March 1 2006 by Sreekanth Sastry

Cover_october011_checklist.indd 84

11/16/2011 4:13:59 PM

From The Editor

Two weeks ago, a senior infosecurity executive and I debated what might be in store

Do you Have Birds on your Mind? Organizations will have to go beyond looking to the government for taking on the avian flu.

for Indian organizations if the avian influenza A (H5N1) virus struck roots here. For a casual conversation, it was remarkably prescient, though, at the time of writing this column, India still doesn’t have a single ‘official’ case of a human contracting bird flu. Since my friend, the security expert, is associated with a software services company, he was also concerned about detailing to clients in the West the various scenarios his business continuity plan would cover and their net impact on project schedules. From the tsunami to the flood in Mumbai, organizations and their capabilities to manage crisis have been severely tested over the past many months. Talking to my friend and other IT leaders has given me distinct learning about business continuity, risk avoidance and applying them to a bird flu outbreak. While any decent business continuity plan begins with assessing risk and identifying critical operations, it will come through only if the number one asset of the organization— its people—is the focus. That’s how it definitely will work if you’re taking on avian flu. What happens if the government decides to quarantine the city that hosts your backup A business continuity plan facility? What will be the impact of schools will come through only or colleges being shut down, thus leading to if the number one asset your employees staying at home to take care of the organization—its of their children? How do you deal with a copeople—is the focus. worker falling sick with the flu? The best of plans can go awry for the want of a few details. For starters, you need an updated list of employee addresses (just refer to the Mumbai floods—I know quite a few BPOs who weren’t able to locate even staffers living close to office). Next, assess the skill levels of the employees. This will be critical for your next move—identifying a core team that’ll respond to an incident and will be needed to maintain basic business continuity. Finally, gear up to feed and house them while the epidemic burns out. Organizations and their CIOs will have to go well beyond looking to the government to tackle situations like bird flu. If there’s one lesson that the Mumbai flood proved, it was that. Be prepared. Be very prepared.

Vijay Ramachandran, Editor vijay_r@cio.in

Vol/1 | ISSUE/8

Content,Editorial,Colophone.indd3 3

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

2/25/2006 1:55:16 PM

MARCH 1 2006‑ | ‑Vol/1‑ | ‑issue/8

Executive Expectations View From The Top | 40 Neeraj R.S. Kanwar, COO, Apollo Tyres, is putting his company on the road to the top and he’s riding on IT. Interview by Rahul Neel Mani

Applied Insight Inside the Software

Testing Quagmire | 25 Software testing reveals the human failings behind the code. That’s why it can become a never-ending exercise in denial. Here are five questions that you can ask to help you cut through to testing’s root problems. Column by Paul Garbaczeski

P h otos by B ITOO SHARMA

3 0 Business Intelligence

Cover: Imaging by b in es h sreedharan

COVER STORy | Banking ON Intelligence | 30 ICICI is using business intelligence (BI) tactically to corner more than CRM benefits. The bank is tying together disparate databases and BI tools and is pressing this advantage into use for credit scoring and risk management.

From the Boardroom Your New Mandate: Meet the Customer | 20 Why it’s up to CIOs to ensure that their companies are focused on external customers—one at a time. Column by Jim Cash with Keri Pearlson

Security Little Holes | 46 Sure, you’ve got a mammoth security battleship, but it’s full of little holes. Feature by Thomas Wailgum

Feature by Gunjan Trivedi

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd4 4

Vo l/1 | ISSUE/8

2/25/2006 1:55:20 PM

content

Essential Technology | 60 Security | New Tech, New Anxieties By Meridith Levinson Pundit | A Really Hard Architecture Strategy

By Christopher Koch

From the Editor | 3 Do You Have Birds on Your Mind? |

Organisations will have to go well beyond looking to the government. By Vijay Ramachandran

Inbox | 12

5 2

NOW ONLINE For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

c o.in

Govern Instant Leasing | 52 A recent survey ranks Singapore number two on an ease-of-doing-business index. A lot of credit goes to the JTC (Jurong Town Council) that brought down the process of leasing space to 13 questions and a few minutes. CIO brings you a path-breaking government implementation from beyond India.

2 0

Feature by Balaji Narasimhan

Innovate to Sustain | 56 Some would say Sanjeev Gupta, Secretary IT, Himachal Pradesh, is on the wrong side of the river. Driven by government mandate, he is setting up online services for the state’s citizens–only there aren’t enough of them to make a sustainable business model. But he believes it can be done. Interview by Rahul Neel Mani

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd8 8

Vo l/1 | ISSUE/8

2/25/2006 1:55:26 PM

advisory board

Manage m ent

President N. Bringi Dev

COO Louis D’Mello Editorial Editor Vijay Ramachandran

Bureau Head-North Rahul Neel Mani

Anil Nadkarni

Advertiser Index

Avavya

26, 27

Head IT, Thomas Cook, a_nadkarni@cio.in Arindam Bose Head IT, LG Electronics India, a_bose@cio.in Arun Gupta Director – Philips Global Infrastructure Services

Cisco

Epson

HCL Toshiba

Special Correspondents Balaji Narasimhan

Senior Correspondent Gunjan Trivedi

COPY EDITOR Sunil Shah

Arvind Tawde VP & CIO, Mahindra & Mahindra, a_tawde@cio.in Ashish Kumar Chauhan

www.C IO.IN

Advisor, Reliance Industries Ltd, a_chauhan@cio.in

Editorial Director-Online R. Giridhar M. D. Agarwal D esign & Production

Creative Director Jayan K Narayanan

Designers Binesh Sreedharan

Vikas Kapoor Anil V.K.

Chief Manager – IT, BPCL, md_agarwal@cio.in

Photography Srivatsa Shandilya

Production T.K. Karunakaran Marketing and Sales

General Manager, Sales Naveen Chand Singh

brand Manager Alok Anand

Marketing Siddharth Singh

Bangalore Mahantesh Godi

Santosh Malleswara Ashish Kumar

Delhi Sudhir Argula

Nitin Walia

Mumbai Rupesh Sreedharan

11, 68

Mani Mulki VP - IS, Godrej Consumer Products Ltd, m_mulki@cio.in

Imation

Interface Connectronics

Kelly

Krone

Manish Choksi VP - IT, Asian Paints, m_choksi@cio.in

Jinan K. Vijayan Unnikrishnan A.V.

IBM India

Neel Ratan Executive Director – Business Solutions, Pricewaterhouse Coopers, n_ratan@cio.in Rajesh Uppal General Manager – IT, Maruti Udyog, r_uppal@cio.in Prof. R.T.Krishnan Professor, IIM-Bangalore, r_krishnan@cio.in

Microsoft

S. B. Patankar Director - IS, Bombay Stock Exchange, sb_patankar@cio.in

Molex

Oracle

SAS

Tyco

Webex

S. Gopalakrishnan COO & Head Technology, Infosys Technologies

s_gopalakrishnan @cio.in

Nagesh Pai

Japan Tomoko Fujikawa

USA Larry Arthur

Jo Ben-Atar

Singapore Michael Mullaney

S. R. Balasubramanian Sr. VP, ISG Novasoft, sr_balasubra manian@cio.in Prof. S Sadagopan Director, IIIT - Bangalore. s_sadagopan@cio.in

UK Shane Hannam

Sanjay Sharma Corporate Head Technology Officer, IDBI, s_sharma@cio.in Dr. Sridhar Mitta Managing Director & CTO, e4e Labs, s_mitta@cio.in All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India

Wipro Infotech

6, 7

Sunil Gujral Former VP - Technologies, Wipro Spectramind

Xerox

s_gujral@cio.in Unni Krishnan T.M

CTO, Shopper’s Stop Ltd, u_krishnan@cio.in V. Balakrishnan CIO, Polaris Software Ltd., v_balakrishnan@cio.in

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Content,Editorial,Colophone.indd10 10

Vo l/1 | ISSUE/8

2/25/2006 1:55:26 PM

reader feedback

in retail is cleared they will certainly do so, and will arrive with their technology solutions in place. Indian retailers will then have to catch up with them to try and level the playing field. I request you to cover upcoming technologies for the retail sector to help prepare us to take on MNCs, at least technologically.

Great Interview My hearty congratulations to the CIO team for the launch of a daily, onepage news service: CIO Five. (To get your copy log on to www.cio.in) I’ve found this format of disseminating information very useful for its focus. Also, since it captures the very latest developments in the industry. I would like to suggest, if there is space among the five news items, to have one covering on strategy / global trends / risk management and IT governance. At the end of the day, literally and figuratively, a CIO looks for intelligent advice and a solid knowledge-base. The magazine is also doing a great job by bringing us valuable inputs from the IT-user community. One of the columns I enjoy thoroughly is View from the Top, where CIO interviews a senior CEO. The Azim Premji interview must have been hard to get and was especially interesting because he pointed out that ERP is for boys and business intelligence is (BI) is for men. M.D. AGArwAl Chief Manager–IS, Bharat Petroleum

N.P. SINGh, VP – IT & E-commerce, Madura Garments

lead the way I’ve read two issues of CIO and I’d like to read a lot more. Much of the magazine’s appeal lies, I feel, in the choice of articles it decides to cover. The stories walk a fine line between technology and management, and this came out pertinently in the disaster recovery issue (Dec 15). Articles that demonstrate how others have identified potential problems, and have leveraged new or existing technologies to overcome them add value. Some of the more interesting articles also deal with the roles we play and how these are evolving. It becomes more complex when these modifications are put in the context of bigger change s in an organization. AruN ShAkyA ky , kyA Manager SAP Development, Britannia

In-Depth I am a regular reader of CIO, both of the magazine and of the website. Its contents are very crisp, to-the-point and contemporary. I am also impressed

Detail retail cIO is doing a great job of covering a lot of ground, particularly in topics related to strategic management of technology. Good show. Walmart, Tesco and Carrefour have already declared their interest in setting up shop in India. Once 100 percent FDI 12

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

What Do You Think? We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.

editor@c o.in

“I have a sense that mobility and wireless technologies, given time, will re-define the way we carry out business.” with the team’s commitment to bringing meaningful stories, a good example of which is when dollar figures are converted into rupees. I would especially like to compliment the issue in which CIO featured an interview of the chairman of Wockhardt in View from Top. On the production side, I must congratulate you for getting the magazine to us on time every 15 days. And also on the look-and-feel of the magazine and on the quality of your printing! SANjAy Ay MIttA A tt l ttA Head of IT Navin Fluorine International Limited

Future Perfect kudos for the excellent magazine; its paper, printing, the organization of topics/ articles, etc. reflects an international quality. One is tempted to flip through it immediately on receipt. Some of the features like Trendlines and View from the Top are my favorites. I would to read more on technological advancements in mobility and wireless technologies. I have a sense that, given time, these technologies will redefine the way we carry out our business. Replacing human interfaces with embedded intelligence on such devices will introduce more agility into our processes. AvINASh ArorA Director – IS, New Holland Tractors

Vol/1 | ISSUE/8

new

hot

unexpected

compliance Spending on the Rise C o m p l i a n C e In spite of the current take up of regulatory compliance programmes being low, a MarketShare survey commissioned by Serena Software, covering 148 CIOs across Asia and Australia, has reflected that 75 percent of them ranked compliance as one of the top objectives for this year. The majority believe that they will gain an advantage over their competitors by complying with regulatory compliance standards and most feel that Singapore is the country leading the change in meeting regulatory compliance standards (31 percent). Japan (20 percent) and Hong Kong (23 percent) rank after it. “Asia is waking up to the relevance of international compliance requirements such as Sarbanes-Oxley and Basel II to the region,” said KC Yee, Vice President for APAC at Serena Software. “Assurance must be given to

international customers and partners that you can work at the same level that they do.” The survey also showed that 57 percent of respondents feel that they may be held directly accountable for compliance activities in the future. About 60 percent say that they currently spend “less than five percent” of their total IT budget on compliance-related activities, with only nine percent of companies saying that they currently spend “more than 15 percent.” But the results show more starting to use their IT budgets on compliancerelated activities over the next two years as 27 percent report plans to spend “over 15 percent” of their total IT budgets on compliance-related activities within then. —By Victoria Ho

World Cup Passes on Smart Soccer Ball

ImagIng by U n nIKRISHn an aV

SpoRTS i.T. World Cup soccer players should be happy: a new chip-enabled soccer ball won’t be ready for use at the World Cup soccer tournament in germany this June, according to the Fédération Internationale de Football association ssociation (FIF (FIFa). The world soccer body also took a pass on using the ball at the FIF FIFa Club World Championship games in Tokyo this past December. “The technology isn’t perfect yet,” says Jan Runau, a spokesman with sportswear manufacturer adidas-

Vol/1 | ISSUE/8

Trendlines.indd 13

Salomon, which supplies the official game balls for the tournaments. “We have to be 100 percent certain that it works perfectly before we can deploy it in professional soccer games.” He declined to say when that would be. Engineers working on the smart ball had hoped it would be ready for the World Cup tournament. The technology is based on an application-specific integrated circuit chip (radio frequency identification chips are one example) with a transmitter to send data. The chip, suspended in the middle of the ball to

survive acceleration and hard kicks, sends a radio signal to the referee’s watch when the ball crosses the goal line. Similar chips, but smaller and flatter, have been designed for players’ shin guards. The ball is being developed by adidas, didas, the Fraunhofer Institute and software company Cairos Technologies.

