well positioned to help the rest of the senior management team make the transition toward loosely coupled business processes. They understand both the technology and design principles needed to support such processes, both within and across enterprises.
The Advantage of Interchangeable Apps
Loose coupling begins with the notion of modularity, grouping activities into separate modules where the outputs can be clearly specified and where the activities in each module can be performed relatively independently without relying on activities in other parts of the application. For example, at the IT level, it makes sense to create a separate module for currency conversion in an order entry application so that introductions of new currencies can be handled independently without affecting the rest of the order entry procedures. The currency conversion module should be designed from the outset as a service that can be used by a broad range of applications — not only order entry but also procurement, expense report processing, financing and any other application — in a wide range of computing environments distributed around the world.
But modularity is not enough. Loose coupling also seeks to create standardized ways of describing the procedures or information contained within the modules. In the IT domain, this is one of the major advances of Web services technology; through the Web Services Description Language (WSDL), it defines a set of standards for creating documents that describe what a Web service offers, how it communicates and where to find it. Because these standards have been widely adopted throughout the technology community, we are now able to access a much broader range of modules or services. For example, the developer of a new app could quickly make use of the currency conversion module based on the information provided in the interface document and just as easily switch to another currency conversion module if it offered better functionality (say, more frequent updates of conversion rates).
Loose coupling is attractive on many levels. By making it easier to move modules in and out depending on need, it enhances flexibility.
For example, a loosely coupled IT environment might make it easier for an insurance company to access a novel, highly specialized algorithm that allows it to assess risk in certain categories of commercial buildings in a more rigorous way than a more general algorithm might. Hence, the company no longer has to rely on a single general purpose algorithm to cover all commercial buildings. Instead, it can use best-in-class algorithms for specific insurance categories and thereby manage its risk exposure more effectively.
Loose coupling is likely to be even more attractive in the long-term because of its role in enhancing innovation. To begin with, orchestrators of these systems can re-combine modules in creative ways to deliver distinctive value. For example, online stockbrokers are using loosely coupled IT architectures to bring together a rich array of specialized information in highly tailored ways to serve the needs of high net-worth investors. Investors need detailed information about the performance of their portfolios, as well as access to a variety of specialized third-party information — analyst reports, technical charts, company profiles, macro-economic data and so on — to make better investment decisions. SOAs enable stockbrokers to assemble a much broader array of resources for their investors so that stockbrokers can experiment with new ways of combining data and analytic techniques.
Innovation by re-combining modules is just the beginning. Loose coupling facilitates rapid incremental innovation within modules as well. By reducing interdependencies across modules, loose coupling makes it easier to experiment and improvise within a module without worrying about unanticipated disruptions in other parts of the system. In this respect, loose coupling at the IT level amplifies the potential for rapid incremental innovation through loose coupling at the business process level.
The Li & Fung Story
Given the limitations of hardwired approaches, it is not surprising that some companies have begun to develop an alternative strategy in designing business processes. One of the companies pioneering this alternative approach at the business process level is a Chinese company, Li & Fung, based in Hong Kong. Li & Fung is very well-known in the apparel industry, but surprisingly little-known outside this industry. Its customers are apparel designers who are located around the world. On their behalf, Li & Fung will orchestrate highly customized end-to-end supply chains starting with the sourcing of yarn or fibers and ending with delivery of assembled goods to specified retailer distribution centers.
This could involve bringing together dozens of specialized participants on a global scale to ensure that appropriate capabilities are brought to bear, for example, to produce high-end wool sweaters targeted at the European market versus synthetic-fiber slacks targeted at the U.S. market where a quite different set of companies might be required. This enormous flexibility is made possible because Li & Fung has assembled a loosely coupled process network of 7,500 business partners around the world. Li & Fung can orchestrate this complex and highly flexible network because it focuses on defining standardized ways of specifying outputs from each partner and leaves decisions on how to execute against the outputs up to each partner. For example, it provides a standardized way of representing color for the garments, but does not tell its partners how to produce this color.
At the IT level, Li & Fung is now deploying Web services technology and building an SOA extending across its entire process network to support its loosely coupled business processes. This kind of architecture is attractive for Li & Fung because it does not require its business partners to rip out existing technology and adopt a common set of technology platforms. Instead, each partner can use Web services standards to implement loosely coupled interfaces for their existing applications and databases and automate connections with other business partners in the Li & Fung network.
Using a loosely coupled management approach, Li & Fung has been able to compress cycle times across its global apparel supply chains from months to weeks, exceeding the performance of more hardwired competitors. In highly demanding, fast-moving industries like apparel and consumer electronics, loosely coupled approaches could not possibly succeed without delivering against aggressive cost, performance, quality and cycle time requirements. Li & Fung’s strategy is quite successful. It generates more than Rs 21,000 crore ($5 billion) in revenue and has grown at double-digit rates over many years. With only 5,000 employees of its own, Li & Fung generates about Rs 4.5 crore ($1 million) in revenue per employee. In an industry accustomed to razor-thin margins, Li & Fung is also quite profitable, with 30 percent to 50 percent return on equity.
Trust is Paramount
Effective loose coupling requires the formation of long-term relationships among business participants that are far richer than conventional transaction-based relationships. Loose coupling cannot work without significant investment in building trust-based relationships among participants. These business elements need to be woven together with technology elements to provide the foundation for shared meaning, trust, and orchestration, to develop and evolve.
So far, the loosely coupled approach to business process management has been implemented across the boundaries of enterprises in order to coordinate business processes spanning multiple companies. We expect that, over time, this approach will be applied to business process management within the enterprise as well. Hard wiring within the enterprise has given companies cost savings, but at the expense of flexibility. As companies see the performance benefits of loose coupling, they will want to embrace this approach within the enterprise to enhance flexibility there as well.
CIOs are naturally positioned to play a leadership role in helping companies to adopt and deploy these loosely coupled technology platforms. They would do well to start with business functions that have the greatest interaction with third parties (for example, sales and marketing, customer support, procurement and supply chain management). This completely flips the historical pattern of IT deployment that started within the centralized ‘glass house’ and eventually reached functions that dealt with external business partners and only in a very limited way touched business partners (for example, through EDI connections and Web-based portals). By tying IT architecture evolution to the most pressing current business needs, CIOs can mobilize support from their business colleagues for more ambitious architectural migration strategies. More broadly, CIOs can help non-technology line executives to understand the compelling benefits created by a loosely coupled design approach. In focusing on the business applications of loose coupling, CIOs have the potential to become major players in the next wave of innovation.
John Hagel and John Seely Brown are coauthors of a new book called The Only Sustainable Edge: Why Business Strategy Depends on Productive Friction and Dynamic Specialization. Hagel is a management consultant who spent 16 years with McKinsey & Co. Brown, the former chief scientist at Xerox, is now a visiting scholar at the University of Southern California. Send feedback on this column to editor@cio.in
Susan Cramm
Executive Coach
Share Power To Gain Control
Why CIOs should cede the what of IT to business executives and focus instead on the how.
Illustration by Shyam Deshpande
Who people work with is more important than who they work for, a Gartner EXP publication asserted recently. This statement is right on. Every time there’s an IT re-organization, too much emphasis is placed on structure and the unworkable extremes of centralization versus decentralization. Instead, CIOs should let IT’s organizational structure mirror that of the enterprise and focus their time on defining the decision rights — that is, who has the final say about key IT decisions — necessary for collaboration between IT and the business.
When determining IT decision rights, it’s wise to remember the adage: To gain control, you have to give it away. That same adage applies to raising children (“You have two choices,” parents say), and it works when you’re trying to cozy up to business partners while maintaining some semblance of IT order at the enterprise level. Too often in the past, IT — like a desperate parent — has tried vainly to get its business counterparts to ‘grow up’ without granting the necessary freedom. In many organizations, business executives have little authority over IT funding, priorities, sequencing and resources, and feel forced to establish shadow IT organizations and partner with vendors who have gone around the IT organization.
With one hand, CIOs attempt to limit business freedoms, while with the other, they try to finagle business counterparts into accepting accountability for value commitments. Since business accountability is out of whack with its authority, IT executives are in a constant state of frustration as they try to extract the desired behaviors from the business. CIOs find themselves operating like surrogate users and assuming business partner roles (for instance, developing strategy, selling initiatives, writing business cases, managing business change and reporting value realization).

IT DECISION RIGHTS: Play the Proper Roles to Do IT Right

| | The Business Executive’s Role: The ‘What’ of IT | The CIO’s Role: The ‘How’ of IT |
|---|---|---|
| IT planning | IT business initiatives, value projections, prioritization criteria | Target architecture, infrastructure strategies, sequencing criteria, decision rights |
| Project priorities | Business initiatives | IT initiatives |
| Service priorities | Service level objectives (SLOs) | SLO resource requirements |
| Project implementation | Timing: Stop, start, defer | Estimates and approach |
| Project management | (No role) | Skills, staffing, methods |
| Money | Budget authority for business initiatives | Budget authority for IT initiatives |
| Vendors/People | Selection from qualified candidates; performance evaluation over the end result | Standards and qualification; performance evaluation over the means |
| Technology | (No role) | Standards and guidelines |
| Compliance/Asset protection | Risk posture | Approach and resource requirements |

You will never achieve the partnership necessary for success unless you arrange decision rights to promote accountability from the business side. If you doubt the importance of this act, ask yourself why you never hear business leaders blaming the quality of their profits on finance or their people on human resources — yet their complaints about IT systems are commonplace. CIOs need to follow the lead of mature financial and HR organizations and delegate authority for the management of certain aspects of IT to the business, in line with competence and a commitment to follow the rules (that is, policies ensuring that the enterprise doesn’t suffer at the hands of individual interests).
A simple but elegant way to responsibly delegate IT authority is to grant the business the authority over the ‘what’ of IT while retaining authority over how IT is delivered (a concept shared with me by Jerry Gregoire when he was leading the Dell IT organization). This means that your business customers determine the IT-enabled business strategies and plans, set priorities and service requirements, allocate funding, approve vendors and people, and define risk postures. Meanwhile, IT retains the final say over architectures, technologies, infrastructure strategies, decision rights, IT initiatives, resource requirements, methods and tools, and the required qualifications for people and vendors. The idea is to transition from a custodial model of IT — that is, doing IT on behalf of the company — to a fiduciary model, in which you ensure that the company does IT right.
The determination of decision rights should be based on the maturity of the organization, within the business as well as the IT department. Although the majority of companies are not mature in their usage or in their management of technology, ‘IT Decision Rights’ above serves as a reference point.
There’s a good reason why business partners often try to go their own way with technology. Since they run the business, they want control over the major factors of production: Money, people and technology. Don’t fight this impulse; the business side should have appropriate control of IT. Delegating authority over the ‘what’ of IT to the lowest level practical provides the means for IT to expand its organizational impact. Once that happens, you can transition from being viewed as a roadblock to an enabler.

Reader Q&A
Q: Our government is undertaking a massive centralization, moving virtually all IT staff and management from 20 departments to a centralized, shared-services IT organization. Many of us believe that the individual departments, which conduct the business of government, should retain at least some IT roles and functions to facilitate strategic planning, to steward the business’ IT vision and to ensure that the new, centralized IT organization delivers the maximum value for the funding it receives. Based on the table in the article, what roles should a lean and mean department-based IT group hold?
A: You are right on target in your thinking. Assuming that the re-organization will result in few departmental IT resources, your role will become primarily one of planning, coordination and communication. As such, do the best you can to retain as many of the decision rights in the ‘business executive role’ column. It’s a matter of negotiation.

Susan Cramm is founder and president of Valuedance, an executive coaching firm in San Clemente, Calif. Send feedback on this column to editor@cio.in
Imaging by Binesh Sreedharan
The Global State of Information Security
By Gunjan Trivedi and Scott Berinato with Research Editor Lorraine Cosgrove Ware
A worldwide study by CIO and PricewaterhouseCoopers reveals a digital landscape ablaze, with thousands of security leaders fighting the flames. But amid the uncertainty and crisis management, there’s an oasis of strategic thinking.
Cover Story | Global Security
Every day it’s something else. Millions of personally identifiable records stolen. Intellectual property left on a laptop that’s gone missing. Corporate espionage rings that stretch from the United Kingdom to the Middle East and use IT to infiltrate companies. Phishing scams by the thousands: Puddle phishing, Wi-phishing, pharming. Then there’s spam and spyware, zombie networks, DDoS (distributed denial-of-service) attacks and session hijacking. Online auction fraud. Online extortion. We haven’t even mentioned good old viruses and worms, but those still work too.
To borrow from forestry parlance, information security is an escaped wildfire. And according to The Global State of Information Security, a worldwide study by CIO and PricewaterhouseCoopers (PwC), you are the firefighters, desperately trying to outflank the fireline and prevent flare-ups and firestorms. It’s a thankless, impossible business. In this environment, just holding your ground is a victory, and that’s what you’re doing.
This is the largest survey of its kind, with more than 8,200 IT and security executives responding from 63 countries on six continents. The data shows incremental improvement in the tactical battle to react to and fight off security incidents. At the same time, the data shows a notable lack of focus on actions and strategies that could prevent these incidents in the first place. There’s also a remarkable ambivalence among respondents about compliance with government regulations, a clear lack of risk management discipline, and a continuing inability to create actionable security intelligence out of mountains of security data.
Just 37 percent of respondents reported that they had an information security strategy — and only 24 percent of the rest say that creating one is in the plans for next year. With increasingly serious, complex, targeted and damaging threats continuously emerging, that’s not a good thing. “When you spend all that time fighting fires, you don’t even have time to come up with the new ways to build things so they don’t burn down,” says Mark Lobel, a security-focused partner with PricewaterhouseCoopers, “Right now, there’s hardly a fire code.” Lobel compares the global state of information security to Chicago right before the great fire of 1871. “Some folks were well-protected and others weren’t,” he says, but when the ones that weren’t protected began to burn, the ones that were protected caught fire too. Of course, with the survey’s thousands of pages of data and tens of thousands of data points, the overall security picture is a little more complex than “Everyone’s tactical; no one’s strategic.” Some respondents show signs of embracing a more holistic approach than others. So we’ll delve into one industry sector — financial services — as a best practices group that, while still struggling to put out fires, has devoted more time, resources and strategic thinking to its information security posture than the average respondent. We’ll also highlight some other encouraging numbers that suggest that more companies than ever are laying the groundwork for a more strategic information security department. In all, we’ll look at eight distinct cuts of the data from The Global State of Information Security. Use the data to benchmark yourself and to glean ways you can start to beat back the flames. Maybe even create a fire code so that if a cow does knock over a lantern, the whole city won’t burn.
Inside the Study
The Global State of Information Security, a worldwide study by CIO and PricewaterhouseCoopers, was conducted online. Readers of CIO and CSO (a CIO sister publication), and clients of PricewaterhouseCoopers were invited via e-mail to take the survey. The results shown here are based on the responses of more than 8,200 CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security from 63 countries. Indian organizations had a fair representation in the study with 206 respondents participating. The study’s margin of error is 1%.
The study represents a broad range of industries including computer-related manufacturing and software (11%), consulting and professional services (11%), financial services/banking (9%), government (9%), education (7%), health care (5%), telecommunications (5%) and transportation (2%).
Thirty-two percent of the executives surveyed reported total annual sales of less than Rs 450 crore ($100 million), while 17% reported sales between Rs 450 crore and Rs 4,499 crore ($999.9 million). 21 percent of the survey base said their organization’s annual sales exceeded Rs 4,500 crore ($1 billion), while 17% were nonprofit organizations. (12 percent didn’t answer the question.)
Fifty-four percent of the respondents held IT titles including CIO, CTO, vice president, director and manager while 10% were information security professionals. Twelve percent held CEO, CFO or non-IT director titles, while 24% listed ‘other.’
The Good News
Sowing the Seeds of Strategic Security
As information security gains more status in the organization, security improves.
It’s clear from the data that respondents spend most of their time in reactive mode: Responding to incidents, deploying firewalls, and dealing with everyday nuisances like spam and spyware. Ironically, the most common proactive step respondents take is to develop business continuity and disaster recovery plans. So even their proactive steps are investments in reactive measures.
Having said that, a few numbers did pop out that suggest that the foundation is being laid for a time when information security may become more strategic. This year, more companies employed security executives and focused on integration between physical and information security than in the two previous years.
“Organizations are now moving on from employing remedial measures to become technologically proactive to threats,” says Satish Warrier, head-information security, IDBI. “Enterprises are increasingly drafting security strategies to include both physical and information security,” he adds.
Security’s rising profile is most encouraging when you cross-reference the governance numbers with effectiveness. Those companies where the function resides near the top have a far better security posture than the average respondent. For example, only 37 percent of respondents said they have an overall security strategy. At companies with CSOs, that number leaps to 62 percent. Likewise, 80 percent of companies with CSOs also employed a CISO or equivalent, compared with about 20 percent overall.
“If risk management is a part of an organization’s structure, then the security framework will be articulated and defined to meet the governance requirements. With a risk management perspective, security executives look at both operations risks and business risks,” says Satish Das, CSO, Cognizant Technology Solutions.
Companies with an executive security function also reported that their spending and policies are more aligned with the business and that a higher percentage of their employees comply with internal information security policies. Companies with a security chief also measured and reviewed information security policies more than those without a security executive, and they were far more likely to prioritize information assets by risk level.
Resources are dialed up at companies with a security executive too. They averaged more full-time employees at their companies and higher budgets. They were almost twice as likely to have a security budget separate from the IT budget and, while they were equally likely to get additional monies for security from the IT department, companies with executive infosec leaders reported getting more money more often from other lines of business, such as legal, risk, and compliance and regulatory groups.
Companies that haven’t elevated the role outnumber those that have. But if companies that have elevated information security tend to act more strategically (and more companies are doing that), then it follows that information security is getting more strategic. It’s early on in the trend, but it’s a positive.

[Charts, 2003 to 2005: More executive attention is being paid to the security function. Panels: “We employ a CSO or CISO”; “IT and physical security report to the same executive leader”; “We have some form of integration between physical and IT security.”]

Where/to whom does your CIO or equivalent information security executive report?
CEO: 21%
CIO (with security dept. integrated with IT dept.): 18%
Board of directors: 12%
CIO (with security dept. independent of IT dept.): 8%
CTO: 5%
VP: 5%
CFO: 4%
COO: 4%
Security committee: 4%
Internal audit: 4%
Other: 4%
CSO: 3%
Risk management: 3%
Chief privacy officer: 2%
Legal counsel: 2%

The Big Picture
How does your organization fare against these global responses? Do you budget separately for security? Please write in to editor@cio.in to share your thoughts and insights.
Eyes Wide Open
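Surveillance World
The bigger the company, the more it watches its employees.
[Chart: Tracking workers’ information access is the hottest trend. Monitoring of employee use of Internet/information assets: in use in 2004, in use in 2005, deployed last year, a strategic initiative this year. 88% either monitor now or plan to in the coming year.]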
There’s a sudden and dramatic rise in companies monitoring their employees. The upsurge, part of a trend towards more surveillance both in public and in private, can be attributed to several factors. First, CISOs want to rein in instant messaging and other applications. Those apps not only sap employee productivity but they’re easy vehicles for intellectual property theft and other information leaks. Second, security execs need to put down rampant spam and malware — feral creatures that often get into networks through unauthorized usage by employees and knock systems offline, slow down overall network performance, spread viruses and open up the network to further attacks. Third, they want to shield the company from liability when employees use peer-to-peer networks to download copyrighted material, such as movies and music. And finally, there’s the evergreen insider threat. Thirty-three percent of all infosecurity attacks originated from employees, with another 28 percent coming from ex-employees and partners.
In short, the only way security chiefs believe they can control the technologies that their employees use is to watch what they do with them. That’s why 88 percent of respondents either have monitoring in place or plan to by year’s end. It follows, too, that bigger companies have more to monitor and more resources to do it, and hence will monitor more.
[Chart: Percentage of companies monitoring workers, by number of employees (1–1K, 1K–20K, 20K–150K, >150K), 2004 and 2005.]
Ironically, PwC’s Lobel points out, it could be the unintended consequence of another, positive trend that’s helping nurture the monitoring culture. “With more and more security organizations reporting outside of IT, they really don’t integrate day in and day out with the folks rolling out the systems,” he says. That is the trend. More companies have information security reporting to the CEO or other departments, and more are integrating it with the physical security function. Currently, the only way to combat that disconnect between who’s deploying the applications and who’s securing them is to monitor. “In fact,” says Lobel, “the less security reports to IT, the more you’ll need this watchdog function.”
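Defense Mechanism
Companies are still investing in technologies that shore up networks and applications.
[Chart: Security Safeguards: Technology. What security safeguards does your organization have in place? Items: deploy reduced or single sign-on, deploy network firewalls, deploy secure remote access, deploy encryption technology. Regions: North America, South America, Europe, Asia, Middle East.]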
Companies continue to invest in the fundamental technologies that strengthen networks and applications. Respondents most frequently listed data back-up (84%), network firewalls (82%), user passwords (80%), application firewalls (70%), and network security tools (61%) as the safeguards they had in place. Newer technologies such as biometrics and advanced access level tools and encryption are gaining popularity.
Indian organizations are a mixed bag when it comes to technology adoption. Technologies in the financial, telecom, pharma and IT/ITeS sectors are on par with global deployments. Other verticals such as manufacturing or retail are still implementing and stabilizing their enterprisewide transaction-level applications. These verticals are yet to go beyond basic security technologies, such as AVs, firewalls and IDS. “The Indian market is behind mature economies in terms of investment in security technologies, stringent process and creating awareness across the organization,” says Harish Shetty, Vice President – Information Security, HDFC Bank.
Compliance? What’s That? The majority of information security executives range from ambivalent (at best) to downright dismissive (at worst) about the intentions, effect and pertinence of security regulations.
One PwC analyst called these numbers scary, but which is scariest? Is it the comparatively low number of respondents who are in compliance? Or the shockingly high number of respondents who cop to not complying even though they know that they have to? Or could it be the startlingly low number who believe that the regulations apply to them? These numbers represent the respondents not only in the developing economies but also in countries, such as the US, where regulations are stringent and pervasive. Interestingly, just 11 percent of respondents said they needed to be in compliance with California’s SB 1386 law, which mandates that companies report breaches of personal data to consumers. Any company that has even one customer in California (US) must comply with the law. Similarly, more than half said they didn’t need to comply with Sarbanes-Oxley, and four out of ten respondents in the health care industry said that the Health Insurance Portability and Accountability Act (HIPAA) didn’t apply to them, which seems impossible on the face of it. Of the companies reporting from Europe, 45 percent of the respondents said that they
Safe Deposits The financial services industry takes care of security business better than the rest of us. Learn from their best practices.
| Measure | Overall | Financial services |
| --- | --- | --- |
| Security budget as a % of IT budget | 13% | 12% |
| Budget<$50,000 | 42% | 21% |
| Budget<$1 million | 10% | 21% |
| Budget will increase this year | 47% | 58% |
| Employ a chief privacy officer | 17% | 26% |
| Employ a CISO or CSO | 34% | 51% |
| Have an overall infosec strategy | 37% | 57% |
| Less than 50% employee compliance w/policy | 30% | 17% |
| Policies not aligned w/business | 21% | 7% |

Full-time security employees (mean number): for all respondents, 30; for financial services, 46.
needed to comply with the European Union Data Privacy Directive. Only forty-one percent are in compliance. Closer home, India has mandatory sector-specific compliance regulations, like RBI’s core banking guidelines for the banking sector, but not pervasive laws mandatory for companies across all verticals to be compliant with. The IT Act, 2000 and other regulations lack teeth. “Unless the regulations are mandatory, organizations will not accord them top priorities,” says Warrier of IDBI. Apart from enterprises in certain verticals, companies don’t fear any serious repercussions for not complying with the regulations, either because the mandates are too vague to really be enforced or the regulatory agencies aren’t devoting resources to enforcement. Supporting the ‘lack of teeth’ theory is the fact that only a third of respondents reported having compliance testing in place, and only a quarter link their security organization to the compliance group. Nevertheless, organizations are increasingly focusing more on following best practices. If getting compliant to leading industry standards such as ISO or BS standards fuels business growth,
The financial services sector has long been presumed to practice superior information security, largely because of the preciousness of its assets (money) and the fact that its business is carried out almost entirely on IT systems. The stakes are higher, the risks are higher, so the information security protection must be higher too. To an extent, the data supports the idea that companies in the money business tend to be more strategic and more secure than the rest of us, and, it turns out, even more confident. Another factor that helps financial companies excel is that they tend to be bigger, and bigger companies usually have more resources. (Then again, bigger companies often have a harder time with governance, and financial services companies, by this data, show strong organization.) But, we chose the financial services sector as a best practices group for several other reasons. The stakes are fiercely high in a business shooting huge sums of money around IT networks. Also, financial services companies already use risk models, ROI and other strategic tools in other parts of the business and have begun to apply those same tools to information security. Finally, the financial community knows regulations and has for a long time. When it comes to information security, the financial services industry is in a position where everyone else is headed. The differences between that place and the place most people
No-Compliance Zone: Fewer companies than expected are following new government rules.
[Chart: What is your compliance with the following U.S. regulations? Regulations shown: California SB 1386 (U.S. respondents), Sarbanes-Oxley (U.S. respondents), HIPAA (health-care respondents), Gramm-Leach-Bliley (financial services respondents). Responses: Need to be; Need to be and I am; Need to be and I am not.]
Regulations’ effect on spending: No effect 43%, Increased 34%, Don’t know 19%, Decreased 4%.
Regulations’ effect on effectiveness of information security: Increased 46%, No change 39%, Don’t know 10%, Decreased 5%.
are today is pronounced. Start with money. Financial services companies have bigger security budgets, but not necessarily bigger vis-à-vis the overall IT budget. To whatever extent these companies are more secure than the average company, that superiority can be attributed to more efficient spending, and spending on strategic planning, not technology. One simple example of this is investment in network firewalls. It was the fifth most cited strategic priority for this year with all respondents, but it doesn’t even make the top 10 with financial services companies. Ditto for data backup, which is number three overall but not on financial services companies’ radar. These companies have these important technologies in place but also seem to have shifted priorities, perhaps understanding that more technology doesn’t mean more security. (The one type of technology financial services companies do seem to be investing in is identity management — not surprising as a reaction to the ID theft epidemic). “Security strategies are no more in silos, and are looked at more comprehensively with well-coordinated efforts across the organizations,” says Shetty. On the other hand, the banks were far more likely to have listed compliance testing as a priority for next year compared with the overall respondent base. The need to get compliant to either mandatory regulations or industry standards also drives information security adoption in financial sector organizations.
enterprises are making efforts to get certified to the same. “Figures reveal that a large number of BS7799 certified companies are from India. This means that if business needs it, people will go for it. Government is also trying to optimize the laws to fill up the possible gaps in the regulations affecting personal data and information,” says Sivarama Krishnan, Associate Director, PwC. But the point remains: The negative attitude toward regulation (only half of respondents believe it has increased the effectiveness of information security) indicates that they haven’t had the intended effect, at least on information security.
“For PSU banks, Reserve Bank of India is the final authority. Its guidelines or regulations are mandatory and our security strategies revolve around the same,” points out V. Babu, Deputy General Manager – IT, Bank of India. And just because the financial companies seem to be more strategic doesn’t mean they shy away from using threats to justify investments. While financial companies are slightly more likely to use ROI and contribution to business objectives as justifications for security investments, they are still far more likely to rely on legal and regulatory requirements, liability and revenue impact to justify their investments. Interestingly, half of all financial services respondents said “common industry practice” was one justification for security investments — suggesting either some level of information sharing amongst companies in the industry, or at least a copycat culture where many security executives try to keep up with the security leaders. One area in which the financial services sector doesn’t seem to outperform the rest of the respondents is integration with physical security practices. Watching the year-over-year numbers this year will be important given the number of high-profile data thefts that used physical security weaknesses — or at least the disconnect between the information security practices and physical security practices — to gain access to personal records.
So Many Breaches, So Few Insights When it comes to malicious activity on their network, information security executives have more information than ever, but that doesn’t mean they know what to do with it.
The numbers on data breaches are unsettling. First, 47 percent of respondents report damages as ‘unknown.’ This suggests that respondents have neither the time nor the means to truly calculate losses from a breach, or if they considered the attacks minor, they didn’t bother. The increased sophistication of attacks during the past year could also contribute to the rising ‘unknown’ group.
The more complex attacks hit more complex targets. Take the hypothetical identity theft of 1,000 customer records. Many experts are concerned about ‘deferred loss identity theft’ wherein thieves sit on stolen identities for months or years until victims believe the danger has passed. It’s hard to put figures on potential outcomes like that. Other ‘unknown’ responses get one’s attention too:
‘Unknown’ showed up in survey responses as the second most prevalent attack type, the fourth most common attack method and the third highest attack source. Plus, data or material damages trail only firewall and IDS logs as the means of discovering attacks. In other words, information security professionals most often react. They learn of attacks after the damage is done. And often once the
The Great Unknown
Security executives still have trouble identifying who is attacking them, where the attack is coming from and how it’s being done. After crore have been spent on security defenses, the number of reported incidents remains steady, and information security executives know less than ever about the damage the incidents cause.
[Charts, 2003 to 2005: Percentage who said they had incidents (0 incidents, 1–9, 10–49, 50–499, 500+); percentage who said they had damages ($0 damages, <$10K, $10K-$100K, $100-$500K, >$500K).]
Executives often don’t know how they have been attacked, or where they’ve been attacked from, or who’s attacking them.
[Charts: Top five attack types (Malicious code, Unknown, Unauthorized entry, Denial-of-service, Trafficking in illicit data/materials); top five attack vectors (E-mail virus, Known OS vulnerability, Abused valid account/permissions, Unknown, Known application vulnerability); top five attack sources (labels shown include Unknown, Hackers, Employee, Other/Don’t know, Former employee, Customers).]
[Charts: Top five bearers of bad news: How did your organization learn of the attacks? (Firewalls/log files/IDS, Data or material damage, Alerted by colleague, Alerted by customer, Managed service provider). Who do you tell? Contacted as a result of attack (No one, Customers, Partners/Suppliers, Consultants).]
This Year’s To-Do List: Respondents identified their top strategic priorities for this year. Here are the 10 most common answers.
events happened, they couldn’t figure out what it was, where it came from, or who did it. CIOs, CISOs and CSOs have gotten quite good at collecting and logging events on their networks — organizing their haystacks — but haven’t been able to reliably turn all that data into intelligence — efficiently finding the needles before they are pricked by them. A long-term strategic goal of all information security departments should be to reorganize so that they work as an intelligence unit rather than just a data collection unit.
1. Disaster recovery/business continuity
2. Employee awareness programs
3. Data backup
4. Overall information security strategy
5. Network firewalls
6. Centralized security information management system
7. Periodic security audits
8. Monitoring employees
9. Monitoring security reports (log files, vulnerability reports and so on)
10. Spending on intellectual property protection
This list further reinforces the reactive nature of information security. Awareness programs often score high as a strategic priority because they’re relatively low-cost. One should expect number 10 on this list will shoot up in priority next year, given the steady stream of identity thefts and other major information crimes.
Follow The Money...Please! Information security is getting more money, but exactly how much and from where isn’t always clear. A full fifth (22 percent) of information executives who responded said they didn’t know how much their companies budget for infosecurity. More signs of a lack of proactive, strategic focus. Not good. Good news: The information security function can shake some money out of other departments’ pockets to supplement its own appropriations. The larger companies are most guilty of not tracking their spending well. About 40 percent of the 1,700 companies with Rs 22,500 crore ($5 billion) in revenue or more said they didn’t know their information security budget. Bigger companies, with more divisions, might have a harder time pinning down all the monies devoted to information security. In fact, the bigger companies reported much higher usage of money from other departments for security than smaller companies did. Many bigger companies also have integrated information and physical security, making their information security budget a less distinct entity. “This is a growing trend. The moment you see a certain percentage of the operations budget has been earmarked for security, you know that there are certain initiatives that an organization has planned for,” says Das of Cognizant. “With the process owners taking ownership, security is considered as a necessary value-add to the business and is computed with the TCO and ROI of the initiative,” adds Krishnan of PwC.
However, this kind of departmental-budgeting approach is yet to find major acceptance. “It’s far more common to find the budgeting model of having charge-backs on business units rather than on departments for necessary usage in Indian enterprises,” says Unni Krishnan T. M., CTO & Customer Care Associate, Shopper’s Stop.
Where the Money Comes From: One-fifth of respondents have no idea.
Where, besides the information security budget, does money for information security come from? IT 58%; Don’t know 22%; Finance 19%; Compliance/Regulatory 19%; Other LOBs 18%; Risk dept. 15%; Legal 13%; HR 10%; Marketing 10%.
Information security budget as a percentage of IT budget (2005, 2004, 2003): 13%, 11%, 11%.
Is your information security budget part of your IT budget or separate? Part of 84%; Separate 16%.
Send feedback on this feature to editor@cio.in
View from the Top
Azim H. Premji, Chairman, Wipro, says CIOs must combine vision with an operational drive to translate strategies into effective solutions.
A Passion for Excellence
By Balaji Narasimhan
Under Azim H. Premji’s leadership, Wipro has grown from a fledgling Rs 9 crore hydrogenated cooking fat company to a Rs 8,000 crore organization serving customers across the globe. Premji firmly believes that ordinary people are capable of extraordinary things and he’s of the opinion that creating highly charged teams is the key to this.
CIO: What role has IT played as Wipro changes and evolves as an organization?
View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.
Azim H. Premji: Wipro has used IT strategically to address the rapid scaling-up of the organization. Five years ago, standardization on a single ERP platform was the first step towards this direction. The adoption of an Employee Self-Service portal around the same time was an important milestone for us. It enabled us to handle the issue of the rapid increase in the employee headcount: In one stroke, we were able to eliminate paper-based processes and to crash cycle-times of employee services. I would say that without the strategic
deployment of IT, we would have struggled to cope with our pace of growth and to drive operational efficiencies. We have managed change by involving all key business stakeholders in both crucial IT decisions and their implementation.
Did you face mindset issues while integrating IT into a brick-and-mortar enterprise?
One factor that works in our favor is that we provide enterprise-scale IT services to our own clients. Hence the orientation to use IT is pretty high. We have not had any major issues of resistance to IT systems.
Photo by Srivatsa Shandilya, imaging Binesh Sreedharan
How has Wipro used IT to build a strong foundation as you pursue excellence?
We use IT in all facets of our business and IT is a key enabler of our strategic objectives. The success of all our major initiatives in excellence like Six Sigma, SEI-CMM and PCMM have depended heavily on corresponding automation programs. Starting from ‘Prospect Management’ right down to ‘Accounting and Reporting’, we have IT systems driving all our business processes.
Going forward, our strategies for growth cannot succeed fully without the parallel scaling-up of IT systems.
How do you then define the success of IT projects?
That is ultimately determined by the extent of usage of the application by the users. While formal measures like Schedule and Cost overruns measure project-management skills, the value of an IT project is realized only over a period of time. I would say that if an IT application is used effectively by the majority of users for a minimum period of three years, it is a success.
Wipro runs on IT. What is your personal level of excellence for CIOs?
CIOs must be as savvy about the key drivers of business as they are of IT issues. CIOs must combine long-sightedness and vision with a strong operational drive that translates vision into concrete and effective solutions.
CIOs must have the wherewithal to engage with key stakeholders in the organization and manage change over sustained periods of time. CIOs must have outstanding people skills.
Does the Indian industry give credence to Business Intelligence? Is it the key to CIO ascendance?
The Indian industry has probably just woken up to the potential of Business Intelligence (BI), but we are already a few years late. We embarked on a major BI initiative last year and invested in world-class systems. Effective BI or the lack of it can be a crucial differentiator and the CIO has to play a central role. The automation of transaction systems is relatively easy and the real challenge is in doing BI well. This separates the boys from the men.
What is your involvement with CIOs at Wipro?
I personally review the annual plan of the CIO group and thereafter review the progress every quarter and sometimes more frequently. I ensure that all key business priorities get addressed by the CIO’s group and step in for decisions related to funding.
Do boards consider CIOs important? Do CIOs get adequately discussed at that level?
The strategic importance of IT has increased manifold in the last decade and has moved into the radar screen of most boards. While the dot com boom (and the subsequent bust) had its negatives, it also helped create a widespread awareness of the pervasiveness of IT. It brought IT to boards’ attention and there has been no looking back.
“CIOs are required to balance strategic perspective with strong execution skills. This qualifies them to ascend to the board.”
In your mind, is an Indian CIO’s role driven by initiative or by the board?
As of today, the Indian CIO’s role is still initiative-driven but it is just a question of time before it becomes board-driven. What will push this is the increased globalization of Indian companies, more ambitious growth targets and a need to comply with corporate governance norms like Sarbanes-Oxley.
Do you see CTOs moving into a CIO role?
CTOs can move into a CIO role provided they balance their strong technology capabilities with a robust understanding of business concerns. A CIO’s impact is much larger as it affects all levels of the organization. A CIO’s role requires very strong communication and people competencies. CTOs who measure up to this can definitely move in.
Do you see CIOs ascending to the board? What skill-sets would they require for this?
The CIO’s role by default requires him to have a horizontal view of the entire organization. He needs to combine technology-savvy with a robust perspective of how business is run and what its key drivers are. There are many examples of successful CIOs who have a track record in sales, operations or finance and vice versa. A CIO’s role requires him or her to balance a strategic perspective with strong execution skills. This qualifies them to ascend to the board.
Is there place for a supraCIO in a multi-SBU organization like Wipro?
There is no standard formula and each organization has to work out its own best solution. A federated structure works well when there is a strong, central IS organization that sets policies, drives standards and runs the governance model but there have to be local execution teams to shorten implementation cycle-times and provide flexibility. A supraCIO is a good idea but he should be supported by strong SBU-level IS heads — without which he may not be very effective.
How do you choose, at an SBU-level, which technology initiative to fund?
Several of our technology initiatives are common across SBUs — from the point of view of standardization, we try to keep things common across. However, a decision to fund an SBU-specific initiative is made based on a formal ROI or benefit analysis and on whether that initiative’s footprint can be extended to other areas of the organization. We also fund initiatives for solutions that are unique to a particular industry-model.
CIO Special Correspondent Balaji Narasimhan can be reached at balaji_n@cio.in
The Four (Not Three, Not Five) Principles of Managing Expectations
CIO Joe Eng set new performance standards for his IT department, negotiated technical requirements with demanding business partners, calmed nervous end users and built a multi-million dollar global network by following four simple principles
By Allan Holmes
Reader ROI:
Why managing expectations for an IT project is critical
The differing concerns of senior executives, company employees and customers
Principles for defining and managing expectations
The worst day in Joe Eng’s career was the day he told his CEO that his company’s most important IT project — a Rs 2,250 crore ($500 million), state-of-the-art global network that is among this decade’s most important IT initiatives in the financial services industry — would be three months late. Eng is CIO of the Society for Worldwide Interbank Financial Telecommunication (Swift), a financial industry-owned cooperative that supplies messaging services and software that most
Leadership
Photo by Claudio Vazquez
Swift CIO Joe Eng balanced competing demands from company executives and customers through constant communication and negotiation.
of the world’s banks use to send trillions of dollars in financial transactions daily. In February 2003, Eng and his team were testing the backbone of SwiftNet, the new network. With only a week before the two-year rollout of SwiftNet was scheduled to begin, the network monitoring software was not working reliably. Fixing the problem would take a few months. Eng’s boss, Swift CEO Leonard Schrank, had to know. And so Eng called Schrank at headquarters in Brussels with the bad news. Schrank was incensed. The last time Swift replaced its network, in the 1980s, the project was years late, and Swift’s banking customers hadn’t forgotten. What would they think now?
“The problem had a very visible repercussion,” Schrank says. “This was like delaying a space shuttle launch, with all the political pressures.” Eng endured Schrank’s grilling. But the pain was short-lived. By the end of the 10-minute call, Eng had explained the problem, offered a solution and reset Schrank’s expectations for when SwiftNet would be ready. He would do the same thing a few weeks later, when he was called on to repeat the story to Swift’s board of directors. Three months later, with SwiftNet fixed, the rollout began, just as Eng had promised. Eng’s encounter with Schrank may have been his most difficult moment, but there were many instances during the six-year project when Eng had to define — and then redefine — what he would deliver
and when. For many CIOs, their toughest challenge is managing the expectations of senior executives, end users, IT staff and employees across the company, and the failure to address constituents’ expectations undermines CIOs’ credibility. In fact, expectations management can define whether or not your IT department is successful. (‘Managing expectations’ is one of five must-do items identified by CIO’s editors.) In Eng’s case, Swift IT staff, business leaders and its 7,800 shareholders (who are also Swift’s customers) all had their own ideas about what SwiftNet should be. Eng couldn’t possibly accommodate everyone’s demands, or predict every problem that might crop up. But he could be prepared to deal with them. Eng knew that managing expectations for SwiftNet would require frank communication, creative planning and deft diplomacy. He devised a strategy that included training internal IT staff and other employees about SwiftNet and its goals, providing choices to customers without compromising standards or efficiencies, and satisfying board members and executive staff within defined parameters. “I understood that the project had to do with understanding the stakeholders and what their needs were and being flexible enough to meet them without straying too far off course,” Eng says. “It’s a sensitive balancing act.”
A High-Stakes Project
SwiftNet was no minor upgrade. It represented a multi-generational advance in telecommunications technology that the global financial industry required in order to operate in the future. Global competition means banks need to close financial transactions in near real-time (rather than waiting days sometimes) and to offer new network-based services. Swift provides the primary messaging and transaction network that makes international finance possible. Swift’s 7,800 customers in 200 countries generate millions of messages daily in order to conduct trillions of dollars in transactions. These transactions range from the simple, such as exchanging foreign currencies, to the complex, such as clearing securities trades. Swift’s legacy network, built on 1980s X.25 technology, was an aging, albeit dependable, workhorse. But manufacturers who supplied hardware for the network were closing out production of their old products. Furthermore, the cost of maintaining the network, at nearly Rs 270 crore ($60 million) a year, was increasing — costs that were passed on to customers. Most importantly, financial institutions wanted new messaging services that would allow them to offer Web-based products to their customers, decrease financial risks and lower their operating costs. One service the banks wanted was instant messaging that would alert them when a transaction was completed. Other customers, including John Galante, CTO with JPMorgan Worldwide Securities Services, needed more bandwidth to deal with a growing volume of securities trades.
The project had numerous risks, not the least of which was that any malfunction of SwiftNet during the migration would disrupt transactions and cost customers money. “The biggest challenge was how do we do this conversion while we support the ongoing business,” says Galante. Mistakes held the potential to bring international finance to a halt. “If SwiftNet were down a day, we would have a worldwide crisis,” says Mike Fish, deputy CIO for Swift. Swift executives worried that any major failure would encourage customers to abandon SwiftNet for Internet services offered by telecommunications vendors. Eng knew, however, that conflicts and problems were inevitable. “I knew [managing expectations] was going to be my number one job, and I needed help,” Eng says. He found it in a set of four principles for ensuring that everyone understood what they had to do, what IT would deliver, and when.
Principle #1
Define Expectations Internally Eng set as his first task making sure his staff understood why new messaging technology was needed and how they would approach designing, building and deploying it. Previous projects, including the last network upgrade, had fallen short because the IT staff spent too much time debating technologies and approaches to development. Eng assembled a cadre of senior and middle managers from throughout the company whom he thought employees admired and trusted. If these managers bought into a common approach to the project, the staff would take their cues from them. The debates about technology and deployment strategies would be minimized. “I needed these vanguards out there in the company selling the idea of change because I spent a lot of my time working with executive management, the board and customers,” Eng says. “[And] I just didn’t have the time.” Eng is an Apollo mission buff and an avid reader about the subject. The astronauts in the Apollo program, as portrayed in Tom Wolfe’s 1979 book, The Right Stuff, had developed strong communication skills, along with an ethic of teamwork and trust. Eng sought to replicate their camaraderie, and so, working with Swift’s human resources director, he devised a leadership training program (which he called The Right Stuff) to impart the necessary skills to his management team. In keeping with The Right Stuff theme, Eng borrowed the famous line, “Failure is not an option,” from the 1995 movie Apollo 13. The IT shop adopted the line as its motto, and it soon became a guiding principle within Swift. The expectation was set: When problems cropped up, the IT team would manage them and learn from them without letting the project get derailed.
On past projects, there had been little collaboration within the IT department or across Swift’s business functions, so Eng sent his first class of trainees (mostly those decision-makers involved in the design, architecture and operations of SwiftNet) to NASA to learn teamwork. At the US Space and Rocket Center in Huntsville, Ala., they rode in a space shuttle simulator for a team-building exercise, and NASA staff taught Swift managers how to make decisions quickly. Astronauts Wally Schirra, Dave Scott and Alan Bean told the group about trusting their colleagues.
The class returned to work with a plan for building a cohesive project management group by creating flexible teams for design, operations and testing. The managers also reworked the way Swift’s IT department measured performance. Rather than measuring the amount of time spent on specific tasks, managers would measure the results of the work. The Right Stuff group also instituted town hall meetings twice a year at locations worldwide, where speakers from across the company helped allay fears that SwiftNet would not deliver the services users needed or that the IT staff was out of touch with those needs. “What this did was narrow and align people’s expectations to a common set,” says Eng.
Principle #2
Establish Rules of Engagement
Eng knew that if he tried to satisfy too many stakeholder requirements for SwiftNet he would end up with a mess. Most customers felt strongly that they needed everything they wanted, and they expected Swift to accommodate them. Rather than debating every idea with every customer, Eng decided to develop SwiftNet through pilots with a subset of representative customers. Whatever functionality was built into the pilots became the basis for SwiftNet’s requirements. The pilot customers understood what to expect from the system because they had been involved in deciding what they would get. They could then effectively manage the expectations of other customers by becoming public supporters of the system they helped build.
For example, Eng and his team used the pilots to determine which platforms SwiftNet would support. They settled on three platforms that would accommodate the largest percentage of customers while keeping the system cost-effective: Sun Solaris, IBM AIX and Windows (for smaller banks). By standardizing on these platforms, Swift was able to oblige 80 percent to 90 percent of its customer base. While Eng had never promised to support everyone’s legacy systems, that didn’t stop customers from lobbying for their unique platforms. “They came in waves,” Fish recalls. “At meetings, there were people pulling board members and our people aside to say, ‘Hey, I know you can’t include everything, but we have a VAX. You have to make it work with that too.’”
Pressure to add requirements also came from within Swift, as the marketing and sales staff pushed for services they could sell to customers. Eng managed all of these requests by using a standard process for determining ROI. The litmus test for a requirement was whether it had a positive ROI for the customer. If it didn’t, Eng’s staff would point out the requirement’s downsides, and most customers would agree that the consequences were not worth the effort. Another argument Eng and his staff employed was to explain that the requirement could not be done technically or within the given time frame (he might agree to put off the requirement for a later release). The bottom line was that the new messaging services had to benefit the vast majority of the banks. “I would say: If you can show me how to justify it, then we’ll do it,” says Eng. Using this approach, Eng and the IT staff settled on the services and messaging capabilities the new SwiftNet would offer.
January 15, 2006 | REAL CIO WORLD
Principle #3
Deal with Doubters
The CLS Group, a foreign exchange service based in London and one of Swift’s bigger customers, was one of the participants in a SwiftNet pilot. As the day approached to launch the pilot, CLS executives were getting nervous. Testing of SwiftNet had produced the inevitable bugs and glitches, and CLS began to second-guess whether the network would be as reliable as Eng had promised. They weren’t even sure who exactly was responsible for setting up interfaces between CLS’s platform and SwiftNet — Swift or CLS’ operating systems vendor, IBM. CLS executives wanted to clarify responsibilities for the project, so they asked Eng to meet with them and IBM. “There would have been no second chance if it could not be shown that the end-to-end system worked effectively,” says Rob Close, group CEO at CLS (he was then the chief operating officer).
To prepare for the meeting, Eng asked the project manager and technical director to find out whatever they could about how IBM viewed its role in the project. He also made himself aware of the source of the confusion (a disagreement about what was causing the problems during testing — IBM’s application or SwiftNet’s difficulties interfacing with IBM). “I didn’t want to be surprised, and I wanted to be honest and stick to the facts,” Eng says. After numerous meetings, Eng clarified Swift’s and IBM’s responsibilities for the deployment. CLS executives were satisfied. “Joe showed a sense of pragmatism and goodwill to find the way forward in what otherwise could have been a difficult circumstance,” Close says.
Principle #4
Not Everything is Negotiable
Finally, in the summer of 2003, SwiftNet was ready to roll out, and Eng came face-to-face with an expectation from customers that was non-negotiable. He had to meet the deadline for deployment. Eng had wanted to recapture the time he lost earlier in the year, when he was sidetracked by the network management glitches, as well as build in time to deal with complications. To compensate, he wanted to move the completion date for the rollout from December 2004 to mid-2005. He was concerned that Swift’s largest users would need 18 months to migrate to the new system. Banks had to follow a complicated process to migrate to SwiftNet that included deploying a pilot before they would be ready for full operation.
But slowing down the rollout wasn’t an option, according to Y.B. Yeung, head of information technology in the Asia-Pacific region for Hong Kong & Shanghai Banking and a member of Swift’s board of directors. “Any delay would be a sign that Swift was not meeting customer demand,” says Yeung, who chairs the board’s technology and policy committee. Galante adds, “Holidays, planning for disaster recovery, regular system upgrades, took time. If anything, we wanted to go faster.”
Eng went back to his staff with the message that the deadline was not moving. Within two months, Eng presented a new deployment plan that both met the deadline and addressed his concerns that banks have enough time to get the migration right. Eng’s original plan was to assign countries to “windows,” in which Swift’s smaller customers in each country or region had a set time to migrate to SwiftNet. Large customers had their own migration schedules. To make up for lost time, Eng devoted additional resources to quality assurance before the migration began. In addition, his staff found ways to add the large customers to each country window or overlap the beginning and end of each window so that more banks were migrating at a time. To simplify the process for ordering services, Eng’s team created an online application for customers to place their orders. The migration was completed on time, with no notable problems, according to Yeung.
Yeung gives Eng high marks for his responsiveness to customers. “He says, ‘I hear what you are saying,’ and then he goes back and sees if there are ways to meet your needs. That way he [is] innovative in identifying solutions.” In other words, Eng and the IT department succeeded and earned credibility by effectively managing stakeholder expectations. CIO
Allan Holmes is Washington Bureau Chief. Send feedback on this column to editor@cio.in
Share Your Opinion
How tough do you find managing the expectations of senior executives, end users, IT staff and employees? Please write in to editor@cio.in to share your thoughts and insights.
Haazir Ho Present yourself
Several courts in India are video conferencing with prisons to ensure quicker and safer trials. The technology, while also saving the exchequer crores of rupees, has revealed more benefits than meets the eye.
By Balaji Narasimhan
Illustration by Shyam Deshpande
Justice delayed is Justice Denied
According to the National Human Rights Commission (NHRC), as on June 30, 2004, 336,152 prisoners were crowded into jails across India. An overwhelming 239,146 of them — accounting for over 70 percent — occupy the shadowy world of the undertrial. Undertrials find themselves between a rock and a hard place. Not yet sentenced, they cannot start the process of getting out of jail and most are too poor to make bail. While only about two percent of those processed through the criminal justice system are finally convicted, undertrials face incarceration while they wait for a hearing. As a consequence, India’s jails are now overcrowded to almost thrice their capacity, which means inmates in some jails sleep in shifts.
Reader ROI:
How a straight-forward technology like video conferencing can deliver quicker justice
Why undertrials are among those who benefit the most from video conferencing
Why video conferencing can save a government more than travel costs
e-courts
Illustration caption: Telgi, a criminal whose blood many want spilt for crimes that implicate people in the highest rungs of the government.
Many undertrials continue to languish in jail only because the justice system, burdened with logistical problems, is unable to give them a hearing. The only way out was to radically change the way that undertrials got a hearing. Employing video conferencing to link prisons and courts was a brilliant idea. But the presumption of failure could have been overwhelming since e-governance projects are associated with high costs. And unless departmental buy-in is secured, a project is normally destined to be categorized, tagged, bubblewrapped and shelved — to remain a file forever. Fortunately, none of these affected video conferencing adversely. Video conferencing is a not-so-high-cost and relatively simple solution to facilitating people’s appearance in court. Its first implementation, in Andhra Pradesh in 2000, cost a mere Rs 1.5 lakh. Karnataka soon followed suit. The road to video conferencing in courts was paved by the Supreme Court in 2001, when it authorized the technology’s use. The judgment settled matters: Any resistance to buy-in from lower courts or prison departments was quickly banished. The step, which pleasantly surprised many given the normally conservative approach of the law, wasn’t a sudden decision. The Supreme Court, the Department of Information Technology (DIT) and the National Informatics Centre (NIC) had been working with the ministries of Home and Law since the early 1990s to create a video conferencing system. It was part of a larger movement driven by the NIC to computerize the Supreme Court. They worked in collaboration with Singapore, which had utilized IT effectively in the judicial process since 1996. Changes in national government leadership, however, caused delays. The NHRC stepped in and made a committed push to implement the technology. Once it got the Supreme Court on its side, the project overcame inter-departmental conflicts. A project as successful as video conferencing has differing versions of who pioneered it.
According to many accounts, Bihar was the first state in the country to adopt video conferencing in courts. However, Andhra Pradesh may have been the first to lead the way. Way back in December 2000, then State Governor C. Rangarajan amended the law to enable a defendant to stand before a magistrate “either in person or through the medium of video linkage.” Andhra Pradesh’s first video link was operated between the Chanchalguda central jail and the Nampally City Criminal Courts. And, it cost a mere Rs 1.5 lakh to set up. In early April 2003, the Supreme Court permitted trial judges to record evidence from witnesses living abroad via video conferencing. Within a week, a court in Mysore conducted India’s first long-distance case, involving a copyright violation against Los Angeles-based 20th Century Fox.
It’s Cheaper, Sue Us
Video conferencing is that rare solution that works to everyone’s convenience. State governments in India, which funnel large amounts of funds towards prison upkeep, have been able to save considerably using video conferencing. At last count, the state of Andhra Pradesh employed 1,000 police constables every day to ferry inmates between jails and courts. While video conferencing has not entirely seen the end of this practice, it has made impressive inroads in pruning transportation costs. Figures provided by Karnataka alone are proof. Between June 2003 and November 2005, 68,191 people from five jails across Karnataka (Bangalore, Mysore, Belgaum, Bijapur, and Dharwad) were produced before a magistrate using video conferencing. It saved the government over Rs 1.26 crore in transportation costs alone. It’s the sort of money that goes a long way in a prison, which would explain why almost every state capital now video conferences between its city court and jails.
Dharam Pal Negi, Additional Director General of Police and Inspector General of Prisons, Karnataka State Police, says that what they saved directly from transportation is the least of it. Depending on whose version one believes, Sayyed Khwaja Yunus, accused in the Ghatkopar bombing incident, either escaped from a police vehicle in January 2003 while being transferred from Mumbai to Aurangabad or was done to death. In another incident, Manoj Kumar Singh, a notorious undertrial criminal, escaped from Patna in May 2004 under similar circumstances. Curiously, undertrial escapes, and the inquiries that follow, had been a fairly routine affair. While putting a figure to the cost of re-capturing an inmate is tough, there is no taking away from the fact that it is a cost both in material resources and scarce manpower. And transfers, made sometimes on public transport, are an ideal time for criminals to make a quick getaway. Though, human rights activists allege that in some cases ‘escapes’ were a means to ‘silencing’ certain undertrials. Thanks largely to video conferencing, Negi says, there have been no undertrial escapes from national prisons in the last two years. “There can’t be a better system,” says Negi, adding that “its intrinsic value cannot be measured.”
Illustration caption: The police arrest him in 1999 but he jumps bail and vanishes. The law finally catches up with him in a surprise raid at his hideouts at Ajmer
Courting Unseen Benefits
There’s more to video conferencing than merely bridging the physical distance between the jail and the courtroom, echoes Dr. V. Vijayakumar, Registrar and Professor of Law, National Law School of India University, Bangalore. Dr. Vijayakumar says that video conferencing is really useful in child molestation cases where victims are shielded from the trauma of facing their assailants via a one-way video link. Dr. Vijayakumar also says that video conferencing has a ripple effect that has “curbed corruption, enhanced accountability, and reduced the number of adjournments in a case.” Under law, remand can be given in 15-day units, a right that is flagrantly ignored by the current system due to logistical barriers in prisons. Getting to the head of a line to see a judge has given occasion for corruption to bloom. Video conferencing, by dint of lending better access to judges, cuts through the mass of corruption that surrounds the undertrial and ensures a speedier trial.
Video conferencing works two ways. The court’s ability to look into prisons has reduced the harassment of inmates and given them a better chance to access medical aid. Video conferencing has made it possible for judges to view inmates directly. This in turn has made jail authorities more accountable. The system has also proved its effectiveness in high-profile cases where witness protection is mandated. Pappu Yadav, who is being tried in Patna from Tihar jail, and Abdul Kareem Telgi, who allegedly features in varied hit lists and is being tried simultaneously in over five cities, are among those who have experienced video conferencing.
Illustration caption: Don’t even think of making a break for it on the way to court! I got my eyes on you.
Illustration caption: My lord, I strongly recommend we put him on a video conference link from prison.
Qualified Witnesses
One of the first uses of video conferencing in a court setup occurred in Singapore in 1996 and involved the Las Vegas Hilton Corp. and a Singapore businessman. Singapore began actively using computers in the judiciary when Yong Pung How became Chief Justice in 1990. From February 2002, Singapore’s Supreme Court and several law firms started trials to use IP video conferencing for matters heard in court chambers before a registrar. Today, Singapore uses the best in technology and judges, lawyers, and others use advanced software to ‘mark’ locations of crime and other details on a screen, according to Dr. V. Vijayakumar, Registrar and Professor of Law, National Law School of India University. The US is also a key player, and leading the fray is the New Jersey Judiciary, which installed one of the largest video conferencing networks for court systems in April 2000. It has 29 remote sites located throughout the state. Video conferencing saved West Virginia Rs 135 crore ($30 million) in the first year of operation. Scotland is among the countries that have recently implemented video conferencing. The Scottish Court Service, as part of its ongoing commitment to improve the efficiency of court proceedings, brought video-conferencing to a total of 26 courtrooms in June 2005.
— B.N.
Bailing Out
Video conferencing is only as effective as its enforcement, as militant cleric Abu Bakar Bashir demonstrated in Jakarta in June 2003. For Bashir’s trial, five television monitors were installed in the courtroom to enable three suspects in Singapore to testify. Authorities in Jakarta also planned to video conference with other detainees in Malaysia. Although Jakarta had used video conferencing twice before, Bashir’s advocates, led by senior lawyer Mohamad Asegaf, walked out in protest, cheered on by hundreds of Bashir loyalists. Bashir, who was not allowed to leave the courtroom, called the trial unfair and refused to cooperate. He read a book for six hours while his own trial progressed, and even refused to raise his head to face the camera for a close-up so that a witness could identify him.
— B.N.
Illustration caption: Telgi is tried from the security of his prison. Revelations from the case incriminate 67 people and continue to make national headlines.
Illustration caption: Justice will be served because Telgi cannot get out of jail.
Forward Motion
The benefits of video conferencing in courts have ensured that its usage has spread. “Almost every state capital has got video-conferencing between its city court and jail,” points out C. L. M. Reddy, Head of Department, Courts Division, National Informatics Centre, New Delhi. The NIC, taking the process one step further, has proposed that lawyers should be allowed to video conference between their offices and the court, saving them travel costs and discomfort too. This request is still pending with the judiciary. This, however, may only be a matter of time, as judges come to realize the immense potential of video conferencing. Talwant Singh, Additional District and Sessions Judge, New Delhi, and Chairman of the District Courts Website Committee, says, “There is a strategy behind video conferencing usage and it is not being used only for remand cases.” According to Singh, all the three courts in New Delhi — Tis Hazari, Patiala House, and Karkardooma — have video conferencing studios. It has condensed trial time and has served justice better, he stresses.
In the June 2002 edition of its bi-annual analysis of prisoner population and undertrial prisoners, the NHRC found that the undertrial prisoner population was at 75 percent of the country’s total prison population. This figure came down to 71 percent by June 2004, a difference of about 100,000 people. Some of this change is attributed to video conferencing. In September 2005, NHRC Chairperson Justice A.S. Anand lauded various measures being used to uphold human dignity in jails, including video-conferencing.
Video conferencing is being greeted so enthusiastically by those connected with the law that newer uses are being found continually. Tihar Jail now uses video conferencing between inmates and visitors to curb the smuggling of money, narcotics, cell phones and weapons. Yet another innovative usage of video conferencing was implemented by the Court Dispute Resolution International (CDRI) in Singapore. CDRI is a settlement program co-conducted by a Singapore judge with judges from Australia and Europe. A similar system employed between the Portuguese and Indian courts during Abu Salem’s deportation might have expedited his extradition.
The system, as any that brings about change, has its share of detractors as well. One among these is Byatha N. Jagadeesh, Advocate, Alternative Law Forum, an NGO which works for the rights of undertrials. “Video conferencing is detrimental to the rights of the accused, since they will never feel free to talk, surrounded by the police,” he points out. The court is also a meeting ground where undertrials can interact with family members. Video conferencing, he observes, prevents this. While a few such valid issues remain, some lawyers, who have been known to rely on adjournments to delay cases, do not like video conferencing. The technology makes it much harder for them to prolong cases indefinitely. Now that’s something that we can all live with. CIO
Special Correspondent Balaji Narasimhan can be reached at balaji_n@cio.in
Sleuthing Smarter
Ramavtar Yadav, Director, National Crime Records Bureau, is equipping cops with technology to beat crime.
Interview | Ramavtar Yadav
By Rahul Neel Mani
For years, the police, burdened with a system that stymied quick exchange of information, found themselves on the back foot in the fight against crime. Ramavtar Yadav, Director, National Crime Records Bureau of India, has one agenda: Use IT to keep the cops ahead of the robbers.
CIO: How is NCRB changing the way that the police functions?
Ramavtar Yadav: Our approach arises from the police’s needs. For any police system, the record of a criminal’s activities is a vital source of information. They detail a criminal’s modus operandi, which aids a police officer in attaching a crime to a criminal. All police forces gather and exchange information on criminals. Until digitization happened, the Indian police used physical records. The absence of digital records hampered the police from sharing information across states and analyzing the modus operandi of criminals. That’s why the Ministry of Home Affairs began a major computerization drive in police departments across the country, and made the National Crime Records Bureau (NCRB) the nodal agency for this. NCRB’s responsibility extends to training all important police officers in both systems and applications. This is how the Crime and Criminal Information System (CCIS) was introduced in police departments.
What is the size of the network that uses CCIS?
When we set out, the NCRB focused on providing hardware to all 740 district and state police headquarters. These systems are connected to a server and those servers are then connected to the central server at NCRB. Under the current modernization drive, which will cost an estimated Rs 600 crore, we are doing the groundwork of supplying hardware to all 12,400 police stations in the country. Thus far, we’ve covered 40 percent and the rest will fall in place over the next three to four years. While we were responsible for supplying the hardware in the first phase, the Government of India is now equipping states with machines. There are also a lot of agencies, other than police stations, which need computerization.
How has this helped better policing?
It is difficult to quantify the gains police departments have made due to CCIS. What is certain is that the data now available has helped the police to catch criminals quicker. A criminal on the run does not recognize state borders. In fact, police departments have to work in coordination to nab criminals. To facilitate the sharing of information, the CCIS application has been Web-enabled. Police officers can now access a national database to track crimes and suspects. There are close to 15,000 such police officers who are authorized to log in to the system. Without this kind of a centralized database, even two neighboring districts can’t help each other — interstate information exchange is a far cry. The system is also useful for civil verification such as passports, domestic help, and insurance. Currently, the database has 18 million records and the NCRB has asked state police departments to digitize records of crimes committed over the past ten years. Karnataka, Gujarat and Maharashtra have partially captured this data. This has brought a perceptible change in the police department’s crime-solving techniques. The application initially ran on a UNIX platform but from 2000 we decided to put it on the Windows platform to make it easier for police officers.
How does IT usage by the Indian police compare with those in developed countries?
The Indian police is in the initial stages of IT usage. But our target is to put IT usage on par with the most developed systems over the next few years. The police system in the UK serves as a pointer. Their approach of making records and their database accessible nationally down to nodal police officers is excellent. In the next three to four years, we would like to have all First Information Reports (FIRs) and crime reports available online. We also want to be able to mine that data. Various socio-economic issues will count as some of the parameters. Police work is not limited to the control of crime and criminals. There are other issues such as government legislation, internal budgeting and civic construction, which impact policing. With IT, we will also be able to coordinate with the other civic bodies such as electricity, water and municipal bodies. IT can bring cohesion between multiple government bodies. That’s where we want to see the Indian police system and we are working towards it.
“In the next few years we would like all FIRs and crime reports available online. We also want to be able to mine that data for trends that will help crack cases faster.”
How is the NCRB ensuring the long-term success of the project?
The NCRB is tackling the project on three fronts: Providing hardware, creating applications and training officers. The third is crucial and so far we’ve trained 35,000 police officers across the country. We are also working with various state police departments to upgrade both their systems and applications, because state governments don’t have that kind of expertise. The bureau is also playing the role of network and systems planners for these states. We provide them with training for sophisticated data management and network security. Training for data and crime trend analysis is next. The NCRB has also initiated a ‘Train the Trainer’ program so that state police departments can keep their staff abreast of the latest technology and its usage. All state governments have also agreed to train new recruits like sub-inspectors and constables to use computers. Already, training departments and computer labs have been set up to impart training to officers.
Where does the portrait building app score over the older method?
Portrait Building Software (PBS) has changed the way the criminals are identified. Till now the only way to identify a criminal was through a portrait based on an eyewitness’ description. Manually made portraits, however, have a high margin of error. PBS has helped shorten the process and drastically reduce the margin of error.
IT also powers the fingerprint identification system, doesn’t it?
Fingerprints form crucial evidence. In India, digitization has taken fingerprint classification technology into a new era. When fingerprints were maintained as paper records, it was almost impossible to share them between states. Now we have over 700,000 fingerprints that are digitally available through a single repository. A criminal’s history is also available against a fingerprint, which helps the police nab a criminal wanted in more than one case.
Has the ‘property coordination application’ been of substantial help?
The application provides records of stolen or recovered vehicles. This information is available to the public through 33 information counters across the country. On an average about 150-200 people visit these counters every day to verify whether a secondhand vehicle is legitimate. If the vehicle they want to buy is listed on our system, it means that it was either stolen or recovered from thieves. The NCRB has also set up information collection centers on routes that see large numbers of vehicles. The Punjab-Kashmir border and West Bengal-Assam border are two that were targeted based on analysis that identifies them as the most frequently used to carry away stolen vehicles. The information collection centers compare registration numbers of each passing vehicle to those of stolen vehicles.
Does the NCRB train police personnel from other nations?
So far the NCRB has trained over 1,200 police personnel from 60 countries. We have a fixed three-month training program. The training addresses two major areas – IT for police and fingerprinting. Training requests normally come from developing nations in Africa and Southeast and Central Asia. These training sessions also serve to teach us how effectively or innovatively other nations are using IT in their police systems.
What new IT initiatives is the NCRB planning?
So far policing has been conventional, with limited use of intelligence on criminals. With the help of information systems and digitization, our aim is to create better crime analysis. With this we see the police force building crime intelligence just as private enterprises build business intelligence. What is the use of IT if we don’t use data to be more proactive? New age crime is nothing short of technological warfare. It is our duty at NCRB to keep up with this change and update ourselves on the technologies that criminals use. Simultaneously, we are initiating a full-fledged program on cyber crime and forensics to empower the police. NCRB’s IT initiatives will keep the police at the forefront of this fight. CIO
Bureau Head North Rahul Neel Mani can be reached at rahul_m@cio.in.
Essential
technology CRM and business intelligence from open source? You bet.
From Inception to Implementation — I.T. That Matters
Open Source Lights Up
BY GALEN GRUMAN
Open Source | The odds are good that the LAMP stack is running somewhere inside your company. The acronym refers to the foundational foursome of the open-source movement: The Linux operating system, Apache Web server, MySQL database and, collectively, the Perl, PHP and Python programming languages. Development tools such as Eclipse and application servers such as JBoss have also gained popularity — and trust — especially now that major vendors such as IBM, BEA Systems and Borland have adopted or supported them commercially.
But what about the next step up the software ladder? Is open source ready for ERP, business intelligence or CRM? Ready or not, it’s happening; the first industrial-grade applications in these areas are now emerging. And CIOs will soon need to decide how to approach these fresh options in their enterprise software catalog.
As with the adoption of the LAMP players, these new open-source enterprise applications will find their way into the enterprise at a departmental or small-project level. As a result, “we don’t see [these applications] on CIOs’ agenda at all,” notes Michael Goulde, an open-source senior analyst with Forrester Research. But, he warns, “CIOs should sync up with their development teams to see [where such applications] might have payback to the organization.”
January 15, 2006 | REAL CIO WORLD
However, CIOs should tread carefully on such open-source applications, advises Mark Lobel, a partner at PricewaterhouseCoopers who focuses on information security, including security for financial applications. One key concern is that applications tend to reflect and embed business processes and logic, which often are key strategic assets you don’t want to share with others — and open-source licenses can require such sharing if companies aren’t careful. Another issue is the long-term viability of open-source applications for specific functions. Open source depends upon volunteer developers for success, but the more niche a product, the smaller the potential pool of interested contributors. As such, grassroots support for specific apps such as ERP or CRM tools may look more like brigades than the armies now supporting broad open-source infrastructure such as Linux, Apache and MySQL. Still, properly managed open-source applications can save enterprises money and time — as well as reduce dependency on specific vendors.
But, Is It Really Free?
It pays to read the fine print on open-source licenses.
Open-source applications typically provide free use of the software and access to its source code. But if you plan to distribute the modified application outside your company, open-source licenses usually require you to return any enhancements to the user community, says Michael Goulde, a senior analyst at Forrester Research. But as the open-source model moves up the stack to applications, the term open source is morphing to accommodate corporate needs.
More restrictive licenses are emerging with the new class of open-source CRM applications. For example, a version of SugarCRM is available under a variation on the standard General Public License (GPL). But users of SugarCRM Pro, available under a separate license from SugarCRM, get a different deal. The SugarCRM license works much like a proprietary software vendor’s license, with the exception that Sugar provides the source code and lets companies modify it for internal use only. And that modified code belongs to the user company, not to SugarCRM.
This model is becoming common as more companies build businesses around open-source software for which they offer both a ‘pro’ version and for-pay support services, says Goulde.
“Their free version is really a marketing tool,” says Bob Gatewood, CTO of Athenahealth, a service provider to doctors and a SugarCRM Pro customer. That suits Gatewood just fine, since the SugarCRM license still lets Athenahealth customize its CRM code easily, without requiring expensive professional services that, for example, a Siebel CRM deployment might require.
Another example is the Veteran Administration’s Vista electronic records software, which is available free as public-domain software. Although the VA has integrated enhancements made by some users in later releases, it still manages the core code development. Private companies have created proprietary extensions and add-ons that they sell to Vista users. They’ve also customized the Vista code for their clients, but none of these efforts belong to the VA or the Vista community as they would in traditional open-source efforts such as Linux, Apache or BSD Unix.
The Avalanche Corporate Technology Cooperative is taking a private open-source approach: Enterprises and consultants can join, which provides them access to software developed by the Avalanche members. (The cooperative is just starting its first efforts, including a Sarbanes-Oxley compliance project.) As with open source, the members all contribute technology to various Avalanche efforts, and Avalanche members provide mutual support. Unlike open source, however, only Avalanche members have access to this technology, which its founders believe will ensure development efforts stay focused on members’ business priorities.
For CIOs, this means that some open-source tools might in fact be just partially open source, requiring a careful understanding of the license and the program’s contents. “You really need to read the license,” advises Athenahealth’s Gatewood.
– G.G.
Finding a Fit
Financial-services giant Fidelity Investments has used open-source technology for about four years to reduce costs and dependence on vendors. “We started with Linux like everyone else did, but our intent all along was to see how far up the stack we could go,” says Charlie Brenner, Senior Vice President of the Fidelity Center for Applied Technology, Fidelity’s technology incubation group. After Linux, Fidelity adopted Apache and Perl, and then the Struts Web application framework and the Eclipse Foundation’s development environment. Fidelity is now looking at open-source database management systems and assessing what applications might make sense. The advantages of open source include widespread component reuse, better access to underlying code to customize interfaces across applications, and less complex systems to manage. “We’re heavy users of proprietary [software], and that won’t change, but there are times you need a motor scooter, not a truck,” Brenner says.
Others are less interested in picking the proper vehicle than they are in creating a uniform, inexpensive core on which to hang their IT business. At Midland Memorial Hospital in Texas, “we’re trying to get a complete open-source or public-domain stack rather than be proprietary,” says IS Director David Whiles. His organization already uses the LAMP stack and is now deploying a public-domain electronic records system, the Veteran Administration’s Vista, for less than half of what a proprietary system would cost (even with the cost of hiring a consultancy to add features such as billing).
Medical industry service provider Athenahealth, meanwhile, is using SugarCRM — an open-source CRM package. CTO Bob Gatewood says he had several reasons to switch from his current CRM provider, Salesforce.com. But he notes that making the change will save about
Rs 4.5 crore ($1 million) over three years in per-user licensing fees, even after the cost of development and integration is subtracted. He expects to complete the migration in early 2006.
Easy Mixing
Beyond spending less, Gatewood plans to more closely integrate the SugarCRM code — which he can access directly — into his call-center and other support applications, something not possible with proprietary software where code is tightly held by the vendors.
Other IT execs seek the same benefit. “We can take the pieces we need [with open source],” says Bob Hecht, Vice President of Content Strategy at specialized data provider Informa, which is investigating the Alfresco open-source knowledge-management application as an alternative to commercial enterprise content-management tools. Informa is exploring Alfresco because a license for a commercial enterprise content management application for a company of its size would cost millions of dollars and would impose a single content-management model on the company’s array of publishing, training and events businesses. “We just won’t do that,” Hecht says. (It also helps that Alfresco was developed in part by former Documentum technologists, giving Hecht more confidence that the application will be enterprise-class.)
61% of developers in Europe, West Asia and Africa have used open-source software for development, but only a third have contributed to the open-source community. SOURCE: Evans Data, 2005
Starting Small
Open-source applications can make especially good sense for non-strategic, fairly generic applications like reporting or sales-force automation. Departments that have unique technology needs and smaller companies with limited budgets are also more likely to consider open-source applications, says Forrester’s Goulde. “Larger companies are not about to rip out SAP. Plus the functionality and the integration are both more complex for a large company than open-source apps currently can handle,” he adds.
For example, open-source tools “are not going to take the business-intelligence market because they are not yet competitive with commercial software,” says Eric Rogge, Research Director for BI and performance management at Ventana. For example, open-source BI applications don’t yet offer a comprehensive platform with reporting, ad-hoc analysis, online analytical processing (OLAP) connectivity, alerting, dashboards and workflow. Nor do they offer aids for developing user-interface controls, ad-hoc analysis against relational data sources or score-card functionality with strategy maps, metrics management and collaboration features, he says.
But Rogge does expect open-source applications to eventually make inroads in the BI reporting tool segment, since there are a variety of uses for basic reporting tools in an organization where a costly, complex BI tool isn’t needed.
Furthermore, increased adoption of open-source databases should encourage the development of open-source reporting tools that
take advantage of them, says Don DePalma, an analyst at the consultancy Common Sense Advisory. “Most database activity is about reporting, analyzing and crunching the data, so [open-source reporting tools] would seem a natural development. Companies, universities or governments using open-source operating systems and databases would be a great audience for such software,” he says. DePalma doesn’t expect a popular reporting tool like BusinessObjects’ Crystal Reports, for example, to support open-source databases because of the vendor’s relationships with proprietary database developers such as IBM, Microsoft and Oracle. That provides an opportunity for the open-source community to create a Crystal Reports-like reporting tool, he says.
Open-source applications also make sense when there are regulations or other requirements common to an industry, where having a mutually supported tool would benefit everyone and not put anyone in the position of losing a competitive advantage, Goulde says. Analysts most often cite the health-care and financial-services industries as candidates for these kinds of tools, though liability concerns surrounding legal requirements make it critical that potential users understand the possible risks, notes Fidelity’s Brenner.
It is also possible to imagine a large player in a specific industry making an open-source application viable, perhaps for some supply-chain management functions, much as Wal-Mart has done for RFID, notes Forrester Research ERP Analyst Ray Wang.
Gauging Open Source’s Risks
But using open-source applications does carry risks. One is that staff developers unfamiliar with the competitive value of various components might accidentally embed strategic business logic or processes into code that is then provided back to the open-source community, neutralizing a competitive advantage. But CIOs should be able to manage their strategic assets while still choosing open-source applications, says Eric Link, Diabetech’s CTO. Business logic, for example, should not reside in modified open-source code but in your internal rules base or in-house applications that call the open-source tools, as is common in commercial ERP systems, he says. “It does require careful thought to know what is strategic,” but any IT development effort should make such an assessment, whether it involves commercial, home-grown or open-source code, Link says.
CIOs should also be able to distinguish between applications and platforms and the issues that surround each, Brenner adds. Reporting tools and CRM are two examples of platforms that are often marketed as applications, he notes. The difference is that platforms typically don’t encapsulate specific business processes or logic, making them well-suited for open-source efforts — and less risky for the companies that use them, as companies using such tools will be less tempted to insert their own business logic into the products and unwittingly release it to the world. A reporting tool, for instance, might act on a company’s data, but it would never incorporate that data into its own code — and thus a company would never be required by the license to release the data as open source. (Another alternative is to go pseudo open source as in the Avalanche Corporate Technology Cooperative, which openly shares code on a variety of projects, but only among subscribed members.)
Beyond intellectual property concerns, another significant risk is an application’s long-term viability. Open source has worked well for widely distributed tools such as those in the LAMP stack that are typically run as-is and don’t need to be customized at each location. But for niche applications, the community of developers is necessarily smaller than for a piece of infrastructure, reducing the resources that contribute to the application’s development, maintenance and support. This could make it difficult for many projects to muster sufficient developer support to stay viable.
The diversity of applications will be a difficult issue for the open-source community, says PricewaterhouseCoopers’ Lobel. This limitation is exacerbated if companies don’t share their developments with the community for fear of releasing competitive business logic. “I can’t see it going very long if companies aren’t contributing back. An open system works only when it’s open,” Lobel says. Diabetech’s Link, however, believes that argument is overstated, since companies are typically happy to share infrastructure code with others, thus moving the application forward even while keeping their business-specific code to themselves.
Despite these issues, even cautious observers concede that open-source applications can make sense beyond the LAMP stack: And sensible CIOs should start paying attention. CIO
Galen Gruman is a freelance writer based in San Francisco. Send feedback on this feature to editor@cio.in
Pundit
Services For Sale
IT may finally get its chance to sell Web services.
BY ERIC KNORR
SOFTWARE | Nearly four years ago, I sat at the back of a packed conference on something new and exciting called Web services. Web services was going to be bigger than the Web itself. Any machine would be able to talk to any machine, and eventually most apps would be built from components strung together across the Internet. As part of the revolution, why shouldn’t enterprise customers become Web services vendors?
But IT had other priorities, like slashing costs. And Web services mainly became a cheap integration method. But recently those giddy early days came rushing back when I spoke with Infravio CEO Jeff Tonkel about his X-registry product, an enterprise registry and repository for publishing and even selling Web services.
Before Tonkel’s tenure, Infravio’s foray into the Web services market included both development and migration tools. Tonkel then moved the company to the broker space, where Web services is an EAI replacement with performance management and measurement capabilities. But ultimately, BEA, Cisco, Microsoft and the other big infrastructure players are going to own this space. Now Web services/service-oriented architecture asset management is the center of Tonkel’s strategic vision for Infravio.
As luck would have it, travel giant Sabre needed just such an application. Infravio beat out its competitors because its X-registry is similar to a searchable e-commerce catalog that holds detailed descriptions of services and, more importantly, provides control and approval mechanisms. Sabre decided it was easier to set up shop using X-registry than to build a similar app itself.
Those who know a little about Web services may wonder: Why not just use Universal Description, Discovery and Integration (UDDI)? Mainly because UDDI as it stands is really a spec for a relatively simple directory and (unique among the basic Web services standards) has lost traction rather than gained it. And the ebXML registry spec, once championed by IBM and Sun, never really got off the ground. Infravio has no direct competition as yet, but I imagine a few companies may want to enter the space.
The great thing about Web services is that it’s been a grassroots effort and has lowered the cost of integration. The problem with it is that developers tend to use it as an ad hoc solution and document it poorly — the key exceptions being the public-facing Web services, such as those offered by Google or Amazon.com. True, what Google and Amazon.com offer is pretty simple, but it’s easy to underestimate the effort involved in making Web services reliable, self-service, scalable entities that pretty much anybody can use. Throw in the proper rights and permissions mechanisms, and that philosophy should also underlie Web services inside the firewall.
It’s going to take years before the swirl of draft Web services specs settles down, if ever, and even if it does I can’t imagine a day when Web services will run around connecting with each other dynamically, without human intervention. In human-readable form, registries and repositories must capture all the relevant information needed to contract with a Web service, or much of the Herculean effort involved in creating a service-oriented architecture — which expands organizations’ integration possibilities by a magnitude — will go to waste. And these registries should include descriptions understandable by business types, not just technologists.
Who knows? Once you’ve established that sort of repository inside your organization, it’s not that big a step to consider selling a few select services over the Internet. At the very least, if you pitch it right, the prospect might score a few points with the business guys. CIO
Eric Knorr is executive editor at large for InfoWorld. Send feedback on this column to editor@cio.in