From The Editor
More Hope Than Hype
CIOs and CFOs can now agree on something.
As a journalist, I’m apt to treat most buzzwords with a healthy bit of skepticism. But sometimes, just sometimes, that cynicism gives way under the weight of hype living up to its promise. Many moons ago, I switched from making newspaper pages manually with scissors and glue to navigating through them on a monitor, mouse in hand. My outlook on ‘Web 2.0’ and its role in the enterprise reveals a similar evolution in thought. Peer-to-peer networking, social networks, blogs, podcasts, wikis, mash-ups and RSS — technologies that encourage user-collaboration to help manage knowledge internally and improve communication with customers and business partners are increasingly becoming the flavor of the day. Indian CIOs and other executives from verticals as diverse as IT and retail are signing up to put them to use in their organizations. A recent survey of 3,000 executives of leading organizations by McKinsey found that while the use and plans for Web 2.0 technologies were well balanced globally, Indian executives particularly stood out for their enthusiasm in this respect. More than half of the executives surveyed were “pleased” with the results of their investments in Internet technologies over the past five years. Nearly three-quarters told McKinsey that their companies plan to maintain or increase investments in Web 2.0 technologies in coming years. Not so curiously, early adopters seem happier with Web 2.0 ROI than late movers. Of those who rated themselves as “very satisfied” in the survey, 46 percent were early adopters and 44 percent fast followers. Another critical factor that this study brings to fore is that the passion for deploying these technologies seems to have infected the bean counters and the suits as well. CFOs and CEOs are seeing the business benefits of investing in Web 2.0.
The enthusiasm for inducting Web 2.0 technologies is getting infectious in verticals as diverse as retail and IT.
Check out the package we’ve put together for you (starting on page 32) to learn about how some of your peers are using Web 2.0, why it’s a big deal, and how it can benefit your business. Are you planning on inducting Web 2.0 technologies? Write in and let me know.
Vijay Ramachandran, Editor-in-Chief vijay_r@cio.in
April 15, 2007 | REAL CIO WORLD
Vol/2 | ISSUE/11
Content | April 15, 2007 | Vol/2 | Issue/11
Enterprise Applications
ALL ABOUT WEB 2.0 | 32
By deploying a family of collaborative, Web-enabled technologies, the CIO stands to tap user capabilities in an innovative fashion. A look at this novel approach and its caveats. Feature by Esther Schindler
PLUS: Services Integration
ENTERPRISE MASHUPS | 40
Develop a class of apps on the back of Web 2.0. By Galen Gruman
Book Excerpt
MASS COLLABORATION | 44
Benefits of being part of the ideas market. By Don Tapscott & Anthony D. Williams
Executive Expectations
VIEW FROM THE TOP | 46
Lakshmi Narayanan, vice chairman of Cognizant Technology Solutions, on the perils of overlooking IT — on the fast lane. Interview by Sunil Shah
Applied Insight
ARCHITECTURE FOR THE FUTURE | 24
You can’t build a robust, agile enterprise architecture on the fly. But, you simply must make plans. Column by James M. Kerr
Security
BAD NEIGHBORHOOD | 50
By scrimping on security in the name of money and resources, medium-sized enterprises make themselves a hot target. Feature by Allan Holmes
Cover: Design by Binesh Sreedharan
Illustration by Anil T
Content (cont.)
Departments
Trendlines | 17
Business Intelligence | Small, but BI-Strong
Web Security | A New Seal Fights Phishers
Security | Hackers Devise Private IM
Healthcare | Where IT isn’t a Fast Remedy
Management | On BlackBerry Addiction
Technology | Cell Phones as Loose Change?
By the Numbers | Succession Planning: Are You Automated?
Security | Video Surveillance Search Gets a Boost
Digital Music | Refueling Your Car Stereo
Essential Technology | 60
Enterprise Applications | SaaS Appeal. By John Edwards
Open Source | Sightings from the Open Source Ecosystem. By Bernard Golden
From the Editor | 8
More Hope Than Hype | CIOs and CFOs can now agree on something. By Vijay Ramachandran
Inbox | 16
NOW ONLINE
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in
Govern
UNITED & OPEN | 56
Sunil Abraham, director of Mahiti and manager of UNDP’s International Open Source Network, is a staunch advocate of open standards. It is freely available, maximizes choice, has no royalty implication, and does not include any predatory practice, he asserts. Interview by Balaji Narasimhan
Peer To Peer
LESSON FOR THE MENTOR | 30
How one CIO got the extra resources she needed while learning how to help young IT professionals shine. Column by Barbara Kunkel
Management
President: N. Bringi Dev
COO: Louis D’Mello
Editorial
Editor-in-Chief: Vijay Ramachandran
Special Correspondent: Balaji Narasimhan
Senior Correspondent: Gunjan Trivedi
Chief Copy Editor: Kunal N. Talgeri
Senior Copy Editor: Sunil Shah
Design & Production
Creative Director: Jayan K Narayanan
Designers: Binesh Sreedharan; Vikas Kapoor; Anil V.K.; Jinan K. Vijayan; Sani Mani; Unnikrishnan A.V.; Girish A.V.; MM Shanith; Anil T; PC Anoop; Jithesh C.C.; Suresh Nair
Photography: Srivatsa Shandilya
Production: T.K. Karunakaran; T.K. Jayadeep
Marketing and Sales
General Manager, Sales: Naveen Chand Singh
Brand Manager: Alok Anand
Marketing: Siddharth Singh
Bangalore: Mahantesh Godi; Santosh Malleswara; Ashish Kumar; Kishore Venkat
Delhi: Nitin Walia; Aveek Bhose; Neeraj Puri; Anandram B; Muneet Pal Singh; Gaurav Mehta
Mumbai: Parul Singh; Chetan T. Rai; Rishi Kapoor
Japan: Tomoko Fujikawa
USA: Larry Arthur; Jo Ben-Atar
Singapore: Michael Mullaney
UK: Shane Hannam
Events
General Manager: Rupesh Sreedharan
Managers: Chetan Acharya; Pooja Chhabra
Marketing & Sales Contacts
Bangalore: Mahantesh Godi, Tel: +919880436623, mahantesh_godi@idgindia.com, IDG Media Pvt. Ltd., 7th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001
Delhi: Nitin Walia, Tel: +919811772466, nitin_walia@idgindia.com, IDG Media Pvt. Ltd., 1202, Chirinjeev Towers, 43, Nehru Place, New Delhi 110 019
Mumbai: Parul Singh, Tel: +919819804659, Parul_singh@idgindia.com, IDG Media Pvt. Ltd., 208, 2nd Floor, “Madhava”, Bandra–Kurla Complex, Bandra (E), Mumbai 400 051
Japan: Tomoko Fujikawa, Tel: +81 3 5800 4851, tfujikawa@idg.co.jp
USA: Larry Arthur, Tel: +1 415 243 4141, larry_arthur@idg.com
Singapore: Michael Mullaney, Tel: +65 6345 8383, michael_mullaney@idg.com
UK: Shane Hannam, Tel: +44 1784 210210, shane_hannam@idg.com
Advertiser Index
Avaya | 4 & 5
Canon | IBC
Emerson | 13
Fannair | IFC
HP | 19, 23 & 27
Intel | 15
Krone | 11
Lenovo | BC
Microsoft | RGF & 25
SAP | 9
Wipro | 6, 7 & 35
Xerox | 3
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.
All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.
Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India
Reader Feedback
Leverage CIOs' Forum
The CIO Focus: Security event, held in February, was a good experience. The panel discussion was interesting, and I am sure that many CIOs would have found the points discussed there to be a value-addition. Still, I would like to make a suggestion relating to the event: if possible, can the events be on topics or subjects more practical to CIOs instead of generic ones? Maybe, a poll can be done among readers to determine more in-depth topics. This would make the events more relevant to CIOs. Interaction among peers should also be encouraged. It would be much better if we can have more CIOs sharing their real-life experiences pertaining to specific subject matter at such a platform. These experiences can be leveraged to understand the learnings and to analyze what-if scenarios. CIO India is also doing a very good job with its magazine content. The cover stories on early adopters of Microsoft Vista ('The Vista Outlook', January 1, 2007) and compliance in Apollo Hospitals ('Rx For Compliance', February 15, 2007) were commendable. I also find the daily dose of CIO Five interesting.
Alok Kumar, Global head-internal IT, Tata Consultancy Services
Limited IT Infrastructure
I found the healthcare cover story (‘Rx For Compliance’, February 15, 2007) to be a quick study on how healthcare operations in India are being proactive to stay ahead of the curve and compete globally. Still, it does not fully consider the scope of such a change in India. While private healthcare in India is gaining prominence, a vast majority of the billion-plus souls in India have to depend on government hospitals for medical attention. The government healthcare system in India has its hands full providing adequate medical attention to citizens, and has not been able to make a significant level of investment in its IT infrastructure. One of the comments in the article spoke of the irony that it is legally mandated in India for medical records to be maintained on paper, but the reason for this may be that hospitals cannot access electronic records. While this may be a highly simplistic view of the current healthcare situation in India, it is relevant because the article states that ‘with the growing gamut of medical insurance companies today, the Indian healthcare scenario bears a resemblance to that of the US in the pre-HIPAA days’. This statement is not entirely true. It was not only the clout of the insurance companies that made HIPAA possible, but also the extent to which IT was used in the day-to-day operations of healthcare providers. That said, it is heartening that private healthcare providers in India are stepping forward to develop standards of sorts. It is likely that eventually a working HIPAA-like system can be developed in India to provide seamless care to those few who can either afford private healthcare or the health insurance premiums. One can hope that such a system will some day provide benefits for all.
Ashish Marballi, Senior IT Consultant, Innovate Infotech
Corrigendum
In the cover story titled ‘What Would You Do If…?’ (April 1, 2007), the names of Tamal Chakravorty, CIO of Ericsson India, and S. Chandrashekhar, deputy GM (application, development & maintenance) of Ashok Leyland, were misspelled. The errors are regretted.
What Do You Think?
We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.
Trendlines
New * Hot * Unexpected
Small, but BI-Strong
BUSINESS INTELLIGENCE What sells really well with beer? Diapers. Surprising and true. That’s the sort of information a business analytical tool revealed, and led one supermarket in the US to place beer and diapers on the same shelf before putting some fizz into its sales. An IT-helps-business dream, isn’t it? But CIOs of medium-sized organizations in India have had a tough time convincing management to buy a good reporting tool — let alone a business intelligence (BI) solution — primarily because they’re basing their sale on old homework. At a recent series of breakfast discussions organized by Team Computers, an IT infrastructure solution provider, CIOs got together and exchanged BI notes, busting common myths surrounding the issue, such as:
"It’s only for the big boys." The common perception is that you need management to bankroll you to the tune of Rs. 60 lakh if you want BI. False, said some CIOs. Truth is: you can get a start-up kit with 10 licenses for Rs. 7 lakh. It isn’t just a fancier Excel sheet. You can get dashboards and a tool that drills down four levels. Shikha Rai, assistant director-IT, Canon India, which has 397 retail stores, 32 Canon care centers and over 100 authorized service centers, says they bought a BI tool with 30 licenses and hardware for Rs. 25 lakh.
"BI takes too long." Once upon a time, a BI implementation could take anywhere between six and 18 months. Newer BI solutions can get the job done in six weeks. “Our implementation time was fairly short. It took us between 2.5 and 3 months,” says Rai. “And, I didn’t have to convince the business; they came to me. In fact, we might plan to buy more licenses and expand the scope of the tool next year,” she adds.
"Few providers want to give a BI proof of concept (PoC) for free." But, what’s free in the world? More and more vendors are now agreeing to adjust the cost of a PoC with the final project — a win-win situation.
— By Sunil Shah
Illustration by MM Shanith
A New Seal Fights Phishers
WEB SECURITY Microsoft and some industry partners are promoting a new certification process designed to make it harder for phishers to spoof websites. The plan gives third-party certification authorities like VeriSign and Entrust more stringent guidelines for authenticating websites. A resulting new seal of approval, an Extended Validation Secure Sockets Layer (EV SSL) certificate, may reassure consumers that they are handing information over to a legitimate site. EV SSL-certified sites will look a little different from today’s secure sites, which typically have a 'lock' icon on the browser. When Internet Explorer hits the part of a website that supports the EV SSL standard, the address bar turns green. Users will also be able to see the country where the website is based. Websites buy these EV SSL seals from certification authorities, who follow the company’s paper trail, for example, confirming it has a legitimate address and control of the Web domain in question. “If you’re a company without a reliable paper trail, you’re not going to get one of these,” says Tim Callan, a product manager with VeriSign. “If you’re incorporated, if you’re an LLP, or if you’re a registered charity, you have nothing to worry about.” VeriSign has offered EV SSL certificates from December and has over 300 businesses in the certification process.
Wells Fargo has helped develop the EV SSL standard, and eBay’s PayPal has recently gone live with EV SSL certificates on two of its sites. Still, some issues must be worked out. For example, will smaller sites that haven’t been spoofed be willing to buy certificates? Also, it’s not settled how EV SSL will deal with international character types, or with two companies that have the same name but operate in different countries. According to Window Snyder, head of security strategy at Mozilla, the Firefox team will probably wait until version 3.0 of its browser is released later this year to support the new certificate program.
– By Robert McMillan
Hackers Devise Private IM
SECURITY Hackers have built their own encrypted IM program to shield themselves from law enforcement agencies. The application, called CarderIM, is a sophisticated tool that hackers are using to sell information such as credit-card numbers or e-mail addresses, says Andrew Moloney, business director for financial services for RSA, part of EMC, during a presentation at the recent International e-crime Congress in London. CarderIM exemplifies the increased effort hackers are making to obscure their activities while continuing to use the Internet as a means to communicate with other criminals. “They’re even investing in their own custom tools, their own places to work,” says Moloney. CarderIM’s logo is humorous: two overlapping half suns in the same red-and-yellow tones as MasterCard International’s logo. The name, CarderIM, is a reference to the practice of 'carding', or converting stolen credit-card details into cash or goods.
Often, hackers aren’t interested in trying to convert credit-card numbers into cash. But other people are. On the Internet, the two can meet. But, the data-buyers and -sellers are constantly on the lookout for 'rippers' (the security experts or police gathering data on them), says Moloney. It’s not known how widely CarderIM is being used, but its distribution appears to be limited, he says. “To get a hold of it [CarderIM], you need to be part of one of the trusted groups, within which we have agents,” Moloney adds. During his presentation, Moloney showed a screenshot of an advertisement for CarderIM, which addressed the need to 'secure the scene'. The app supposedly uses encrypted servers that are 'offshore' and does not record IM conversations. “They know that we watch and listen,” Moloney smiles.
– By Jeremy Kirk
Illustration by PC Anoop
Where IT Isn't a Fast Remedy
HEALTHCARE It takes a long time for hospitals to see a return on IT investments, according to a recent report, which may explain why the industry has long been seen as a laggard in technology spending. The Economics of IT and Hospital Performance report by PricewaterhouseCoopers analyzed data from nearly 2,000 US hospitals. It concluded that IT investment must reach a tipping point — usually at least two years — before operational performance improvements occur. Before that time, hospitals incur operating costs with little near-term financial benefit, according to the report. Mark Frisse, a professor of biomedical informatics at Vanderbilt University in Nashville, says that the report “adds a dose of realism” to the issue of health IT. He notes that healthcare organizations must first realize that making IT effective involves much more than purchasing and putting into place an IT system. “One of the reasons why some implementations take so long and some implementations fail is that they are viewed as data processing problems and not as information management problems,” says Frisse. Healthcare workers often don’t easily adapt to new technologies because they can require an abrupt transition from a system “that seems to be fairly effective to a system of care that may in theory be better, but which has not been witnessed by those who are asked to put their work — and their patients’ lives — at stake,” he adds. According to the report, “hospital management should not justify expensive new IT investments purely on the assumption that these investments will create huge and rapid paybacks for the organization.”
J. Marc Overhage, CEO and president of the Indianapolis-based Indiana Health Information Exchange (IHIE), agrees that the ROI for health IT does take a long time to accrue, making it difficult for management to have a “good expectation that they will achieve a return.” The IHIE works with area hospitals and health care providers to exchange patient records electronically. Part of the problem, he says, is that upgrading IT systems requires changing established processes. “Hospitals have to re-engineer processes enabled by IT and follow through with the changes that are required to achieve the value,” Overhage says. “This follow-through is at least as challenging as putting the IT into place,” he adds.
– By Heather Havenstein
Succession Planning: Are You Automated?
By Margaret Locher
Too many companies still rely on a paper-based process. Here’s how and why you should change — before your best people walk out the door.
STAFF MANAGEMENT Most companies know that succession planning is essential today, but very few have automated their process. According to an Aberdeen Group report, only 7 percent of companies have a fully automated and integrated succession planning process. IT needs to recommend succession planning technologies that help senior managers make data-driven decisions on worker deployment and replacement, says David Foster, director of human capital management practice at Aberdeen. Why is an automated process key? Without a bridge to connect divisions, you basically have a bunch of little companies, says Foster. If employees can’t see a career path for themselves and “they don’t see anywhere to move within the company, they get jobs outside of the company,” he says. Half the companies Aberdeen surveyed used succession planning as a retention strategy. The problem: succession planning doesn’t work well unless leaders can see an inventory of skills by category and job classification. You have to identify leadership potential before you can stop it from walking out the door. 'Talent inventory' software from vendors like PeopleBoard and HRCharter can give leaders a better view of the organizational chart and employees’ capabilities, but if that information isn’t included in the succession planning program, the system has to connect to HR’s management system to include performance data, says Foster. “Most companies are in the infant stages. They might have the HR/IS connection, but performance data will be on paper in a file cabinet,” he says. But you can’t create a proper succession plan without all the data. The first step: automate the HR database, so that it can be part of the strategic planning, he says.
Best Practices
Be proactive. Don’t wait until someone leaves to look into his or her replacement. Once you have a succession planning program, review it regularly. If it doesn’t positively affect retention, it’s not working.
Combine efforts. Include talent and performance management and compensation in the succession planning process. Succession planning should be directly linked to areas like training. Invest in software that ties in these processes, and includes a reporting and analytics component.
Enact the plan across the company. Succession planning isn’t just for executives anymore: make sure the plan touches every level of the organization.
Succession Planning Needs Work
Most companies know the value of having a formal succession plan.
74% have a plan, or have budgeted to start one within 12 months.
26% do not have a plan.
But few companies have automated the succession planning process.
62% use a paper-based process.
31% have partially automated the process.
7% have fully automated the process.
BlackBerry Addiction Starts at the Top
MANAGEMENT REPORT Do your employees have a 'Crackberry' problem? Their compulsive BlackBerry monitoring could backfire on you: checking e-mail via BlackBerry gives employees a sense of control but leads to more stress, according to a recent study from the MIT Sloan School of Management that examined BlackBerry use and organizational behavior. And this problem starts at the top. Ninety percent of individuals at the company studied said they felt some degree of compulsion in their BlackBerry use. They check their messages not only on evenings and weekends, but also at church, at the gym, at the doctor’s office and even at social gatherings. All this despite the fact that their company doesn’t require them to be on call. The problem: senior employees often establish a pattern that subordinates adopt. If everyone in an organization has a BlackBerry, continuous connection becomes the norm, says Wanda Orlikowski, who co-authored the study with fellow Sloan professor JoAnne Yates. Companies can help their employees control BlackBerry compulsion by being clear about what normal hours for checking and responding to messages are, says co-author and doctoral student Melissa Mazmanian. “These norms and expectations should be accompanied by training that enables people to learn how to batch and queue their messages so that they can work on e-mails when convenient, without sending them out until later,” she says. Some companies try to prohibit BlackBerry use during meetings. Orlikowski says some organizations require BlackBerrys to be left in a box outside the meeting room. If that seems too rigid, you might schedule breaks to allow people to check e-mails. Another tip: use header codes (such as “1” for urgent, “O” for no response needed) to save time.
— By Margaret Locher
Illustration by Anil T
Cell Phones as Loose Change?
TECHNOLOGY Wave your cell phone at a Coke machine, hit a couple of keypad keys, and moments later an ice-cold beverage tumbles into your hand. Lack of loose change (or a credit card) becomes no barrier to the pause that refreshes. That’s the vision of so-called contactless payment through cell phones — and slowly but surely, all the elements required to make that vision a reality are falling into place. At CTIA Wireless 2007, Visa recently demonstrated its mobile payment application, which lets you use a cell phone with embedded Near Field Communication (NFC) technology to make payments to vending machines, parking meters, or any merchant with an NFC reader. You must launch the app and choose the 'payments' option to activate the NFC technology and transmit a payment through your Visa card. The 'offers' menu item will display Visa merchant offers (but only on an opt-in basis, Visa promises). VeriSign has partnered with Visa for this functionality; the offers will arrive as text messages, but will only appear in the application, not your SMS inbox. The 'account' option uses secure over-the-air (OTA) technologies to let you manage your Visa account the way you would with a desktop browser — view statements and activity, pay monthly bills, and so on. Visa says some 50,000 merchants — including McDonald’s and 7-Eleven outlets — in cities such as Atlanta, New York, and Philadelphia already have NFC readers. What’s missing are the phones — handsets with embedded NFC chips are not in mass distribution, and the Visa application only exists for Java phones at the moment — and support from the banks that issue Visa cards. Visa says they are waiting for the phones and merchants to reach critical mass. MasterCard, meanwhile, is also engaged in various trials and pilots — in Korea, Taiwan, and the US — of its own NFC-based system, called PayPass. The company is also trying out technology that would enable international money transfers between individuals.
– By Yardena Arar
Video Surveillance Search Gets a Boost
SECURITY A company that makes a searchable surveillance system has developed a tool for banks that integrates video surveillance with case and transaction management systems, and allows banks to share faces, profiles and watch lists among branches. 3VR Security makes a bundled-hardware-and-software appliance that builds metadata describing surveillance footage to make it easier to detect fraud. “When you walk into a bank, a conventional recorder just records that data in a raw data form,” says Tim Ross, executive vice president of sales and marketing, 3VR Security. “What we’re doing is saying, ‘There’s motion happening on camera one. It’s motion that’s sized and shaped like a person, it’s moving in this direction.’ It becomes part of the metadata built around the video,” Ross explains. If a crook fraudulently uses someone else’s account, having this type of searchable surveillance system can make it easier to find video of the criminal, says Ross. “I can go ‘show me all the transactions on account 1234’. It pulls back a series of event cards which are key [video] frames with data. I say, ‘OK, here’s one person who clearly doesn’t match [the account holder]; this looks like my fraudster’, and sure enough it’s the reported transaction,” he says. A new version, slated for release, integrates the video management, search and face biometrics with banking case management and transaction systems. This week, 3VR is announcing that it is providing an API to connect its searchable surveillance systems to any analytic, camera, application or data source. Ross says 3VR is also providing camera virtualization, the ability to divide a camera feed into different regions and treat each section as if it were an individual stream that can be tagged with metadata. 3VR’s customers include Bank of Hawaii, which is already using the version being released this week. “3VR helps us effectively monitor for known criminals and individuals on watch lists to prevent fraudulent transactions from occurring,” states Brian Ishikawa, director of security at Bank of Hawaii, in a press release. “Additionally, we can now share watch lists across branches to defend against fraud threats across all the entire system. The video search capability allows rapid investigations of incidents. 3VR is the foundation to our overall security strategy.”
— By Jon Brodkin
Refueling Your Car Stereo
DIGITAL MUSIC MP3 files have proved a viable means for storing and listening to music for years. Yet, many believe we've only scratched the surface of the capabilities that MP3 files hold for the future. Why, for instance, are we living in a world where you can’t fill up your automobile with gas and download MP3s to your car stereo at the same time? Finally that problem is being addressed. At the Consumer Electronics Association trade show, Dresser Wayne, a manufacturer of fuel pumps, displayed how a customer could use a Bluetooth-enabled cell phone to download MP3s from the company’s Ovation iX fuel pump, then transfer the music to a Microsoft-enabled stereo system in a Lincoln Navigator. Dan Harrell, Dresser Wayne’s vice president of global product architecture, says the company is trying to capitalize on the few minutes of downtime people spend pumping gas. Dresser Wayne hopes the MP3 downloading will be the first step toward the gas pump becoming an Internet access station where drivers can, say, check the weather and run automotive diagnostics. “Most of us drive cars. And once or twice a week, we spend four to five minutes at the fuel dispenser,” says Harrell. “What are the opportunities in that time frame to do other things?” You won’t be downloading tunes this way in time for your summer vacation, though. Harrell says the technology remains at least three years away from any sort of widespread commercial viability. Meanwhile, cellular providers (and manufacturers of car stereos) will make it increasingly easier to download music directly, without the intervention of a pump. So it remains to be seen whether Dresser Wayne’s vision will ever materialize. Our suggestion for your first MP3 download? A line in Styx’s 'Mr. Roboto' comes to mind: “The problem’s plain to see: too much technology.”
– By C.G. Lynch
Applied Insight
James M. Kerr
An Architecture for the Future
You can’t build a robust, agile enterprise architecture on the fly. You gotta make plans.
Today, organizations need to learn to make workflow changes on the fly. Otherwise, consumers and trading partners alike are ready to move on. This puts tremendous pressure on organizations to fully automate business operations wherever possible and adjust them dynamically without any disruption. Obviously, if this were easy, everyone would be doing it. Good architectural design isn’t enough. You also need flexibility and resilience. Businesses seeking to compete on a global scale should consider the following approach:
Step 1: Architecture Framework The first step is to establish a framework that presents a set of architectural principles that support the organization’s business goals and strategic drivers. For example, Fifth Third Bancorp, a Rs 476,100 crore diversified financial services company headquartered in Cincinnati, adopted these architectural principles: A multitiered processing environment is necessary to enable the distribution of processing capabilities. Applications should be independent of the underlying technology on which they are implemented. Interchangeable hardware components must be used on all platforms and tiers.
Step 2: Baseline Environment It’s important to get a baseline of the current environment — both business operations and IT systems — to define what works well and what must be improved in order to meet the future needs of the organization. What’s striking about baseline assessment work is that it usually reveals issues that the organization already is aware of intuitively — such as a need to speed process redesign. However, what were once only hunches about the environment can now be supported by hard data.
April 15, 2007 | REAL CIO WORLD
Step 3: Target Definition The target definition phase is designed to identify the new IT projects that must be staffed and funded down the road. Start by asking the management team (either in a workshop or an interview setting) to paint its vision for the future deployment of IT within the enterprise. For example, the Metro Group, one of the largest trading and retail groups in the world with more than 2,300 stores across 28 countries, envisioned what it calls a ‘store of the future’. Making that happen called for exploiting RFID technology to track products through their entire lifecycle — from production to the shelves to the sale. RFID-tagged items would be placed on pallets and scanned upon leaving the warehouse; shipping data would be sent to the store manager for review; upon receipt at the store the pallets would be scanned again, and any discrepancies would immediately generate a report. Anything missing or damaged could be replaced through a follow-up order. RFID-equipped shopping carts would be used to monitor customer length of stay and average purchase. Item replenishment would be triggered by the system when low volume is indicated. Misplaced items would be flagged for restocking. Clearly, this vision will require many IT initiatives: from RFID vendor selection to new order processing and inventory control applications. But this exercise helps ensure that all those IT initiatives are targeted to strategic business goals.
Step 4: Gap Analysis A gap analysis is required to compare the baseline with the target and identify what’s missing. For example, besides the RFID selection and new inventory applications, the Metro Group also needed to identify projects to address skill gaps and process redesign needs, as well as a whole host of standards and best-practice-based initiatives to help it bridge the gap between its current and future IT environments. It’s not unusual for this work to spawn 20 to 30 new IT initiatives.
Step 5: Implementation Planning Implementation planning is performed in two parts. The first part takes the project opportunities, documents them fully and organizes them into three tiers or implementation plateaus. The second part produces first-cut project plans for each of the initiatives on the implementation agenda. The first-cut plans include details about the initiative such as project name, description, critical success factors, task lists, key deliverables, essential skills required and project interdependencies — all the information that an organization needs to drive execution. These plans are a handy way for the architecture development team to pass its insights on to the project managers who will follow them.
Step 6: Architecture Administration Once an architecture has been developed, it’s important to create a governance mechanism to ensure that it remains synchronized with the strategic direction of the organization — an important continuous process improvement step that is often overlooked. It’s not unusual for an enterprise to establish a project management office (PMO) to oversee the execution of the architecture plan. Myriad communication vehicles — newsletters, intranet sites, sponsor-review meetings and post-project assessment documents — emerge from the PMO as a means of improving cross-project and cross-company knowledge sharing and transfer. Clearly, robust and easily modifiable automation is fundamental to achieving an enterprise’s vision for the future. However, such benefits don’t come without their price. Hard work and management commitment, both from IT and from the highest levels of the business — including the CEO — are needed to build the kind of integrated IT architecture plans that will make the difference between success and failure in today’s highly competitive business climate. Your customers and trading partners are waiting.
James M. Kerr is the former CIO of Mitsui Sumitomo Insurance Group and is adjunct professor at the Lally School of Management at Rensselaer Polytechnic Institute. His latest book, The Best Practices Enterprise, contains a chapter on the Resilient IT Architecture (RITA), on which this article is based. Send feedback on this column to editor@cio.in
Barbara Kunkel 
Peer To Peer
Lessons for the Mentor How one CIO got the extra resources she needed while learning how to help young IT professionals shine.
For more than 20 years, I’d coached youth soccer. I took immense pleasure in developing, guiding and motivating young players, both on and off the field. In turn, their enthusiasm energized me. Six years ago, unfortunately, I had to put my coaching on hold to deal with my mounting responsibilities as CIO of a growing national law firm. But when a series of mergers led to a significant increase in my department’s workload, I saw a new way to help young people learn and develop their potential. I initiated a summer college internship program to fill the resource void and, at the same time, help young women pursue careers in IT. At Nixon Peabody, only about 40 percent of the IT staff are women, and this percentage continues to shrink as it gets harder to find women with technical skills. Mentoring female summer interns, I thought, could draw more women into my department and into IT. I had no idea what lessons were in store for me over the next several years. It was as if I were stepping onto the soccer field for the first time in my life.
Illustration: Unnikrishnan A.V
What I Learned from Anna Anna, our first summer intern, joined the department in 2001 after she completed her first year as a computer science major at Rensselaer Polytechnic Institute. Her first week of orientation included an overview of the firm and its technology tools. Her first assignment, reporting to the supervisor of desktop support, tested her knowledge of hardware and put her on the front line with the internal customers. Anna adjusted quickly and appeared to enjoy the work. She was technically competent, a natural. But in
checking with both her and her supervisor, I learned that something wasn’t right. The supervisor felt Anna was too shy, and the independent nature of the work did not suit her. Anna, in turn, wanted more challenges and more feedback, and she wanted to be more connected to the organization through group projects.
I dropped by Anna’s office one afternoon and asked her to join me for ice cream at the mall next to our building. As we chatted about her sports activities from high school, her shyness melted. I learned quite a bit about how differently her generation views school, work and careers. We sat for two hours, laughing about stories from my generation (for instance, how my friends thought it would be funny to shuffle a sequence of computer punch cards so that my program would not run correctly). Her stories were similar in tone, except the tools and venues were IM, chat rooms and cell phone photos.
With only six weeks left before Anna returned to school, we had reached a fork in the road. I discussed the situation with my managers and we decided to reassign Anna to a Web development project, working closely with another developer and a business analyst. It demanded that she ‘come out of her shell’, relate to users as a member of the IT team, and act more independently and creatively. Before returning to school, Anna developed a Web-based BlackBerry request form as part of our service request system that both improved service request efficiency and enhanced her internship experience. Anna had changed from a shy, quiet individual to an energized contributor to the team. She relished the experience and looked forward to returning to our firm the following summer. And these five lessons I learned from her about the next generation remain etched in my brain.
A structured work environment that clearly links the interns’ assignments to the overall objectives of the organization reinforces the idea that the work matters.
Working in teams is far more desirable than working independently.
Demanding that interns think creatively makes the work much more rewarding.
Communication is essential! They thirst for feedback.
The personal touch and a social environment are important aspects of their work experience.
How I Applied Anna’s Lessons In 2004 I wanted to expand our strategic planning process to include benchmark data on the effective use of technology at other law firms. To do that, we hired two college interns for the summer, Katie and Bridgette. This time, the interns would work directly with me.
With the help of my staff, I designed a ‘work curriculum’ similar to a college course. This provided the framework that linked the interns’ assignments to the project objectives. Katie and Bridgette started their work by meeting with me to discuss expectations. By the end of the session, I could see their creative wheels whirring, but the task’s scope intimidated them. However, a pep talk provided them with the confidence they needed. As with Anna, the first week of orientation included an overview of the firm and its technology tools. However, as part of their assignment, Katie and Bridgette were each to craft an e-mail, addressed to the entire IT department, introducing themselves. I laughed when I saw the first e-mail, with the subject line ‘A little more info about the mysterious girl in the corner’. It was both humorous and engaging, and it generated a whirlwind of interaction in the department. The interns were off to a great start. I was confident their social needs were going to be met right away.
It was important for me to assess their communication skills because this assignment required meetings, phone calls and e-mail with senior management, department heads and CIOs at other firms. I decided to give Katie and Bridgette some frank advice. “Relationship building is everything,” I told them, “and cryptic instant messaging will be the demise of your assignment.” I also requested that they e-mail me a 100-to-300-word weekly summary every Friday, telling me what they’d learned while reporting on the project’s progress. Every Monday morning, I’d give them feedback. This process fostered a continuous, open dialogue.
At the end of the summer, Katie and Bridgette had to give a PowerPoint presentation to the department heads, summarizing their project. Their performance was impressive, and in fact, it’s one of the highlights of my career — the equivalent of building a dream team for the soccer season. The field of play may be different, but the goal remains the same: nurturing talent through good mentoring.
Barbara Kunkel is CIO of law firm Nixon Peabody, and a member of the CIO Executive Council. Send feedback on this column to editor@cio.in
Cover Story | Web 2.0
All About Web 2.0
A family of Internet-enabled technologies and services holds a promise to provide a collaborative environment in your enterprise. What's better: Web 2.0 can be driven by technologies that do not have to be cutting-edge tools.
By Esther Schindler
Reader ROI:
Why Web 2.0 is simple and inventive
Ingredients of a Web 2.0-enabled environment
How to leverage ideas within your enterprise
Illustration by Anil T
Technology buzzwords. It’s always difficult to get past them. Even when the subject holds real merit, the hype machines quickly throw the subject out of whack, making it difficult to distinguish between the fad and the original promise. Public relations professionals, anxious to link their new product to a ‘hot new technology’, appropriate the term even when it doesn’t actually apply. Industry articles claim that the new buzzword-enabled technology will forever change the face of computing. You begin to expect to hear that a woman has named her baby after it, and that, at the end of the cycle, the technology will be blamed for global warming. This phenomenon certainly applies to the family of technologies and services that are bundled together under the Web 2.0 umbrella. In this article, we’ll summarize the key points to illuminate what Web 2.0 is — and what it isn’t — so that you can put it to use in your business.
Q: Why is Web 2.0 such a big deal? A: Let’s start with the high-level view. Many consider Web 2.0 to be a major shift in computing because in the new paradigm, the Internet itself becomes the computing platform. That is, a ‘true’ Web 2.0 application — whatever that is — would be indistinguishable from a desktop app. Like a desktop program, the ultimate Web 2.0 app would have immediate feedback and would update data without a deliberate refresh. In this context, you’ll sometimes see these apps called rich Internet applications (RIAs).
But Web 2.0 isn’t meant to be a one-to-one replacement for the applications you run on your desktop. The new breed of application, which runs primarily on Internet servers and company intranets, is generally understood to be dynamic (that is, content updates automatically) and collaborative (drawing information from multiple sources and from user contribution), embraces the long tail (that is, appeals to smaller niches in the community and not just the largest audience) — and still remains simple and intuitive. It can be helpful to draw a line between software development technologies generally associated with Web 2.0, and the functionality those technologies let programmers achieve. The technologies are simply tools that enable programmers to put up a website that, one hopes, improves the user experience. If programmers can accomplish the same goals using an ‘old’ technology or, heck, using chicken wire and an old coat hanger, the site is no less a ‘Web 2.0’ site.
We won’t inundate you with references to additional reading, but it’s probably important to at least glance at the seminal definition of Web 2.0, at least in the eyes of one of the people who crafted its name, and called Web 2.0 ‘the new conventional wisdom’. Tim O’Reilly, founder and CEO of O’Reilly Media and the guy who came up with the term, said recently, “Web 2.0 is ultimately a tipping point, not a starting point. And it’s about business models and social adoption rates, as much as it is about technology.”

Picking a Blog’s Brains
Hungama.com listened to its Web 2.0-enabled employees, and hasn’t regretted it.
It is fitting that the inventive family of technologies called Web 2.0 has found a home at Hungama, a leading entertainment portal in India. After all, ‘hungama’ means 'disruption' in Hindi. Better known as Hungama, Virtual Marketing India takes Web 2.0 seriously. And for good reason: it’s helped produce some winning ideas. “A lot of ideas, and passion, have been generated by employees who use internal wikis and blogs,” says Lincoln Gada, CTO of Hungama. He cites multi-user games, for which inputs came from Hungama staff members. “Over our LAN, we had tennis games that everyone, from marketing to creatives and admin, joined in,” he recalls. Work at Hungama isn’t all about hitting a virtual ball, though. It’s a hard business where new trends make or break a company. The online gaming market is worth Rs. 21 crore, according to an IMRB International study for the Internet and Mobile Association of India. Having spawned the first multi-player game portal in India (GamingHungama.com), Hungama isn’t doing too badly. Gaming is among many initiatives of the group that expects to generate Rs. 8 crore to Rs. 10 crore in revenue from the portal in the coming year.
Some of the ideas that Hungama applies come from its 250-strong, young workforce. “It’s the youngsters who are driving Web 2.0 fiercely, mostly over internal blogs and wikis,” says Gada. On the back of Web 2.0, there is an aggregation of content and wisdom internally, he says. While employees create demos and develop other aspects that can be used externally, Web 2.0 also enables marketing to interact with the creative folk and share ideas, says Gada. “Web 2.0 services are driven by openness, and it’s the younger generation that expresses itself more.” That’s the sort of thing that justifies his description of Web 2.0: it’s all about creating user-generated content. Gada is waiting for the day when all the content can be attached to meta data that will make it easier to search the content. He doesn’t monitor Web 2.0 technologies continuously, although there have been weeks when he spent 50 percent of his time focusing on user needs that Web 2.0 services can meet or on fine-tuning existing Web 2.0 services. In terms of money and energy spent, he spends between five and nine percent of his budget on Web 2.0 services. He has a 40-member IT team. “You should not look at Web 2.0 as a waste of bandwidth,” he asserts. However, you need to know how to channel without creating boundaries, he warns. “If you have 5,000 employees and 500 are on YouTube? Don’t jump into something you can’t control,” he says. That apart, Gada’s positive about Web 2.0. “It’s definitely worth the effort.”
Lincoln Gada, CTO, Virtual Marketing India
— Sunil Shah
A Podcast for Growth
Cognizant Technology Solutions is filling ‘dead zones’ in their employees’ time by podcasting information.
More than 18,000 employees of Cognizant Technology Solutions received a surprise gift in March 2006: a 30 GB iPod. The reason? The company had entered the $1-billion revenue club. But if you thought all those employees were cramming their iPods with just music, think again. The company has come up with an innovative way of educating and empowering its users, with the aid of a Web 2.0 technology: podcasts. “Success in this high-velocity world is achieved by removing information asymmetry,” avers Vaidya Nathan, assistant vice president and global head for learning, Cognizant. Vaidya Nathan and his team put together podcasts, covering areas like situational usage of English, cross-cultural nuggets, project management, general management, thought leadership, induction, and general security awareness. The response was overwhelming and enthusiastic, he says. The reasons for success are many. For one thing, as Vaidya Nathan says, while employees are very busy, “all of them have ‘dead zones’ in their day, mostly while commuting, which they would like to spend on some learning activity.” The Web 2.0 experiment was most successful with people who were changing levels.
While the success has pleased Vaidya Nathan, he is quick to note that it can't become the be-all and end-all of corporate training. “There are learnings that are ‘skill oriented’ and some which are ‘context oriented’. For example, management of personal calendar is skill oriented, and a latest trend in CRM in telecom is context oriented. Podcasts are effective for context-oriented learning, and cost least in both production and delivery,” he says. Cognizant also uses MediaWiki for collaborative authoring when it has to manage case-study oriented teaching. It also uses VSATs to deliver pre-entry level training, and virtual labs for hands-on exercises. Vaidya Nathan also has a very simple way of measuring ROI: he bases it on the number of downloads and comments left behind, besides the number of follow-up suggestions. “In the many months since we have deployed podcasts, about 60 percent of our organization has downloaded them.” Cognizant also uses Kirkpatrick’s evaluation model (which measures reaction of students, learning, behavior and results) to gauge the efficacy of podcast modules.
— Balaji Narasimhan
Q: What are the Web 2.0 technologies? A: To many technology leaders, the biggest surprise is that Web 2.0 isn’t based on a just-invented technology. Rather, it’s based on a clever repackaging of older technologies, tied to an ‘Aha!’ of attitude. That ‘Aha!’ was first uttered by Jesse James Garrett in February 2005, and immortalized online in his essay, Ajax: A New Approach to Web Applications. In it, he explained the Ajax collection of Web development techniques — asynchronous JavaScript and XML — as a way to create interactive Web applications.
You’re probably moderately familiar with these components, at least well enough to nod along when your development staff mentions them. CSS and HTML (or XHTML) are used to control the presentation of data on the webpage. The client-side scripting language, usually JavaScript or JScript, dynamically displays and interacts with the information presented. The golden key is the JavaScript XMLHttpRequest object, which gives developers the ability to make a page exchange data asynchronously with the Web server. (Some Ajax frameworks use an IFrame object instead of XMLHttpRequest, but don’t let that distract you; the intent is the same.) As a CIO, the important bit to understand is that it lets a webpage keep data in sync with information stored on a company server, using a business partner’s Web service, or from any public online entity that makes the information available. Data is generally stored and exchanged using XML, often in conjunction with Web services. Other data interchange formats will work as long as they support some form of server-side scripting.
Developers can work with Ajax or other Web development tools in a brute-force manner. Or they can use an ever-expanding number of tools and frameworks that let them add Web 2.0 features to their existing development environment. It’s probable that the development tools your company uses are already supported.
Another element in the Web 2.0 development scheme is the use of open application program interfaces (APIs). The underlying code may not be open source in any true definition of that term, but APIs provide access to a site’s underlying data and system dynamics. That’s what makes it feasible for a developer to create, say, a unique view of book sales data; she can leverage Amazon Web Services via the associated API.
If those technologies are all a bit new to you, and you come from an older era of data processing, you may be more comfortable with an alternate visualization. Think of Web 2.0 in ancient UNIX terms: pipes and redirects connecting the output of lots of smaller tools and processes — the Web as monster collection of shell scripts, if you will.
That sounds a bit like a techniques lecture given to programmers. If you’re not personally involved with software development, your attention may be beginning to fray. Never fear: that’s all the programmer-speak we’re going to use, because Web 2.0 isn’t truly defined by the use of Ajax. What matters is what it lets you achieve.
Q: What do those technologies let you do? A: Ajax is just the screwdriver that lets a programmer affix certain behaviors to a website. The common elements that help define a site as Web 2.0 — at least superficially —
include mashups (See page 40), real-time data feeds, tagging, user-generated content and resource sharing. Mashups is a relatively new term for a Web function that’s been around for a while: aggregating elements from several online sources on a single webpage. If your personal homepage automatically includes a box showing the local weather prediction, your site is a mashup (though a rather lame one). However, mashups are generally meant to be an integral source of the site’s value, not a convenient or gratuitous add-on. Also, they usually combine existing data in a new and useful way, such as connecting Google maps with Craigslist rental listings to help a site viewer locate a new home, or a graph connecting publicly available demographic data to zip codes, or a restaurant-finder using address data and Yahoo’s restaurant listings. Real-time data feeds provide an ongoing stream of information. Usually, the data is from an external source, such as an ever-changing text box showing the latest news items or a site element that links to the most popular photos. However, the data feed could just as easily show corporate data, such as the latest software build status, network uptime or other dashboard-like features. Standard websites use a designer’s structure, called a taxonomy, to organize how information is found and displayed on a website. Instead, Web 2.0 sites often use tags, which are simply words chosen by the content creator to describe the item. For example, a user might tag her photo ‘cat, glue, Boston’, to identify the subject, location or situation in the image. Or a blogger might tag his entry with keywords that describe the topic: ‘politics, Academy Awards, Golden Gate Bridge’. Neither of those users has to decide whether the new content should be shoehorned into ‘pets’ or ‘tourism’, which might have been the predetermined taxonomy categories. When tags work, they let users organize data in ways that make sense to them. 
Plus, they almost instantly become a kind of real-time data feed. Web 2.0 sites often display the most popular tags with font size indicating topic popularity (called a tag cloud), making it a great way to discover interesting things or to spot trends. As with anything else search-related, however, tags aren’t perfect, as they rely on users choosing keywords that others will recognize. Should someone clicking on a San Francisco tag automatically be shown the Golden Gate Bridge tagged item? That’s just one example of the wisdom still to be developed.
The use of tags brings up another key bit of Web 2.0: building a site on user-generated content. Online participation isn’t a new phenomenon; virtual communities have been around since electronic bulletin board services first became popular in the mid-1980s, and companies like CompuServe built their entire business around user-created and -maintained discussion forums. With Web 2.0, however, the community’s contributions become the star, and the site exists only to create and serve those contributions. That’s certainly true of the myriad photo-sharing sites, for example; without people uploading ‘me and my dog’ pictures, there’s nothing at all to look at. It’s also the case for dozens of websites where people share links to articles and webpages that they think are cool. In earlier times, most of the user interaction was conversation. With Web 2.0, a large part of the experience is sharing data (files, music, video), ideally in a ‘remixed’ fashion with ‘rich interactivity’ — terms that are intentionally vague and thus open to both cynicism and innovation.

Interest High in India
What are your company’s plans for investing in Web 2.0 technologies over the next three years?
Investment in these types of technologies will increase (% of respondents)
By Industry
Retail: 77
High tech: 74
Telecommunications: 70
Financial services: 63
Pharmaceuticals: 53
By Region
India: 80
Asia-Pacific: 69
Europe: 65
China: 64
North America: 64
Latin America: 62
Source: 2007 McKinsey Survey on Internet Technologies
Q: How does Web 2.0 change the user experience? A: The point of all the technology and the design principles is, of course, to enhance the way that people interact with one another and with their computer systems. Ideally, Web 2.0 sites make it easier for people to connect and to learn from one another. The result of the user-generated content, for instance, is said to be ‘collective intelligence’, or the wisdom that comes from consensus decision-making. Whether for trivial matters like movie reviews or for important business-changing decisions, the advantage is that people can work and play better, and collectively can make more intelligent decisions. One side effect of the Web-based rich Internet application, which runs primarily on a hosted server (though the user interface elements run on the client’s Web browser), is that it promotes the notion of software-as-a-service. Arguably, whether written for in-house use or acquired from a service vendor, these technologies can make it easier to upgrade and maintain applications, to deal with security issues, and to take advantage of the service-oriented architecture capabilities in which your company has invested. Your developers can build applications that rely on publicly available Web services, treating the Internet like a planetary operating system.
Q: How can Web 2.0 benefit my business? A: To the casual observer, Web 2.0 is primarily a consumer trend. But it’s harder to identify the ‘obvious’ benefits of Web 2.0 for traditional businesses. Certainly, Web 2.0 is important if you’re building yet another website to share digital photos. It also has business implications if you create business-to-consumer online resources, such as a hotel reservation site in which the user can dynamically change search criteria, and which encourages user-generated content such as hotel reviews. However, Web 2.0 is equally important in business-to-business IT. For businesses, Web 2.0 often becomes intertwined with SOA and other Web services technologies. (See The Truth about SOA, 1 August 2006) The key is to tie the flexibility of Web 2.0 to the service-oriented principles of loose coupling, encapsulation and code reuse. Web 2.0 creates rich media by integrating data sources and Internet- (and thus intranet-) provided services. That means Web 2.0 can act as a flexible and lightweight user interface, relying on network accessible services that are built on an SOA foundation. The interaction between the two enables business to create and manage processes with more flexibility. Users can create enterprise mashups by collecting, assembling and sharing existing enterprise content whether to simplify business integration efforts or to provide portals that monitor and improve systems information and transactional flows. This spells benefit for corporations. After all, the drivers that make Web 2.0 compelling to consumers — such as its ability to provide contextualized, personal information, and to use community and social connections to improve communication — are equally important in a business context.

Popular Bets
Is your company investing in any of the following Web 2.0 technologies or tools? (% of respondents)
Technology or tool | Using or planning to use | Not under consideration
Web Services (n=2,615) | 80 | 6
Collective Intelligence (n=1,987) | 48 | 26
Peer-to-Peer Networking (n=2,245) | 47 | 28
Social Networking (n=2,173) | 37 | 39
RSS (n=1,755) | 35 | 42
Podcasts (n=2,325) | 35 | 40
Wikis (n=1,705) | 33 | 39
Blogs (n=2,431) | 32 | 43
Mash-Ups (n=1,046) | 21 | 54
Respondents whose investment plans are uncertain are not shown; respondents who are unfamiliar are excluded.
Source: 2007 McKinsey Survey on Internet Technologies
Q: What’s the borderline between the hype and the promise?
A: One of the first barriers is the term itself. Some old-timers in the industry consider the name ‘Web 2.0’ a bit presumptuous. On one hand, the cynics argue, wasn’t the real distinction in the Web’s evolution the point where content and presentation were separated — otherwise known as cascading style sheets (CSS)? Alternately, they say, it’s history’s place to say when the industry evolved to another level, and what we call Web 2.0 may not be significant enough of a change. Still, Web 2.0 means something, although what it is can be hard to quantify. According to O’Reilly: A lot of people are wrapping themselves in the Web 2.0 mantle today, and a lot of them don’t understand it. For example, if someone says that they were working with JavaScript and XML (i.e. Ajax), that doesn’t mean that they were working with Web 2.0. Web 2.0 is about harnessing the Internet as a platform, using network effects to make your application get better the more people use it. Whatever else Web 2.0 is, it’s clearly the next stage in what we can do with technology.
Copyright 2007. www.cio.com. Send feedback about this feature to editor@cio.in
Overlook Web 2.0 At Your Own Peril: Study
Many in the business community — including those in IT — relegate Web 2.0’s clout to the under-20 set. A new study concludes that attitude is a mistake. The Web 2.0 model of consumer interaction and participation is a mass phenomenon, concludes the Booz Allen Hamilton study of 2,400 consumers in the United States, the United Kingdom and Germany. Companies that don’t adapt their business models to the lessons of YouTube, Flickr and MySpace are in trouble, the study says. Key findings include:
Web 2.0 relevance cuts across gender and age. Forty-one percent of U.S. MySpace users are older than 35. That number was 35 percent for the United Kingdom and 29 percent for Germany.
Web 2.0 users have few privacy concerns. Sixty-four percent of U.S. messages are freely available to the public. U.K. respondents reported that number as 61 percent, while Germany reported 73 percent.
Web 2.0 capitalizes on ubiquitous connectivity. Approximately one-quarter of surveyed MySpace users are accessing MySpace from a laptop, a school or office computer, an Internet-enabled cafe or a BlackBerry.
Web 2.0 communities influence opinions and purchasing decisions. Thirty-nine percent of surveyed MySpace users receive product picks from virtual peers.
The study determines that the Internet is establishing itself more strongly in consumers’ lives. In particular, Web 2.0-influenced trends will affect how businesses get and keep customers. The study lists Web 2.0 opportunities that include shorter innovation cycles using customer integration, cross-media selling, customer service sites with end-user created content and wide participation, and using Web 2.0 as a brand channel. Web 2.0 is already at critical mass, the study concludes. Businesses who don’t respond are placing themselves at risk.
— By Diann Daniel
Enterprise Mashups
Mashups aren’t just sexy, but also useful for business. Their easy integration of data and services should enable a whole new class of enterprise apps if IT can look past the hype.
By Galen Gruman
Illustration by MM Shanith
They’re all the rage in the Web 2.0 crowd: mashup services that typically combine maps with all sorts of data from a variety of Web sources. In the past year, we’ve seen a host of much-discussed sites pop up, from Zillow.com for real-estate value estimation, to AuctionMapper, which presents eBay search results on maps to help locate the nearest sellers.
But mashups are more than just annotated maps for consumer websites. The technology holds real promise for the enterprise, both within companies and among customers and partners. Because mashups use technology that you already have — JavaScript, XML and DHTML, plus fast Internet connections to support graphical and functional richness — there’s no huge investment required. IT is starting to take mashups seriously as quick, easy solutions to integration problems that previously seemed like a daunting amount of work.
This sort of lightweight integration has plenty of precedent, from the time-honored stock ticker, to e-commerce sites that combine UPS or FedEx tracking data with an order history to present a single view of order status. Inside the enterprise, portal server vendors, including IBM and Plumtree, have long offered users graphical tools to integrate data sources 'at the glass', resulting in simple, personalized Web apps.
“What’s different now is the availability and the ease-of-use,” says Giovanni Gallucci, president and COO of Kinetic Results, which specializes in search engine optimization and Web analytics. “That’s because a lot of the APIs are built on common standards.”
Kinetic Results has created mashups using Web traffic and other analytics data to create visual reports for customers. Other adopters include aircraft engine maker Pratt & Whitney, which uses mashups to give employees access to the repair, order, and service history for any part, integrating a half-dozen data sources. And real-estate brokerage Zip Realty uses mashups to integrate client data from the CRM system within agents’ e-mail, allowing them to view reports of current property matches from e-mail alerts.
Reader ROI:
Why mashups are so attractive
Where mashups and SOA meet
The dangers of using data sources from the Web and how you can contain it.
All that is old is new again
For years, Web apps have dominated in-house enterprise development efforts, so integrating multiple data sources into interactive Web pages behind the firewall is nothing new. But runaway adoption of AJAX (Asynchronous JavaScript and XML) is changing the game. “What sets off the lightbulb [in developer’s minds] is that you have this ubiquitous platform where you can integrate components without custom applications,” says Ross Dargahi, co-founder and vice president of engineering at Zimbra, a developer of AJAX-based e-mail and collaboration tools.
Moreover, as more enterprise and service providers adopt Web technologies, a broader swath of data is available in XML form. “In the past, half the work was how to make these things work together. With XML and so on, that’s old hat,” Gallucci says.
The tipping point was when Google published its Google Maps API, says Aaron Tavistock, chief architect at Zip Realty. “Google has put a lot out to seed the mashup concept, telling developers, ‘Here, use this.’ Before that, the openness hadn’t been there.”
Graphical richness has been the big draw, says Zimbra’s Dargahi. “Historically, Web apps have been thin, so IT loves them because they’re easy to deploy. But users don’t like them because they are clunky and not as capable as desktop apps. AJAX lets you provide that rich interface for thin Web apps. What captures people’s imagination is the client, the presentation — but the power is the information available through these APIs,” he adds.
SOA made sexy
With the widespread adoption of Web standards, “information access has become that much easier,” says Dan Gisolfi, an IBM IT architect who’s evangelizing mashups to enterprise customers. “Not only does it use the Web 2.0 tools, but it brings together disparate services and behaviors.”
Newer, more complex technologies from the SOA and Web services worlds — such as SOAP (Simple Object Access Protocol), WSDL (Web Services Description Language) and
REST (Representational State Transfer) — can also be part of mashups, argues Gisolfi. In a sense, mashups are the simplest form of SOA-based application. “Mashups fit very nicely around the concept of a service-oriented enterprise,” concurs Shane Pearson, vice president of marketing at BEA Systems. Or as Jason Bloomberg, senior analyst at consultancy ZapThink, puts it: “They’re the sexy part of SOA.”
“Look around. You probably already have some mashups in place,” even if you don’t use that label, says BEA’s Pearson. For example, Pratt & Whitney developed its first mashups four years ago, using the term “info center” for these composite applications that used the technologies now associated with mashups, notes Colin Karsten, manager of business process solutions at the company. They were a natural outgrowth of first Web service and then SOA explorations, applying the same principles of modularity and standard interfaces to discrete projects.
If your enterprise isn’t pursuing an SOA strategy, that might change after a few mashups are demoed. “Mashups expose the need for SOA,” says IBM’s Gisolfi. When decision makers see quick and easy consolidation in a single Web page of data and functionality normally spread across several apps, the benefits sell themselves.
Managing sources and services
The end result may be attractive, but the relative ease with which mashups can be created carries a certain degree of inherent risk. Typically, little more than JavaScript skills are required, and toolkits that ease the development process such as Tibco General Interface Builder and Backbase are proliferating. “That’s why you’d better have a way for IT management and control,” advises Joe Kraus, CEO of JotSpot, which hosts wikis for business users. ZapThink’s Bloomberg agrees. “The last thing a manager wants is for employees to assemble composite applications willy-nilly, with no controls in place or visibility by management. That’s an accident waiting to happen.”
One issue is the integrity of data external to the enterprise. FedEx and Google may be trusted, but more and more businesses are publishing XML APIs available to the Web. “Common sense says you should be careful with whom you integrate,” Dargahi says.
Kinetic Results’ Gallucci expects businesses with established partnerships to adopt the mashup approach as a way to exchange information and better integrate processes. In this case, the external data provider is an organization with which you already have a trust-based relationship. An obvious example would be mashup dashboards across members of a supply chain, using data feeds from various members to provide a common view. He expects early intercompany mashups to be created informally as test cases by project developers or business analysts. “Once they see it working, they can push it up the food chain and make it formal,” he says.
Zip Realty takes this approach, says Tavistock. “We feel more comfortable with formal licensing arrangements,” he says, and thus licenses Google Maps and MapQuest data for its mashups. “If it’s not a core feature, we might be willing to use something that’s not under a formal relationship,” he notes, such as a data source made freely available à la the open source model.
IBM’s Gisolfi believes that control will be hard for most enterprise IT departments to maintain, especially as mashup tools designed for non-technical users emerge. He says IT will have to educate departments on the need to get formal licenses with external providers whose information is used for ongoing business purposes.
Governance also comes into play for internal data sources, to ensure that confidential data is not inadvertently shared. This requires good governance in the form of policies, access management, and at least spot-checked approval. “For example, a business analyst has the right to mashup the call center screens, but a customer service rep does not,” says ZapThink’s Bloomberg. Over time, he expects mashup development tools to help enforce access and use policies, allowing IT to set the policies. But in the meantime, “you can only tell them what to do and get on their case if they don’t.”
Mashup governance goes beyond policies, notes Bloomberg. “Part of the challenge for IT is to build the right services at the right granularity,” he says, so that mashup assemblers don't go around IT. The use of external services and data sources should be treated the same way, vetted by IT — and perhaps the legal department before it's made available.
Mashups According to the Rules
Mashups make it almost too easy to draw on multiple data sources to create rich Web apps. Observing a few best practices can prevent a mashup mess.
Identify which internal content may be used and for what purposes, so proprietary data doesn’t leak out through mashups.
License external sources to avoid surprises (such as advertisements); for free sources, know the license terms before relying on them for anything but proof-of-concept.
Create a directory of XML and RSS data feeds from internal data sources for mashup developers, within IT as well as in business units.
Exploit mashups as a lightweight integration option with external business partners for non-critical functions such as status monitoring.
Mashup toolkits are at an early stage: find the best for your current needs, but keep evaluating new ones to capitalize on improved development environments.
Develop and enforce policies for mashups, but don’t make them too restrictive or you’ll defeat the purpose of lightweight development — and no one will follow the rules anyway.
A Pandora’s box?
Because mashups are easier to create than many traditional applications, they might not get the same scrutiny for security, warns JotSpot’s Kraus. “A lot of these apps rely on JavaScript, which has too many leaks. Randomly installing external mashup components is dangerous — you don’t know what the apps will do, given that users want to match what’s interesting to them by using third-party resources.”
Although IT may understand the security issues related to JavaScript or other technologies underlying mashups, it’s too early to tell precisely what the new risks are. “We don’t yet know enough about mashup security issues,” says IBM’s Gisolfi, so security best practices are hard to come by.
Although attractive for lightweight, rapidly developed apps, mashups also have obvious limitations. “Mashups make sense for 80 percent of non-critical IT processes and logic,” suggests Stefan Andreasen, co-founder and CTO of Kapow Technologies, which creates products that convert any Web-accessible information into standards-based forms that can be used in portals and mashups. “But no company would rely on a lightweight model [such as mashups] for critical information.” So IT should pay attention to where mashups are used, so they don’t creep into such business-critical areas.
Reprinted with permission. Copyright 2007. InfoWorld. Send feedback about this feature to editor@cio.in
Sprint Mixes It Up
Mashups are seductive, thanks to their whizzy interfaces and lightweight development needs. To creative developers, they are an open invitation to mix and match data and services in new ways. But you need to think them through from an enterprise perspective, “mashups are no more than Happy Meal toys,” says Edmund Vazquez, manager of Web services integration and SOA implementation at Sprint Nextel.
Sprint has begun piloting mashups as a way of bringing together services and data sources in ways for which they were not planned, using simple and familiar technologies. “They let you redirect existing resources rather than design a new application up front, providing a cheap way to get add-on value for your existing services,” says Vazquez.
Sprint’s control over mashups came naturally as part of a larger initiative. With its overall SOA plan, the company has defined a Web services platform and policies for using services as well as data within Web services, including mashups. “That gives us a leg up for the consumption of the services we deliver,” says Vazquez. “But it took us a year to develop the policies and platform.”
Without such effort, Vazquez sees mashups creating risk, delivering services that can’t be supported well, tarnishing hard-earned brand reputations, and disappointing business partners and customers. “If you use someone’s mashup service, they become your trusted business partner, whether you meant them to or not,” he says. That’s why Sprint decided not to use any of the free map sources for dealer-location mashups. “They had no enterprise support model, they couldn’t guarantee reliability, and they had no product manager,” recalls Vazquez.
Small businesses may be able to risk service outages and surprises such as unexpected ads in mashup content, because their transaction volume is low and mashups give them a cheap way to add peripheral features, Vazquez says, but enterprises must be more careful.
Even for mashups designed to be used wholly within the enterprise, Vazquez argues for the same rigorous approval process applied to any other types of applications. “At some point, mashups are going to interact with IT’s software and data,” he says. Then the task for IT — often in coordination with legal, finance, brand management, and other business groups — boils down to everyday policy management questions such as who is authorized to develop mashups; which services and data sources may be used; how to handle policy violations; and so on. Fortunately, for most companies with an organized approach to SOA, that approach fits nicely into the governance framework they’re already creating.
— G.G.
Book Excerpt
Teaming Up Changes Everything
Being part of the ideas market can make all the difference today. Look on the outside for ideas — the Truth is out there.
By Don Tapscott and Anthony D. Williams
Wikinomics: How Mass Collaboration Changes Everything
Publisher: Portfolio, 2006
Price: Rs 1,317
Reader ROI:
Why you can do better than in-house R&D
How to look for ideas without wasting your time
Companies can tap emerging global marketplaces to discover and develop new products and services faster and much more efficiently than they have in the past. We call these marketplaces Ideagoras, much like the bustling agoras that sprung up in the heart of ancient Athens. In those days, agoras were the center of politics and commerce for the burgeoning Athenian citizenry. Modern-day ideagoras make ideas, inventions and scientific expertise around the planet accessible to innovation-hungry companies.
Science and technology now evolve at such a great speed that even the largest companies can no longer research all the disciplines that contribute to their products. Nor can they control an end-to-end production process or seek to retain the most talented people inside their boundaries. Meanwhile, acquisitions, alliances, joint ventures, and selective outsourcing are simply too rigid, and not scalable enough, to drive growth and innovation at a level that will make companies truly competitive. Smart companies will treat the world as their R&D department and use ideagoras to seek out ideas, innovations and uniquely qualified minds on a global basis.
Let Others Profit
The online technology transfer marketplace yet2.com was founded in 1999 as a place where companies could post underutilized assets they were seeking to license externally. For Procter & Gamble, the prospect of listing underutilized assets with yet2.com presented a potential windfall. The consumer products giant owns more than 27,000 U.S. patents. In the late 1990s, P&G discovered it was spending $1.5 billion on R&D, but using less than 10 percent of the resulting patents in its own products.
The problem for P&G (and other companies) was that finding applications and buyers for these innovative technologies could be highly inefficient. In most cases, firms seeking to buy or sell new inventions and technologies would call up close associates. While patent searches aided the process of identifying desirable technologies, they typically produced more dead ends than leads. Online exchanges promise to improve liquidity by expanding the universe of opportunities. They could also reduce search costs by easing the process of matching buyers and sellers. By visiting yet2.com, companies can browse a list of available technologies worth $10 billion. Yet2.com’s network of 500 clients has access to roughly 40 percent of the world’s R&D capacity.
P&G recently used yet2.com to identify a buyer for a transdermal drug-delivery technology. The system transfers large drug molecules like insulin through the skin, so that a person with diabetes could wear a patch much like those used to help people quit smoking. P&G built a prototype. Now, Corium, a small company that specializes in drug delivery systems, is set to launch the product, and the two companies are exploring further collaboration.
Ask for Help
As companies climb the open innovation learning curve, they discover that the real value of an open market for innovation lies in getting access to ideas that can fill performance gaps or fuel their product pipelines. With the pace of innovation in consumer products having doubled in five years, an army of researchers is no longer sufficient to keep P&G at the forefront. For every P&G researcher, there are 200 scientists or engineers elsewhere in the world who are just as good. When P&G launched its ‘connect and develop’ initiative to help tap this vast reservoir of talent, the idea wasn’t to replace its researchers, but to leverage them better.
“Most mature companies,” says Larry Huston, P&G’s vice president for innovation and knowledge, “have to create organic growth of 5 to 7 percent year in, year out.” Relying on internal capabilities may have worked when P&G was a $25-billion company, he argues. But today it’s worth $70 billion. Organic growth of 6 percent is the equivalent of building a $4-billion business every year!
Ideagoras can also enable companies like P&G to hone their value-adding capabilities and avoid reinventing the wheel. For example, when P&G set out to launch a new line of Pringles potato chips with trivia questions and animal pictures printed on each chip, it discovered that producing images on thousands of chips each minute was highly complex. P&G formulated a paper describing the technology it needed and tapped its global network to see if someone could solve the problem. A solution popped up in a small bakery in Bologna, where a university professor was printing edible images on cakes and cookies. He’d cooked up an ink-jet method, and it looked like this would solve P&G’s problem. So, P&G acquired the technology and adapted it. Huston says P&G was able to launch Pringles Prints in less than a year, and for much less than what it would have otherwise cost.
Stay Focused on Top Company Goals
Huston notes that no amount of idea hunting will pay off if, internally, the organization isn’t behind the program. “Once an external idea gets into the development pipeline, it still needs R&D, manufacturing and other functions pulling for it,” he says. Moreover, there needs to be senior-level support, ideally from the CEO. Furthermore, all journeys to the technology hinterland should begin with some basic stock-taking. What will customers need in the future? What can we deliver internally? Where can we work closely with partners to create even more value?
To fine tune its searches for new ideas, P&G begins with a list of its top ten customer needs, which includes broadly defined goals that are subsequently boiled down to solvable scientific problems. Next, it creates a list of new products or concepts that can help it take advantage of existing brand equity. Finally, it utilizes ‘technology game boards’, a tool that allows P&G planners to assess which technologies might be central to several overlapping product categories or brands, and thus make good candidates for strengthening. Larry Huston compares the whole exercise to a ‘multi-level game of chess’. Yet, even with this highly refined approach to filtering opportunities, only one in one hundred external ideas identified by P&G ends up in the market.
This excerpt first appeared at www.cio.com. Reprinted from WIKINOMICS: How Mass Collaboration Changes Everything, by Don Tapscott and Anthony D. Williams, by arrangement with Portfolio, a member of Penguin Group (USA) Inc. Copyright (c) Don Tapscott and Anthony D. Williams, 2006. Tapscott is chief executive and Williams is research director of New Paradigm, a think tank. Send feedback to editor@cio.in
View from the Top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.
Technology on the Fast Lane
By Sunil Shah
Lakshmi Narayanan, vice chairman of Cognizant Technology Solutions, asserts that IT has a critical role to play in his vision of strategic discipline. An organization cannot afford to navigate rapid growth without an IT paddle, he notes.
Photo by Srivatsa Shandilya
Imaging by Binesh Sreedharan
Lakshmi Narayanan expects I.T. to:
Be agile in times of fast growth
Understand business strategy
Make organizational processes globally competitive
Cognizant Technology Solutions has been through phases of exceptional growth. It is the fastest Indian company to enter the league of the Big Four — in 12 years, which is less than half the time it took the others. Its growth has been among the highest in the industry over the past 15 quarters. And in the next 20 months, it plans to add 17,500 new recruits to its existing strength of 40,000, highlighting yet again its desire for fast growth. However, the spanking pace has come at a price. In this interview to CIO India, Lakshmi Narayanan, vice chairman of Cognizant Technology Solutions, describes the challenges of scale brought about by lack of IT systems.
CIO: Cognizant has seen much success. But, have you also faced reversals?
Lakshmi Narayanan: Yes, we’ve had our setbacks. We made some mistakes but fortunately, at that time, the industry was growing so rapidly that our mistakes didn’t hurt us too much. For example, in 2000, during the Y2K remediation period, we clearly went overboard. Close to 50 percent of our business was Y2K or Y2K-related, knowing fully well that after 2000, there was going to be a decline. We did have some kind of a decline after the Y2K problem was solved. Another thing that has hurt us was not investing in our own systems. It’s like a failure on the part of our CIO for not demanding more or not investing in technology. We were so busy with growth that we were just managing — not investing — in systems. Managing growth became difficult because we did not get sufficient help from systems. We managed it only because people worked 12 to 14 hours a day. Over the past two years, we have been investing heavily in systems, putting together a PeopleSoft solution and an Oracle solution that have gone global. And there is a new, experienced CIO. That has given us the ability to scale up rapidly.
Given this experience, how important is the CIO to the organization? The role of the CIO is extremely important in today’s context because the key competitive advantage in any industry — be it manufacturing or services — is technology. Even more so in the services industry, where the efficiency of office processes and productivity is determined purely by the deployment of technology — both information technology and communication technology. It’s also more relevant to us because we operate on a global delivery model and people in different parts of the world have to follow the same systems, same communication methods, so that we all work of the same page. Further, when we do acquisitions — we’ve been doing some small ones — we don’t compromise on our systems. Whoever comes in, they have to immediately follow our systems. To that extent, the CIO serves as the backbone, so that other things can be attached for growth.
Is there something that CIOs need to do for a greater say in management decisions? It is very important for a CIO and his team to understand the business. The CIO has to understand the business as much as, or even better than, the CEO. He needs to understand the model, its uniqueness, and key parameters. It’s only then that the CIO can make a significant contribution. The CIO needs contribute to both, what we call ‘the numerator’ and ‘the denominator’. The numerator is: how can technology help 48
a p r i l 1 5 , 2 0 0 7 | REAL CIO WORLD
View from the Top - 01.indd 48
“It is important for a CIO to understand the business. He has to understand it as much as, or even better than, the CEO.” — Lakshmi Narayanan improve the top-line? The CIO needs to ask, how can new business opportunities or existing business ones be better served by using technology? The denominator is the cost part. How can the CIO use technology to reduce costs of operation. When both happen, you have a double benefit. And that’s something that CIOs want to be able to quantify and present to the CEO. Second, CIOs need to constantly benchmark themselves against global standards. The global mindset is very important.
So, should a CIO be a businessperson first, and then a technologist? He has to be strong in both, but must clearly be a technology person first with a very good understanding of business. If he’s a strong businessperson, some headbutting is likely to happen with the business people. If you look at large corporations,
over a period of time, CIOs have come from the business side and many CIOs have eventually gone into the business side. This emphasizes the point that technology and business are very important.
If that happens, how should CXOs view the IT department? Traditionally, the IT and HR departments have been viewed as cost centers, which exist merely to provide reports, manage data, ensure that the results are published on time, and so on. Clearly, the new school of thought is partnership. Here is a unique professional capability that is available and that can be leveraged effectively to influence both the ‘numerator’ and the ‘denominator’. Once such an approach is taken, then the relationship is at a peer level between the CIO and other executives.
How would you define your leadership style? It has changed over a period of time. It must — because individuals have to reinvent themselves every three or four years if they are to take on something new. During the initial days, it used to be very hands-on. We were more hierarchical, where top-down commands were given to build a team. The next stage was empowering the people. As you grow larger, it is not possible to run a hierarchical organization. You put down the broad parameters and values, and the next set of leaders will need to be handson. And that trickles down. That’s the second stage, what we call ‘embedded leadership’: essentially, look to create leaders across the organization who can take ownership for a part of the business and deliver results. Finally, once you have a good managerial team, you just have to inspire and excite them. Tell them about the opportunities and innovation in the industry. Leaders don’t have to explain — they lead by example.
Vol/2 | ISSUE/11
4/13/2007 4:35:35 PM
View from the Top
How has Cognizant differentiated itself from the rest of the industry? One of the first things that come to mind is: strategic discipline in what we want to pursue. Given that we want to use technology to deliver business results to customers, our orientation and discipline have been in those areas. We’ve not expanded into areas that will take our focus away from the core strategy. In terms of operations, there are several differences (between our competitors and us). For example, we invest a lot more on the front-end of the organization (in people and capabilities) than in the backend office infrastructure and campuses. In terms of locations, while most local companies work out of Bangalore, we chose Chennai, so that we can dominate one city and get the best talent. The third difference is that we want to get the best talent. Here, growth is a key parameter. In order to attract the best talent, we had to provide better growth for people within Cognizant. To provide better growth opportunities, we have to grow faster and better than the rest of the industry. We decided that if we have to compromise on margins for higher growth, and getting better talent, then so be it. We will operate on a lower margin than the rest of the industry, but provide better growth opportunities. Fourth, while the industry said, ‘We want to be the biggest’ and ‘We want to get to $10 billion’, we said we are not about size. That’s not what we are chasing. We will focus on customers and deliver a different experience to them, so that it is not only easy to do business with us, but also exciting for them to partner with Cognizant. If it is just about delivering against just SLAs, that’s not good enough. There must be energy in a relationship.
How do you execute this in practice?
The mindset needs to be different. The mindset is: we have to bring the best talent, best capability, best method and technology — no matter where it comes from. It could be coming from people in India or people overseas — it just doesn’t matter. The mindset is: get the best to work in order to provide a superior solution to the customer. As a result, people think beyond boundaries. The culture is one of customer-orientation.
SNAPSHOT
Cognizant
Revenue: Rs. 3,986.1 crore*
Employees: 40,000
Global locations: 28
CIO: Mark Greenlaw
*Annual report 2005
Given that customer satisfaction is overwhelmingly important, how is it measured?
Both customer and employee satisfaction are measured. There are two ways of measuring customer satisfaction. We could do an internal dipstick to find out how we are doing in our relationship with our customer. But, the best way to get any measure is through external, independent, third-party market surveys. We’ve consistently engaged an external market research agency that goes out, administers questionnaires, talks to our customers, and gets both qualitative and quantitative feedback. More aptly, we have a strategy session with our board every year. Our board of directors wants to know if strategy needs tweaking for the next year or two years, given changes in market conditions. Every time we have this meeting, we call some of our key customers. They openly tell the board what they would like us to do or what they don’t want changed. This goes into our strategy plan. They help us quite a lot in maintaining that strategic discipline. Similarly, with employees, an external agency carries out a survey. We’ve been doing this survey consistently for several years. It gives comfort to our 40,000 employees that they can be free to say whatever they want to say. It is used internally to determine employee satisfaction levels and best practices that need to be replicated.
At a time of high attrition, can you share some of your best practices?
There were two or three key decisions that came out of the employee interaction. First and foremost is: no restrictions on any of the employees. We do not expect them to sign service agreements that will tie them to the company. We invest in their training, but do not expect them to commit to the company. The focus on the individual is very high. Reward and recognition is another area where we are constantly challenged. Every time we do an employee survey, the scores on all parameters are high, but rewards and recognition are always a few notches lower. This is an area where we work with employees. The third is strategy and leadership. We ask employees whether they like the leadership of this company, and whether they think the leaders can deliver results and take the company towards its strategic goal. If these scores start slipping, we try to provide opportunities for people in the lower rungs to move up rapidly.
Have such practices helped you resolve the industry problem of attrition?
It has helped us, and it’s something we are proud of. While other companies have the same level of attrition or retention, it is on the back of conditions and service agreements. But without all that, if we are able to maintain that high level, we are very happy about that.
Senior copy editor Sunil Shah can be reached at sunil_shah@cio.in
Security
Mid-market enterprises say they have neither the time nor resources to spend on security. This may be why the crooks are turning the midmarket into a...
bad neighborhood
By Allan Holmes
TJX. Boo! Does that scare you? It doesn’t? How come? Is it because TJX, which got hacked in December and then got raked over the coals in the press in January is big and you’re...well, smaller? No. You’re smart. It does scare you. It scares the pants off you. If you’re a CIO at a mid-market company, you know you’ve got a problem. It gnaws at you and keeps you up at night. And it should. You know that hackers, fraudsters and even organized crime are increasingly targeting your company’s systems and applications. They’re going after personal data, customer accounts and trade secrets. The bad guys are purchasing goods with stolen credit cards. They’re working hard (perhaps harder than you are to stop them) to get their hands on anything of yours that may be of value to them.
Reader ROI:
How to reduce your vulnerability by half
Tips for recognizing retail fraud
Guarding against internal threats
The truth is, you’re so worried about your security posture that you don’t even want to talk about it. You certainly don’t want to talk to CIO, even anonymously. But we know (because experts tell us) that compared with CIOs at large corporations, you mid-market CIOs don’t have the budget, the sophisticated IT skills on your staff or the time to take away from core IT operations to build better defenses. You’re wide open, and right now you’re just hoping you’ll get lucky enough to duck something terrible coming at you from an unknown direction. Increasingly, the neighborhood you live and work in has become a dangerous place. “A lot of attacks are being made on the mid-level companies because it’s a smaller hill to climb,” says Robert Richardson, director of the Computer Security Institute in San Francisco. “That’s just a plain fact.”

Big Scary Numbers
There’s no doubt that the 4,000-plus mid-market companies in the United States are extremely vulnerable. About 43 percent of mid-market companies have annual security budgets below Rs 45 lakh, while about the same proportion of large companies (40 percent) have security budgets that exceed Rs. 4.5 crore, according to the 2006 “Global State of Information Security” survey conducted annually by CIO and PricewaterhouseCoopers. On top of that, mid-market companies typically don’t have a security expert on staff. Only about 20 percent employ a CISO compared with 42 percent of large corporations. Finally, mid-market CIOs don’t have the tools to identify their weaknesses. Fewer than a third use vulnerability scanning software to find holes in their systems, while 46 percent of their larger counterparts do.
Until recently, the security gap between mid- and large-market companies hasn’t been an issue. The percentage of mid-market chief information officers reporting successful cyberattacks last year was about the same as the percentage of large companies. But security experts agree that the number of cyberattacks on mid-market companies began rising last fall and continues to do so. The trend is clear. “Smaller corporations are where the problems are today,” says Paul Kocher, president of Cryptography Research, a security services firm. “[Attackers] know these companies don’t have the budgets or expertise to have strong security.”
Like crooks of any stripe, cyberthieves are looking for easy targets, says Tom Sullivan, head of e-commerce risk for online travel site Expedia and also chair of the Merchant Risk Council, a nonprofit group that represents online retailers. If they come up against a site that’s even marginally more difficult to hack than others, in most cases they’ll move on to easier prey. “That site may be your competitor...or it may be you,” Sullivan says. “You hope it’s not you.”

5 Web Vulnerabilities
The Open Web Application Security Project Foundation makes a list of the top Web application vulnerabilities and what to do about them. Here are five of the most common.

Unvalidated inputs
Definition: Not checking whether text a user types into a field on a website is appropriate for that field.
Problem: Hackers use these fields to type commands that allow them to scan for vulnerabilities and gain access.
What you can do: Validate that each field accepts only those characters that are common for that field (such as numbers for a ZIP code field) and are an appropriate length. Run the inputs against a small library of ZIP codes and addresses to confirm that the information is valid.

Broken access control
Definition: Access controls determine what a user can access after logging in to his personal account and block access to other accounts.
Problem: About half of all websites have serious access problems because of poor testing during development.
What you can do: Test all possible permutations of what a user may do to try to access information that is not his own.

Broken authentication and session management
Definition: After logging into a website with a user name and password, you receive a cookie that works like a hand stamp at a night club, authenticating your identity as you go through the site.
Problem: Sometimes companies will customize authentication, inadvertently allowing hackers to infiltrate sessions and use the ID cookie to access the legitimate user’s account.
What you can do: Rely on the built-in authentication schemes in the application; use secured sockets layer (SSL) to encrypt the session.

Cross-site scripting
Definition: When a hacker sends commands embedded in queries to a website.
Problem: A hacker types JavaScript into any text field, such as a change-of-address field. When a legitimate user types information into that field, the JavaScript is activated, which allows the hacker to take control of the session and grants him all the user’s session rights, enabling him to move money or steal credit card numbers.
What you can do: Make sure every text field will accept only those characters and length of characters that are suitable for that field — for example, five numbers in a ZIP code field and five numbers only.

Buffer overflow
Definition: Allows an attacker to input more data than the buffer can manage.
Problem: Attacker can take control of application server, gaining access to all the data that the server manages.
What you can do: Move away from C++ programming language, which is most vulnerable, to Java or .Net languages. If you must use C++, use static analysis tools to find overflow vulnerabilities.
— A.H.
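The per-field allow-list check that the “Web Vulnerabilities” sidebar recommends for unvalidated inputs and cross-site scripting can look like the following. This is an added example, not code from the article or from OWASP; the field names, the sample ZIP list and the function names are assumptions, and the output-encoding step goes one step beyond the sidebar's advice.

```python
import html
import re

# Constructed reference data: the "small library" of ZIP codes the sidebar
# suggests checking against. A real list would come from your own records.
KNOWN_ZIPS = {"80202", "74103", "83702", "30303"}

# Allow-list rules per form field (field names are hypothetical).
# [0-9] is used instead of \d because \d also matches non-ASCII digits.
FIELD_RULES = {
    "zip": {"pattern": re.compile(r"[0-9]{5}"), "max_len": 5},
    "name": {"pattern": re.compile(r"[A-Za-z][A-Za-z .'-]*"), "max_len": 60},
    "street": {"pattern": re.compile(r"[A-Za-z0-9][A-Za-z0-9 .,#'/-]*"), "max_len": 100},
}


def validate_field(field, value):
    """Return the reasons a value is rejected; an empty list means accepted."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        return ["unknown field"]
    if not isinstance(value, str):
        return ["not text"]
    problems = []
    if len(value) > rule["max_len"]:
        problems.append("too long")
    # fullmatch() must consume the whole value, so a trailing newline or an
    # appended payload cannot slip past the way it can with match() or "$".
    if not rule["pattern"].fullmatch(value):
        problems.append("characters not allowed")
    if field == "zip" and not problems and value not in KNOWN_ZIPS:
        problems.append("not in ZIP reference list")
    return problems


def validate_form(form):
    """Check every expected field; missing and unexpected fields are errors."""
    errors = {}
    for field in FIELD_RULES:
        if field not in form:
            errors[field] = ["missing"]
            continue
        problems = validate_field(field, form[field])
        if problems:
            errors[field] = problems
    for field in form:
        if field not in FIELD_RULES:
            errors[field] = ["unknown field"]
    return errors


def render_confirmation(form):
    """Encode on output as well, so accepted text is never emitted as markup."""
    return "<p>Ship to {}, {} {}</p>".format(
        html.escape(form["name"]),
        html.escape(form["street"]),
        html.escape(form["zip"]),
    )


# Constructed inputs: one ordinary change-of-address form and one carrying
# script text in the name field plus a ZIP value with a trailing newline.
GOOD_FORM = {"name": "Pat O'Neil", "street": "12 Main St. #4", "zip": "80202"}
BAD_FORM = {"name": "<script>alert(1)</script>", "street": "1 Elm St", "zip": "80202\n"}

if __name__ == "__main__":
    print(validate_form(GOOD_FORM))
    print(validate_form(BAD_FORM))
    print(render_confirmation(GOOD_FORM))
```

The apostrophe that the name rule legitimately allows is the reason the rendering step still encodes its output: a value can pass validation and still contain a character that is special in HTML.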
The Changing Threat
Last year was a relatively quiet one on the security front. No major viruses struck down entire networks, and the percentage of corporations hit by viruses has been on a steady decline, from 95 percent of all U.S. organizations reporting virus attacks in 2001 to just 65 percent last year, according to the 2006 computer crime and security survey conducted annually by the Computer Security Institute (CSI) and the FBI. But what that report doesn’t address, says Richardson, who oversees the report for the CSI, is the changing nature of the attacks and their targets. No longer are attackers trying to bring down large networks for hacker bragging rights; cyberattackers are now in it for the money. “Hackers and fraudsters are deliberately staying under the radar now,” Richardson says. “They’re going undetected until they do what they want to do. And even then, sometimes you don’t know until the money is long gone.” Consequently, many attacks go unreported. “[Survey respondents] will talk about getting hit by widespread viruses, but not about how they got completely cleaned out by a targeted attack,” says Richardson. It’s time to talk about it before you’re a victim. And here’s what you should be talking about.

Assess, Then Patch
Cyberthieves look for the path of least resistance. That means they’re looking for known vulnerabilities in applications and networks — those holes that have been published online and for which vendors may or may not have provided patches. That’s why security experts say patching known vulnerabilities is the most effective defense against cyberattacks, reducing your risk by at least half, if not more. We know, you’ve heard this before, ad nauseam. But the fact is, a large portion of CIOs simply don’t do it. Fewer than half of all mid-market CIOs say they have deployed some kind of patch management tool, according to CIO’s global security survey. No wonder hackers continue to find plenty of opportunities.
So why not patch, and patch often? CIOs are not being purposely negligent, says Jeff Williams, chair of the Open Web Application Security Project (OWASP) Foundation, a nonprofit online community disseminating Web security best practices. Keeping up to date on the release of patches and determining which ones apply to your applications and networks is a time-consuming task, he says. Further, applying the patch, testing whether it affects the performance of the application or network, and then deploying it enterprisewide requires even more time and could slow your systems down.
Jerry Maze, CIO of Royal Food Service, a Rs 270-crore enterprise that supplies produce to restaurant chains, is typical when it comes to the mid-market CIO’s view of patch management. Maze doesn’t follow a process other than to apply patches released by Microsoft and to make sure his vendor applies patches to the payroll system it operates. “I realize there are ways to make this happen automatically but we have not implemented that,” Maze says. “I’d like to, but there are too many other pressing issues right now.”
To make patch management less cumbersome, Williams suggests mid-market CIOs keep up to date on patches that are specific to the applications and systems that provide access to sensitive information. Firewalls that allow access to systems and data through a Web server should get more attention than, say, those connected to operating systems. To know which applications and systems are most critical, you will have to do a risk assessment or a threat-modeling exercise. That means knowing your business and where the most sensitive data is. Talk to business unit leaders to learn where sensitive data is stored and what applications are used to access it. That list then becomes your 'patch watch list' and should get a high priority in your weekly agenda. “You really have to think about this, but the time is well spent,” Williams says. “Nothing else you do will have such a big impact on security.”

5 Security Questions to Ask Your Software Vendor
Developers are more focused on making software work than on making it secure. This is not a criticism; it’s just a fact of life. Security Innovation, a risk assessment consultancy, provides questions you can ask a software vendor about its development processes. The answers you get will tell you just how much effort is put into security. It’s up to you how much risk you want to assume.

Do you review security at each phase of the software development lifecycle?
A good answer: Yes, we have integrated reviews into our product development lifecycle, from requirements definition to code development and testing.
Likelihood of getting this answer: Almost zero. Even companies that have created secure development best practices, like Microsoft, have implemented them only on a small portion of their applications.

What methodologies do you use for security testing your products?
A good answer: We have adopted methodologies from a respected security consultancy or large software vendor.
Likelihood of getting this answer: Small. Although some methodologies are required reading and have been adopted by companies like Adobe, McAfee and Symantec, a majority of companies have yet to adopt them. Most software development teams don’t consider security testing to be their responsibility.

Do third parties conduct security assessments on your products?
A good answer: Yes, we have a pool of application security companies we use to conduct independent assessments on all of our products.
Likelihood of getting this answer: 50 percent. This is up from about 25 percent two years ago. Third-party security assessments are increasingly a mandatory requirement and show up in RFPs and SLAs for packaged and on-demand software.

Do you have security squads that attack your products prior to release?
A good answer: Yes, we create an internal red team that acts as malicious users and complements third-party security assessments.
Likelihood of getting this answer: 20 percent. Though red teams are a growing trend, most companies still lack the internal expertise to dedicate staff to testing.

Do you use automated tools for security testing or code review?
A good answer: Yes, we use tools from this reputable vendor for code review during development and tools from that reputable vendor for security scanning our Web applications after deployment.
Likelihood of getting this answer: 20 percent. Adoption of automated tools is increasing, but an untrained engineer doesn’t become better because he learns how to use AutoCAD. He finds value in the tool only after he is trained to use it.
How to Fight Retail Fraud
Patches may be a good way to fend off hackers. But what happens when the fraudsters masquerade as legitimate customers to steal account information, credit card numbers or to make fraudulent purchases? For mid-market merchants, this is rapidly becoming an epidemic. This kind of fraud “is moving farther downstream to the smaller and midsize online merchants,” says Sullivan. “It’s becoming more sophisticated and organized.” But how you secure systems against it doesn’t have to be sophisticated or costly. Any company that stores sensitive data can follow some basic and inexpensive processes to scan for fraud. Here are some steps security experts say you can take:
Familiarize yourself with buying patterns. An unusual increase in your company’s sales during a typically slow period could indicate fraud. But make sure you rule out other causes. Is the spike the result of an advertising campaign, the purchase of keywords on Google or some other promotion? “If not, I would be really nervous about the upswing,” Sullivan says.
Know where the majority of your purchases come from. If large orders are being sent to, say, Tulsa or Boise or other places where you rarely, if ever, do business, that could indicate fraud. Fraudsters have advertised on Monster.com and other job sites looking for people willing to work from home, make large purchases on websites and then send the goods to their home address.
Check the quantity purchased. If most customers purchase one or two of a particular item and you see a single purchase for much more, you may want to check out the buyer. Call the customer, and if he declines to provide information about the bank or credit card he used, Sullivan advises that you decline the purchase. (Scanning purchases doesn’t have to take a lot of time and can be done quickly by downloading the files into an Excel spreadsheet and then searching appropriate columns for unusual numbers or addresses or patterns. And you don’t have to buy an expensive artificial intelligence application to do so. Kocher of Cryptography Research recommends mid-market companies hire a college student to sift through each order. “That can be remarkably effective,” he says. “Neural networks are no smarter than a smart college student.”)
Compare the IP address with the physical address. If the purchaser says he lives in Denver but the IP address is in Georgia, call the customer to verify credit card information.
Don’t be a pack rat. If you don’t need to store credit card numbers or any personal information, then don’t. Keep the information for as long as you have to for business purposes, such as during a billing cycle, and then delete it from all databases. If you don’t have personal information in your system, hackers can’t steal it.

The Enemy Within
Employees account for about 90 percent of all fraud and data theft in a company, according to a recent Ponemon Institute survey. Two-thirds of the survey’s respondents also cited temporary employees, as well as disgruntled and terminated employees, as posing the greatest security risks, according to the security and privacy advocacy group’s 2006 survey. By building a profile of high-risk employees, you can know what systems to monitor and thereby lower your risk, says Ken DeJarnette, who specializes in security and data protection at Deloitte & Touche. For example, focus on temporary employees (typically hired during seasonally busy times) who have access to sensitive data. These employees have less loyalty to a company and are more susceptible to being importuned to steal.
Call centers are a prime target for fraud. CIOs can reduce their risk there by following a couple of simple and inexpensive rules, says Brian Contos, author of the book Enemy at the Water Cooler and CSO of ArcSight, an information security firm. Benchmark what a typical call to the center looks like and then periodically scan the database for calls that do not fit that profile. For example, if a typical call requires a rep to access one file, you may want to flag any call in which a rep accesses three or four files. That’s what happened at a telephony company where private investigators working on divorce cases would call to ask for numerous phone records to use in their investigations. The information was protected by privacy laws. The CIO flagged those calls in which call center reps were accessing more than one file. As a result, as many as 14 call center reps were fired.
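The call-center rule described under “The Enemy Within” (benchmark the typical call, then scan for calls that do not fit) can be run over an access log as shown below. This is an added example, not code from the article or from any vendor named in it; the log format, identifiers and function names are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample log (the line format is an assumption): one line per
# customer file a rep opens while handling a call.
SAMPLE_LOG = """\
2007-03-02T09:01:10 call=C1 rep=R17 file=ACCT-1001
2007-03-02T09:04:52 call=C2 rep=R17 file=ACCT-1002
2007-03-02T09:10:03 call=C3 rep=R22 file=ACCT-2001
2007-03-02T09:10:41 call=C3 rep=R22 file=ACCT-2002
2007-03-02T09:11:15 call=C3 rep=R22 file=ACCT-2003
2007-03-02T09:12:30 call=C3 rep=R22 file=ACCT-2004
2007-03-02T09:20:00 call=C4 rep=R05 file=ACCT-3001
2007-03-02T09:31:18 call=C5 rep=R22 file=ACCT-2005
2007-03-02T09:31:59 call=C5 rep=R22 file=ACCT-2006
2007-03-02T09:33:07 call=C5 rep=R22 file=ACCT-2007
2007-03-02T09:40:12 call=C6 rep=R05 file=ACCT-3002
2007-03-02T09:41:45 call=C6 rep=R05 file=ACCT-3002
2007-03-02T09:50:26 call=C7 rep=R31 file=ACCT-4001
2007-03-02T09:51:02 call=C7 rep=R31 file=ACCT-4002
2007-03-02T09:59:59 call=C8 rep= file=ACCT-9999
"""

LINE_RE = re.compile(r"^\S+\s+call=(\S+)\s+rep=(\S+)\s+file=(\S+)$")


def parse_access_log(log_text):
    """Return ({(call_id, rep): set of files opened}, malformed line count)."""
    files = {}
    malformed = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            malformed += 1  # count unparseable lines instead of hiding them
            continue
        call_id, rep, file_id = match.groups()
        # A set means reopening the same file during a call counts once.
        files.setdefault((call_id, rep), set()).add(file_id)
    return files, malformed


def flag_calls(files, tolerance=1):
    """Benchmark = median files per call; flag calls above benchmark + tolerance."""
    counts = {key: len(opened) for key, opened in files.items()}
    if not counts:
        return 0, []
    benchmark = median(counts.values())
    flagged = sorted(
        (call_id, rep, n)
        for (call_id, rep), n in counts.items()
        if n > benchmark + tolerance
    )
    return benchmark, flagged


def reps_to_review(flagged):
    """Rank reps by how many of their calls were flagged."""
    return Counter(rep for _, rep, _ in flagged).most_common()


if __name__ == "__main__":
    files, malformed = parse_access_log(SAMPLE_LOG)
    benchmark, flagged = flag_calls(files)
    print("benchmark:", benchmark, "malformed lines:", malformed)
    print("flagged calls:", flagged)
    print("reps to review:", reps_to_review(flagged))
```

With `tolerance=1` and a benchmark of one file per call, this flags calls touching three or more files; `tolerance=0` gives the stricter "more than one file" rule from the telephony anecdote.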
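Three of the order checks listed under “How to Fight Retail Fraud” (quantity, destination, and IP address versus physical address) can be applied to an exported order file without any special software, as in this added example. It is not code from the article; the column names, thresholds and sample data are constructed assumptions, and `ip_state` is assumed to have been filled in beforehand by whatever IP-geolocation lookup the merchant uses.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample export of one day's orders.
ORDERS_CSV = """order_id,sku,quantity,bill_state,ship_state,ip_state
1001,CAM-200,1,CO,CO,CO
1002,CAM-200,2,CO,CO,CO
1003,CAM-200,1,TX,TX,TX
1004,CAM-200,1,CA,CA,CA
1005,CAM-200,12,CO,OK,GA
1006,LENS-50,1,CA,CA,CA
1007,LENS-50,2,TX,TX,TX
1008,LENS-50,1,CO,CO,GA
1009,LENS-50,1,CA,ID,CA
1010,CAM-200,2,TX,TX,TX
"""

# Constructed history of past shipments per state, standing in for the
# merchant's own record of where purchases normally go.
SHIP_HISTORY = {"CO": 412, "TX": 306, "CA": 275, "GA": 5, "OK": 2}

QTY_FACTOR = 3     # assumption: review quantities above 3x the item's median
RARE_SHARE = 0.01  # assumption: under 1% of past shipments counts as rare


def load_orders(csv_text):
    """Parse the export into dictionaries with integer quantities."""
    orders = list(csv.DictReader(io.StringIO(csv_text)))
    for order in orders:
        order["quantity"] = int(order["quantity"])
    return orders


def screen_orders(orders, ship_history):
    """Return {order_id: [reasons]} for orders that merit a call to the buyer."""
    total_shipments = sum(ship_history.values())

    # Typical quantity per item; the median is not dragged up by one huge order.
    quantities = defaultdict(list)
    for order in orders:
        quantities[order["sku"]].append(order["quantity"])
    typical = {sku: median(values) for sku, values in quantities.items()}

    review = {}
    for order in orders:
        reasons = []
        if order["quantity"] > QTY_FACTOR * typical[order["sku"]]:
            reasons.append("quantity")
        past = ship_history.get(order["ship_state"], 0)
        share = past / total_shipments if total_shipments else 0.0
        if share < RARE_SHARE:
            reasons.append("rare destination")
        if order["ip_state"] != order["bill_state"]:
            reasons.append("ip mismatch")
        if reasons:
            review[order["order_id"]] = reasons
    return review


if __name__ == "__main__":
    flagged = screen_orders(load_orders(ORDERS_CSV), SHIP_HISTORY)
    for order_id, reasons in flagged.items():
        print(order_id, ", ".join(reasons))
```

A flag here is a prompt for the manual follow-up the article describes (calling the customer to verify), not an automatic decline.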
Pay Less Now or More Later
Security experts want to make sure that mid-market companies get one clear message: Common sense goes a long way. CSI’s Richardson compares it with going into a dangerous part of town for dinner. You take simple precautions — parking on a well-lit street, locking your car — and you enjoy your meal. Mid-market CIOs should approach security much the same way, following some basic precautions that will do a lot in protecting your systems even if they don’t build an impenetrable wall. Any statistician will tell you a 50 percent reduction in your risk is huge. These steps, if followed, can provide that reduction, security experts say. Not to do so, Kocher says, “is irrational. Those who have been attacked and lost almost everything always wish they’d at least done something.” Anything.
Send feedback on this feature to editor@cio.in
Open & United
The country is losing out by locking government applications into proprietary silos, notes Sunil Abraham, manager of UNDP’s International Open Source Network and director of Mahiti.
By Balaji Narasimhan
Sunil Abraham, director of Mahiti and manager of UNDP’s International Open Source Network, is a staunch advocate of open standards. An open standard, he asserts, is freely available, maximizes choice, has no royalty implication, and does not include any predatory practice.
Photo by Srivatsa Shandilya
Imaging by Binesh Sreedharan
CIO: How does the International Open Source Network (IOSN) look at e-governance?
Sunil Abraham: After working on FOSS (Free and Open Source Software) and related issues over the past three years in 42 countries in the Asia-Pacific region, we have identified core principles for e-governance from the FOSS perspective. First, intellectual property created using public funds should be freely licensed to the public. Whenever the government creates software, it should be available under a FOSS license. Second, the public should not be forced to purchase or pirate software to interact with the State. The government should use truly open standards without any royalty implications. Open standards drive down the costs of technology, retard obsolescence, and improve usability and interoperability. Third, public digital infrastructure, which directly impacts the quality of citizenship, should stand public scrutiny. For example, if the State expects citizens to download and install tax computation software on their personal computers, then citizens should be allowed to reverse-engineer this software to make sure that the State is not spying on them by accessing browser and media player history. Fourth, even if the state commissions bespoke application on a proprietary platform, it should be licensed under a FOSS license. Many people in government confuse FOSS with GNU/Linux or the LAMP (Linux, Apache, MySQL and PHP) platform. They don’t know that they can license an ASP application built on .NET platform under a FOSS license. By doing this, they can ensure that different vendors are available to upgrade or maintain the application. They can also ensure that the solution can be redeployed in different states and departments without incurring huge development costs.
Interview | Sunil Abraham same companies submitted their modified operating system for compliance testing by NIC. This is a wonderful example of how some corporations attempt to gain monopoly over government digital infrastructure and how intelligent government policies can help. SCOSTA’s successes in the area of transport applications have led the Home Ministry to accept the standard for the pilot of Multi-purpose National Identity Card to be conducted in 10 states and one union territory. This also illustrates the ideal role of government in e-governance. Ideally, government should not be a software developer. It should only develop and recommend open standards, so that private parties can develop quality hardware and software at an affordable price.
Only 15 percent of e-governance projects are successful. What are the common causes for failure?
Many e-governance projects fail because governments focus on technology and institutions rather than people. There are two types of technologies in the world: first, technologies that empower citizens and build communities and, second, technologies that disempower citizens and destroy communities. Wikis and blogs fit in the first group. They have tremendous potential in areas such as the Right to Information, especially for proactive disclosure. But most e-governance projects look at citizens only as passive recipients of information. That is why computers usually have speakers but no mikes. They have printers but no scanners. They have monitors but no cameras. Even the software applications are built completely from a technobureaucratic perspective without considering citizens as co-producers. This has resulted in the building of many technically sophisticated applications that don’t find any favor with the people. Good e-governance will recruit citizens as partners in the process of governance. Many e-governance projects also fail because of poor usability. Can you provide examples of successful e-governance projects?
The Smart Card Operating System Standards for Transport Application (SCOSTA) project is an good example of e-governance. SCOSTA is a specification that National Informatics Centre (NIC) developed for the Ministry of Shipping, Road Transport and Highways in response to requests from different state governments. Different states were considering various proprietary standards, which meant driving licenses would no longer be readable and writeable across different states. SCOSTA, though, is an open standard. An open standard is a standard that is freely available, maximizes choice, has no royalty implication, does not discriminate 58
Interview.indd 58
a p r i l 1 5 , 2 0 0 7 | REAL CIO WORLD
What role does FOSS play in e-governance initiatives in India? Is it enough?
Most e-governance projects see citizens as just passive recipients of information. based on technology platform or business model, allows users to make extensions or subsets, and does not include any predatory practice. By requiring compliance with this open standard, the government was able to foster competition and reduce the price from Rs 300 per card to Rs 30 per card. Initially, large corporations that had a monopoly on the card market launched a state-level disinformation campaign to convince bureaucrats and politicians that the SCOSTA specification was not technically feasible. But, with support from IIT Kanpur, the government was able to create a reference implementation of the operating system and publicly demonstrate technical feasibility. Within 20 days, the
FOSS is playing an increasingly important role in Indian e-governance. NIC has built several portals and applications using Plone, a FOSSbased content management system. CDAC-Chennai has developed BOSS, a GNU/Linux distribution that is aimed at government departments. Many states like Kerala, Tamil Nadu, and also Delhi, are migrating to FOSS in small steps. FOSS is becoming politically mainstreamed. The Communist Party of India (Marxist) has asked the Centre to use FOSS in all its egovernance initiatives. The draft IT policy of the government of Kerala recommends the use of FOSS in e-governance. From the government’s perspective, FOSS plays several important roles. First, it reduces cost of technology — a predominant motivation for using FOSS. Second, it increases the agility of the government: in times of disaster or war, the government can quickly download, install and use software without having to navigate a circuitous and complicated purchasing procedure. Third, it increases the bargaining capacity of government. Even if the government
Vol/2 | ISSUE/11
4/12/2007 6:21:45 PM
Interview | Sunil Abraham does not intend to use FOSS, it could drive down the costs of proprietary software by talking about FOSS applications during negotiations. C. Umashankar, MD of Electronics Corporation of Thailand, was able to get Windows XP Starter edition for an equivalent of Rs 400. His example should be emulated by other departments purchasing proprietary software. Does the extent of technical support limit usage of FOSS by government?
Yes it does. This is why e-governance practitioners like Rajeev Chawla, secretary of e-governance, government of Karnataka, avoid using FOSS. He says that FOSS is like a Mercedes Benz that cannot be repaired in a village in Raichur district. But proprietary software, he says, is like the Ambassador and can be repaired by a village mechanic. This is because most computer science and computer engineering degrees in developing countries like India focus only on proprietary software, unlike other engineering and scientific disciplines where students are provided with generic skills. This means our graduates are ‘computer operators’ and not ‘computer scientists’. They are ‘point-and-click’ engineers who operate computers like factory workers manipulating lathes without any real understanding. Rarely do these engineers come up with new products or services that capture global imagination and markets. Very few Indian IT companies own the copyright, patents and trademarks associated with the software application they build. These jobs that are now moving to India will move again to other countries that are able to provide cheap Englishspeaking programmers. The problem can only be addressed by introducing a vendor-neutral curriculum. This will ensure that students are introduced to FOSS in schools and colleges. It will take at least five years after the curriculum is revised for us to see a change in the FOSS ecosystem. By introducing a vendor-neutral curriculum, the government will ensure that it can get support for e-governance applications built on open standards. It will also ensure that the IT jobs stay in India as companies will be able to build solutions on top of FOSS.
Vol/2 | ISSUE/11
Which country, according to you, has used FOSS well?
I think the US is a good example for effective usage of FOSS. The Department of Defense uses FOSS almost exclusively for obvious reasons of national security that have eloquently been articulated by the President of India during the visit of Microsoft’s chairman Bill Gates to Rashtrapathi Bhavan. The private industry is generating wealth and increasing savings by adopting FOSS. This is one area, where I would recommend adopting the ‘American Way’.
What is the role played by the FOSS master plans and policy documents issued by of countries like Malaysia, Vietnam, Cambodia, Peru and Australia?
There are three different policy positions that a government can take. One, the government can mandate FOSS. At IOSN, we do not support this position because in many areas, FOSS may not be the best candidate for the job and this could result in heavy disruption, especially for countries that have large existing investments in the field of ICT. Unfortunately, the master plans and policy documents of Vietnam and Peru take this position. Two, the government could prefer FOSS. This means that if all else is equal, then the government will choose FOSS. This policy is also called the ‘Value for Money’ policy. This is a pragmatic policy adopted by governments such as Malaysia. Three, the government could remain silent on FOSS, but could mandate Open Standard instead. This is becoming increasingly popular across the globe; the European Union and Australia are good examples. These policy documents are usually called GIFs or Government Interoperability Frameworks. Regarding Cambodia, as far as I know, the policy is still in draft form, just like in the Philippines.
Does India have a similar master document? If so, how does it stack up against the other countries?
No, India does not have such a policy document. Officially, the government of India does not have any policy on FOSS. However, I believe that actions speak louder than words. The Centre, through CDAC-Mumbai, has already set up an Open Source Resource Centre in Mumbai in partnership with IBM and IIT-Mumbai. Through CDAC-Chennai and KBC Research Centre at Anna University, it has set up a National Resource Centre for Free and Open Source Software. The Centre has introduced FOSS electives in 300 engineering colleges in Tamil Nadu. NIC is also considering a National Centre for Open Technologies. This Centre will support government departments with FOSS, Open Standards, Open Content and Open Processes. So, even though we lack an explicit policy, the Indian government is undertaking many initiatives to promote the growth of open technologies in the country.
If there was one thing you could change about e-governance in India, what would it be?
I would like to see greater adherence to open standards. We are losing out on the network effect by locking our applications into proprietary silos. Even though we are a country with a huge population, adoption of e-governance is still slow. The Internet was such an extraordinary success because it was founded on open standards. Different players — private and public, large and small — were able to innovate around these open standards. We should try and emulate this success in the area of Indian e-governance. CIO
Special Correspondent Balaji Narasimhan can be reached at balaji_n@cio.in
THE BIG Pay-out: Rs 23,000 cr. is the government spend for 26 new projects under the National e-Governance Plan over the next five years. Source: Ministry for Communications & IT
REAL CIO WORLD | April 15, 2007
Essential technology
Where does software-as-a-service (SaaS) help midsize enterprises the most? Think key business functions like accounting. For CIOs with lean staffs, the advantages of SaaS add up.
From Inception to Implementation — I.T. That Matters
SaaS Appeal
By John Edwards
ENTERPRISE APPLICATIONS | Like other midsize enterprises shopping for CRM software, Ventana Medical Systems faced two basic choices in 2005: choose a traditional application or opt for the newer software-as-a-service (SaaS) model and have CRM tools delivered directly to end users via the Web. In hindsight, the decision turned out to be something of a no-brainer, says Anthony King, CIO for the medical diagnostics equipment manufacturer. “SaaS beats the alternative in maintenance, training, user flexibility and several other key areas,” he says. In the past few years, several key factors combined to make SaaS an increasingly popular choice at companies like Ventana: Web technologies matured, applications grew more standardized, and the appeal of lower up-front capital costs, streamlined maintenance and easier scalability only became stronger. Robert DeSisto, an applications industry analyst at Gartner, predicts that “by 2011, 25 percent of new business software will be delivered as a service.” Most midsize enterprises turn to SaaS expecting significant cost, deployment speed and maintenance benefits. (And, of course, many midsize companies don’t have the in-house IT staff to manage more applications.) They’re looking to SaaS to improve efficiency for core processes such as CRM, sales compensation management and ERP. But before they rush toward SaaS, these organizations also need to be sure that the functionality of the solution
meets their business requirements and that they can integrate with their existing applications without a hassle. In some cases, customization options are limited. Nevertheless, a growing number of midlevel enterprises have decided SaaS’s benefits far outweigh its drawbacks. “There’s no application in the world that you can’t run in-house if you have the money, resources and expertise,” says Laurie McCabe, an analyst at technology research firm AMI Partners. “The problem is that most medium [-size] businesses don’t have that capability,” she says. “In most cases, SaaS is economically a better way to go.”
Ditching the CRM Antiques
Many midsize businesses first test the SaaS waters with an on-demand CRM application. That’s because many midlevel companies have a dire need to overhaul antiquated customer support processes. Fortunately, SaaS meshes well with CRM technology, allowing companies with small IT budgets to run modern, sophisticated customer analysis applications on a pay-as-you-go basis, with only a minimal up-front investment. At Ventana, the search for a CRM solution had reached critical mass by 2005. Customer contacts, crucial to the company’s continued financial health, were not readily available for field personnel because the data was either on paper or buried in an ERP system. “We basically were manual for the most part — Day-Timers, paper files and such,” says King. After evaluating several on-demand and traditional CRM products, Ventana settled on SaaS technology from Salesforce.com — a mix of marketing automation, analytics and other applications. “The benefits of having a hosted solution outweighed the benefits of the in-house solution,” King says. “Plus, the time to get it up and running was significantly shortened with a hosted solution.” Initial deployment and training took less than four months, King says. SaaS technology gives Ventana the same features offered by traditional CRM software — including capture, storage and analysis of customer information — without incurring
Your Service Plan
Before you march forward with SaaS technology, here are some cautionary words from three companies that have been through the drill.
1. Software as a service (SaaS) still requires front-end work. Despite cost and operational benefits, SaaS software still must satisfy its end users. “As with any tool, adoption is the key to success. So spending time on the front end, building up your plan and creating a communications strategy will all help garner adoption.” –Anthony King, CIO, Ventana Medical Systems
2. Consider the state of your own data. How much work will be required to feed it to the SaaS app neatly? Trex found that Centive’s Compel app worked well — once Trex’s IT team exported the necessary data from an aging J.D. Edwards ERP engine that put up a longer-than-expected struggle. “Don’t underestimate the complexity of making sure system mergers can be handled.” –Mitch Cox, VP of sales, Trex
3. Don’t get optimistic on time frame. SaaS has a reputation for rapid deployment, but perhaps not as rapid as you may think. Set a realistic schedule. “I really thought we would be able to do this within a quarter, and that may have been just too aggressive.” –Mitch Cox
4. Examine your business processes. Some SaaS applications are difficult to customize, so make sure your business processes match the software’s design. “It’s a good opportunity to simplify the processes and to make your business more efficient.” –Fabrice Cancre, COO, Olympus NDT
the extra burden of running its own servers, operating a network to connect branch offices and hiring a large IT staff. “It’s just significantly easier,” King says. “We have a very good Oracle ERP system, but keeping it updated across the organization and supporting it is a substantial effort.” With SaaS, the service provider does all the work to run and maintain the CRM system. Ventana also values Salesforce.com’s ability to provide multiple language interfaces on demand, facilitating work with offices worldwide and a staff that speaks more than 20 languages. “To change the language, you click a button on the screen,” King says. This contrasts sharply with Ventana’s on-premises ERP system, where adding a new language requires IT staffers to painstakingly design and test new modules. For a government-regulated company like Ventana, SaaS can also save time and money by cutting red tape. “In a regulated
industry, you spend most of your time validating and updating software,” King says. “That’s not your true competency; it really doesn’t add value to your business.” On-demand software drops much of the time-consuming validation onto the software provider. “We don’t have to validate the Salesforce.com tool, only the way we’re using it,” King says. He feels that his SaaS-based CRM technology offers more features than most premises-based counterparts while creating less work for business and IT staffers. “We have much more operational flexibility, more current information about our customers and the ability to make more informed decisions,” he says. The only significant “road bump” he faced was convincing end users to take full advantage of the system’s information management and analysis features. “Once they could see that, then there was a lot of buy-in,” he notes.
Compensation Strife
Sales compensation management has something in common with CRM at some midsize companies. Even though calculating compensation for sales reps is a key process, especially for firms in growth mode, it may be ignored until it creates a true mess. At Trex, a decking and railing manufacturer, business users found themselves caught in their own version of ‘Excel Hell’. Sales reps and managers were tracking compensation via spreadsheets, leading to endless conflicts and disputes. “Excel spreadsheets are typical for a lot of companies our size,” says Mitch Cox, vice president of sales. “You end up doing the calculations manually and, unfortunately, the accuracy is always called into question.” The activity also burned away time. “You’ve got a bunch of people spending an inordinate amount of time tracking something that, frankly, they shouldn’t have to waste their time tracking,” Cox says. Looking for a faster, better way to gauge compensation, Cox turned to SaaS provider Centive and its Compel software. But why did a sales VP spearhead a new software initiative? Cox says he was drawn to the software, and the SaaS model, because Trex simply wasn’t in a position to run on-premises compensation software. “Our IT department is a dedicated group of people that’s very small,” he says. “I needed to have this capability provided from the outside to avoid adding to their burden.” Compel’s dashboard view gives sales representatives a real-time view of their position and ultimate objective during any given quarter. “Managers love it because they’re able to focus their time where it’s needed most,” he says. “They can understand right away who’s winning and who’s losing on a sales rep basis — and there’s no disputing the data.” On the downside, although the project was envisioned with the need for minimal IT involvement, things didn’t quite turn out that way, though not for reasons having to do with the Compel product.
The deployment took longer than anticipated, because it took Trex’s IT staff
longer than planned to create the necessary export file, using data from Trex’s aging J.D. Edwards ERP data engine. During this process, Trex IT also discovered that the data in the J.D. Edwards application did not always reconcile with the data that its finance department used to calculate commissions. The deployment spanned most of 2006’s second quarter; tweaking, training and other follow-up tasks dragged well into the next period. “Compel integrated easily with our source systems once we reconciled our data and created the necessary data feeds,” Cox says. He says he’s pleased with both Compel and the SaaS model. “There’s been a decent productivity gain, because people aren’t doing that one-off tracking like they were in the past,” he says.
Suite Success
As SaaS builds a real-world track record, more midsize enterprises entrust the technology with not one but multiple core business tasks. Olympus NDT, a manufacturer of testing equipment, uses NetSuite, a fully integrated suite of services, for accounting, CRM and e-commerce. Data integration was NetSuite’s biggest drawing card, says Fabrice Cancre, COO of Olympus NDT. “The sales reps, the accountants, the inside salespeople taking the orders, the customer services reps — everybody is entering data into the same database,” says Cancre who oversees IT at Olympus NDT. While every ERP package offers data integration, SaaS gave Olympus NDT the ability to obtain ERP benefits without complex hardware and maintenance infrastructure that usually accompanies on-premises ERP packages. “The entire system is managed by NetSuite,” Cancre says. “We don’t have any need for (ERP) servers, backup systems and the other things that add up to a big cost for a midsized business.” Scalability also attracted Olympus NDT to SaaS. The rapidly growing company is expanding both domestically and internationally. “We have six locations in the US, and we’re also using the system
On-demand financial management apps and salesforce automation will win mainstream adoption within two to five years.
Source: Gartner
in Germany, France, England and Japan,” Cancre says. Adding users in new locations requires little more than logging them in to the Web-based system. While Olympus NDT has handed over all of its customer-facing interactions to NetSuite, it still relies on traditional software, Infor Visual Manufacturing, to support another core business process, production operations. The onsite software tracks parts, coordinates ships and handles various other manufacturing-oriented tasks. “NetSuite is definitely not able to do that,” Cancre says. On the other hand, NetSuite does exchange key business data with the manufacturing ERP software. “We’ve set up our systems so that we consider our factories as a vendor, at least from the NetSuite point of view,” Cancre says. “NetSuite then trades with the ‘customer.’” Cancre says midsize enterprises need to view software in the same light as other essential business services. “I mean, we could have our own lawyers too,” he notes. “But we don’t have them — we hire them as we need them.” CIO
John Edwards is an Arizona-based freelance writer.
Pundit
Sightings from the Open Source Ecosystem
The heated discussions around open source show just one thing: it's getting more popular.
By Bernard Golden
OPEN SOURCE | Interesting events have taken place in the open source world that I thought deserved further examination.
1: The endless discussion on Linux's potential to be on the desktop has made it easier to use and install, though it's still not a mainstream item. Now Dell, in its attempt to get back to being an innovator in terms of customer service and satisfaction, has opened a request page where people could write up what products they’d like to see Dell release, and allowed people to vote, Digg-style. The big surprise: the most requested and voted item was: pre-loaded Linux on Dell PCs. In fact, of the top six or seven requests, open source figured in three or four of them. Perhaps there’s more promise for Linux on the desktop than most people think!
2: Free software advocate Richard Stallman was in Havana recently and spoke at the International Conference on Communications and Technology. Host nation Cuba announced that, along with Venezuela, it would begin using Linux. It didn’t end there. Well-known ‘analyst’ Rob Enderle reacted saying that Stallman, appearing as a fellow traveller in Cuba, would somehow harm the ‘brand’ of Linux. In Enderle’s febrile vision, the fact that Cuba would use Linux somehow meant that the NSA would never consider using it and that one political candidate would tar another by pointing out that the opponent had an agency that had used Linux. I mean, really. Linux is used all over the world. As Enderle himself notes, there is already a version of Linux used within a communist country: Red Flag Linux, widely used in the People’s Republic of China (although Enderle feels this is not so dangerous, since it has its own ‘brand’).
3: In shocking news, open source vendors use open source as a competitive weapon. CIO’s sister publication Computerworld ran an article discussing the number of vendors using open source as a competitive weapon against commercial rivals. IBM’s sponsorship of the open source database Derby is cited as an example to harm its competitors. After a few observations about how it seems like there’s ‘good’ open source-using companies and ‘bad’ ones (example cited that if Microsoft released Visual Studio for free, it would have been a bad company pursuing predatory market practices), the article goes on to quote Dave Rosenberg, well-known in the open source community, saying that IBM probably didn’t plan to do anything particularly harmful with its open source efforts, and it was pretty much OK. I don’t get it. It sounds like little boy’s clubs where much energy is spent discussing who doesn’t deserve to be a member.
Get over it. Open source is a movement with many different motives and perspectives. There’s no doubt that companies like IBM calculatedly use open source as a competitive tactic. I view their donation of Derby more as a way to dump an unsuccessful product than a way to harm competition — more apt is their creation of Eclipse as a direct fusillade against Sun and Borland. We’ll see more of this as vendors begin to apprehend the power of open source and leverage it as a competitive tool. I wouldn’t be surprised if Microsoft followed its rapprochement with Novell to its logical conclusion and purchased the company, with the aim of better competing with Red Hat and Oracle.
The difference between open source and proprietary software is key. The company sponsoring an open source product can influence its direction, but has no iron control of it, as it would if the product were proprietary. With open source, users have the ultimate trump card, which is access to the source. There is no final lock-in. All of these maneuverings mean that the logic of open source (low prices and users holding the upper hand) is permeating the industry. CIO
Bernard Golden is CEO of Navica, an open-source consultancy. Send feedback on this column to editor@cio.in