—by y John blau REAL CIO WORLD | M A R C H 1 , 2 0 0 6

2/25/2006 1:47:33 PM

TRendlineS

Never Eat Alone: And Other Secrets to Success, One Relationship at a Time By Keith Ferrazzi

Shmooze Or Lose The author is living proof of his book’s claim—that success is all about relationships R e v i e w Never Eat Alone is the book to read before you head to your next conference. This roughly 300-page volume will get you pumped and primed for making lasting connections with the new folks you meet. Author Keith Ferrazzi, who became a partner at Deloitte Consulting when he was still in his twenties and who’s now CEO of his own consultancy, attributes his enviable success to the vast network he’s spent years cultivating. Ferrazzi gives

booK

the importance of networking a twist when he says it isn’t effective if it's carried out with desperation or out of blind selfinterest. Networking is most effective in helping people achieve their goals when they bring to it a desire to help others and a sincere interest in building meaningful relationships. The book stresses the importance of building relationships before you need them, and the way to do that is by offering yourself as a resource for others.

Never Eat Alone is packed with practical tips on where and how to meet people. There’s information about overcoming the various barriers to networking such as shyness, or the fear of making cold calls and small talk. There’s also advice about getting the most out of conferences and even hosting unforgettable dinner parties. Don’t be misled into thinking that this is a book for junior staff. It contains enough gems to make it worthwhile no matter where

the reader is on the corporate ladder. For instance, practicing random acts of kindness toward the CEO’s executive assistant is guaranteed to get you more face time with the big kahuna. Ferrazzi’s enthusiasm is communicated through his conversational writing style. This book will provide you with the confidence it takes to view every meeting with new people as the opportunity of a lifetime. —By Meridith �evin�on

What You Need to W Know About Wine SoFT SKillS You can discuss the merits of Java and .Net with anyone who asks. But do you know what goes better with grilled salmon or kakori kababs, a merlot or a pinot noir? Knowing which wine to order at a corporate dinner is one skill that can help a CIO distinguish himself as a businessperson and save him from social embarrassment. “When you’re asked to smell the cork, you need to be able to do that without looking like a geek,” says Jeff Connery, a wine lover and CIO of two Canadian banks: Envision Financial in Langley, British Columbia, and First Calgary Savings in Calgary. Notes Connery, “CIOs are not

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

just computer people anymore. They are dealing with boards, other executives and clients. Knowing about wine rounds out one’s business character.” To the rescue comes a new corporate wine studies program offered by the University of California at Irvine Extension. The six courses, each two to four hours long, teach how to pronounce wine names (try saying vino nobile di montepulciano three times fast), wine and food pairings, and wine etiquette (such as how to send a bottle back if the wine has cork in it). Their courses include ‘Wine as a Business Tool,‘ ’Entertaining Your Multicultural Client‘ and ‘CEO/Executive Roundtable Wine Tastings.’ “If yo u and I are sitting down to do a deal and have a lavish dinner, and [aside from] religious or health reasons, I order a Coca-Cola, you would think less of me,” says Marlene Rossman, instructor and creator of the courses. Especially, she adds, in ‘image conscious’ Southern California. You should order pinot noir with your grilled salmon. Now if you can figure out which glass is yours, you’ll have your social graces mastered. — By �auren �apoto� apoto�to

Vol/1 | ISSUE/8

Sense of

D. RAjENDRAN

Security Nowadays, we’re seeing an increasing dependence on a company’s network for its operations. In the past, a network might have only handled data exchanges over the company’s intranet, but today the reliance on the network has virtually tripled with it handling heavier Internet traffic, as well as the company’s voice and video exchanges, too. To cope with the added vulnerability as a result of the network opening itself to all these other uses, many companies have set up intrusion-detection alarm systems, triggered by potential security breaches. This could stem from something as critical as a hacker gaining access to the system successfully, or something as minor as the network being pinged. About 95 percent of security alarms are false alarms, according to Lloyd Carney, Chairman and CEO of Micromuse, a company providing software like Netcool Suite, which performs analytics around such alarms. The software works to monitor all the events generated by applications as well as security breaches within the network, then consolidates this information so that there is first a distinction made between device-level and service-affecting events. Finally, automated analysis of service-level problems is done and the display of the corresponding relationships between the IT-resources and the critical processes they support is mapped and listed out for the network administrator. By automating this process of distinguishing between the real and false threats, the administrator in charge of security might save not only a lot of effort manually weeding these out, but also be better positioned to arrest the real problems faster. Carney warns, “If your network is under threat, the first hour is the critical hour. If you can identify what the problem is and isolate it within that, you can save your network.” While technological advances have widened network bandwidth many times over in the past five years, the broadened uses of it have meant that it has become more complicated to manage, as well. A phone line over Internet Protocol, for example, may only require a fraction of the bandwidth of a video exchange, but needs a dedicated line, because the bits on the call cannot be dropped and resumed like that of a data download from the World Wide Web, or the conversation gets interrupted. “Even if your network seems to be fully-functioning, someone could perform a Denial of Service (DoS) attack on the voice gateway,” said Carney. This increases the scope of concern for the network administrator, who would need to look more closely at specific areas of a network’s operations. The need for analytics to assist a network administrator’s speed and efficiency in handling disaster, could therefore make all the difference between a crash successfully averted, or a lengthy—and not to mention, costly—downtime.

SeCuRiTy

Secretary, State Industries D. Rajendran, Secretary, State Industries, has been given additional charge of the department of IT, Tamil Nadu. Rajendran is an IAS officer of the 1985 batch and has been commissioner of smallscale industries, among other positions. In his new capacity he will continue to drive IT in the state, ensuring that current projects continue on course.

S. R. BALASuBRAmANIAN Executive Vice President—Special Projects, ISGN S. R. Balasubramanian has joined ISG Novasoft (ISGN) as Executive Vice President—Special Projects. ISGN is an enterprise application management and outsourced product development company and is part of the K. K. Birla Group. Balasubramanian will build competencies for ISGN’s AMO (Application Management Outsourcing) business globally and will help manage complex deals. He brings to bear 28 years of experience in IT and will be CIO of the parent organization. Prior to ISGN, Balasubramanian was VP-Information Systems, Hero Honda.

ARuN GuPTA Director, Philips Global Infrastructure Services, Philips Electronics, India. Arun Gupta, 42, is now Director – Philips Global Infrastructure Services at Philips Electronics, India. He will lead Philips' IT function and support various business units. In his previous position at Pfizer, he made tremendous and tangible contributions to field-force automation and SCM.

—ByVictoria Ho 16

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Vol/1 | ISSUE/8

TRendlineS

Making

b y LO R R AINE C O S G R OVE WA R E

Systems lower purchasing costs 20 percent at top companies. Companies that use IT effectively for procuring goods and services can save big bucks, according to The Hackett Group. The consultancy’s study of what it calls world-class organizations finds that increasing spending on procurement technologies, as well as improving the use of existing technology investments, lowers overall procurement costs by as much as 20 percent. Top companies also reap greater returns from their investments in procurement technologies than other companies do—as high as 360 percent more than other companies typically see. IT automates many of the transactions involved with procuring goods, such as order processing, scheduling and forecasting. Automation improves cycle times and reduces errors. As a result, fewer staff need to be dedicated to tasks such as operational support, order placement and forecasting. Instead, they can focus on more high-value activities like analyzing corporate spending patterns and aligning procurement with business strategy, says Christopher S. Sawchuk, Hackett’s procurement practice leader. Hackett defines world-class organizations as companies that rank in the top 25 percent on various efficiency metrics (such as staff levels, productivity, costs, cycle times) and effectiveness measures, such as ROI. According to the group, staff at world-class procurement organizations use online tools to communicate proposals, quotes or requests for information to suppliers 78 percent more often than their peers, and they are twice as likely to have access to suppliers’ online catalogs.

tr e n d l i n e s

IT Takes Expense Out of Purchase

Best Practices

Assess your investments. Review how IT is supporting procurement currently. Find out whether employees are using the existing tools and processes, and whether they are using all or a portion of the functionality.

Evaluate processes. Before applying any new technology, examine your procurement processes. Ensure that purchasing procedures in different parts of your company, such as receiving and payment schedules, are aligned.

Consult end-users. Work with the chief procurement officer or other procurement executives to learn what their staffers need to do their jobs effectively. Once you find out their priorities—whether it’s visibility into total spending or supplier management tools such as pricing and shipping schedules or electronic ordering tools—you’ll be able to invest time and energy where it’s needed most.

How IT Cuts Purchasing Costs World-class procurement organizations… …Have Smaller Staffs

…And Use Fewer Suppliers

Staff per $ 1 billion procurement spending

Average number of suppliers

World-class organization Typical organization

44.9 89.2

World-class organization Typical organization

4,171 7,710

Difference

49.6%

Difference

46%

Source: Hackett Group 18

Trendlines.indd 18

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Vol/1 | ISSUE/8

2/25/2006 1:47:55 PM

Tech Truck Bridges Digital Divide e d u c a t i o n While government departments across countries grapple with ways to promote technology adoption among young people, Western Australia’s Department of Industry and Resources (DOIR) has stopped talking and taken IT trucking. Established with a number of sponsors including DOIR, Telstra BigPond, and truck company Scania, the roadshow began visiting regional centers in the state’s South late last year as has been a great success according to the department’s infrastructure division manager, Kevin Russell. “It’s been a huge success because people in the region are crying out for this,” Russell said. “The acceptance is terrific and absolutely amazing.” The truck has so far made its way through farming centers, mining towns, schools, TAFE colleges, and universities. With most of the South finished, the truck will head North in April and complete its journey around September. “The technology roadshow is taking technology to the regions of WA to bridge the digital divide,” Russell said. “We’re informing people about the use of the Internet and how they can do business. For example, about using a content management system over a standard Web server.” Russell said the feedback from business people has been “excellent”; one person in the process of starting a company discovered about Rs 4.9 lakh (US$11,064) in software savings after visiting the roadshow. The roadshow also aims to heighten awareness of how the Internet can assist with communications for distancelearning, employment, and health. In addition to the demonstrations and advice, the roadshow has given out copies of Ubuntu Linux and TheOpenCD—a collection of popular, open source applications for Windows. “We’re not aligning to any one vendor; we can demonstrate what you can do with open source,” Russell said. Russell said while the TheOpenCD is “really good” it doesn’t have some applications which people need, so the team is looking at creating its own distribution of open source software. “It will be a mixture of business and education applications to cater for the diverse range of people out there,” Russell said. “I was surprised at the number of people in the region already using open source software, [because] the whole roadshow hasn’t been an open source promotion. Some really smart kids out there have been using Linux which is really enlightening and it’s good to see them getting involved in a global project. They have a great opportunity to be part of a global system in some way.”

—By Rodney Gedda, Computerworld

Vol/1 | ISSUE/8

Trendlines.indd 19

2/25/2006 1:47:56 PM

Jim Cash with Keri Pearlson

FROM THE BOARDROOM

Your New Mandate: Meet the Customer Why it’s up to CIOs to ensure that their companies are focused on external customers—one at a time.

ow leading companies generate revenue has evolved over the past 20 years: From managing markets to managing market segments to managing customers. This shift creates significant issues for the board of directors and the entire executive team, including the CIO. If this change in strategy hasn’t affected your company and industry, you are in a distinct minority. For the average CIO today, external customers are not a primary concern. Yet the CIO is uniquely positioned to help the executive team address customer management, for two reasons. First, the CIO is usually one of the most senior executives with a broad process view of the corporation. It is the role of information systems to span functional, geographical and hierarchical boundaries. Second, the way information is collected, stored and delivered can either help or hinder the corporation in managing customers. The CIO is best placed among executives to understand what these information needs are and to ensure that data systems can deliver the information needed by the company to support this marketing requirement.

The Right Way to Focus on Your Customers The traditional belief that simply increasing market share translates directly into higher profitability has been proven false in our current economy. You need look no further than the US airline and automotive industries to note that market share leaders are not the most profitable companies. Deciding whom to serve is a critical decision for any organization. One of the world’s experts on this topic, Harvard Business School Professor Das Narayandas, says, “Who we are affects who we can serve, and who we serve affects who we 20

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Coloumn Your New Market.indd 20

Vo l/1 | ISSUE/8

2/25/2006 1:39:35 PM

Jim Cash with Keri Pearlson

FROM THE BOARDROOM

CIOs must apprise executive colleagues of customer activity changes that affect the company’s goods or services. will be.” In today’s business world, a company’s customer set defines what products and services it will offer. Another of a company’s most important decisions is identifying who should be excluded from the customer list. Serving a specific customer can sometimes preempt your ability to serve others. The most obvious example is working with one large customer on a proprietary component for its product, which may require an agreement to not provide similar technology for its competitors, thereby excluding other potential customers. Sending unprofitable customers to your competitors can sometimes actually contribute to your comparative advantage. Although executives usually acknowledge the importance of customer targeting, in many companies salespeople are left to develop a de facto marketing strategy at the customer level. As Narayandas points out, since a salesperson’s behavior is directly affected by compensation schemes, letting salespeople determine whom to sell to is one sure way to get into trouble. Segmenting and prioritizing customers must be an executive-level decision. Narayandas outlines four steps for customer management: 1. Develop a clear vision of the customers to serve and not serve. 2. Develop and manage a portfolio of customer relationships— the set of activities that serve the customers. 3. Monitor the health of customer relationships—understand whether customers are satisfied with the activities designed for them. 4. Link the customer management effort to economic rewards—that is, the benefits to the company and its employees for successful management of customer relationships.

Marketing Information Systems As we transition from the Industrial Age to the Service Economy, customer retention and loyalty have become better predictors of profitability than have traditional measures of market share. Scale is still important, but it must be attained with an increased focus on customer selection and management that facilitates the design of an efficient product/ service delivery system. Understanding which customers are profitable is a matter of studying what it costs to serve each customer and the price of the products or services they buy. Surprisingly, in most companies there is little analysis done of the cost-to-serve and prices, and frequently no relationship between them. Obviously, when prices or the cost-to-serve is too high, the 22

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Coloumn Your New Market.indd 22

situation is not sustainable. Success, then, comes from building a portfolio of customer relationships in which customers pay a fair price for goods or services developed at a profitable costto-serve for the corporation. This portfolio is built through a delicate combination of product development, service, sales incentives—and information management.

The CIO’s Role in Reaching External Customers As a CIO, you have the unique ability, and therefore the responsibility, to ensure that marketplace discussions are focused on the customer at a very granular level. Most organizations have not re-structured to reflect market changes and shifting customer requirements and power. Industrial Age organizational structures still dominate many companies. They were designed to implement mass production and vertical integration strategies, rather than the highly selective customer management strategies that companies need now. For example, a large computer manufacturing company in the early 1980s was organized by relative size of computer systems: A small systems division (including PCs), a minicomputer division and a mainframe systems division. For many years, this product focus had provided significant efficiency in the development and delivery of the company’s products and related services. As long as customer buying power was low and there was minimal overlap of customers across the business unit boundaries, the product-focused organizational structure was appropriate. But by the mid-’80s, customers wanted to implement MRP-II solutions that required highly integrated applications, which used systems from all three divisions. Customers were required to navigate through the company’s organizational structure and cross the business unit borders. It took the company six years to understand and respond to these emerging customer needs, since the internal organization (which was initially designed with customer needs in mind) was blind to this evolution. Until executives recognized that the market was requesting integrated solutions, the company continued to be product-focused and to build systems for each siloed business unit. An organizational structure that isn’t aligned with marketplace requirements causes misinterpretation of important data. When customer requests are viewed through a product lens, a company might respond in a way that actually conflicts with customer needs, as the computer maker did. CIOs must look to the marketplace and customers to ensure

Vo l/1 | ISSUE/8

2/25/2006 1:39:35 PM

Jim Cash with Keri Pearlson

FROM THE BOARDROOM

that information systems are responding to their requirements, regardless of how the company is internally organized. The CIO’s role is to ensure the data that matches marketplace and customer requirements is brought to light and brought to the attention of the rest of the company. Doing this requires a horizontal view of the business, and the CIO is one of the best C-level executives to have this view. He or she has allies in the organization, such as the supply chain owner and the quality management owner. But the CIO is often the seniormost executive with this view. CIOs are best-positioned on the executive committee to present this horizontal view. CIOs must keep their executive colleagues apprised of several important areas: Changes in customer and marketplace activity that could affect the company’s goods or services. Internal organizational structures that potentially could be at odds with customer needs. Information systems that target only the present, or are based on an outdated past perspective, and thereby obscure future views of the business. These responsibilities hold significant ramifications for CIOs. First, you must make sure that your company is fully committed to the shift to customer management. Second, you have to ensure that the information your corporation collects

Coloumn Your New Market.indd 24

is parsed and granular enough, down to the customer level, to enable customer management. This may mean driving a set of activities aimed at changing the sales-force data-collection activities—something the CIO doesn’t typically lead. It may mean driving a change in the marketing and sales processes to ensure availability of customer-level data. It may mean crafting a vision to make sure the company is positioned to appropriately respond to a shift from market segments to customer management. For some business leaders, that is a hard pill to swallow. It’s essential that you navigate these political hurdles, however. If your company can’t stay close to individual customers and change in the ways that they require, then you will find—as many executives have in the swiftly changing economy of recent years—that your company has lost the ability to sustain itself. CIO James Cash is the emeritus James E. Robison of Business Administration at Harvard Business School. He was also chairman of HBS Publishing. Keri E. Pearlson is a research director with The Concours Group and co-author of Managing and Using Information

Systems. Send feedback on this column to editor@cio.in

2/25/2006 1:39:40 PM

Paul Garbaczeski

APPLiED INSIGHT

Inside the Software Testing Quagmire Software testing reveals the human failings behind the code. That’s why it can become a never-ending exercise in denial. Here are five questions that you can ask to help you cut through to testing’s root problems...

here are few things worse than being responsible for a software project mired in testing. To those waiting to use the software, the project seems done. But it isn’t. The software needs to be tested to ensure it functions properly and is stable and reliable. And the project manager’s frustration mounts as days turn into weeks, weeks turn into months, and—heaven forbid—months turn into years. (For best practices for running your testing organization, see Testing, 1, 2, 3… February 1, 2006) This process is doubly frustrating for CIOs removed from the action. Testing managers—who may not be skilled at communicating with CIOs—can distract attention from the real problems by being overly detailed or focusing on irrelevancies. CIOs must assess the situation for themselves, asking the testing manager the following five questions face-to-face and observing how wide his pupils dilate.

Question #1: Is the software’s functionality complete, documented and subject to a formal change process?

Illust ration UNNIK RISHNAN AV

You’re really asking: Are we trying to hit a moving target? You’re trying to determine: If the problem is that the software is poorly defined or that the project’s scope has changed. Interpreting the response: If the software’s functionality is not fully documented or is not clear, testers will have difficulty determining whether it meets the project’s goals. When functionality is subject to interpretation, test cases might not reflect what was originally intended. If functionality changes because the organization continually adds, modifies or deletes functions, testers will have difficulty keeping up. Only changes critical to the integrity of the software should be allowed.

Vol/1 | ISSUE/8

Coloumn Inside the Software.indd25 25

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

2/25/2006 1:33:22 PM

Paul Garbaczeski

APPLiED INSIGHT

A related symptom to check: Intense debate about requirements and test results. Question #2: Is development complete? You’re really asking: Are the testers essentially starting over with each new release because there are so many changes? You’re trying to determine: If the software has been released for testing prematurely, or if changes are uncontrolled. Interpreting the response: Software released prematurely will differ markedly from the previous release. With all the changes, testing performed on a previous release might no longer be relevant to the new one. If testing of one release is not completed before the next one arrives, there will be no comprehensive understanding of release defects. After each release, the software will change due to user feedback. But problems will occur if developers and testersdo not agree

CIOs must assess the situation for themselves, asking the testing manager five questions face-to-face and observing how wide his pupils dilate. about which changes will be made. If developers decide to implement sweeping design changes or to improve software already functioning correctly, the testers will be the dubious beneficiaries of releases that behave very differently from previous ones. Again, testing efficiency will be very low. A related symptom to check: Complaints about the frequency of releases, about releases being delivered without notice or about significant changes in a release. Question #3: Are test cases repeatable; are they executed in a controlled environment? You’re really asking: Is testing ad hoc or disciplined? You’re trying to determine: If testing is effective. Interpreting the response: There should be a set of repeatable test cases and a controlled test environment where the state of the software being tested and the test data are always known. Absent these, it will be difficult to discern true software defects from false alarms caused by flawed test practices. A related symptom to check: If temporary testers are conscripted from other parts of the organization to ‘hammer’ the software without using formal test cases, it means the organization is reacting to poor testing by adding resources to collapse the test time, rather than addressing the problem’s root causes. Question #4: Is there a process being followed to evaluate each defect and prioritize its resolution? You’re really asking: Are the most severe problems being tackled first and are the contents of the next release agreed on? 28

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Coloumn Inside the Software.indd28 28

You’re trying to determine: If the organization is making good decisions about where to apply its assets. Interpreting the response: Defects vary in severity. For example, a defect in the cosmetics of a screen form is less severe than a defect that stops the software cold. A defect that impacts many users is more severe than one that impacts few users. The order in which the development team resolves defects should be in line with their severity. Trouble occurs when the development and test teams do not communicate about which defects to remedy and in which order. To ensure improvement of the software and for the test phase to move toward completion, the development and test teams must collaborate. A related symptom to check: The number of highestseverity defects does not diminish over time; friction exists between development and test organizations. Question #5: Does the organization collect testing metrics at regular intervals? The total number of test cases? The number that passed and failed? The number of defects—by degree of severity—in the process of being fixed? You’re really asking: Can the organization quantify the state of testing? You’re trying to determine: Can the organization measure progress? Interpreting the response: Metrics enable informed testing decisions. If metrics are not recorded and published on a regular basis, progress will remain uncertain. Metrics relating to test cases and defects must be captured, published and tracked. With these metrics you can determine whether defects are climbing, cresting or diminishing, and whether the most severe defects are being attacked first. You will see trends and be able to make corrections. A related symptom to check: There are differing opinions about the state of testing, open defects and trends. Because software testing ultimately exposes human failure, it’s difficult to know whether the process is achieving its goal of creating the best software. People don’t like to admit mistakes. They can go to extraordinary lengths to hide mistakes or take unilateral steps to try to remedy problems before others can discover them. ‘Busy-ness’ is no guarantee of progress—indeed, it may indicate the worst kind of testing failure. CIOs can provide a critically important perspective on the process to get testing back on track and keep it there. CIO

Paul Garbaczeski has held a variety of systems development, management and business positions at major enterprises over the past 30 years. Send feedback on this column to editor@cio.in

Vol/1 | ISSUE/8

2/25/2006 1:33:22 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

Cover Story | Business Intelligence

IT is bankingâ&#x20AC;&#x2122;s new knight. Its business intelligence gambit has captured ICICI Bank more benefits than mere up-selling and ensures that a growth strategy based on risk is not defined by defensive play.

IMAGING BINESH SREEDHARAN

BY Gunjan Trivedi

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Vol/1 | ISSUE/8

Reader ROI

BI brings more than cross and up-selling What to watch out for when defining rules How to tackle user buy-in

Vol/1 | ISSUE/8

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

Cover Story | Business Intelligence

usiness intelligence (BI) wasn’t something Pravir Vohra, Senior General Manager (Head-Technology Management Group & Retail Technology Group), ICICI Bank, invented at the bank. Whip smart bank employees rearing to push the envelope were there before him, tinkering with their isolated systems, culling out information that could be the next big lead. But, flash-in-the-pan didn’t satisfy Vohra. Neither did the mere cross and up-selling of ICICI products. He wanted BI to do more. He also wanted to spread the BI oil over all ICICI’s disparate departments and calm raucous calls for more intelligent information. However he was willing to start where everyone else wanted to go. A little less than a half-decade ago, ICICI realized that it was sitting on a huge goldmine of a customer database. Only, the mine was made up of very disparate veins embedded deep in various units and systems. “We had realized that it was going to be harder and more expensive to acquire new customers than to derive more value from the existing ones,” recalls Vohra.

n March 2000, ICICI resolved to get on top of that heap. Reaching base camp, however, would take an intensive data aggregation exercise. A new business intelligence unit comprising tech-savvy business analysts was entrusted with the job of conceptualizing the project and planning a roadmap. The initial purpose was to consolidate business, customer and event transaction data into a single datastore. The bank started by populating the data from two to three systems to a data warehouse. Today, with significant growth in infrastructure over the past four years, the bank sends data from as many as thirteen systems to the warehouse. This covers almost 99 percent of its products-related customer transaction data. Stacking its information in neat piles at its warehouse also helped provide customers a more seamless experience with the ICICI group, which has multiple c o mp a n i e s offering d i f f e r e nt p r o du c t s . This also fuelled ICICI’s early move towards data warehousing and business intelligence. While it gave the bank the ability to pull out a single file on customers with accounts in their various business units, it also allowed them to leverage customer data to cross-sell and up-sell the bank’s products. 32

Cover Story.indd 32

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

And there was ample opportunity to do that. ICICI’s data-vault contains information over 1.55 crore customers. It’s the second largest bank and the largest private sector bank in the country, with assets over Rs 2,00,000 crore. If the financial services giant could use BI to continuously generate new business, it could feed the lines of ambitious marketing people waiting for a chance to score an ace.

Early-mover Disadvantage

But first they were going to have to lay down a court. Adopting data warehousing and BI technologies is still a blip on the horizon of most businesses. When ICICI Bank started out, it took on one of the problems early-movers face: An inaccurate roadmap. And the people selling them the camels didn’t quite know where the next oasis was. “When pre-sales meetings (with vendors) go beyond the regular jingle of success stories and ROI calculations, one often runs into a lack of adequate and in-depth knowledge. As technology partners, they are usually unable to convincingly address queries about scenarios that differ from published case studies,” laments Vohra. Bargaining with people who work with the camels can be a pain as well. As technology partners dangled ROI figures to lure Vohra into buying their products, ICICI’s head IT mandarin steadily became frustrated. The traditional model of ROI, which vendors base their pitch on, is something that is based on plenty of assumptions, he maintains. “All I need to do is presume that I have a set of X million customers and that I will cross-sell 1.4 products to them. And then I pit this number against the costs for acquiring new customers, warehouse technologies, amortization and running costs. It’s possible then to reduce unknowns to a tangible figure,” says Vohra. The real problem, however, is that a CIO needs to balance the reasons to innovate against the capital he is willing to write off if a project fails. Although, Vohra believes that not all risks need to be mitigated. A bank is in the business of taking calculated risks, after all. He feels that CIOs need to mull over every risk and look for countervailing reasons and then come up with a ‘risk balance-sheet’ that they are comfortable with.

Vol/1 | ISSUE/8

2/25/2006 1:40:58 PM

Cover Story | Business Intelligence

Profile of a Bad Investment The business intelligence unit at ICICI works some of that risk-taking attitude everyday. They are the new financers, eons away from the archetypal cautious banker. Applying risk scoring algorithms, ICICI uses data warehousing and business intelligence technologies extensively to manage risk. One instance is when they run BI exercises to spotlight specific pin codes in a city where delinquency rates rise above the average. Based on different risk scores, the bank uses different lending patterns to service different locations in a sprawling metropolis like Mumbai. Since its analyses of delinquent behavior is based on the number of card products it has in certain pockets of a city, risk scoring shoots sharper as data size matures and grows. “We get more insights because the denominator becomes large enough to make the law of averaging meaningful and we learn to interpret it in a better, faster and smarter way. All the initiatives in the areas of risk are an extension of the risk scoring concept. With all the variables we can build in, such as regions, locations, professions, products etc., we are trying to come up with more accurate models. We are drilling deeper to gain more granularity,” he adds. The bank also leverages business intelligence to analyze patterns to help spot and control fraud. It has ‘fraud engines’ working outside the BI system because

fraud needs to be controlled almost in real-time, as transactions pour in and can’t wait for analytics. However, once an attempt to commit fraud is detected, the warehouse and BI jump into the picture. BI helps the bank in bringing forth a pattern. “BI may not get you to a result but gives you the what and where of a pattern,” says Vohra.

A Little Less Risky “Today, business intelligence helps us not only do marketing and sales related activities, but also enables us to derive relevant inferences, bring in operational intelligence, efficiently manage risk and apply credit scoring,” says Vohra. Scoring models are not alien to ICICI. The banking giant has used these models to score customers and products. BI helps to take the hocus-pocus out of the system. The evolution and deployment of BI tools at ICICI have given scoring models a face-lift. And now customers’ profiles are cleaner and sharper. The scoring model helps predict a customer’s creditworthiness and reduces the risk of the bank being scammed. A number of parameters used to create this score earlier were subjective and depended on the intuitive reasoning of the person behind a desk. With the introduction of an evolved BI, which was piggybacking on an elaborate data warehouse, the scoring models got more statistical, rational and reliable. The bank is applying that intelligence to its own products. “The models are evolving

From the Trenches Ten Secrets for BI Success.

1. Do an inventory and assessment

5. Simplify your underlying BI

of your technologies, tools and data— what’s valuable, what’s not. 2. Profile your analytic end-users to ease solution mapping and deployment. 3. Make sure the BI solutions you deploy are easy to use, deliver acceptable response times when functioning with large databases, and can handle all the data sources you need. 4. Deal with your data quality problems in both operational and decision-support data. Step one: Admit you have data quality problems.

infrastructure, including your data infrastructure. 6. Unify business rules enterprisewide with a centralized scheme that can generate, maintain and apply them, thus eliminating duplicate, and sometimes conflicting, departmental business rules. 7. Reuse the business rules and metadata that are already at work in your various BI and operational applications. 8. Realize that cross-departmental BI projects, while more challenging to

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

implement, typically yield greater value than single-department BI projects. 9. Develop a plan to address the IT operational demands (hardware, software, security) you face in order to support a bigger and more diverse analytic end-user community. 10. Consider bringing in a specialist BI consulting firm to lead your project. According to The olAP Survey 3, these tend to be the most successful.

Vol/1 | ISSUE/8

Cover Story | Business Intelligence not only in the manner of the actual algorithm used but in how we leverage them across more products. Our dream is to be able to score at both the customer and product level at the same time,” says Vohra. His team also employs BI to predict other behavior such as customer attrition and product usage. ICICI’s models are aiding the bank to predict customer behavior across segments and products, thereby helping the organization shape or modify products and services. Demand has increased the number BI models running at the warehouse. “Though not all the queries that are run at the warehouse are BI-related, I believe a fair amount out of the average 200-a-day are BI queries. These help us come up with effective new campaigns to grow product usage,” says Vohra.

More to BI Than Meets the Eye Vohra has proved that the bank can extract more from BI than the usual cross-sell and up-sell. Business intelligence has brought sophistication to the marketing of ICICI’s businesses. BI tools now help analysts understand the impact and

reach of campaigns run by the bank by sifting out knowledge of finer granularity from different markets. “BI powers us to reverse-feed the campaign success-rates into the systems to devise intelligent ways to take more marketing initiatives layered on the successful campaigns. This keeps us from wiping our slates clean every time we run a campaign,” says Vohra. The journey, however, was littered with anxious moments when they could have been wiped out. Like most high-impact technology, business intelligence and data warehousing honed ICICI’s competitive edge and empowered it to tap its potential. Also like most highimpact technology, it also came with is share of bugbears. A lack of user acceptance could have stopped them cold. User animosity has sunk many a grand IT initiative. Vohra anticipated this challenge early on. In order to draw in users right from the beginning, the technology team and the business intelligence unit polled internal users on the kind of answers they expected from the BI system. “When we first started the warehouse initiative, we asked users questions like ‘What are the ten biggest business questions you want an answer to?’” The exercise not only helped rally support but also assisted the IT team in creating a rich data-model that efficiently services even complex and esoteric queries.

How Secure is your BI Environment? Your BI environment contains pretty sensitive information—it’s called intelligence for a reason. To get a sense of how secure yours is, try answering these questions: ABOUT YOUR DATA ENVIRONMENT... Who has access to your data extracting and transformation tools and logic? Can they be modified without authorization? Do you know who accesses your data warehouse, the extent of their access and what kind of access they have? Do you know how your data is distributed in support of BI solutions? What do users do with the data they download? Can they send it to outside parties?

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

ABOUT YOUR SECURITY POLICY... Do your policies address BIrelated activities and users? What laws and regulations impact the information stored and used in your BI activities? Do you know if current or planned BI activities are sufficiently secure?

ABOUT YOUR BI AND REPORTING SOLUTIONS...

Do you know where your intelligence is? Do users have IDs?

Do you authorize who uses them? Do customers or suppliers have access to your intelligence?

Vol/1 | ISSUE/8

Cover Story | Business Intelligence And with technologies like BI, in which end-deliverables are difficult to define, having your back covered is a good idea. Unlike core banking, card processing, or lending systems, it’s hard to decide when to call a BI implementation a success, Vohra feels, making it vulnerable to a CFO’s red pen.

BI Readiness Checklist Sizeable investments are made in BI implementation. Here is an indicative checklist that will help you avoid the pitfalls in a BI rollout. INfORMATION fOCUS: Define reports, data elements and base systems. Identify business functions and relevant existing reports as well as new reporting needs. Identify usage pattern and frequency of the existing reporting system, if any. Differentiate between mandatory and nice-tohave data elements. Identify additional data needed for new reports. Build adequate reference data for BI tool. Isolate seldom-used reports and data elements. Classify and define data retention periods.

REPORTING PROCEDURES: Categorize information based on the requirement of real-time or scheduled analysis. Maintain user friendly display of data and the ability to cross-format exporting. Build in ways to highlight and flag exceptions and variations in reports.

SECURITY PROfILING: Identify data that requires restricted access. Map users to the appropriate access rights.

USER READINESS: Identify potential users who will have direct impact. Encourage participation in the preparatory phases. Identify ‘Business Champions’ for each business function among the users. Delegate responsibilities to Business Champions and key users. Communicate ‘change message’ appropriately.

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

“This is an unusual project in the sense that it usually needs year-on-year investments, as requirements continue to grow. Unlike other systems that scale up only as more customers and transactions are added, this scales up not only when more customers and transactions are added, but as queries get more integrated and more complex,” says Vohra. It’s an additional challenge when an organization is on a fast track to growth, as in ICICI’s case, because by the time technology-related decisions are taken, a CIO can miss the bus.

Pick-Up-Sticks A variety of information formats from different companies in the group and a lack of standardization also poses a major threat to the success of BI implementations, says Vohra. Everyone was playing pick-up-sticks—by themselves and with different sets. ICICI faced design issues while building physical and logical data models. “Data elements are critical but it is a pain to analyze which elements in the models to retain and which to drop. We had to really concentrate on the nitty-gritty, such as the choice of central coding structure, translation of data formats into the logical models, incorporation of additional systems and de-duplication of information,” states Vohra. Even once they got a fix on what to keep and what to throw out, the question of how long to keep it became an issue. A blanket policy for data retention would have obstructed the bank’s systems. Vohra had to devise ways to classify data and wrangle over retention periods. “It’s very easy to say that I’ll keep all my data intact for two years. But, this chokes infrastructure. What we need to ask ourselves is: Do we really require all this data for two years? It’s better to make data retention policies based on differential requirements than clog up systems,” points out Vohra. Some categories were easy to make a call on, like the decision to store some information in data marts at the product level, which didn’t have to go into the warehouse. Typically this information was processed into reports at the end of each day. ICICI used a time-based cut-off (two months) on some of its information to decide what stayed out of the warehouse. But rules defining a standard format of what went in the warehouse were tougher to make. While data was being moved to the warehouse or was in transit (whether it was being staged or de-duplicated), ICICI wanted a common reporting framework which would run on these temporary data marts. Along with that, it wanted a common mechanism to deliver data to the users; a mechanism that also addressed security and regulatory issues. This initial struggle was reflected in the confusion surrounding which type of business intelligence would be available at the product level and what would come out

Vol/1 | ISSUE/8

Cover Story | Business Intelligence of the warehouse. A critical area since data ownership belonging to different technology and business teams could result in a turf war. “It becomes a major problem as you grow and evolve. So, we decided to put in simple rules so that people have a common vision for simple queries being addressed by product processing systems and complex, analytic queries being handled by the warehouse,” says Vohra. Like all re-organizations, this one turned into a bout of spring-cleaning and efficiency-building. Earlier, the technology team ran SQL scripts on specific requests, put it in a staging area, and send its link to the user who had asked for the information. The same procedure every week or fortnight, month after month. Now, the same reports are prepublished. The common reporting framework gives users, (depending on access rights) admission to specific reports that are stored in specific systems for a pre-defined period. “Our premise was, while we’re creating these reports anyway, why not run them on their own and increase efficiency? It saves us from being dependent on people’s coding ability,” recalls Vohra. “It’s become a part of our hygiene now and its helped change the way people work,” adds Vohra. Pooling in data once a day, from the once a month routine earlier, keeps ICICI clean. Going forward, Vohra envisions the aggregation of data taking place in near real-time for critical systems. The bank is also aggregating all its disparate BI analytic tools into one common business intelligence framework with well-defined subsets. A few months ago, it felt the need for pervasive BI capability for the enterprise and decided that the time was right for it to start consolidating all initiatives.

P HOTO: BITOO SHARMA

The Next Hill As the BI deployment settles and stabilizes, Vohra and his team have kept building infrastructure to support the tools, finding solutions to new challenges and coming up with new ways to mitigate risk. Vohra now faces another challenge. As investments increase, a point will come beyond which returns will diminish. But IT needs to keep up with the bank’s need to retain transactional data for a given period. This will get progressively harder and more expensive as ICICI generates more transactions. “Though our statistical data is becoming richer, I have already been extracting value for five years. The cost will continue to increase roughly on a straight line, but the success rates will start to fall,” says Vohra. As more complex queries are run, consuming inordinate amounts of technological resources, the risk of these queries not resulting in significant value is much higher. This threatens the business case for further growth of BI. Vohra admits that he doesn’t have an answer to this as yet but says he plans on getting there soon. ICICI Bank’s Senior General Manager (Head-Technology Management Group & Retail Technology Group) has his

Vol/1 | ISSUE/8

Cover Story.indd 39

“Vendors usually can’t address queries that vary from the norm.” — Pravir Vohra Sr. GM & Head Retail Technology Group, ICICI Bank roadmap chalked out for the next couple of years. The process of evolving ICICI’s BI infrastructure into a consolidated framework has just got off the ground and he has a packed pipeline. “I don’t really have the next sea-change in mind because we need to walk our present path before worrying about that. Right now, my main concern is to derive the maximum value from what we’ve invested, and to ensure that every part of the enterprise and every business unit we touch is using IT to the fullest potential,” says Vohra. Over the next year, ICICI plans to consolidate its BI framework and take it to its international offices. The bank also wants to improve its current scoring models by bringing in third-party databases such as CIBIL’s (Credit Information Bureau (India) Ltd) to its warehouse and BI systems. For the time being, however, this will have to take a backseat because the IT team already has its plate full for the next 12 months just making sure that BI gets into every nook and corner of ICICI. As Vohra points out, his concern is figuring out how many ‘mechanics’ are not using these tools. “It’s still a work in progress,” he says. CIO Senior Correspondent Gunjan Trivedi can be reached at gunjan_t@cio.in

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

2/25/2006 1:41:09 PM

VIEW

from the TOP

Neeraj R.S. Kanwar, COO, Apollo Tyres, says IT will keep Apollo racing ahead in an automobile market that’s slick with new opportunities and newer competition.

Passion in

Motion BY Rahul Neel Mani 200,000 metric tons a year of tires and still rolling. Neeraj R.S. Kanwar, COO, Apollo Tyres, the country’s leading Indian tire company, recalls how in the race to the top they made an important pit stop to re-tread the company with IT. Today, IT allows Apollo’s shop floor to talk to its dealers and its customer’s assembly lines, vulcanizing Apollo’s customer relationships.

CIO: How did Apollo Tyres evolve into a systems-driven company?

View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

View from the Top.indd 40

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Neeraj R. S. Kanwar: At one time, Apollo, as an IT organization, was scattered over different locations with numerous departments, each of which was an island of excellence. Each office owned disparate software packages and every plant was an isolated system. Today, Apollo has over 140 offices across the country. These include sales, commercial and technical services departments. We own four plants and source from three others. A 9,000-strong community works for us besides a network of 4,000 exclusive dealers and 2,000 others who stock our tires, making ours the largest network in India. In the process of getting here, we realized that we needed our key decision-makers, across all our offices, to collaborate more. And if we were to become a 360-degree organization, it was important to implement a software package across Apollo. At that time we looked around the market for someone who could fulfill this function and SAP came the closest to it. We also formalized on IBM as our implementation partner of choice. Within a record seven months, Apollo had mySAP.com up and running.

Vol/1 | ISSUE/8

2/25/2006 1:48:31 PM

“I want IT to enable me to talk to my machines on the shop floor where I see a lot of hidden costs,” says Neeraj R.S. Kanwar, COO, Apollo Tyres

How was it done in such a short time? It was possible because we constituted a core team of 18-20 senior people, who were taken off their assignments and put on this project. I remember having an argument with the SAP head for Asia Pacific over whether a seven-month timeframe was realistic. He said we'd gone crazy. It became a challenge and in the end we came out on top. But during the

Vol/1 | ISSUE/8

View from the Top.indd 41

implementation, I remember SAP telling us that they would launch one module after the other, only after the seventh month. We, on the other hand, needed that system as of yesterday and couldn’t wait for a year. I wanted every module up and live in seven months. I wanted to make up for the years we had lost. In a competitive era we couldn’t afford to be laggards. Our effort paid off and on the first day of the eighth month, we were live with four modules—without any major failures.

SAP’s APAC head called back to show his appreciation. Today, the entire company runs on MySAP.com.

Creating a homogeneous IT environment in a crunch must have produced flashpoints... Not really! The approach we took and the people chosen to work under the leadership of the IT head found the project astonishingly exciting. During the journey,

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

2/25/2006 1:48:39 PM

View from the Top

they got a sense of how the implementation would help take the company to an entirely new horizon. It was something they had been struggling to achieve and the project was seen as major push in that direction.

Wasn’t Apollo behind the times with the project? We were late, but better late than never. Within the tire industry here, we were the second to run on a certified ERP, the first being Goodyear. It was a big move and now we can boast of it as a hard decision and an achievement. Its success is based on our foresight and the IT team's collaboration.

What were three most important goals the implementation was to achieve? The first, most tangible, requirement from the system was to generate MIS reports. Second, to capture data on a real-time basis. This information would greatly aid the decisionmaking process for marketing, technical support and sales. Last, we wanted to bring transparency across the company. MySAP.com serves only as a takeoff platform on our journey to use IT to drive business. With unconnected, obsolete data flowing in from 140 offices and 4,000 dealers, we were getting a skewed picture. This prevented us from performing many critical functions we do today, like demand forecasting and advance planning. From there, we moved into business intelligence. It has not only enabled us, as users, to take better decisions but has also helped customers and dealers outside Apollo, to stay in sync with us. 42

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

View from the Top.indd 42

How did you champion the project?

Has IT enabled Apollo to reduce its time-to-market?

I advocated a couple of basic fundamentals. One, that the project and the methodology should be extremely transparent. I wanted an open-ended approach, which would allow various departments to communicate their problems to the head of IT. We asked them to bring up workflow issues and possible solutions. I put my weight behind the project by instructing the function chiefs, who report to me, to support the head of IT. We also constituted a core steering committee of five, who met every fortnight to review the project.

What MySAP.com allowed us to do primarily is to get data right-on. I was then able to take that information to my stores, into our supply chain and production planning. It helped me forecast seasonal trends, like the April-June and November-December farm seasons. MySAP.com allows us to tell what’s gone into the market and, more importantly, what else needs to be introduced. Armed with this knowledge, we have been able to enhance the way we track products. As a result, we know when and where to stock products in order to achieve the shortest delivery time. To shorten that cycle further, we’ve also started bar-coding our products. Additionally, we put up a dealer portal to give exclusive Apollo dealers the option of linking up with our systems and locating information instantaneously. Although we only have 250 dealers on the platform right now, I soon hope to see many more utilizing this tool. We realize that truck tire dealers might be hesitant to increase their use of computers and we are addressing this. More dealers will figure that the portal offers them the ability to place orders, create invoices, manage stock and do whole bunch of other functions. The portal also acts as marketing tool and that helps us reach the market faster.

“We're on our partners' shop floors and know their assembly line needs. IT is aligning my production with theirs.”

What other benefits does the portal offer? The site services more than just our dealers. We are talking of alignment with our OEM (Original Equipment Manuf acturer) partners.

Vol/1 | ISSUE/8

2/25/2006 1:48:40 PM

View from the Top

Already, we are seeing orders coming in from M&M, Tata and Maruti on a weekly basis. Apollo is now on the shop floors of its partners. We know what their assemblylines require. Instead of constructing warehouses at random, we’re trying to have them near these factories to further reduce delivery time. But it is IT that is aligning my production line with theirs.

How has this impacted on your supply chain and where are the bottlenecks? Even today, there’s plenty of room to improve the performance of our SCM (supply chain management). We have already graduated to the next level. Take for example our Advance Planning and Optimization (APO) tool, which does both demand and production planning. Before adopting it, we could forecast about 20-30 percent of what was being sold. You can imagine the amount of hidden costs that remained hidden. If I am not planning right, I won’t be able to purchase right. And given that the price of my raw material is 65 percent of my product’s cost, wrong purchases cause cash flow to go haywire. With APO we can now forecast 75 percent, which is incredible and the IT team needs a pat on their back. SCM now helps me sell the right product, at the right time, to the right person. There’s no dearth of suppliers and getting to know you customer is crucial. The supply chain has also helped us improve after-sales service. We’ve put some of Apollo’s suppliers on the SCM and we’re trying to expand that number. Today, we buy 60 percent of our raw material from the domestic market and have the rest imported. Our international sellers are not yet talking to my systems, but the momentum among the domestic players is picking up. Getting them all will add value. If I am going to make the best use of this system, I have to populate the information highway across the company. 44

View from the Top.indd 44

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

We are here today but we’ve still got a long way to go. I would like SCM to give me the ability to track every single product, whether it's in a warehouse, in production or in transition.

SNAPSHOT

Apollo Tyres

Headquarters:

Gurgaon, Haryana Primary Business:

How did you empower field associates?

Tire Manufacturing

Revenue:

Rs 2,800 crore

Employees:

Do you foresee a smarter use of IT? I want IT to enable me to talk to my machines on the shop floor. Right now it’s only my customers and sales-force who are talking to me. The shop floor is an area where I see a lot of hidden costs. I need to know which machine is not giving me optimum results because that’s a cost to me. That’s where IT is working on now.

9,000 By giving them access realSales Offices: time information. On the 140 field, obsolete information is No. of Exclusive a huge handicap. I personally How important is Dealers: 4,000 wanted to equip them with the CIO to Apollo? a Palm or a Blackberry, but IT Staff: 28 my CIO suggested that the We see IT as more than transfer of data could also just a support function. IT IT Head: Dheeraj Sinha be done via SMS. is totally in line with the Apollo has almost 500 company’s vision and is also people in the field, all of part of the core team. Our whom once carried heaps CIO is very much a part of of files just to check the our journey to success. Full status of various dealers, distributors credit for moving away from the problems and customers. Today, they have access of decentralized architecture to centralized to that information over their phones. information architecture goes to the IT team. Normally they make requests over SMS Last year we set out on a journey we call straight to SAP. ‘Passion in Motion’. It has three pillars: People, technology and quality and is driven by our CIO. Tomorrow, if I envision How has IT helped Apollo going global, I trust IT and my CIO to give map the various demands of me a leg-up. CIO

its huge customer base?

We make 250 different types of tires today. As we reach the status of an FMCG, IT will continue to help us keep track of every product, its demand forecast and production cycle. The way the automobile sector is growing, we will need IT to map our production and ensure we don’t lose new or present customers. My aspiration is for IT to provide a transparent and back-to-back access to my dealers who, in turn, interface with customers. I’d like this to happen as soon as possible.

Bureau Head North Rahul Neel Mani can be reached at rahul_m@cio.in

Vol/1 | ISSUE/8

2/25/2006 1:48:41 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

. . . f o h ull t o f m t’s amut i m b a p, t i go sh e tle v ’ t u a o b y y , e rit r Su ecu s

Feature FINAL.indd 46

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Vol/1 | ISSUE/8

2/25/2006 1:43:44 PM

Security

This is not the best of times for information security. From cloned credit cards to lookalike websites used for phishing, common sense security procedures seem in short supply. “Almost without exception we’re living in a world where no one thinks to lock the stable doors until the horses have escaped,” says David Friedlander, a senior analyst at Forrester Research. CIOs can spend millions on firewalls, intrusion detection systems and whatever else their security vendors are selling, but when that VP of marketing decides to sync his work laptop with his unsecured home PC—and there’s no policy or training to make him think twice—your million-dollar security efforts become worthless. With that in mind, here are 10 common security ailments and 10 practical remedies. They’re easy and inexpensive, and you can do them right now. All involve some form of user education and training. “How do Reader ROI you stop stupid mistakes?” asks Mark Lobel, a partner in the Common security problems security practice at PricewaterhouseCoopers. “It’s education and how to fix them and security awareness—basic blocking and tackling—and it Steps for preventing does not have to cost a fortune.” future holes Vol/1 | ISSUE/8

Feature FINAL.indd 47

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

2/25/2006 1:43:53 PM

Security

Save As...

The Hole | A company familiar to Adam Couture, a principal analyst at Gartner Research, searched its Exchange servers for documents called ‘passwords.doc.’ There were 40 of them. The Problem | Uneducated users. “Some of these [mistakes] are so obvious that you think, ‘Nobody would do that,’” Couture says. “But you give people too much credit.” Any hacker, malcontent employee or grandmother with a minimal amount of computer know-how could unlock those documents and ravage your company’s most sensitive applications (not to mention all of your employees’ personal information). The Solution | First, CIOs need to acknowledge that there might be passwords.doc files on their networks, find them and destroy them. Then, via e-mail or a company-wide meeting, they need to explain to users why keeping a file like this on the network is a really, really bad idea.

Ever Heard of “bcc:”?

The Hole | On June 13, 2005, the University of Kansas Office of Student Financial Aid sent out an e-mail to 119 students, informing them that their failing grades put them at risk of losing their financial aid. The e-mail included all 119 students’ names within the e-mail address list. The Problem | Besides embarrassing their students, U. Kansas administrators may have violated the Department of Education’s Family Education Rights and Privacy Act, which protects the privacy of students’ grades and financial situations. The Solution | First, companies need a policy that explicitly states what can and cannot be sent out via e-mail or IM. “A lot of companies don’t have good acceptable-use policies for e-mail,” says Michael Osterman, founder of Osterman Research. He suggests that they map out how employees should handle confidential information, offer them training and have them sign a one-page document stating that they have taken the course and understand what to do. University of Kansas officials say they have “undertaken internal measures—such as reviewing e-mail 48

Feature FINAL.indd 48

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

and privacy policies, and training staff—to ensure it does not happen again.” Osterman also suggests that CIOs add an outbound scanning system to the existing e-mail system that looks for sensitive content in e-mails (such as 16-digit numbers, which could be credit card numbers). He says these systems are inexpensive and are offered by scores of messaging vendors; some vendors will even do a complimentary scan of a company’s messages to see how bad it might be. One vendor that he’s familiar with started scanning a new customer’s network and found 10 violations in 10 minutes.

No One Noticed? Really?

The Hole | Orazio Lembo, of Hackensack, N.J., made millions by purchasing account information from eight bank employees who worked at several financial institutions, including Bank of America, Commerce Bank, PNC, Wachovia and others. Lembo paid Rs 450 ($10) for each pilfered account. Most of the felonious employees were high-level, but two bank tellers were also arrested. Lembo had approximately 676,000 accounts in his database, according to Capt. Frank Lomia of the Hackensack Police Department, an official investigating Lembo. The Problem | Capt. Lomia says that many of Lembo’s contacts usually accessed and sold 100 to 200 accounts a week—but one managed to access 500 in one week. “What surprised me is that someone could look at 500 accounts and have no one notice,” he says. The Solution | CIOs, with the help of the HR, security and audit functions, need to institute a clearly defined policy on who has access to what information, how they can access it and how often. After all, with HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley looking over CIOs’ shoulders, compliance and controls have to be on the top of the to-do list. “Through all the phases of information creation to maintenance and storage and destruction,” asks PwC’s Lobel, “do you have that data classification and lifecycle process, and do people know what it is?” Lobel says many of his clients have compliance controls, but employees either don’t know such controls exist or aren’t clear where they apply. “User education is not easy, but it is worth the effort,” he says.

Vol/1 | ISSUE/8

2/25/2006 1:43:54 PM

Security

ChoicePoint’s Bad Choice

The Hole | Criminals posing as small-business owners accessed the information—names, addresses and Social Security numbers—of 145,000 ChoicePoint customers. The Problem | Call it what you will—fraud, ‘social engineering,’ the Kevin Mitnick effect—this was one really glaring example of how these kinds of attacks are plaguing companies. Lobel says commercial enterprises could improve when it comes to training users about social engineering— hackers targeting well-meaning users over the phone or Internet to obtain private information such as passwords. “We’re always going to find somebody who doesn’t know what they shouldn’t be doing,” he says. The Solution | CIOs should make sure that both users and customers are adequately trained in how to recognize and respond to phishing and other related attacks— especially before they go out and hire a company such as PwC to audit their user base. “[CIOs] should spend their money on a [training] program rather than on testing,” Lobel says. ChoicePoint claims that it has strengthened its customer-credentialing procedures and is re-credentialing broad segments of its customer base, including its smallbusiness customers.

Loose Laptops

The Hole | On April 5, MCI said that an MCI financial analyst’s laptop had been stolen from his car, which was parked in his home garage. That laptop contained the names and Social Security numbers of 16,500 current and former employees. The Problem | In many recent cases involving laptops, the computer’s security was handled by a Windows logon password. “It’s getting easier for even the more casual criminal to find out how to break into the laptop,” says Forrester’s Friedlander. “There’s more awareness that the information is valuable.” Plus, the data in many of these recent incidents wasn’t encrypted. (MCI won’t say whether the stolen laptop was encrypted, just that it had password protection). According to Friedlander, encryption adoption is much lower than firewall adoption because encryption historically has had performance issues (it slows the computer down) as well as usability issues (users are often confused about how to encrypt the right data). In a recent Forrester survey, 38 percent of respondents said they have no plans to deploy encryption tools. Ouch. The Solution | CIOs need to do some classic risk management, says Friedlander, and ask themselves: What is the information on the system that I care about the most? Who’s connected to a network where I might be exposed? And then they should create or revise their security policies based on that assessment. For example, if a laptop has customer information on it that would kill the company if it got into a competitor’s hands, then the

Vol/1 | ISSUE/8

Feature FINAL.indd 49

CIO should ensure that encryption was turned on. Users need to understand “why these policies and technologies are in place that may seem inconvenient, but why they do matter,” says Friedlander. “If they realize the implications, most people will want to act.” If the information on another laptop is less critical, then more basic security measures, such as strong passwords, can be used, he says.

Tales of the Tapes

The Hole | Let’s not forget the good ole data tape—in particular, CitiFinancial’s now-infamous UPS shipment of unencrypted computer tapes that were lost in transit to a credit bureau. A whopping 3.9 million CitiFinancial customers’ data was on those tapes, including their names, Social Security numbers, account numbers and payment histories. The Problem | CitiFinancial has stated it “[has] no reason to believe that this information has been used inappropriately.” But on the other hand, there’s no reason to believe that it won’t be. There are companies that specialize in handling data tapes, Iron Mountain for one. But even Iron Mountain is not impervious to security snafus. In May, Time Warner announced that Iron Mountain had lost 40 backup tapes that had the names and Social Security numbers for 600,000 of its current and former US-based employees and for some of their dependents and beneficiaries. Iron Mountain says it has recently suffered three other ‘events of human error’ that resulted in the loss of customers’ backup tapes—and these are the guys who supposedly are all about security and nothing else. The Solution | In July, Citigroup said it will start shipping customer information via direct, encrypted electronic transmissions. Though “you can squeeze a lot more

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

2/25/2006 1:43:55 PM

Security data into a truck than you can over the wire,” Couture of Gartner Research says, “[sending data electronically] could be cost-effective for smaller companies with small amounts of data.” Citigroup’s new shipping method will also take much of the people part out of the equation. “Any time you have to touch that tape and add a human element in the process, there’s the potential [for] incompetence, malfeasance, and pure and simple stupidity,” Couture says.

How Much for a BlackBerry?

The Hole | This tale has been told so often that it is teetering on the brink of urban legend status: Back in 2003, a former Morgan Stanley executive, apparently with no more use for his BlackBerry, sold the device on eBay for a whopping Rs 697.5 ($15.50.) The Problem | The surprised buyer soon found out that the BlackBerry still contained hundreds of confidential Morgan Stanley e-mails, according to a Forrester report. The Solution | First, users with handhelds, laptops and other devices need to be made to understand what’s really at stake. “It’s not the laptops that are the issue; it’s what’s on them,” says For-rester’s Friedlander. Second, CIOs need to institute a repeatable and enforceable policy for device and access management—even for high-powered executives. When someone leaves the company, he should have to turn in all of his corporate-issued devices, and IS should lock him out of all applications to which he had access. “If you have 1,000 users, there should be 1,000 accounts,” says the CISO of a large Midwestern financial services company. “So why are there 1,400? Because people who have left still have authority to log in.” According to the Forrester report, Morgan Stanley did have a policy that stated that mobile devices should be returned to IS for ‘data cleansing,’ but this exec must have slipped through the front door. Another huge problem is those longtime employees who move around the company and retain access to data associated with their previous jobs even though it’s unrelated to their new position, says Jeffrey Margolies, lead for Accenture’s security services and identity management practice. “They accumulate access over time, and they are an audit nightmare.” A solution is to set up one place (whether it’s a website or paper form) where employees can request access to applications, Margolies says. CIOs need a policy that states who has access to what systems and why, with IT, HR and 50

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

security getting to make the decisions. “Over the last 10 years, we have built hundreds of applications, and every single application has its own way of [determining] access and managing that access,” he says. “But just [giving people] one place to go and [saying] just fill out this form—even if it’s paper—the level of confusion is reduced.”

IM Not OK

The Hole | One of your top sales guys is a huge believer in instant messaging. In fact, he’s been using a consumer-grade IM client (probably AOL Instant Messenger) to communicate with his customers for years. And this hypothetical salesman’s IM name fits his personality perfectly: Big Bad Texan. The Problem | There are three, says Osterman of Osterman Research. First, security: A consumer-grade IM client used on a corporate system will bypass all antivirus and spam software. Second, compliance: Consumer-grade IM clients don’t have auditing and logging capabilities for regulatory compliance. And third, name-space control: If Big Bad Texan takes a job at your competitor, rest assured he’s taking his IM name—and your key customers—with him. “There’s no clue to the outside world that he left,” Osterman says. The Solution | The first step is for CIOs to admit to themselves that consumer-grade IM could be running rampant in their organizations. Osterman estimates that 30 percent of all e-mail users are instant messaging these days. Like e-mail, CIOs need to develop an acceptable-use policy and make sure everyone understands it. Then CIOs have two options: Allow consumergrade IM to remain in place and deploy a system that will provide any number of security functions, such as blocking file transfers or mapping IM screen names to corporate identities, says Osterman. Alternatively, CIOs can replace consumergrade IM tools with an enterprise-grade system. “This can be a more expensive and disruptive option, but it’s one that many organizations are choosing,” Osterman says.

Unwired and Unsafe Workers

The Hole | The CISO (chief information security officer) of the Midwestern financial services company shares this nightmare: An executive decides she wants to put a wireless access point in her house so she can work at home from anywhere in her house. Her son gets her up and running. She wirelessly logs into the network, and she uses the default password for the connection that came straight out of the box. The Problem | “Go to every single hacker site, and you can find every default password and user ID [for

Vol/1 | ISSUE/8

Security wireless routers],” says the CISO. “Home PCs are one of the greatest vulnerabilities.” And once this executive authenticates, others can see how she did it, “then people are in,” the CISO says. The Solution | Back to the basics with this one. CIOs need to make sure all employees who work from home know that they have to change all the default settings, and they can’t forget about firewall, VPN, antivirus patching and authentication tools. That all takes an omnipresent security education program, but to this CISO, it’s the cost of doing business today. “The struggle with security education is getting it so it becomes like breathing,” the CISO says. “Users have to become smarter about how they do things.”

40 Million ‘Served’

The Hole | In June, MasterCard announced that CardSystems Solutions, a third-party processor of credit card transactions for MasterCard, Visa, American Express and Discover, allowed an unauthorized individual to infiltrate its network and access cardholder data. The Problem | Up to 40 million cardholders’ information could have been exposed. It turns out CardSystems had violated its agreement with the credit card companies: It was not allowed to store cardholders’ account information on its systems, and yet it did just that.

Feature FINAL.indd 51

The Solution | If a company has an agreement not to store another company’s data on its systems, it shouldn’t. And if for some strange reason it becomes necessary, the company had better ensure that it has the necessary controls. “All of those cases of breaches speak to the need for a good, old-fashioned defense, in-depth, with multiple layers of control,” says PwC’s Lobel. For example, he says, instead of just having a firewall, companies should have multiple layers of controls on their network. Or rather than just using SSL, companies need to use authentication too. “You get into the security versus ease-of-use trade-off and cost,” he says. “That’s the decision that businesses have to make with their eyes wide open.” In the end, how a company views security and protects its customers’ and employees’ data will have a direct correlation to its longevity. In the case of CardSystems, in July both Visa and American Express said they no longer wanted to do business with the company. CIO

Editorial Intern C.G. Lynch also contributed to this report. Send feedback on this column to editor@cio.in

2/25/2006 1:44:01 PM

INSTANT LEASING 52

Govern Main.indd 52

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

Vol/1 | ISSUE/8

2/25/2006 1:44:58 PM

e-governance

The judicious use of technology has helped Singapore’s JTC (Jurong Town Council) improve transparency, increase user convenience, and reduce the time it takes to process a request for rented space from 14 days to almost zero.

IMAGING BINESH SREEDHARAN

By Balaji NarasimhaN

Today, we live in an ‘instant’ age—instant money components. In the words of Yap Chee Yuen, Group CIO and CKO, JTC, “The corporation is committed to helping transfers and instant messaging. But, in many parts of customers stay competitive, to be responsive to their needs the world, if you’re a business owner who wants to set and to be creative in continually providing solutions that up a factory or pick up office space, you can forget the exceed customer expectations.” instant experience. Unless, of course, you are in SingaSinga e-governance projects, people-oriented as they are, pore and have access to the eCREAM system. make buy-in very critical. The responsibility of selling eCREAM (which stands for Customer, Real Estate eCREAM fell squarely on JTC’s lap. Tan Soo Cheow, And Marketing) is a state-of-the-art system that JTC Deputy Director, JTC, says, “Buy-in was secured via (formerly Jurong Town Council)—a government agency road shows that exhibited an exciting, relevant protothat provides tenancy and lease management services type and demonstrated the usefulness of the system.” to more than 7,000 companies in Singapore—uses to Conviction, however, cannot be built in a day. manage its online activities. Thanks to eCREAM, JTC Persuading stakeholders was going to require a mindset has cut down the process time to lease land from 14 change and senior management was brought into the days under the manual system to an instant approval. loop and was closely involved in the implementation And that’s not all—customers, now only have to answer process. To ensure that everything fell into place 13 questions online, a far cry from the days of a ten-page and worked with homogenous paper form. Sweet. coherence, JTC also hired from the Like all good e-governance projects, Reader ROI: top drawer. They asked consultants eCREAM started not with technology, Why embedding people in Authur D’Little to run a complete but with people. JTC wanted to rea project is a smart way of side-stepping implementation Business Process Re-engineering invent itself into a customer-centric problems (BPR) exercise. Workflows organization, which, in a government How to combine functionality were scrutinized and efficiency setup, requires shedding layers of with ease-of-use bottlenecks flagged. Value-chains bureaucracy. It also needed a robust What to watch out for when were also studied to determine the IT infrastructure; one built on tough employing vendors in an best way JTC could make things framework, which would leverage a e-governance project easier for its clients. set of databases and infrastructure Vol/1 | ISSUE/8

Govern Main.indd 53

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

e-governance

getting knowledge transferred Once their strategy was set, from the external suppliers and JTC moved to issues on the vendors. Fortunately, three JTC ground. Questions of whether employees been committed to to use Microsoft .NET or Sun’s work with the vendors from the J2EE and whether they should project’s start and the transfer use customized development was handled with ease. or settle for existing packages Deploying its manpower were tabled. To answer intelligently was one of JTC’s these questions, JTC hired strengths; one which ensured a Accenture for business smooth rollout. This sensitivity and technical expertise, was reflected in the way they and Avanade for technical communicated job security to implementation. It was agreed their people. An important issue that JTC would construct on with any computerization effort Microsoft .NET architecture, “To ensure minimal is that employees get the feeling and rely on Microsoft for the disruption to our that a computer is replacing OS and the database. The customers when we them. JTC was committed to workflow would be managed rolled out the project, we redeploying manpower saved with Tibco, while CA’s Aion set a very tight timeline by the eCREAM project to business rules package was for ourselves and our perform other duties. In one to be deployed as part of the vendors.” – Yap Chee Yeun, stroke JTC removed employee three-tiered, clustered Web Group CIO and CKO, JTC fears of being sacked and architecture. Surrounding secured buy-in. This helped these deployments was one JTC employees embrace the project wholeheartedly. JTC, key criteria: Data integrity, accuracy and security which has a staff strength of around 820, has witnessed needed to be by design and not by chance. an attrition rate of a mere five percent. When all the pieces had fallen into place, JTC moved It’s no wonder fewer employees wanted to leave. into implementation. The company took a four-phased Information sharing and processing became simpler approach to ensure manageability, and also because with the elimination of manual processes, and this this enabled them to chart a course that gave their improved operational efficiency, boosting staff morale. employees several morale-boosting milestones. Despite JTC had won over its staff and eCREAM pressed that planning ahead, JTC was forced to contend with issues advantage by proving to be a great tool. like managing vendor commitment. The final issue was

The Indian Angle From its slow start, India is catching up with the likes of Singapore in the race to increase efficiency in land-leasing processes. one government entity that is taking o steps to speed up land leasing is the Maharashtra Industrial Development Corporation (MIDC), India’s largest industrial infrastructure and water supply provider. According to Sanjay Khandare, Joint CE CEo (IT), MIDC, once a project’s requirements have been submitted and the land 54

Govern Main.indd 54

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

premium cost has been paid, land possession can be given in seven days. The land-lease process could take another 7 days. While MIDC doesn’t have an online leasing system in place right now, they are working on it. Currently, entrepreneurs who want to lease land from MIDC have to fill up a twopage form containing 12 questions. Gujarat Industrial Development Corporation (GIDC) isn’t online either, but many of the application forms are available online.

one government entity that has made greater progress than MIDC and GIDC is Delhi State Industrial Development Corporation (DSIDC), which has a variety of forms online. DSIDC’s advantage over other government offices is that it has online registration forms for small scale industries, societies and partnerships. It also gives companies reference numbers to track the status of their applications. — B. N.

Vol/1 | ISSUE/8

e-governance

eCREAM’s benefits to JTC’s external customers were also so immense that they adopted it with gusto. “Our customers have been receptive to trying out our e-applications. On our end, we smoothened the change by going onsite to teach our customers the use of online applications, by setting up self-help kiosks at our counter, and by providing publicity booths during our customer events,” says Yap. Another advantage to eCREAM is centralization. Earlier, JTC had four zonal offices to handle all the manual work, but thanks to the new system, all these activities have been moved back to the head office. This is one reason why the system, which cost Rs 12.2 crore (S$4.5 million), managed to deliver savings of Rs 10.3 crore (S$3.8 million) within the first year. eCREAM didn’t only save money, it also brought more in. In 2005, JTC allocated 332,600 sqm (gross) of ready-built factories as opposed to 262,100 sqm in 2004, a clear 26 percent jump. It also delivered in other areas. In 2005, JTC allocated 199,600 hectares of prepared industrial land, compared to 117,900 hectares in 2004. Apart from translating to a 69 percent leap, this figure is important because it marks the highest net allocation for prepared industrial land over a 10-year period between 1995-2005. But customer benefits are not measured merely in figures. eCREAM—and Krypton, its public interface— ensured that customer-service levels saw a marked rise. Ease-of-use was backed by solid savings as costs per transaction came down. Eliminating the cost of processing paper meant administrative fees could be slashed from Rs 13,600 (S$500) for hardcopy applications to Rs 5,400 (S$200). Getting feedback is the lifeblood of a system like eCREAM. JTC setup a corporate data warehouse called OASIS, which it stacked with customer queries, complaints and suggestions. Using OASIS to drive customer strategy ensured that technology did not alienate the customer. As Yap puts it, “JTC officers must be able to retrieve key information at the click of a mouse so that they can enhance their customerresponse time.” The results of this effort are beginning to show. Tan says, “Customer feedback shows that eCREAM affords them convenience and that its online applications are easy to use. Some have even commended us, saying that this is what every corporation should strive for.” Another way customers benefited from the system was because eCREAM enabled them to find the right facilities, which is possibly one of the reasons why gross allocations increased dramatically. eCREAM has also enhanced system integrity, including accuracy, security and traceability. Speed and timeliness of information have been bettered, along with

Vol/1 | ISSUE/8

Measurable Benefits Item

2004

2005

Ready Built Facilities

98,300 sqm

180,400 sqm

83%

Business Park Space

102,400 sqm

226,400 sqm

121%

Specialized Parks

45.1 ha

101.3 ha

125%

Prepared Industrial Land

68.9 ha

174.1 ha

152%

ease-of-use. Thanks to eCREAM and other initiatives, JTC has won the Singapore Quality Class award and Singapore’s National Infocomm Award in 2004 for the ‘Most innovative use of infocomm technology.’ JTC isn’t resting on its laurels. It is moving ahead at full steam with new ideas for eCREAM. On the anvil are plans to integrate a module to track leads and opportunities, apart from facilitating the litigation process. Krypton is also being enhanced with a flexi-pay e-payment module. Simultaneously, JTC is busy integrating Titanium, its portal for partners’ access, with eCREAM. The company is also working on incorporating 3G wireless access into eCREAM so that employees can use their PDAs to query the system. Meanwhile, the original system is being constantly upgraded to meet newer corporate objectives. But, all said and done, the chief success of eCREAM can perhaps be traced to one important fact—eCREAM was envisaged as a module to ensure better customer satisfaction, and this focus has been retained two years after the application was first rolled out. Here’s a lesson all e-government initiatives can benefit from—start with the customer, and end with them. CIO Special Correspondent Balaji Narasimhan can be reached at balaji_n@cio.in

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

2/25/2006 1:45:03 PM

innovate to

sustain Sanjeev Gupta, Secretary IT, Himachal Pradesh, finds himself on rocky ground. He’s got the funds to take e-governance to the state’s most remote valleys, but he’s short on users, making project ROI hard. A cold breeze blows on him: How is he to make essential but non-earning citizen projects financially viable in the long-run, given Himachal’s small population? By Rahul Neel MaNi

CIO : Himachal Pradesh has the unique problem of creating mass services for relatively few citizens. How do you ensure ROI and the continued viability of e-governance projects? Sanjeev Gupta: Himachal Pradesh is one of the few Indian states where community service centers (CSC) have percolated down to the tehsil (administrative sub division) level. So, e-governance initiatives have already met success here. The challenge that we face is the sustained viability of future projects, given that the state only has a population of 65 lakh and low per capita income. But even now, services are available and there are many people using them. Out of 110 tehsils, 58 offer to register land records online. Our land record software has a pedigree table, which tracks a family’s history with ownership rights. We have 56

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

both village and irrigation census register modules. New Jamabandis (entries in a register of tenants) are created virtually everyday, every minute. Thirty-one centers at the sub-divisional level have generated Rs 2.5 crore in just a year. I think this is a phenomenal success given our small population. During the days of the manual system, people were forced to wait for an eternity and bribe government officers for a license worth Rs 1,000. Citizens are much happier spending Rs 100 at the center where, at least, their work is done quickly. The flip-side is that people could ask us why the government should demand an additional fee to deliver services efficiently, when that’s our job in the first place. In our defense, we have tried to keep user charges to a bare minimum—in order to encourage citizens to keep using the CSCs. The citizens’ faith in these

VOl/1 l/1 | ISSUE/8

Interview | Sanjeev Gupta

PHOtO by S RIVAtSA SHAn dIlyA

The challenge is in creating continued feasibility, not in creating credibility, says sanjeev Gupta, secretary it, it Himachal Pradesh, focusing on the state’s unique problem.

services is bound to deepen—after all he’s getting updated information. The challenge is in creating continued feasibility, not in creating credibility. What else have you tried to sustain these projects?

The approach is important. In our case, the front-end is managed by private entrepreneurs who charge every transaction. The rest is taken care of by the government.

V Ol/1 | ISSUE/8

Soon, we’re going to have integrated CSCs in three districts. The government will put up the capital and provide basic infrastructure, but the recurring costs need to be borne by a private partner. The government will determine the cost of a service and the private partner will take home a fixed share. But, honestly, I am wary of the nation’s plans of sustaining 100,000 CSCs when we’re struggling with the current state of affairs. Some of the tehsils reflect a meager five property registrations a day. Numbers like REAL CIO WORLD | M A R C H 1 , 2 0 0 6

Interview | Sanjeev Gupta that make me worry about the viability of these projects. How will we cope when we open more centers? Since the small population is a given parameter, how do you see the way ahead?

We have already raised this issue with Union Government, and they have agreed to share the burden of this project with us. The government has agreed to provide us with a cross-subsidy. That’s how we plan to get past this problem for now. Without this support, it will be difficult to sustain these massive e-governance projects. How have you reached the more inaccessible tehsils?

Few people are aware that Himachal Pradesh, despite its difficult terrain, has deep optical-fiber penetration. The state has 24,000 km of roads (out of which 13,000 km is metalled) of which 8,500 km has optical fiber laid into it. When we ran an analysis for a State-Wide-AreaNetwork (SWAN), we discovered that out of 131 Points

can be an unreliable source of income. So, in some cases, warranty costs reach inordinately high levels as private partners inflate their prices to ensure they recover their any which way. We found that Supply-Operate-Manage (SOM) was a better alternative. What works for us is that since goods are procured with a certain level of warranty, operational expenses are reduced considerably. Our specific needs demand that we resort to wireless solutions at many locations, which means that we need to watch our warranty costs. In any case, I advocate that SWAN implementation should not be vendor-driven. I’ve had a vendor ask me for individual leased lines for 25 horizontal offices that each POP connects. At Rs 60,000 per pair of modems, that’s a good deal the vendor has cornered. A vendor shouldn’t dictate how many leased lines I need to buy. So I toyed with the idea of an E3 or STM switch which can replace a number of modems. There’s no point in stacking that many modems, it only adds complexity.

“We have to think unconventionally and be very careful while spending taxpayer money. If not spent carefully, generations hence will curse us.”

of Presence (POPs), 101 have fiber connectivity. The other locations will be connected via microwave. We’re in a good position compared to other states that plan to lay optical fiber only now and are going to have to pay for it. Infrastructure is already a non-issue here, it’s the number of people using the services that we are short of. Strangely, it’s one state where low population has become a hindrance to progress.

Now, my total bandwidth charges for horizontal connectivity down to the tehsil level is Rs 40 lakh. Beyond to exchange to the POPs the cost is nearly Rs 10 crore. In my view, instead of using the leased line modem, we can physically terminate the optical fiber into the LAN switch of that office. This reduces our spend to a few thousands from millions. We have to think unconventionally and be very careful while spending taxpayer money. If not spent carefully, generations hence will curse us.

In view of the difficult terrain, what innovations have you introduced during project implementation?

Did other projects share this approach?

As elsewhere, our SWAN was completed on a PPP (Public-Private-Partnership) model. But our model differs slightly from the BOOT (Build-Own-OperateTransfer.) This model demands private players to invest their money and recover it through user charges, which

Our land records system has. No other state’s system has come close to the functionality that the software developed by NIC Himachal Pradesh has achieved. As I’ve described, every land owner in the state has a unique code assigned to him. This replaces all the

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

VOl/1 | ISSUE/8

Interview | Sanjeev Gupta various documents that a citizen would PGI in Chandigarh or AIIMS in Delhi. have to carry to register land. And there The project will also facilitate online are plenty: Land records, Himachal diagnosis from remote locations. Pradesh citizenship, a caste certificate, Once we have finished with these if he or she is an agriculturalist then a three districts, we will replicate the certificate stating so, for instance. project at 20 other locations over the SNAPSHOT We created a database, which is next three months. We will use ISDN updated every time a registration connections where optical fiber is POPuLATION: 65 lakh takes place. The codification process not available. It is one of the most has minimized a number of workflows. ambitious and beneficial projects we TOTAL POINTS OF PRESENCE: 131 Citizens no longer have to go to a have undertaken so far. Its benefits to citizens who don’t have access to Patwari (an officer of the revenue OPTICAL FIbER: 8,500 km hospitals is incalculable. department) just to know the value of a piece of land. POINTS OF PRESENCE WITH We’ve also started something Finally, what are your plans for the OPTICAL rudimentary but innovative to improve tax current fiscal? FIbER: 101 collection. There was a need to network and Our biggest project, the Hospital PROjECTS uNDER computerize inter-state barriers to evaluate Information Management System ImPLEmENTATION: the value of cargo each truck carried. There (HMIS), will kick off. We are starting it SWAn, Hospital have been cases of people declaring that the with the Indira Gandhi Medical College Management goods they were transporting to New Delhi and will soon take it to hospitals across Information System, were worth as little as Rs 20,000. The fact the state. Integrated Community Service is that freight from Delhi to Shimla costs SWAN, too, is on high priority Centers, between Rs 5,000-8,000. Only someone and we are determined to finish it by tele-medicine with no financial sense would pay that the year end. We also need to set up much to ship goods worth Rs 20,000 about 530 CSCs and populate them But at that time we didn’t have a Wide with data. Area Network so we decided to place dialApart from this, we already have in modems at the barriers to trap trucks almost all senior secondary schools declaring suspiciously low amounts. computerized. The challenge we are We stared with the Parwanoo barrier. We were up against is acquiring software. I am making it not surprised to find that in many cases goods were a priority to get software packages from the Azim undervalued up to five times. This has also kept Premji Foundation and distribute them to the schools. excise and taxation inspectors on their toes because We will also impart multimedia education and they know someone is watching. The result is a 20 to computer-aided learning to empower people. CIO 25 percent growth in revenue. The Reference Monitoring System (Refnet) is another unique project, which is also a personal favorite. Refnet monitors the journey of a file in a government office—online. The document is computerized at the beginning of its journey and is called a Paper under Consideration (PUC). The PUC is tracked throughout its lifecycle and this inject transparency into the system. Officials who have a tendency to hold on to files are pulled up. Himachal also implemented a tele-medicine project, hasn’t it?

The project is a C-DAC and Himachal government initiative funded by the department of IT. It brings medical expertise available in larger cities to the more remote areas of Simla, Chamba and Kinnaur. The project will have dual benefits. Doctors will soon have access to the services of world-class hospitals like

VOl/1 | ISSUE/8

Bureau Head North Rahul Neel Mani can be reached at rahul_m@cio.in

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

Essential

technology Illustration by UNNIKRISHNAN AV

From Inception to Implementation — I.T. That Matters

The tools that are making your users’ lives easier—USB thumb drives, DVD burners, peer-topeer file-sharing tools—are making your lives harder. Here’s how to ease the strain.

Essentisl Tec.indd 60

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

NewTech,NewAnxieties BY CHRIStopher LINDQUIST SECURITY | Internal data theft. The problem was bad enough 10 years ago, when remote connections to your office were limited by modem speeds, and the most anyone was going to take was a couple of floppies or a briefcase-load of printouts. It could be damaging, sure, but it was mostly petty theft—the equivalent of a stolen lipstick dropped in a handbag. But the same modern technologies that have made your users’ lives more convenient and entertaining—USB thumb drives, portable media players, DVD burners, peer-to-peer filesharing tools—have also created a situation where something no bigger than a lipstick might just contain gigabytes of your corporate data. Worse, such tools can make data thieves out of even well-intentioned users with goals no more insidious than getting out of the office early enough to pick up their kids from school. Where these unwitting burglars once might have tried to sneak a single file onto a floppy to work on later at home, now it can be just as easy to download an entire directory to a thumb drive or to open an assortment of files to remote synchronization using an inexpensive online service such as BeInSync.com. Unfortunately, traditional security tools are often completely ineffective against these new threats. And locking down USB ports with Windows Group Policy or by tweaking

Vol/1 | ISSUE/8

2/25/2006 1:42:08 PM

essential technology

PC BIOS settings is kludgy at best—if not downright unmanageable for large, dispersed corporations. A recent CIO-conducted poll of more than 200 IT professionals showed that 62 percent were at least very worried about the loss of critical data via USB drives and other portable devices—outpacing concern over e-mail by 12 percent. It’s easy to understand the fear. Every day new devices and services appear, forcing IT managers to play a never-ending game of catch-up. So what are you going to do? Here’s an escalating plan for securing your company’s data.

TAKE A STAND There is no magic bullet for the problems these latest threats present to your data. Policies, procedures and technology must work together to create a proper balance of security and convenience. “I think these

Essentisl Tec.indd 61

measures—technical or otherwise—need to be part of a healthy balanced diet,” says Andrew Jaquith, senior analyst for security solutions and services at Yankee Group. “The pendulum can’t swing so far that you’re hampering productivity.” Jaquith gives the example of a financial services firm he knows that went so far as to actually solder shut the USB ports on a number of its workstations in order to safeguard critical financial information. Instead, a good place to start is with simple, well-defined and well-distributed policies regarding the use of removable mass storage devices, service providers and peerto-peer software. The goal is to guarantee that no one on your staff can truthfully say that they didn’t know they shouldn’t attach their MP3 player, PDA or other device to their PC, or that signing up for that remote access service wasn’t a serious mistake. Publicizing your policy should make people think twice about doing these things in the first place,

There is no magic bullet for these threats. Procedures and technology will create a balance of security and convenience. and it also will provide a firmer footing for disciplinary action later on, should that become necessary. Fabi Gower, IT director at medical staffing and recruitment company Martin, Fletcher, is a firm believer in policy. She oversees two days of IT orientation training during the 30-day

2/25/2006 1:42:10 PM

essential technology

training period for all new employees at the company, and she makes it crystal clear what is and what isn’t OK. And that policy is pretty simple: If the company didn’t give it to you, it’s not allowed. John Loyd, director of information technology for engineering consultant Patton, Harris, Rust and Associates (PHR&A), also makes sure that company policies—no webmail, no webpages unrelated to the business during business hours, no software installed by anyone but IT—are made clear on the company intranet and to new employees during orientation. But in an effort to bring security home for PHR&A users, Lloyd’s department sends out regular e-mails concerning

monitoring is sufficient. “Monitor rather than block is the best policy,” says Yankee’s Jaquith, noting a personal experience with a former employer who didn’t block employee Web browsing, but who made it very clear that they were logging it—and that they would review those logs regularly. Even then, some employees wandered to sites that violated company policy. But, Jaquith says, “it only takes a couple publicized examples to get users to straighten up and fly right.”

BLOCK IF YOU MUST If policy and monitoring don’t seem sufficient to address the threat, next come tools for restricting access. For Gower, the equation was simple: Martin, Fletcher’s

A security policy isn’t enough. Monitoring is needed, but that doesn’t mean buying new software. Monitoring could be IT personnel making visual audits of the devices people are using. various security issues, pointing users to additional resources, and even giving advice on protecting their home PCs. And, he notes, the bulletins have a side benefit. “It makes our IT department look knowledgeable and competent.”

KEEP YOUR EYES OPEN Having and communicating a security policy isn’t enough. Some kind of monitoring is the next step. But monitoring doesn’t mean buying new software. Eric Ahlm, VP of emerging technologies at security consultant Vigilar, says monitoring can be as simple as having IT personnel make a visual audit of what types of devices people are using, especially at smaller companies. “Just walk around the premises and see how widespread personal devices are,” Ahlm says. Even if you do decide to invest in tools, you shouldn’t feel obligated to go for full lockdown from the get-go. Letting users know you’re 62

Essentisl Tec.indd 62

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

value is contained in its database of job-seeking health-care professionals; anything that could expose that database to theft or loss would be unacceptable. Coming to the company six years ago, Gower quickly recognized that personal mass storage devices and other tools— including locally attached USB printers— could present a serious threat. So she began looking for a solution. It wasn’t easy. After two years of examining Windows Group Policy hacks and PC BIOS settings and even mulling over the ‘epoxy the ports shut’ option, Gower finally found her solution with SecureWave’s Sanctuary Device Control, a remotely managed tool that shuts off USB and FireWire ports, disc drives of all types, Bluetooth connections and more. IT can then selectively activate devices as needed— even to the point of letting individual users have time-limited access to specific ports

on an ad hoc basis. “We have a couple of VPs and maybe our COO who have USB printers,” Gower says. “I can allow each of these people USB printer access.” PHR&A’s Loyd—also a SecureWave customer—notes that implementing the company’s product can take a few months (largely from building the whitelist of allowable activities and having to scan every executable file to determine which are permitted). But, he says, the result is a much safer, more controlled environment.

DON’T STOP THINKING ABOUT TOMORROW Addressing current problems is also a good first step toward dealing with upcoming issues. For instance, recently released USB drives based on the U3 standard allow users not only to transfer data in a frighteningly efficient manner but also to carry USBstored applications and desktop settings. A user simply pops a U3 driver into an available port, and the applications automatically install—regardless of whether the user has administrator privileges. While the drive is installed, users can copy files, run U3 compatible applications (for a list of such apps, visit Software.U3.com and take advantage of all their customized Windows settings, such as Web bookmarks.) When they remove the drive, all traces of its presence vanish. But tools that can block USB ports (and sometimes other types of connections, such as FireWire and Bluetooth)—including SecureWave’s Device Control, SmartLine’s DeviceLock, Ardence’s Port Blocker, Reflex Magnetics’ DiskNet Pro, Safend’s Protector and myriad others—can prevent U3 and other device usage. Unfortunately, no product provides a complete solution for the latest security problems. Port blockers can sometimes be defeated by using bootable CD or DVD-ROMs (or the latest geeky toy — bootable USB drives), giving dedicated attackers free access to local hard drives. Modifying and password-protecting the BIOS on every machine to support hard-drive-only booting solves that problem, but only at the price of tedious

Vol/1 | ISSUE/8

2/25/2006 1:42:11 PM

Under essential technology

configuration processes—especially if you have thousands of machines with which to deal. And there seems to be no allencompassing solution coming down the road anytime soon to such enduser-induced threats. Attempts at enterprisewide digital rights management, for instance, are in their infancy. For his part, Yankee’s Jaquith says that they’re also in the world of fantasy. “I don’t think we’ll ever get to a place where we can track every piece of data we create,” he says. Instead, companies might want to take a cue from the open-source world and services such as photo-posting site Flickr, which allows users to apply simple tags to their photos, such as ‘San Francisco’ or ‘wedding,’ making it easy to locate and control access to various pictures. “That kind of semantic tagging is a lot flatter and simpler and easier to use,” he says. “That’s where we really need to be. Label

Vol/1 | ISSUE/8

Essentisl Tec.indd 64

it as product plans. Strategy. Pricing.” And then use those tags as keys to which you can attach security policies. Jaquith also points to security vendor Verdasys as having an interesting alternative solution. Rather than blocking connections, Verdasys tools begin monitoring when something happens that’s worth watching. For instance, noticing when a spreadsheet is attached to an e-mail message. According to the company, the Verdasys software can simply log such events for later review. It can also block the attachment. But a third option provides the opportunity for some social engineering; the software can pop up a message window warning users about the hazards of attaching spreadsheets to email, but still allow the user to do so if he types a reason into a text field explaining why he needs to do it. “Just warning people is enough to get them to stop doing what they’re doing,”

says Dan Geer, vice president and chief scientist at Verdasys and a widely acknowledged security expert. “Nine times out of ten, people are doing things against policy because they forget policy,” Geer says. And tools such as those from Verdasys act as very potent reminders. “The best proving ground for this is the sales guy,” says Jaquith. “[Think about] Joey the sales manager. How frustrated would he be if you put some of these measures in place?” If your answer is ‘extremely frustrated,’ Jaquith says, you’re probably better off finding a different solution or combination of solutions. “Monitoring and blocking mixed with some good oldfashioned human deterrents is the right way to do this.” CIO

Send feedback on this feature to editor@cio.in

REAL CIO WORLD | M A R C H 1 , 2 0 0 6

2/25/2006 1:42:15 PM

Pundit

essential technology

A Really Hard Architecture Strategy SOA says enterprise application infrastructure is almost irrelevant and it’s backed by business.

SOA isn’t just popular with CIOs. In many companies, business people are pushing the SOA strategy pitch.

By Christopher Koch SOA | “I’m not saying it’s impossible, but it’ll be really, really hard to be successful.” That’s how a Forrester Research analyst described the task Oracle faces in integrating all its recent enterprise software acquisitions. It got me thinking about how the traditional vendor strategy for enterprise applications— big, integrated suites as a bulwark to assert dominance over customers’ software buying patterns—is increasingly at odds with the emerging thinking on enterprise architectural strategy: SOA. In the last century, vendor strategy pretty much lined up with thinking on architecture: Standardize as much as possible to reduce integration headaches. That was great for vendors. If you owned the major chunk of a customer’s enterprise software architecture, you got two big advantages: First, the suite was so big and complex that the customer had little incentive to get rid of it over the long term, which guaranteed streams of revenue in the form of maintenance fees, which could be raised incrementally over time; second, you got a critical advantage in selling them new software: Fear of integration problems and management complexity if they bought stuff from someone else. But today, the dominant architectural trend, SOA, is diverging from the vendor strategy. SOA says the enterprise application infrastructure is almost irrelevant. Technology is constructed according to services specified by the business. In this scenario, enterprise applications become 66

M A R C H 1 , 2 0 0 6 | REAL CIO WORLD

ET-Pundit - 01 Final.indd 66

just a piece of the service, yet another component of a larger business process. The vendor of the applications doesn’t matter anymore; the linkages between them become the important thing. In this sense, the vendors’ integration strategies become more important than the features of their software suites. Of course, both the dominant enterprise software vendors, Oracle and SAP have begun offering integration middleware to go along with their big software suites. Yet both are sticking with the big, integrated software suite vision. Indeed, Oracle has pledged to meld all the best of all its different acquisitions together into something greater: Fusion. But that begs the question: Why? Why try to integrate or build something that serves all the diverse interests of all the customers that bought Peoplesoft, Oracle and J.D. Edwards when the emerging SOA strategy is telling your customers that it’s okay to have diversity in your software portfolio? And SOA isn’t just popular with CIOs. In many companies, business people are pushing the SOA strategy pitch. They want linked business services and flexible new workflows and processes—software architectures and infrastructures are less important to them than ever. Which gets us back to that word that the Forrester analyst used: ‘Impossible.’ I’ve heard that word used before: Oracle’s attempt to integrate software from four different vendors together into a seamless

ERP package called Oracle CPG in the late 90s. Granted, integration tools and techniques have improved since then, and Oracle now owns the software it is trying to integrate, which eliminates the organizational boundaries that hampered the CPG effort. But, getting software written by different developers at different companies to integrate at a really foundational level is, well—here’s what an ERP analyst told me for the Oracle CPG story: “It’s impossible to try to integrate four pieces like that from different vendors into a single product.” Of course, Oracle doesn’t have to integrate all the acquisitions in the technical sense. It has other options. It has an anxious herd of CIOs all paying maintenance fees on different enterprise software packages who could be coaxed into upgrading to something entirely new, or buying middleware so they can keep what they have. But if SOA really takes over, how anxious will those CIOs be for upgraded versions of software they already own? SOA bodes for keeping old software infrastructure around longer. It seems that if SOA really takes over, the software that links applications together, rather than the applications themselves, will become the most important strategic decision that CIOs make. What do you think? CIO Christopher Koch is CIO’s Executive Editor (Investigations).Send feedback about this column to editor@cio.in

Vo l/1 | ISSUE/8

2/25/2006 1:42:58 PM