CIO August 15 2007 Issue



From the Editor

What the Talent Crunch Means

Even if engineering talent is available, skills required to run modern companies are scarce.

Today’s war for talent starts at technology and business schools around the country. That obviously means the IITs and IIMs, apart from many other institutions. The bidding wars, so to speak, are a good indicator of the levels of demand. Last year, the top offer at an IIT was a Rs 45-lakh package offered by global oil major Schlumberger. Sometimes recruiters go a different way, seeking to tap far-flung talent. This not only helps unearth hitherto unidentified talent, but also offers significantly lower cost. Last year, TCS ventured to Tamil Nadu’s hinterland to recruit, revealing how far companies would go in this quest for engineering talent. Eventually, the K.S. Rangaswamy College of Technical Education in Tiruchengode didn’t quite work out because students at the semi-urban college — located about 20 km from the town of Erode — didn’t possess the skills TCS needs to service its global clients.

Talent, clearly, is in limited supply. Also, the numbers are fuzzy. Nobody is quite sure how far or how fast we can grow. Figures for the number of engineers graduating each year are liberally thrown around in the media. It is common to imagine as many as 4 lakh. But reliable estimates suggest a much lower figure. According to NASSCOM, India produced about 2.15 lakh engineers in 2004. Of them, only 1.12 lakh were graduates with four-year degrees — the prime target of many employers. Both NASSCOM and McKinsey believe only 25 percent of the graduating engineers in India possess the skills to work for large companies or outsourcing firms. If we consider only the graduate engineers, the number is down to about 28,000 — less than the number hired annually by the IT majors. If we take the larger pool of 2.15 lakh, a quarter of that would be almost 54,000, which is closer to the number annually hired by Big IT.
Add in the number of students who go in for higher studies, and those who migrate to other countries — it seems a miracle that the rest of the Indian companies find any IT workers. The point is: the situation is dire and likely to get worse with increased outsourcing. In the circumstances, CIOs across the country are getting smart about hiring, as our cover story by Special Correspondent Balaji Narasimhan reveals, and are even considering outsourcing. A decade from now, it could even mean offshoring to lower-cost countries, given the rising labor costs and the torrid pace of growth of the Indian economy. Smarter CIOs, I suspect, would soon even begin to pick up valuable offshoring lessons from western companies.

Bala Murali Krishna
Executive Editor
balamurali_k@cio.in

A U G U S T 1 5 , 2 0 0 7 | REAL CIO WORLD

Vol/2 | ISSUE/19



Content: August 15, 2007 | Vol/2 | Issue/19

Cover: Design by Binesh Sreedharan; Illustration by Unnikrishnan AV

As CIOs, Vinod Sadavarte (L) of Patni Computer Systems, Amit Kumar of Max New York Life, and David Briskman of Ranbaxy are constantly exploring ways of maintaining highly-motivated IT organizations.


Project Management
COVER STORY | HIRE POWER
CIOs are finding it a formidable challenge to build — and maintain — IT organizations with the right skills. So much so, some of them are beginning to consider outsourcing as an option.
Feature by Balaji Narasimhan

Executive Expectations
VIEW FROM THE TOP
Dinesh Hinduja, executive director of Gokaldas Exports, says that the garment industry is as reliant on IT as auto-makers.
Interview by Kanika Goswami

Peer-to-Peer
PAY ATTENTION TO YOUR NETWORK
The future of your business depends on your network. That’s why CIOs need to oversee it themselves.
Column by Moti Vyas

Feature: Risk Management
HOW YOU CAN FIGHT CYBER CRIME
Online crime is organized, its perpetrators attack deliberately, and the likelihood that they will attack your company is growing. Here’s how to mitigate the risk.
Feature by Christopher Koch

Making IT Work
COLLABORATIVE CODING
A savvy entrepreneur is exploiting technical innovation to cost-effectively generate technical innovation.
Column by Michael Schrage



Content (cont.)

Departments

Trendlines
Support Services | Microsoft: Want a Hot Fix?
Anti-spam | Of Pump-and-dump Scammers
Security | Security Vendor: Yes or No?
Storage | SAN, NAS: Your Boss Doesn’t Care
Research | Swift Action on Security
Services | Hacker Scare? Set Alarm
Business Intelligence | Beating the BI Blues
Mobile | CRM Released for iPhone
Networking | New Bluetooth Standard Approved
Broadband | Mobile Broadband: Post 2008

Essential Technology
IT Architecture | Stuck in the SOA Soup
By Bob Violino
Open Source | The Prospect of GPL3 Adoption
By Bernard Golden

From the Editor
What the Talent Crunch Means | Even if engineering talent is available, skills required to run modern companies are scarce.
By Bala Murali Krishna

Inbox

NOW ONLINE
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Govern
PUTTING PEOPLE FIRST
To succeed, e-government projects need to avoid excessive focus on technology and find champions, says Dr. Rajendra Bandi, associate professor of information systems at IIM Bangalore.
Interview by Kanika Goswami

Project Leadership
GETTING TO THE POINT
It is easy to shroud the truth about your project behind volumes of reports. Here is how you can get the bad and the good news to rise to the top every week.
Column by Mike Hugos


Management
Publisher & Editor: N. Bringi Dev
CEO: Louis D’Mello

Editorial
Editor-in-Chief: Vijay Ramachandran
Executive Editor: Bala Murali Krishna
Bureau Head - North: Sanjay Gupta
Special Correspondents: Balaji Narasimhan, Kanika Goswami
Senior Correspondent: Gunjan Trivedi
Chief Copy Editor: Kunal N. Talgeri
Senior Copy Editor: Sunil Shah
Trainee Journalist: Shardha Subramanian

Design & Production
Creative Director: Jayan K Narayanan
Designers: Binesh Sreedharan, Vikas Kapoor, Anil V.K., Jinan K. Vijayan, Sani Mani, Unnikrishnan A.V, Girish A.V, MM Shanith, Anil T, PC Anoop, Jithesh C.C., Suresh Nair, Prasanth T.R
Photography: Srivatsa Shandilya
Production: T.K. Karunakaran, T.K. Jayadeep

Marketing and Sales
VP, Intl’ & Special Projects: Naveen Chand Singh
VP Sales: Sudhir Kamath
Brand Manager: Alok Anand
Marketing: Siddharth Singh, Kishore Venkat
Bangalore: Mahantesh Godi, Santosh Malleswara, Ashish Kumar, Chetna Mehta
Delhi: Nitin Walia, Anandram B, Muneet Pal Singh, Gaurav Mehta
Mumbai: Parul Singh, Chetan T. Rai, Rishi Kapoor, Pradeep Nair
Japan: Tomoko Fujikawa
USA: Larry Arthur, Jo Ben-Atar
Singapore: Michael Mullaney

Events
General Manager: Rupesh Sreedharan
Managers: Ajay Adhikari, Chetan Acharya, Pooja Chhabra

Advisory Board
Abnash Singh, Group CIO, Mphasis
Alaganandan Balaraman, Vice president, Britannia Industries
Alok Kumar, Global Head-Internal IT, Tata Consultancy Services
Anwer Bagdadi, Senior VP & CTO, CFC International India Services
Arun Gupta, Customer Care Associate & CTO, Shopper’s Stop
Arvind Tawde, VP & CIO, Mahindra & Mahindra
Ashish K. Chauhan, President & CIO — IT Applications, Reliance Industries
C.N. Ram, Head–IT, HDFC Bank
Chinar S. Deshpande, CIO, Pantaloon Retail
Dr. Jai Menon, Director (IT & Innovation) & Group CIO, Bharti Tele-Ventures
Manish Choksi, Chief-Corporate Strategy & CIO, Asian Paints
M.D. Agrawal, Dy. GM (IS), Bharat Petroleum Corporation Limited
Rajeev Shirodkar, VP-IT, Raymond
Rajesh Uppal, Chief GM IT & Distribution, Maruti Udyog
Prof. R.T. Krishnan, Professor, Corporate Strategy, IIM-Bangalore
S. Gopalakrishnan, CEO & Managing Director, Infosys Technologies
Prof. S. Sadagopan, Director, IIIT-Bangalore
S.R. Balasubramnian, Executive VP (IT & Corporate Development), Godfrey Phillips
Satish Das, CSO, Cognizant Technology Solutions
Sivarama Krishnan, Executive Director, PricewaterhouseCoopers
Dr. Sridhar Mitta, MD & CTO, e4e
S.S. Mathur, GM–IT, Centre for Railway Information Systems
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
V.V.R. Babu, Group CIO, ITC

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: N. Bringi Dev. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India


Reader Feedback

New Frontiers for CIOs

I was immediately drawn to the cover story in CIO India, issue number 17 (June 15, 2007). What better way to pick on a CIO’s mind than the topic of On Higher Ground. The message that a CIO is not just focused on technology or IT infrastructure, but on all larger issues confronting him, was loud and clear with your coverage. My congratulations to the team! I was particularly pleased to see the CIOs who have comfortably taken on positions outside IT. However, I do not quite agree with the editorial statement that carrying technology’s burden restricts a person’s vision and understanding of larger business issues. In fact, in today’s world, technology is the binding force that connects an organization’s vital operations, production, sales and marketing, distribution and, sometimes, even the end customers. The technology thread running across all functions gives CIOs a unique visibility into all aspects of business in a holistic manner. Combine that with vision, CXO-level mindset and grit — and, wow, you have a potential business leader. Do CIOs want to get into other C-level jobs? You rightly picked this question. Do CIOs or, for that matter, do I want to get into something outside IT? Not so soon. If and when we do, technology should be the enabler and strength rather than hindrance. The story was very useful. I look forward to reading more such thought-provoking articles in future. I also liked the ‘View From The Top’ section (‘Feeding The Acquisition Frenzy’) in the issue featuring Vijay Rekhi, president of United Spirits. I would suggest you cover more leaders from New Age sectors like real estate and BFSI.

Anil Punjwani
IT Head, Philips Innovation Campus, Philips Electronics India

Outsourcing the Network

"With increasing demands from the organization to leverage IT for business, it is imperative for a CIO to outsource his networks."

Your features in the network infrastructure special issue (Network Wonder, July 1, 2007) got me thinking on a number of issues, such as outsourcing. The choices before CIOs today are — doing it yourself completely, outsourcing — and a blend of both. Look at the challenges that a CIO faces today. With the increasing demands from his organization to leverage IT for business, it is imperative to have a reliable partner who can completely design, deploy and manage the organization’s network infrastructure. The outsourcing partner must have a strong network to support you in your endeavor. The outsourcer must also have the vision of high growth and be prepared to address the challenges of customer requirements proactively. Once the decision to outsource is taken, your partner is no more a vendor. He is more than a partner — he is part of your extended team and is totally accountable and responsible for all deliverables. This outlook leads to a winning team that drives an agile network infrastructure.

V. Subramaniam
CIO, Otis Elevator India

IT-enabled Commute

I read the article (‘Stop. Ready. Go.’, June 15, 2007) about how traffic data are collected by using cell phone traffic and displayed on a website. Though the practical utility of this service is still not clear to me, I hope this is the first of many future versions to emerge with useful features. At the same time, I am amazed how very little IT is used in the IT capital for one of its major problems. It will be great if your magazine can bring together a panel of experts in traffic management and IT to brainstorm. One simple system that can be introduced is for the traffic police to adjust signal timings. Once the basic system is installed, the switching patterns can be transmitted to a central computer. Traffic experts can then study the traffic patterns and come up with solutions. The data transfer can be done using mobile technology, and mobile companies will be interested in making such a system.

Sampathgiri
Director, Bigtec

What Do You Think?
We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.


new * hot * unexpected

Illustration by PC Anoop

Microsoft: Want a Hot Fix?

Support Services

Microsoft customers can now request a hot fix by e-mail, avoiding the hassle of reaching the company's support staff on the phone. In a blog post, Steve Patrick, who works in a Microsoft group within support services, provided a link to an online form where customers can enter their e-mail address and the desired hot fix by referencing its associated Knowledge Base article number. Microsoft's support will e-mail a download link for the hot fix within eight business hours, the form notes.

Hot fixes are patches that Microsoft writes for specific, documented problems but doesn't release to everyone via one of its update services, such as Microsoft Update. Typically, Microsoft support recommends that only users who have experienced the problem install a hot fix. Most of the time, Microsoft does not make these fixes available for downloading from its Web site; instead, it demands that users call in and explain their situation to support before it releases the patch.

A Windows Vista bug that locks up a PC when it's brought out of hibernation is a good example. In the May 7 Knowledge Base article, Microsoft said, "It is intended to correct only the problem that is described in this article. Apply it only to systems that are experiencing this specific problem. This hot fix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hot fix. To resolve this problem immediately, contact Microsoft Customer Support Services to obtain the hot fix."

"Man! This makes life SOOOO much easier for a lot of folks," said Patrick, who credited the change to ‘the Big Brainers’ at Microsoft.

—By Gregg Keizer

Pump-and-dump Scammers Turn to Excel

Antispam

Pump-and-dump stock scammers have begun using Microsoft Excel spreadsheets to deliver their get-rich-quick schemes, another in a series of moves they've made trying to slip past antispam filters. E-mail security vendor Commtouch Software Ltd. spotted several spam runs Saturday that feature Excel attachments with file names such as ‘invoice20202.xls’ and ‘stock information3572.xls.’

The Excel worksheets contain the unsolicited message, which, as in all classic pump-and-dump scams, touts shares of one or more lightly-traded companies as hot and ready to climb. The fraudsters, however, have already bought shares and only spam their shills to get others to buy in. If enough do, the price goes up, and the scammers sell their holdings. The duped recipients of the spam are left holding the bag when the price later plunges.

According to Amir Lev, Commtouch's chief technology officer, the turn to Excel is just the latest twist in the scam. "Excel is a natural progression after the recent spate of PDF spam, which itself is a natural development from basic image spam," said Lev. "We expect other file formats to follow suit. Think of the spam potential in PowerPoint files or Word documents."

Pump-and-dump spam has been rapidly changing tactics, dropping images and substituting PDF files to evade spam-blocking software. Virtually every security company has set out warnings of recent big spikes in the amount of PDF-based spam. In fact, Commtouch was one of the first. Spammers started using PDF files only a few weeks ago; before that, they relied on embedded images to get their content past filters.

Most users associate danger and Excel files because of the latter's use by hackers to deliver malware. Sporadic attacks, often very narrowly focused, using Excel spreadsheets as well as other Microsoft Office file formats, have been launched since early 2006. For example, in June a Commtouch rival, UK-based MessageLabs Ltd., reported that 95 percent of all targeted attacks, those where one piece of spam was shot at one user, involved Office file attachments.

—By Gregg Keizer


Security Vendor: Yes or No?

Security

When it comes to picking a single ‘strategic security vendor', IT executives are decidedly at odds. Questioned whether they had such a vendor, 50 executives rendered a split decision, with 42.6 percent indicating they do and 57.4 percent saying they don't, according to a report from Nemertes Research. A ‘strategic security vendor’ is the one an IT executive would turn to first, as a preferred security partner.

The in-depth interviews conducted by Nemertes Research for its report, Security and Information Protection: Technology Trends and Vendor Ratings, found Cisco, Microsoft and Juniper Networks fared the best. Among the respondents who said they did have a strategic security vendor, Cisco was cited most frequently. "Cisco was mentioned about 20 percent of the time and Microsoft about 10 percent," says Nemertes president Johna Till Johnson. "IBM and Symantec weren't even mentioned."

The results are a remarkable turnaround for Cisco and Microsoft compared to the responses from 2005, when IT executives were asked the same question. It appears that the reason Cisco is viewed as a strategic security vendor isn't that IT execs buy Cisco gear for its security features, but that the presence of Cisco gear and the importance of security underscore Cisco's importance.

However, when it came to rating security vendors in customer service and support, and strength of technology and value, the top vendor was Juniper. Johnson said Juniper's ratings were significantly higher than anyone else's. Among IT execs who didn't have a strategic security vendor, about a quarter preferred a best-of-breed approach in selecting security products, and the rest responded that either they didn't need one, or they couldn't have one because of outsourcing or procurement restrictions.

—By Ellen Messmer

[Chart] Do you have a strategic security vendor? Yes: 42.6%. No: 57.4%. Most frequently cited companies with security vendors: Cisco 20%, Microsoft 10%.

SAN, NAS: Your Boss Doesn't Care

Storage

Storage is awash in TLAs (three-letter acronyms). LUN, SAN, NAS, ILM, SWD, SAS, HBA, DAS, CAS and FAN are all acronyms that regularly appear in storage-related literature, publications and columns. But to many IT managers, they provide no meaningful information, and for storage technicians who use them too frequently without context, they may alienate rather than connect them with their manager.

Storage-area network (SAN) and network-attached storage (NAS) are examples of acronyms that can drive a wedge between managers and techs. The acronyms look similar (NAS is SAN spelled backward), they both reference storage networks, and nearly every organization uses both SAN and NAS. Yet to say there is no difference in the acronyms is akin to saying oil and water are the same because they are both liquids.

The trouble with trying to explain the meaning of these acronyms is that it requires using language that confuses rather than clarifies the situation. To the individual steeped in storage, it is intuitively obvious that a SAN only carries block-based storage over either an Ethernet or Fibre Channel infrastructure using iSCSI or Fibre Channel protocols, while NAS only carries file-based traffic over an Ethernet network. Provide that same explanation to your IT manager and he will look at you like you have two heads.

Storage techs tend to forget that management lacks the time to learn every storage acronym. Though some managers just don't care, many more are too consumed with setting corporate initiatives and meeting quarterly numbers to spend time trying to understand the differences between SAN and NAS. The use of acronyms is a clever way to appear knowledgeable and smart. But when your use of acronyms confuses the situation and leaves management in the dark, you are probably helping no one and only hurting yourself.

—By Jerome Wendt


Beating the BI Blues

Business Intelligence

By Margret Locher

Many companies approach business intelligence from the wrong angle, leading to a lot of wasted effort by IT. In fact, companies spend more than 70 percent of the time, energy and money they dedicate to business intelligence on people and process issues, according to a recent Gartner study of BI accessibility. That’s a costly sink, says Gartner analyst Betsy Burton. “The mistake a lot of executives make is trying to buy technology in the hope that it will apply to the business objectives,” Burton says. “Companies should start any business intelligence effort by defining the business objective and then the people, metrics and processes that support those objectives.”

What are the key obstacles that IT faces in constructing efficient BI systems? A lack of effective support from senior management really hurts. Yet, of 350 global organizations Gartner surveyed, only 10 percent of BI and performance management efforts were sponsored by a C-level executive.

Another problem: Many companies come at the BI issue wanting to ‘fix’ or ‘clean-up’ the data. “Cleaning up data is not a business objective,” Burton says. But that’s how many IT executives drive their company’s BI efforts, and as a result, the IT organization spends its time responding to tactical requirements, instead of driving business objectives. “It’s important to have a team to bridge the divide between IT and business expectations,” she says. Companies that are ahead of the game have formed business intelligence competency centers (BICC) to help their organization master intelligence management, she says.

Smart BI planning will only grow in importance for CIOs. Most organizations are facing an information explosion but don’t yet have a management strategy for it and IT can sometimes be seen as the root of this problem, Burton says. Looking ahead, information management is one area where the CIO will be expected to act as a trusted adviser to the business.

Best Practices

1. Get an executive to sponsor your information management efforts. Consider the organizational structure, so you are able to adapt to changing business priorities.

2. Define the objectives necessary to deliver the business strategy. Don’t get mired in cleaning up the data. Construct your BI plan to improve on current processes, with an eye toward technology that plays into achieving the business objectives.

3. Compare your plan with the current initiatives, tools and technologies. Your plan should strike a balance between strategic perspective and tactical requirements. It should be flexible to evolve over the next decade.

Where Are The BI Champions?

Only 10% of BI efforts are sponsored by a C-level executive with a direct link to the business.
40% are sponsored by other business executives.
25% are sponsored by an IT manager.
25% have no executive sponsor.

This is Why… You’ll Need BI

Between 2006 and 2012, Global 1000 organizations will experience a threefold increase in data, content and application quality issues.

Source: Gartner


Swift Action on Security

Survey

IT managers are reacting increasingly quickly to security issues, a survey has revealed. Seven in 10 managers now deploy critical updates within eight hours, which is almost twice as many as last year. And 29 percent implement patches in only two hours; more than double the number that achieved that response time in 2006.

The results come from a survey of 250 CIOs, CSOs, IT managers and network administrators across Europe, Asia Pacific and the US. The research was conducted by PatchLink, a manufacturer of security software.

Zero day vulnerabilities, where hackers exploit security issues on the day that they emerge, are the largest security concern, according to the survey, with 54 percent of IT chiefs citing them as their top worry. Vendors are also tending to act more quickly with their security fixes, in the face of pressure from businesses and from a growing army of unofficial patchers.

In March, security vendor eEye Digital Security issued an unofficial patch to protect users of the Outlook Express email program, covering an area Microsoft had not tackled. Then the Zero Day Emergency Response Team unveiled another patch days later. In early April, Microsoft responded with its own patch after it admitted the problem had become too serious to ignore.

Hackers as a whole are the second largest concern, at 35 percent, and malware and spyware stand at 34 percent. Charles Kolodgy, research director at IDC, said that businesses of all sizes faced zero day threats, and that the problem is worsened by a lack of resources to fight the problem. He added: "User behavior is difficult to control, and many hackers rely on users' lapses in judgement to carry out their malicious activity."

Two thirds of those surveyed said they spent more than an hour each day monitoring security, and half had over 10 programs installed to counter threats.

— By Leo King

Hacker Scare? Set Alarm

Services

Your Web mail account is a treasure trove of private and potentially valuable information, and thieves know it. In an online interview, one hacker claimed to make thousands of dollars every day by breaking into e-mail accounts. Normally you can't tell whether you've been hacked in this way. But you can create an electronic trip wire that will trigger whenever someone reads a rigged e-mail.

I came across the idea, which takes advantage of a free Web hit counter, in a blog post by Jeremiah Grossman of WhiteHat Security. The gist of it is to keep an e-mail message in your account that includes the code for the counter. Opening the attachment trips the counter, thereby alerting you that someone was snooping. Here's how to set it up:

1. Head over to OneStatFree.com and register for a free Web counter account. You can list anything for the site URL, and use a disposable e-mail address to complete the registration process.

2. Look for an e-mail from OneStat sent to the address you used when you registered. It will come with an attached file named OneStatScript.txt. Save that file, and note your account number. Then delete the e-mail, which has your account details.

3. Give the .txt file a name that will catch a spy's eye, like ‘BankPasswords,’ and make it an .htm file so it opens automatically in a Web browser (and trips the counter).

4. Send the file as an e-mail attachment to the Web mail account that you want to monitor. Use a similarly baited subject line, like ‘Account log-ins,’ for the message. Just be sure not to open the file when you send it — you don't want to set off your own alarm.

5. Sit back and wait like the patient spycatcher you are. If anyone opens your rigged attachment, the hit counter will reflect that fact and will record information about them, including the IP address of the accessing computer. To check the counter stats, just log back in to your account at OneStatFree.com.

The excellent, free Stanford Password Hash browser add-on provides additional security by making it easy to use strong, unique passwords for all of your accounts.

—By Erik Larkin

Illustration by MM Shanith
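The trip wire in the article depends on a third-party hit counter. The same idea can be run against a web server you control, shown here as an added example that is not from the original article: the bait .htm attachment loads a uniquely tokened image URL, and any request for that URL in the server's access log counts as a hit. The host name canary.example, the /t/<token>.gif path, the sample token and the log lines are all constructed assumptions.

```python
"""Self-hosted e-mail trip wire: bait attachment plus access-log check."""
import re
import secrets
from html import escape

# Assumption: a web server you control answers at this placeholder host and
# writes Apache/nginx "combined" format access logs.
BEACON_HOST = "canary.example"


def new_token() -> str:
    """Random, unguessable token; use one per bait file so hits are attributable."""
    return secrets.token_hex(16)


def build_bait_html(token: str, title: str = "Account log-ins") -> str:
    """Return the .htm bait; opening it in a browser fetches the beacon image."""
    url = f"https://{BEACON_HOST}/t/{token}.gif"
    return (
        "<!DOCTYPE html>\n"
        f"<html><head><title>{escape(title)}</title></head>\n"
        "<body><p>Loading...</p>\n"
        f'<img src="{escape(url, quote=True)}" width="1" height="1" alt="">\n'
        "</body></html>\n"
    )


# Combined log format:
# ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_hits(log_lines, token, own_ips=()):
    """Return one dict per request for the beacon, skipping your own addresses."""
    wanted = f"/t/{token}.gif"
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line: skip it rather than fail
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path != wanted or m["ip"] in own_ips:
            continue  # other traffic, or the owner tripping their own alarm
        hits.append({"ip": m["ip"], "time": m["time"], "ua": m["ua"]})
    return hits


# Constructed sample data (documentation-range IP addresses, made-up token).
SAMPLE_TOKEN = "0f" * 16
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Mar/2024:09:00:00 +0000] "GET /t/{SAMPLE_TOKEN}.gif '
    'HTTP/1.1" 200 43 "-" "Mozilla/5.0 (owner test)"',
    '198.51.100.23 - - [01/Mar/2024:09:05:00 +0000] "GET /favicon.ico '
    'HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [02/Mar/2024:03:14:15 +0000] "GET /t/{SAMPLE_TOKEN}.gif?x=1 '
    'HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    "not a log line",
]

if __name__ == "__main__":
    with open("BankPasswords.htm", "w", encoding="utf-8") as fh:
        fh.write(build_bait_html(SAMPLE_TOKEN))
    for hit in find_hits(SAMPLE_LOG, SAMPLE_TOKEN, own_ips={"192.0.2.10"}):
        print("TRIPPED:", hit["time"], hit["ip"], hit["ua"])
```

Mail clients and Web mail previews that block remote content or render attachments without fetching images will not trip the beacon, so a quiet log is not proof that nobody opened the message.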


New Bluetooth Standard Approved

Networking

The body tasked with maintaining the Bluetooth standard has agreed its new iteration, Bluetooth 2.1+ EDR (Enhanced Data Rate). The Bluetooth Special Interest Group (SIG) has announced unanimous approval of the new standard by its 8,000-member strong group.

The new Bluetooth should be more secure, demand less power and be easier to use than before. Pairing devices, for example, should be more consistent and consumer-friendly. This version of the specification establishes new standards for pairing devices, establishing consistent scanning, pairing, security and authentication when using Bluetooth.

Bluetooth 2.1+ EDR simplifies pairing, improves security and means users can hope that in future Bluetooth devices can be connected together "in a few seconds," promised the Bluetooth SIG. Battery life in Bluetooth devices such as mice and keyboards should increase 'by up to five times' using the new standard, the organization said.

With 13 million Bluetooth units shipped each week and an installed base of over one billion enabled devices, improvements in the standard are of consequence. Version 2.1+ EDR also enables an ultra short range technology called Near Field Communication (NFC). This will allow users to pair devices much faster.

Component manufacturers Broadcom, CSR, Infineon and Texas Instruments are expected to make Bluetooth v2.1+ EDR chips available immediately, with the first products that implement the standard expected at retail by the end of the year.

—By Jonny Evans

Illustration by Binesh Sreedharan

Mobile Broadband: Post B r o a d ba n d Services Mobile broadband connections are expected to reach 40 million worldwide by the end of 2008, according to figures released by Wireless Intelligence. By 2010, WCDMA HSDPA is expected to represent around 45 percent of total WCDMA cellular connections, exceeding GSM connections by the end of this decade. Wireless Intelligence, which is a joint venture between analyst firm Ovum Ltd. and the GSM Association, a trade body for mobile phone operators, expects a fast adoption cycle for mobile broadband particularly in the Asia Pacific. Senior analyst at Wireless, Joss Gillet, said WCDMA HSDPA will be commercially present in more than 60 countries by the end of next year.

22

Trendlines.indd 22

A U G U S T 1 5 , 2 0 0 7 | REAL CIO WORLD

WCDMA HSDPA is a software upgrade to existing WCDMA networks with the aim of bringing broadband speeds to mobile networks. Gillet said WCDMA HSDPA will go through a slow adoption phase until the end of 2008. "There is still a lack of affordable devices, WCDMA coverage is still improving and services are only targeted at the mid- to high-end of the market," Gillet said. WCDMA HSPA is expected to represent around 6 percent of total WCDMA connections by the end of 2007 (11 million connections). "The fastest early growth is coming from the Asia-Pacific region, with operators such as KTF, Telstra and NTT DoCoMo already very aggressive in migrating their installed base to the new technology," Gillet added.

At an operator group level, Vodafone Group could reach 4.5 million WCDMA HSDPA cellular connections by the end of next year. From 2009, WCDMA HSPA uptake in Western and Eastern European countries will trigger a fast adoption of the technology worldwide. "In 2010, worldwide WCDMA HSDPA cellular connections are expected to represent around 45 percent of total WCDMA connections, numbering around 278 million cellular connections," Gillet said. Wireless Intelligence has a database on the global mobile market which contains more than a million individual data points drawn from 670 operators in 221 countries. GSM Association (GSMA) members serve more than two billion customers, that is 78 percent of the world's mobile phone users. —By Sandra Rossi

Vol/2 | ISSUE/19



Michael Schrage

Making I.T. Work

Collaborative Coding

A savvy entrepreneur is exploiting technical innovation to cost-effectively generate technical innovation.

Illustration by MM Shanith

Over brunch in a cheap Brooklyn restaurant, a longtime MIT friend proudly demonstrated his latest startup’s software. The idea is clever, and its beta implementation is sweet. I liked it; usually the stuff I see turns my stomach. So I’m pleased that Hans Peter Brondmo’s Web-based personal information organizer has technical chops and global business potential. Then again, I usually pay close attention to Brondmo’s digital designs. He’s not an uber-geek who’d rather write code than chat up prospects. A reasonably successful entrepreneur, he’s a get-it-done pragmatist who won’t coddle programming prima donnas. He wants to hit the market cheap, fast and hard with products that aren’t hard to upgrade or maintain.

So when Brondmo told me his software, called Plum, was the first time he’d done serious coding in over a decade, I was taken aback. "I couldn’t believe how much things have changed," he confided. "When my development teams wrote code 10 years ago, it took us three days to find and kill a bug. Today, it takes us only three hours." What’s more, he continued, whenever his (geographically distributed) development team runs into trouble, they can usually instant message their way into a just-in-time partnership that simultaneously solves the problem while alerting everyone to potential conflicts. "We do better real-time collaborative development and review now remotely than we did back at MIT when we were all in the same building," he notes.

Brondmo’s favorite development discovery occurred when he was stuck for a few lines of code. He realized that by Googling he could see if anyone anywhere had posted something he could use. He and his team found quite a few virtual solutions this way. "But what about context?" I asked. After all, not everyone documents their C++ in English. He dismissively waved his hand: "Code is code. I found something that looked like what I needed in the middle of what looked like a bunch of Chinese. You paste it in and see what happens. It worked."

The ultimate result? He’s never done a startup where the software development has been better, faster or cheaper. "In the past, I’ve had to raise lots of money to support the burn rate and the licenses necessary to develop real software over a couple of years; the costs are huge," he said. "You had to deal with the venture capitalists. They had the money."

"Development cost is still significant, but it’s now focused on value creation, not infrastructure development," he added. "Open source and the availability of tools reduce our infrastructure cost. We don’t have to pay for expensive software licenses and engineers to implement ’commodity’ functions. So, more money can be focused on innovation, not plumbing. We do more features faster. Development isn’t really an obstacle."

Even allowing for hyperbole — perhaps Brondmo’s ‘three days to three hours’ time compression is really closer to ‘two days to five hours,’ we’re still describing at least a fourfold productivity leap. That’s impressive. Marry that to the evolving array of development-oriented communication, collaboration and search tools spilling into the global digi-sphere, and the serious CIO might want to delay a Bangalore RFP. The new economics of software development may render India and China yesterday’s fad.

MICHAEL SCHRAGE

LIVE!

Presents

MICHAEL SCHRAGE KEYNOTE SPEAKER

7 SEPTEMBER 2007. NEW DELHI

7 SEPTEMBER 2007, NEW DELHI

THIS PRESENTATION IS BROUGHT TO YOU BY THE GREY MATTER: A THOUGHT LEADERSHIP SERIES BY AIRTEL ENTERPRISE SERVICES



Plum’s provenance may not be typical, but there’s nothing extraordinary about it either. A savvy entrepreneur is exploiting technical innovation to cost-effectively generate technical innovation. The stuff works. This is where savvy CIOs need to sit up and take notice. The implementation implications are enormous.

I’m the last person to suggest that busy CIOs should immerse — or, God forbid, reimmerse — themselves in code. But any CIO preaching the gospel of productivity better know if his organization’s methodologies discourage — or invite — healthy experimentation with these nascent development platforms. A CIO should know if he can now consistently get a year’s worth of software development in 90 days. A CIO should know if 75 percent of a project portfolio can go to value-added features instead of infrastructure maintenance. This matters.

Transforming the economics of software development completely transforms the economic rationales for outsourcing. Reducing both the cost and time-to-market of new features and functionality completely transforms a company’s economics of innovation. Ideally, CIOs should ‘own’ these transformations. Do you?

Three clear implementation transformation scenarios emerge. The first scenario is the easiest and most obvious: these development economics create a new generation of Salesforce.coms and other ASPs that offer suites of mix-and-match business processes for enterprise consumption. For example, while Brondmo has given little thought to Plum as an enterprise ‘knowledge management’ platform, it could easily be adapted to become one. With a little goosing, it could become an ‘account management’ app too. More choice, less money.

Toward Value-added Innovation

Scenario two has IT recommit to enterprise software development. These tools and technologies turn the internal economic equations for IT investment away from outsourcing and toward value-added innovation. IT becomes a better, faster and cheaper innovation partner for both key business units and core enterprise processes. ERP systems are goosed and spruced by customized Web apps instead of extended by packaged procurements like Siebel or PeopleSoft.

The third scenario has IT bypassed by ambitious business unit leaders who can’t — or won’t — wait for the CIO to get his act together. So, they pursue scenario one and scenario two-type behaviors independent of whomever the CIO is and whatever the CIO wants. Like the rise of the software spreadsheets more than 20 years ago, the rise of Plum-like digital platforms and processes proceeds without the need for central approval.

Scenario-three CIOs will have a hard choice: Either be seen as enablers and champions of creative enterprise interoperability or get used to losing a lot of fights.

My personal belief is that the variation IT’s been witnessing since 2000 will accelerate: The ‘IT doesn’t matter’ crowd will continue to manage and invest in IT as a commodity, while the ‘strategic IT’ companies will be exploiting these new development economics for better and faster differentiation, segmentation and innovation. These emerging economics will further fragment the CIO community. The rich will get richer; the smart smarter; and the not-so-rich and not-so-smart will find themselves struggling to remain ‘fast-followers’.

When you look at the core economic dynamics driving software development and business competition, it seems painfully clear: There has never been a better time to be a smart CIO at an organization that wants to win. CIO

Michael Schrage is co-director of the MIT Media Lab’s eMarkets Initiative. Send feedback on this column to editor@cio.in



Michael Schrage

Making I.T. Work

Hiding Behind Certification

Many CIOs increasingly look to certification and accreditation standards as ‘market signals’ indicative of professional quality and reliability.

Illustration by PC ANOOP

Professional circumstances have twice required me to become an ‘instant expert’ on certification. The first time involved grasping the byzantine ins and outs of healthcare plan accreditation. The second time required understanding the politics (and economics) of how different universities granted diplomas and certificates for their business, technical and professional extension courses. I learned far more than I bargained for.

Both experiences recalled Bismarck’s famous epigram that one should never see either laws or sausage being made. I was shocked. Professional certification and accreditation turned out to be processes as messy, political, misleading and dysfunctional as most enterprise software development and implementation initiatives. The critical difference, of course, is that testing software quality is easier and less ambiguous than testing the quality of a certification.

That’s why I’ve been struck by the seemingly pathological need so many CIOs have for the certification of skills and accreditation of organizational performance. I find this craving misguided and pathetic. What does it really say when someone is Microsoft certified? Or has a certificate in ‘network engineering’ from a quality university? Or if a development organization has a Capability Maturity Model Level 3 rating? Or is ISO 9000 compliant?

In many respects, these questions are as pointless and silly as asking, what does it mean to graduate summa cum laude from Harvard in English? Or, how good a lawyer will you be if you performed brilliantly on the multistate bar exam? Or, to be a total jerk about it, how superior an executive would you be if you had an MBA from a top-20 school?

Unfortunately, these silly and pointless questions are templates for the questions so many CIOs ask themselves when they seek to outsource development or weigh the quality of their own human capital investments. For reasons I fully understand but totally reject, many CIOs increasingly look to certification and accreditation standards as ‘market signals’ indicative of professional quality and reliability. This represents the laziest and most dangerous kind of cover-your-backside thinking by C-level executives.

The truth as we all so bitterly know is that the IT world is filled with certified, credentialed and accredited idiots. I bet you’ve hired a few. I know I have. The fact that someone has an aptly named BS from Harvard topped off with a misleadingly named master’s from MIT does not make a good developer (or employee). We have to ask ourselves why we make the assumptions we do about individuals with ‘elite’ credentials. The answer says far more about our personal biases than their professional attitudes, aptitudes and skills. Shame on us.

Similarly, the fact that an organization is CMM Level 3 or even CMM Level 5 may be far less revealing about its development capabilities than the Software Engineering Institute (SEI) had in mind.

What does this have to do with the challenges of IT implementation? Everything. To put it politely, we look at credentials and certifications as brands and risk management investments. After all, how incompetent could a Harvard or MIT graduate be? How incompetent could a CMM Level 4-rated offshore development shop be?


But regular readers of this column know I’m not polite: The business reality is that credentialed brand names are little more than shortcuts for executives who are either too busy or too lazy to do their homework. Don’t get me wrong, I have nothing against shortcuts. The question should be, is this a good shortcut or a bad shortcut?

A Dangerous Delusion

I asked several senior-level IT folks who had overseen significant outsourcing of their operations how much time they actually spent with their new contractor. Slightly over half of these executives said they spent more than a day visiting the actual worksites of their outsourcer and not one spent a cumulative week there before signing the contract. We’re talking tens to hundreds of millions of dollars here.

To a person, these executives waxed on about how these companies were filled with supremely well-educated engineers from the finest schools and CMM Level 3+ ratings, and so on. To be sure, their references were excellent too. But when I asked these IT execs if there had been a lot of communication between the in-house folks and the outside company to assure cultural and organizational compatibility, the answers were shockingly similar: "We’re outsourcing so that we don’t have to worry about cultural compatibility; we just want the best technical systems and the best possible price."

Actions Speak Louder Than Credentials

Sorry, folks, but this is a post-industrial recipe for disaster. An over reliance on certification credentials as an IT investment criterion is as professionally dangerous as an over reliance on IQ as a hiring criterion. Frankly, I’m with the school of economic thought that argues that the real value of credentials and certifications like CMMs and MBAs is not that they indicate greater skill, but they signal to the market that these individuals and organizations will jump through hoops to demonstrate how much they care about being seen as top-notch. In other words, the willingness to procure credentials can reveal more about attitude than aptitude. That can be critical.

One insurance company IT executive told me about how a development shop pitched him long and hard about how much it wanted to do some of his company’s cutting-edge development work. The shop’s credentials were impeccable. The client references said the organization was technically excellent but a bit arrogant. So, the IT exec invited the shop to send three of its developers to a morning ‘code walk-through’ to see what each side might contribute and learn. The development shop CEO immediately tried to talk him out of that invitation. "At that moment," said the insurance IT exec, "I knew I would never hire them."

Actions speak louder than certifications. Unless the act of getting that certification (or not getting that certification) truly says something important about the individual or the organization, CIOs are foolish to give them weight in any meaningful decision process. After all, what does certification really buy you in this development and deployment marketplace? My observation is: not nearly as much as promised. The dubious quality of so many certifications and credentials inherently mismanages expectations. Few things at C-level IT investment management are costlier than mismanaged expectations. I’m comfortable arguing that, on average, the costs associated with credential-driven IT decision-making consistently outweigh the benefits. CIO

Michael Schrage is co-director of the MIT Media Lab’s eMarkets Initiative. Send feedback on this column to editor@cio.in



Mike Hugos

Project Leadership

Getting to the Point

It is easy to shroud the truth about your project behind volumes of reports. Here is how you can get the bad and the good news to rise to the top every week.

Illustration by PC ANOOP

It is possible to use information to confuse and intimidate. Status reports can tell all and yet reveal very little. They can ramble on for page after trivia filled page, and in the act of telling everything they bore you to tears and you miss the important information hidden in the data dump. If you are in charge of a project, you can be lulled into a false sense of security as the weeks go by, yet the status reports become a paper trail that comes back to haunt you. Because important information is in those reports somewhere and because you don’t see it, you will pay the consequences unless you take steps to make sure key issues and potential problems are clearly highlighted.

Signing Off Your Project's Future

Some years ago, I led a team of developers on a big development project. We were subcontracting to a much larger company that was the prime contractor on this multimillion dollar project. Every Friday by lunch time, I had to turn in a report on my doings for that week. I listed tasks completed, tasks that were challenged and obstacles that my team faced. I also listed all sorts of project statistics such as man-hours planned versus man-hours actual that week, earned value credits on my work, and projected critical task man-hours for the coming week. Then, the prime contractor would take my report and all the other similar reports from the other project team leaders and compile a grand all-encompassing status report that reviewed all aspects of the project. This report was then delivered to the business executives at the client company who were responsible for project oversight and who were approving payments on the project.

After the project had been going on for about a year (and getting nowhere), the client company began to get impatient. Senior managers from this company began to investigate what was going on; they demanded to know what was happening on the project and where their money was going.

This is typical. On projects like this, team leaders like me spend 20 percent of their time or more each week filling out reports; a large project office organization churns out voluminous status reports filled with words and statistics, and still nobody really knows what is going on. Vice presidents at the client company had routinely been signing off on the status reports they received each week without ever reading them in detail. Who has time for all those words, all that boring, badly written text that takes forever to get to the point? But therein was their downfall.

When the client company figured out that not much was getting done and demanded a refund of some of the tens of millions of dollars they had spent, the prime contractor brought out the loose leaf binders full of those voluminous weekly status reports. A weekly status report was typically 35-40 pages long with a few bar charts and line graphs thrown in to illustrate whatever point the report writer wanted to emphasize. At the end of these reports was a spot for several signatures indicating that the report had been read and its information therefore communicated.

The prime contractor showed that several of the client’s vice presidents had signed off on these reports week after week, month after month. Then they began pointing out certain sentences and paragraphs buried here and there in those weekly reports. In those passages were statements about problems and delays and cost overruns on the project. “We told you there were problems,” the prime contractor said, “and you didn’t say anything, so we assumed you wanted us to just keep going.”

I can only imagine the sinking feeling in the pit of their stomachs as the vice presidents whose signatures were on those status reports began to contemplate the mess they were in. After that meeting, the project went on as if nothing had happened for another couple of months and then the project was quietly wrapped up and shut down. The client company wrote off more than Rs 400 crore and I heard that the vice presidents who had signed those weekly reports had all left the company 'to pursue personal interests'.

To the Bottom of Things in Five Steps

I realized I could easily have made the same mistake as those vice presidents. I resolved to learn from their misfortune and thereafter, on my own projects, I instituted a short and simple format for the status reports I requested from my development team leaders. This format is designed to get to the main points right away, to give clear answers, and to quickly flag issues that could become big problems for the project.

My status report is composed of five questions that cover all the major problems that can occur on a system development project. They are yes or no questions, and if you answer yes to any one of them, then I ask for a short description of the problem and suggestions for how to resolve the problem. After the five questions, I then ask for only a few sentences about what was accomplished this week and what will be accomplished next week. Such a report is never more than two pages long, so it actually gets read by me and everyone else who needs to know what is going on. There is no place to hide the bad news so I quickly find out what is happening. This format has saved me more than once from the fate of those former vice presidents.

Here are the five questions that get to the heart of the matter so effectively:

1. Has the scope of any project task changed? (Yes/No)
2. Will any major activity or milestone date be missed? (Yes/No)
3. Does the project team need any outside skills/expertise? (Yes/No)
4. Are there any unsolved technical problems? (Yes/No)
5. Are there any unresolved user review/approval problems? (Yes/No)

(For all questions marked Yes, explain the problem and recommend possible solutions.) CIO

Mike Hugos is CIO of Network Services, a distributor of housekeeping supplies, janitorial products, packaging and paper goods. He is the author of Building the Real-Time Enterprise: An Executive Briefing. Send feedback on this column to editor@cio.in


Photos by Srivatsa Shandilya and Praveen

Illustration by Unnikrishnan AV

Cover Story | Staffing

Vinod Sadavarte (L) of Patni Computer Systems, Amit Kumar of Max New York Life, and David Briskman of Ranbaxy are using diverse strategies to recruit and keep their IT crews together.

Reader ROI:

Keeping current IT staff motivated
Ways of involving your team in challenges of business growth
Why outsourcing has become an option

CIOs are finding it a formidable challenge to recruit — and retain — people with the right skills. So much so, some are beginning to consider outsourcing as an option.

By Balaji Narasimhan



Amit Kumar, Group CIO, Max New York Life and Max Healthcare, recalls a time when he had to hire somebody with no knowledge of the life insurance industry. He did it because the recruit was technically competent and — crucially — had the ability and the willingness to learn. To Kumar, that was enough in the tough market for IT talent. In an industry where churn is constant, CIOs are finding that they have to hire the best they can get, and then invest a lot of time and resources in training. Big IT, with its big brand-name image and fat paychecks, is getting bigger, attracting the best IT professionals, leaving other companies scrambling for precious talent.

In this war for talent, CIOs need to be both aggressive and creative. As WWII US General and war hero Douglas MacArthur said, “In war, there is no substitute for victory.” CIOs who can keep their ranks full can help redefine the success of their companies, and losers will be one step closer to becoming history. But how can CIOs recruit faster and better? How can they retain qualified people with better rates of success? Is outsourcing a viable option?

How Do You Size Up Talent?

Arup Roy, senior research analyst at Gartner, notes the industry-wide staffing crunch and adds that while “There is no dearth of quantity, quality is questionable.” In his hunt for talent, Kumar has learnt that he needs to re-evaluate what goes into the making of a quality recruit. Today, he puts the ability to learn above most criteria. “Two years ago,” he recalls, “we took someone from the automobile industry. She was well-educated, and we were convinced that she was willing to learn. She also had a high sense of responsibility. We trained her in the life insurance domain. Now, she’s the go-to person.”

But is ‘eager to learn’ enough to make the cut? In the age-old debate where industry experience is pitted against natural intelligence combined with the ability to learn, Kumar backs the latter, but with a rider: “While the willingness to learn is important, we also look for the ability to learn.”

Breaking away from the traditional view of a potential employee requires boldness — and the support of the HR department. “HR is an integral partner to the CIO function — not only for hiring people but also for employee and organizational development,” says Vinod Sadavarte, CIO of Patni Computer Systems. Both Kumar and Sadavarte believe the HR department has a strong role to play in ensuring that the right people are hired. In fact, they take HR’s role so seriously that they have one HR resource dedicated to the IT department.

At Ranbaxy, CIO David Briskman says HR goes even further to help ensure that the right people are hired. “HR is crucial to hiring people and our employee retention and satisfaction programs. HR participates in all aspects of hiring from job description, development, recruitment and career planning. They also participate in all IT senior staff meetings,” says Briskman.

As important as HR’s participation is, it is the CIO’s job to ensure that the right parameters for recruiting are set. Kumar is quite clear about what he wants: “What we look for are people with the right attitude, who are willing to take up responsibilities, are customer focused, and are willing to learn,” he declares. Patni has encoded their needs in a process called LEAP (Leadership Excellence at Patni). Sadavarte says Patni pushes processes strongly and describes a system that has spelt out the skill requirements for each job role in the HR framework. “We follow a rigorous recruitment process in line with this standard, and hire candidates that conform to the competency requisites or have the potential for it,” he adds.

But, setting the recruitment parameters can only be a first step, especially in a marketplace that is hungry for talent. Getting talent at the right cost is important. Talented hands, Roy says, are expensive, and this raises the cost of operations. Sadavarte is aware of this and says: “Dearth of talent is a very serious issue that the entire industry is facing. Getting the right skill at the right time and most importantly at the right cost poses a challenge.”

Kumar believes that problem results in a lack of organizational stability. “With the IT industry in the country growing so rapidly, there are a lot of opportunities available. We are interested in a person's stability. Is he looking at the job for the long term? Obviously, we want people who are looking for a growth path in the company.” And this, he says, is not always easy to get.


Cover Story | Staffing And if getting talent that will stay with you, at the right cost, isn’t hard enough, CIOs who work for smaller brand-name companies have it harder. “Fewer young people are pursuing careers in IT, and many of those who do are more interested in working for a Google than an enterprise IT organization,” says Samuel Bright, IT staffing & careers analyst with Forrester. Nonetheless, at Ranbaxy, Briskman leverages his company’s brand image extensively for recruitments. “I believe that many people join Ranbaxy to be a part of an organization that provides high quality pharmaceutical products to the world. It is a very dynamic and exciting environment to join,” he says. “With over eight acquisitions in the past year, and a portfolio of global solutions, there are always interesting challenges for the IT team,” he says. Another option is to look for less demanding recruits. Both Roy and Bright feel that colleges are an ideal place to start. “IT should draw talent from three audiences — college students, current IT professionals, and business professionals,” Bright points out. Roy also says that CIO should take a strategic approach. He says that the CIO should first draw up a roadmap for the IT department and answer a crucial question: will it be a highly automated environment, a technology-based setup, or will it be based on people? Only when this is answered, feels Roy, will the CIO be able to proceed on his staffing issues. Roy also believes that people from tier II and tier III cities tend to stay longer if they are groomed well. He believes that CIOs should focus on these cities and towns.

people,” he puts it bluntly. He insists that employees can be kept happier — and longer — by other means. “I’ve recently had a case where somebody wanted to move from Chandigarh to Delhi to be with his parents. I ensured that this could be done, because it would make him happy,” says Briskman. He says that, in his team, some people want a change of roles, some want to move from one department to another, or even move from a support function to a project role. And Briskman merely takes advantage of Ranbaxy’s appetite to acquire new companies. (In March last year, Ranbaxy bought out three European companies in a week.) Accommodating employees, he says, also increases their motivation. It’s an approach that seems to work. At Max New York Life, Kumar says that they have put processes in place to cash in on that insight. “We post all internal jobs publicly, and have transparent criteria for applying for these jobs. If somebody from IT wants to move to operations or to sales, they can at least apply. This way, they know that there is a career path other than IT.” He claims that Max New York Life has among the most ‘clear’ career-paths for its employees. But there is still no getting away from the fact that it is much harder for enterprises to retain talent because of fierce competition from IT companies. “There is a continuous movement from user companies to IT companies for

are emploY mplo eeS mploY GolD DiGGerS? here are those who believe that the best way to retain talented people is to keep adding to their pay packets. Briskman begs to differ. “If you only address money, you will lose

At Patni, says CIO Vinod Sadavarte, they use a methodology called SPARK (Systematic Pooling, Analyzing and Researching Knowledge) to evaluate and reward employee ideas. It also helps to retain employees longer and build a greater sense of ownership.


various reasons, like wider experience, onsite opportunities, and the ability to earn in dollars,” says Roy. Roy has come to terms with this state of affairs. He’s taken a ‘when you can’t beat them, join them’ approach. He has a simple mantra: since most employees are bound to leave in two or three years, the best thing to do is to get excellent work out of them while they are with you. But CIOs still need to stretch the time that an employee spends in their companies by looking for ways to motivate them. Sadavarte wards off dollar pay checks and wider experience with "opportunity to work with cutting-edge technology, multiple career tracks to choose from, rotation possibilities across projects, a cultural environment, monetary gains, and training." He reiterates Briskman’s feeling about remuneration not playing a dominant role in hiring or retaining people. This doesn’t mean that CIOs can get away with offering poor pay packages. Briskman’s company evaluates compensation plans and job descriptions annually through market surveys. Max New York Life, where Kumar is CIO, also uses annual appraisals but says that some positions are evaluated semi-annually. Sadavarte says Patni has special incentive schemes associated with particular projects. The problem with all these companies throwing money at employees

is that there’s always going to be some company out there who can match your offer. Another tactic CIOs can use is creating self-worth. “IT leaders must quit treating employment in IT as a great honor that others should instinctively understand,” points out Forrester’s Bright. Kumar agrees. “One important thing that keeps the IT team motivated in a non-IT company is communication. It is important to let your people know how important their job is to the organization.” Kumar also stresses that communication should run two ways: CIOs need to tell the teams how important they are to the organization, and tell the organization how crucial the IT team is to its overall success. At Patni, they practise this. Using the SPARK (Systematic Pooling, Analyzing and Researching Knowledge) methodology, Sadavarte says Patni not only gets employees to stay longer but also secures greater employee buy-in and ownership. SPARK, says Sadavarte, is used to evaluate employee ideas transparently. “One of our employees,” he recalls, “came up with an application portfolio rationalization system, while another employee came up with a service offering based on SOA. Both ideas were evaluated by SPARK, and those who suggested the ideas worked with SPARK to generate a concept and substantiate it in an iterative manner.” It helps that Patni backs the self-worth SPARK brings with monetary rewards. The amount, Sadavarte says, is based on the quantum of benefits realized from the idea.

Pray, How Do I Train?

According to a November 2006 Forrester survey of 281 IT decision-makers, IT professionals with project management, security, and architecture skills will be in higher demand in 2007. Gartner’s Roy believes that there is a

To keep an IT team motivated in a non-IT company, Amit Kumar, CIO of Max New York Life, says it is important to let your people know how important their jobs are to the organization.


Catch ’Em Young

Four tips to attract college graduates and student interns.

Start young(er). Once a student is in college, it may be too late. Spend time at local high schools; reach out to guidance counselors, and offer summer camps and internships to promising teenagers.

Create a college relationship manager. This person can develop relationships with key faculty, coordinate on-campus evangelizing and even follow up with new, young hires.

Bring back the interns. They’re cheap, they’re eager and they may eventually want a full-time job. Invest in a robust program and it will pay big dividends. Solicit advice from your former interns about what worked and what didn’t.

Take advantage of your vendors. They share your interest in attracting students to IT. Make the most of existing vendor programs in this area and look for win-win opportunities.

— By Stephanie Overby

serious shortage of skills in areas like high-end consulting, project management, core applications, and mainframes. With the shortage of skills covering such large parts of IT, it should come as no surprise that CIOs have taken to experimenting with people in their quest for employees who have the right skills. Kumar, who believes that cross-industry talent is less important in a potential employee who has the ability to learn, substantiates his philosophy with an example of a staffer who has been with Max New York Life for over four years. “This person has a management degree and worked in the IT industry doing a pre-sales job,” he recalls. “He had absolutely no idea of the life insurance industry. Today, he’s known to have a lot of knowledge in his domain.” Briskman has another approach. He prefers to look at a potential recruit as a ‘whole’ before hiring him or her. “We have a variety of skills that we look for. But the primary role of the IT team is to understand the business, know how to apply technology to improve productivity, and create competitive advantage,” he points out. He prefers people with varied experience, like knowledge of SAP modules and exposure to research & development solutions or pharmaceutical solutions. Does the attitude of an employee count? Kumar is emphatic about its importance, posing key questions about the potential recruit: “Can he take up responsibilities in areas that are new for him? When confronted by a problem, does he step forward to take up the challenge, or does he step back?” You can tell if a recruit will step up to the plate by carefully studying the responsibilities that he or she took up in the past, says Kumar. If a person has the ability to take up challenges, and possesses skills required by his company — like business analysis, technical management, IT services, and project management, to name a few — then Kumar is confident of hiring him.


This works fine in theory, but as Roy points out, there is a serious lack of connect between technical knowledge and business knowledge. “Someone could know all the latest technologies like .Net and Java programming, but may not be very good with business knowledge,” he says. But what with the current shortage of IT talent, can someone with expertise in just the technical domain be ignored? Roy doesn’t think so. “Companies should invest in getting such people into the groove,” he says. If you need people with plenty of business knowledge, he advises, then hire people with at least four years of experience. Kumar is not alone. Sadavarte also puts a lot of weight on business skills. “Our overall IT strategy is aligned with our business goals. This is why I need people who understand the business,” he says. Since Patni works with multiple domains and platforms, he faces some difficulty in getting people with all the right skills. Bright has a word of advice for CIOs: as hard as it is to avoid, don’t confuse buzzwords with skills. In a report titled, Recruiting IT Talent: Adjusting to a Hot Market, he wrote in July for Forrester, Bright says: “CIOs have trouble finding people with the specialized skills they need. When they place job ads on boards or in newspapers, they receive resumes from candidates with the right buzzwords but not the corresponding skill sets. Recruiting firms and HR departments without sufficient IT knowledge fall for this ruse. It lengthens the time and cost it takes to find truly qualified candidates. One CIO experienced this phenomenon firsthand, albeit as an employee. His resume included Lotus Notes and he kept receiving calls for Lotus Notes administrator positions.”

Is Outsourcing Right for Me?

Given how hard it is to round up and retain the right people, are CIOs considering outsourcing as an option? Kumar of Max New York says he recently faced some attrition with business analysts and as a result, that function was temporarily outsourced to two different companies. “Our staffing strategy is a mix of outsourcing of services and turnkey projects,” he says. Some services like data center operations are completely outsourced and turnkey projects are only outsourced because his company doesn’t

Vol/2 | ISSUE/19


always have the domain expertise, he says. However, with core aspects of the system, Kumar believes in a mix of outsourcing and in-sourcing. While a job may be outsourced, responsibility cannot, points out Kumar. “Take data center operations. These are completely outsourced but we still have our own employee as the data center manager,” he says. Sadavarte says that he has to optimally use all the resources at his disposal in order to reduce costs and enhance value. To do this, he says he has to balance between in-house resources and outsourcing. “Outsourcing also helps to balance the peaks,” he says. As far as using outsourcing as a tactic to tackle a staffing problem, he says: “We outsource, but for different considerations. Not to address the attrition issue. Being an IT company, we internalize critical processes and outsource for volume and niche skills.” Is this a route more CIOs should take? Should they outsource something temporarily if they face a staffing crunch? Gartner’s Roy finds this untenable. “Outsourcing can never be used for the short term,” he states. “It has to be well thought out and has to be a well carved-out strategy.” Briskman agrees with Roy. “We believe that partnering with other organizations to take care of certain day-to-day support helps leave IT staff

Hiring ‘Shadow’ IT

Super users, business project leads, members of the “shadow” IT department: they may all be great additions to your IT organization.

Market, market, market. When you think you’ve just about overdone it marketing opportunities in IT, at company presentations, in department newsletters and at technology fairs or road shows, do it again. Some large IT organizations employ full-time marketers.

Create IT ambassadors in the business. The best ones are IT employees who used to work in business functions.

Start business-IT rotations. Yes, they should go both ways. If that seems like a leap, start by meeting with counterparts in the business to discuss the business users you’d like to bring to IT. This may lead to further discussions of rotation programs to benefit the business and IT.

Keep on top of the business candidate pool. Layoff in another department? That may mean there are IT-savvy business professionals looking for a new opportunity. ERP project winding down? That project lead in the business may be receptive to a job offer in IT.

— By Stephanie Overby

Ranbaxy CIO David Briskman says he believes in outsourcing to take care of some areas in day-to-day support. This helps leave IT staff to manage more strategic challenges, thereby increasing staff satisfaction and retention.


[Chart: Interpersonal Skills Sought for IT Jobs. Skills shown: Comm.; Decision Making; Team Work; Planning, prioritizing, goal setting; Systematic Problem Solving; Multi-tasking. Legend: ranked 1st, 2nd or 3rd in importance.]

[Skill areas listed in the figure: Project management; EA and design; Security; Business process skills; Network management; Legacy programming; Infrastructure architecture; Vendor/sourcing management; Change management; Emerging tech and R&D; Service management; Risk management; Packaged app support; Apps maintenance management; Financial management; IT HR management; Account management.]

Base: 281 IT decision-makers

Note: Forrester included analysis, respecting diversity, tolerance of ambiguity, and negotiating in the survey but none was ranked as a top three interpersonal skill.

to manage more strategic challenges,” he feels. This, he believes, helps enhance satisfaction of the in-house IT team, and impacts retention positively. But Briskman agrees with Kumar on the tactical reasons behind outsourcing, and says that outsourcing should be need-based and can take place at any level depending on organizational context. Forrester’s Bright adds that outsourcing ultimately depends on the skill being outsourced. “Some skills cannot be outsourced,” he says firmly, because they require an underlying knowledge of business processes. Other areas where he feels outsourcing is not suitable are for processes that are inherently client-facing. Gartner, however, is very gung-ho about outsourcing. According to a recent Gartner survey of more than 1,400 CIOs worldwide, IT budgets in India had the highest growth of 16.19 percent, compared with an average of 3.16 percent for the rest of the world. Gartner predicts


Source: Forrester Research

Indian companies will increasingly go offshore in their sourcing strategies, which will result in outsourcing deals offered by some Indian companies that include higher end parts of service (for example, design and architecture, and business consulting) delivered from other parts of the world. Strategies used for recruiting and retaining the people with the right skills are a little like buying wine — tastes vary from CIO to CIO. But research conducted by Forrester and Gartner seems to indicate that CIOs should try innovative ways to recruit and retain the people with the right skills, and outsource when required. But what is sauce to the goose is not sauce to the gander, and CIOs will have to evolve their own strategies based upon the requirements of their company.

Special correspondent Balaji Narasimhan can be reached at balaji_n@cio.in



Dinesh Hinduja, executive director of Gokaldas Exports, asserts that the garment industry can benefit from IT, in much the same way the auto industry has.

Weaving IT Into the Fabric of Design

By Kanika Goswami

CIO: Gokaldas is India’s largest exporter of apparel. Can you describe the journey?

View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.


Dinesh Hinduja: Before the Partition, my father moved to Bangalore from Pakistan, and set up a silk scarves and stoles business. The late 1960s saw a sudden glut in the market, and the business had to change. In 1971, while in Copenhagen, someone gave him two shirts to copy. Those two cheesecloth shirts became the cornerstone of our business. There was nearly no mechanization in our manufacturing back then. I entered the

industry in 1979, with $5,000 (Rs 50,000 then) and 40 leg machines in a 1,000-sq-ft. rented space. We worked in shifts, making garments in the morning and packing them towards the evening in the same area. We started directly with exports. That year, with no knowledge of IT except for a friend from HP, Ravi Thambuchetty, I brought a computer into the company. I started with the (HCL) Workhorse, which we have preserved as an antique piece. This was the beginning of technology for us. It was largely used for accounting, and my first experience was making the company run like a horse. However, my father, who was responsible for accounting in those

Photo by Srivatsa Shandilya

Dinesh Hinduja, executive director for production & marketing at Gokaldas Exports, has tapped IT to augment manufacturing and processes at the Rs 1,144-crore company, which is also India’s largest garment exporter. In 1979, he bought Gokaldas’ first desktop computer to maintain accounts. Today, the organization has developed a specialized accounting system that it plans to sell in countries like China.


Dinesh Hinduja expects I.T. to:
Help grow his business by 15-20 percent
Increase operational efficiency
Run his assembly line remotely
Track workers across various factories


days, was very skeptical about computers. Even after we had the Workhorse, he would keep manual records, anticipating the day the machine would let us down.

Garment design is not traditionally associated with high-end technology. How does Gokaldas Exports use IT to enable business?

When we used computer tools in manufacturing for the first time, it was a design software imported from France called Prima Vision. It was expensive; we could hardly afford one license. This software is still being used across the company. In the 1980s, IT support came to us in the form of Ravindhran, a techie who owned Vedha Automation. He helped develop software systems for Gokaldas. We designed a system for all our operations encompassing the entire process, manufacturing, order writing, the invoice generation, fabric design orders, and accessory orders. This was probably the first software application in the apparel export sector in India. It ensured greater efficiency since it replaced at least 40-50 people, all of whom would otherwise create manual orders to instruct factories about manufacturing plans. Then, a friend came back from the U.S. and set up the World Fashion Exchange. I was impressed by his system and started working with him for an e-business gateway, a net-based software linking us with our vendors. Today, we also have software that lets us look into our customers’ systems and know exactly which styles are selling.

How does Gokaldas Exports use technology as a manufacturing aid?

Everybody thinks garment manufacturing is a dignified tailoring shop. But, you'd be amazed at the kind of IT that goes into a manufacturing setup of our size. We are more like Toyota's assembly line — we have the systems they have. On the production line, all mechanical systems are controlled by computers. You can operate the entire assembly virtually. At the manufacturing level, pattern-making constitutes an important area. We used to have pattern-makers whose patterns caused problems at the production line, and we paid through our nose. CAD systems replaced these inefficiencies. And instead of having 70-80 manual pattern-makers, we could do with five to six systems generating patterns effortlessly. Our need for devices enabling bulk cutting production grew with time. Our tremendous growth in volumes triggered greater automation needs. Today, we have reached the level of technical expertise where cutting instructions are sent by e-mail. We started using different types of computerized sewing machinery, which had inbuilt pattern programs manufactured by Gerber. We are its largest client with more than 120 systems, and almost 20 automatic cutters. Apart from that, all factories have cameras. There’s no need to travel across 48 factories within a 15-kilometer radius. Another big saving has been virtual fit — it’s called Browse Wear. With it, we can virtually fit the style on the system since speed-to-market is the essence of this business. People want to buy according to the season and sellers don’t want inventories held for a long time.

Do you plan to become an application service provider to your domain?

In India, no one provides this software, even though these applications have a fantastic market. Maybe someday, the domain knowledge we have can be put to good use by a technocrat and Gokaldas may start selling software applications too.

What role does your CIO play in your strategic planning?

We have a very well-qualified CIO. We do our line plans with the help of systems, so IT and the CIO are an integral part of our planning. The CIO is an enabler. He can suggest the way forward, but he is not a businessman. Even though he is very thorough with his knowledge and very efficient, that’s the only line I would want him to stay in. I don’t want him to interfere in the business.

What would be the best approach for your CIO to justify a technology strategy for Gokaldas?

I am very open to new ideas. Ours was the first company to bring the barcode to India. When The Wearhouse (Gokaldas’ retail store) opened in 1986, I had seen barcoding in Hong Kong, and I got Ravi to develop it here. Till today, his systems are the ones that are running in retail outlets across India. All the shops have barcoding software that originated here. A technology that will give an impetus to my business will always convince me. One of the suggestions that my CIO made, and which turned out to be very useful, was to do with labor movement around the factories. We often had people leaving our factories and joining factories in our own group. We needed to keep track of them. My CIO came up with thumb impression ID software. Every new recruit will have one and we can catch them if they move into another factory. They can give a fake name, but cannot fake these prints.

SNAPSHOT: Gokaldas Exports
Primary Business: Manufacturer and exporter of apparel
Revenue: Rs. 1,144 crore
Workforce: 39,000
Factories: 48
IT Team: 40
Annual IT Budget: Rs 1 crore
CIO: B. Jaychandran

What new technology is Gokaldas trying now?

We are studying the applicability of RFID, but at the moment it is too expensive for garments. Putting a Rs-40 RFID tag on 1 lakh garments per day, I would have nothing left. But maybe, we could consider RFID for machinery and for inventory since we move it around so much. Our embroidery machines, washing machines and dyeing machines are computer-operated — all developed in-house. Our latest initiatives are also a part of the same process.

Are your export processes EDI compliant? What insights have you got from your overseas counterparts?

Yes, we are EDI (Electronic Data Interchange) compliant with all our buyers. We have been trying to go paperless but not all international trade is paperless; you still need documents. Payment systems have become faster and easier with IT applications in payment gateways and banking procedures. Comparing ourselves with foreign counterparts in technical skills, I would say that we are technically superior. I remember the first e-mail there (in Hong Kong) was called CompuServe. You could purchase it in Hong Kong, and I made those packages and sent it out to my clients. No one was comfortable with it. Everybody sent the packages back to me saying it was Greek and Latin to them. The only one who understood and used it is the boss of WFX (World Fashion Exchange) today.


Is IT changing the face of manufacturing/design in the Indian apparel industry?

Yes, it is. There is a lot of IT in the pipeline today and many companies are getting into this kind of technology. Everybody is following the trend.

Could you compare the Indian and Chinese industries with regard to technological progress?

China doesn’t have process systems at all; they are nowhere near us even though they are bigger manufacturers. They have very average IT skills. They can do much better if they have the IT knowledge that we do. India is very advanced in this field.

In fact, I am thinking of marketing garment export accounting packages to China and other places. I want to be the Tally of garment business.

Do you think the entry of new retail giants will affect your market?

That is why I am moving out of retail. At the moment, it is not our core business and we don’t have time to study it. That is also why I am in the process of withdrawing my last two Wearhouse shops from the market. But I would definitely be interested in coming back sometime, maybe in a partnership with some big international brand that we have been working with. The best brands — Gap, Nike, Adidas, Decathlon, Puma, Polo and Esprit — are all my clients. Even brands like Tommy Hilfiger. In fact, Hilfiger himself was here in Bangalore in 1979. We started with him and he never forgets to mention it. We make Abercrombie (and Fitch) jackets as well. So maybe, someday we can partner with them in India.

In the absence of quotas and restrictions, do you think your market can grow bigger?

Till 2004, the entire market was controlled by quotas. Post 2004, we jumped from Rs 250 crore to Rs 1,000 crore in two years; that speaks for itself. I used to make 1 lakh trousers in the old days. Now, we are free. I make a million trousers a month. It’s growth all the way. I would also like to increase the brand basket and grow by at least 15-20 percent. We have technology to help us along.

Special correspondent Kanika Goswami can be reached at kanika_g@cio.in



How You Can Fight Cyber Crime

Risk Management

By Christopher Koch

Kevin Dougherty has seen his share of spam and phishing scams, as has any IT leader in the financial services industry. But the sender’s name on this particular e-mail sent a shudder down his spine: it was from one of his board members at the Central Florida Educators’ Federal Credit Union (CFEFCU). The e-mail claimed in convincing detail that there was a problem with the migration to a new Visa credit card that the board member was promoting to the credit union’s customers. The fraudulent message urged customers to click on a link — to a phony website set up by criminals — and enter their account information to fix the problem. But what happened later that Friday afternoon — after Dougherty, who is senior vice president of IT and marketing, had wiped the credit card migration information off the website and put up an alert warning customers of the scam — really scared him. Around 2 p.m., the site suddenly went dark, like someone had hit it with a baseball bat. That’s when Dougherty realized that he was dealing with something he hadn’t seen before. And he couldn’t describe it with conventional terms like phishing or spamming. This was an organized criminal conspiracy targeting his bank. “This wasn’t random,” he says. “They saw what we were doing with the credit card and came at us hard.” Dougherty’s website lay in a coma from a devastating distributed denial-of-service (DDoS) attack that, at its peak, shot more than 600,000 packets per second of bogus service requests at his servers from a coordinated firing squad of compromised computers around the globe. That the criminals had the skill and foresight to launch a two-pronged attack against Dougherty and his customers was a clear

Reader ROI:
How cyber criminals are becoming more sophisticated
Steps companies can take to combat the threat
How CIOs can gain top-level business support for security investments



indication of how far online crime, which is now a Rs 11,200 crore business according to research company Gartner, has come in the past few years. Though this dark business largely targets financial services companies, there are signs that criminals are beginning to covet new victims. Since January, phishers have been documented going after “many types of websites not typically targeted,” such as social networking and gambling sites, according to the Anti-Phishing Working Group, a research group. As cybercrime enters this second wave, criminals with no programming experience can buy illegal packaged software to carry out sophisticated attacks, and information security can no longer be addressed merely with a firewall. It has become not just an IT risk, but a business risk. The threat extends beyond systems,

After a cyber attack disabled the website of the Central Florida Educators’ Federal Credit Union, Senior VP of IT and Marketing Kevin Dougherty convinced his CEO and board to consider security as a critical business issue.

affecting everything from marketing and the customer relationship to government compliance, insurance costs and legal liability. Beyond IT and a trusted cadre of security vendors and consultants, information security requires understanding, involvement and consensus from all parts of the business at all levels, right up to the board, before problems occur. Security to combat cybercrime needs to be part of a company’s disaster and business continuity plans, with security-spend based on the overall threat that cybercrime poses. If security is viewed simply as an IT cost and responsibility, companies will never be truly ready for the risks they face. “If you do have an attack, it’s never just the data that you lose or the customers who are victimized, it’s [also] the larger effects that the attack has on everything else,” says Ian Patterson, CIO at online brokerage Scottrade. “It’s the marketing effects, the customer service effects, the business effects.”

How Cybercrime Is Changing

The crooks are still after the money, but they are developing more sophisticated ways of getting at it. They’re willing to hang around longer and in places where the money isn’t immediately available. For example, the breach disclosed earlier this year at retailer TJX unfolded during more than a year, as criminals accessed the system multiple times to extract customer credit card numbers, using technology that has, “to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,” according to TJX’s annual report filed with the Securities and Exchange Commission. “The new paradigm is to not make big, noisy attacks,” says Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property Division at the US Department of Justice. Phishing attacks increasingly use subtle ways of gleaning information that are not apparent to even the most educated computer users. As the sophistication of the attacks continues to improve, the percentage of consumers who click where they shouldn’t has risen from 18.6 percent in 2004 to 24.9 percent last year, according to Gartner. Online crime “will spread from financial services as the use of indirect attacking grows,” says Markus Jakobsson, a security consultant and associate professor of informatics at Indiana University. “For example, perhaps you go to a funny cartoon website where it asks for information that mimics what’s needed to impersonate you on eBay.” That threat is mounting every day. The number of people who believe or know they received phishing attacks doubled between 2004 and 2006, from 57 million to 109 million, according to Gartner. Although fewer victims are losing money, the losses per victim have more than quadrupled since 2005 and the percentage of that money recovered has dropped from 80 percent in 2005 to 54 percent in 2006. Even if victims don’t lose money, there is a cost.
The Federal Trade Commission estimates that it takes consumers an average of 30 to 60 hours to clean up a credit history damaged by identity theft. For businesses, the unseen costs are even higher. For 56 organizations studied by the Ponemon Institute that experienced the loss or theft of customers’ personal data, the loss of business resulting from the breach eclipsed by nearly Rs 160 lakh the combined cost of detecting an attack, notifying customers and helping them work through any resulting problems (on average, Rs 5,120 per compromised record and Rs 10.4 crore in total). Meanwhile, the administrative savings that make the online channel so attractive for businesses are being eaten up by consumer fear and avoidance. A recent Gartner survey found that 23 percent of online banking consumers have fled the channel because of security concerns. Nearly 24 million people won’t even consider online banking because of them. “That means you have people doing transactions at the bank that cost Rs 600 each when they could be doing it online for pennies,” says Tim Renshaw, vice president of product solutions for TriCipher, a security software company. In addition, plummeting trust in e-mail has made it a dicey customer communications vehicle. More than 85 percent of respondents to the Gartner survey said they delete suspect e-mail without opening it. Dougherty says CFEFCU has abandoned e-mail altogether. “We have had to go back to snail mail,” he says, noting that it’s about 90 percent more expensive and much slower and less flexible than e-mail.

Vol/2 | ISSUE/19

What Happens When You’re Unprepared

Dougherty faced these broad risks on that awful Friday afternoon last August, when a criminal website intent on stealing the identities of Dougherty’s members was his only operating face to the world on the Web. Obviously, the first thing Dougherty had to do was stop the attack. He had to hurriedly assemble a coalition of vendors and consultants to help him, and then he had to convince his CEO that drastic steps were needed — steps that would temporarily cut off customers from any possibility of getting to their accounts online until the problems were completely eradicated. Dougherty wanted to have the site temporarily blacklisted with his telecom provider, BellSouth, to deflect the attack, thereby reducing pressure on the site and giving him the time and flexibility to make protective changes. But his CEO resisted — as might anyone who has not experienced an attack. “He wanted to keep it up so we could service the members,” says Dougherty. At 11 p.m., after a long night of battling the attackers and plotting strategy, Dougherty finally convinced his CEO to have the site blacklisted and to take a break until morning. Continuing in a tired and emotional state would have played into the attackers’ hands. “It’s a mind game,” says Dougherty. By Saturday morning, Dougherty had RSA, a security vendor he called in when the attacks began, working to set up a ‘take-down’ service that seeks out and dispatches criminal websites (in this case, more than 30) with its own cyber baseball bat. Meanwhile, BellSouth began beefing up security around the credit union site to try to thwart attacks. Dougherty also began planning with RSA to build multifactor authentication into the website. As these solutions emerged, the CEO became comfortable with Dougherty’s blacklisting decision. “We built heightened awareness with the board and the executive management team,” says Dougherty. The site was back up by Saturday evening.
In the end, 22 customers gave up their information to the thieves and the total losses were “less than five figures,” says Dougherty. Though the credit union had averted disaster, “it was a rude awakening,” he says.


Who You Gonna Call?

When cybercriminals strike, law enforcement agencies are often overwhelmed. So, CIOs are looking elsewhere for help.

When the website of the Central Florida Educators’ Federal Credit Union was attacked by phishers last August, CIO and VP of Marketing Kevin Dougherty’s first instinct wasn’t to call the police. Though he did eventually contact the FBI, “unless you can say you were hit with some very large dollar amounts, I don’t think they have enough people to deal with this,” he says. And so CIOs like Dougherty are assembling crime-fighting coalitions from among consultants, vendors and telecom providers. There’s a historical parallel, says Peter Cassidy, secretary general of the Anti-Phishing Working Group. When banks opened up 150 years ago, there wasn’t an FBI, “so banks hired private law enforcement like the Pinkertons,” he says. One day, there will be routine cyber-investigations, “but for now, we are still in the Wild West.” Law enforcement faces several challenges. First is the nature of cybercrime: global and independent of geography. Hackers in Russia can steal money from a bank in the United States using a computer in France quickly, cheaply and with no human intervention required. And their fingerprints — the IP addresses of the computers that initiate the attacks — can be made to disappear before investigators can track them, according to Ron Plesco, director of the Privacy and Special Projects Group for consultancy SRA International. Internet service providers keep logs of every connection but can’t afford to hang on to the piles of data for more than a few days without overwhelming their storage systems. There’s also a shortage of computer expertise among the FBI and Secret Service, which investigate cybercrime, and the US Department of Justice, which prosecutes it. Given the manpower shortages, investigators need to limit themselves to cases with big losses. Unfortunately, the majority of cybercrimes are committed by small operators, says Uriel Maimon, senior researcher in the office of the CTO of security provider RSA. “There aren’t many Rs 1-crore frauds,” he says, but there are a lot of Rs 80,000 cases — a big-enough haul for a criminal in an impoverished country. Finally, there is the complexity of fighting crime across different countries, many of which lack laws that specifically target cybercriminals. Experts speculate that we could someday see the rise of a new global organization specifically targeted at cybercrime, much as the FBI was created to take on the automobile-fueled rise of interstate crime in the 1920s and ’30s. Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property Division at the US Department of Justice, is skeptical. “What we need to do is connect the dots rather than create a new über-organization,” he says. Painter chairs a G8 committee that has agreements with 48 countries, which have identified cyber-investigators whom they make available to the network 24/7, he says.

— C.K.

REAL CIO WORLD | AUGUST 15, 2007


Risk Management

Firewalls Aren’t Enough

Dougherty also woke up to the fact that he needed to communicate more with his executives and the board about IT security and its link with the bank’s risk and security strategies. Now, he scans banking conference agendas for security content and encourages his executives and board members to attend. Sometimes, he accompanies them. “I was with our chairman at a conference and there was a security presentation, and I said, 'Why don’t you come down and we’ll go to this together?' Then, when he had questions, I was there to answer them. Sometimes, the technology scares them and you have to get them comfortable with it.” Every month, Dougherty also sends three or four security articles to executives and the board that he encourages them to read. He has subscribed to a fraud intelligence information service from RSA that gives updates on the latest threats and suggested responses, and he passes that information along too. “It’s vital to have data to relay to my management team,” he says. Dougherty is also in charge of all training for employees and has broadened that educational effort to include security. He now demands that at least one security article go in each edition of the bank’s quarterly newsletter. He doesn’t think he has a choice because the auditors have become tougher. In the wake of the attack, the bank strengthened its audits that tested for vulnerabilities, both online and off. One of those tests inside branches found that crooks didn’t need the Internet to gain access to data. “We had guys sling monitors over their backs and tell the tellers they needed to fix the computers. They got past our tellers in three branches,” Dougherty sighs. “But, I would rather have the auditors find these things than someone else.” With so much at stake, however, CIOs have to move beyond such traditional defensive strategies. They need a protection strategy for the data too.
The threat of security breaches by rogue employees or contractors has always been higher than the threat from criminals outside. But now, the outsider threat is increased due to the greater portability of data via mobile devices, says Joe Nackashi, CTO of Fidelity Information Services, which hosts data not just for Fidelity but for other financial services companies as well. In 2004, Fidelity began encrypting all of its financial data, not just on its internal systems, but on any device that enters or exits the data center, including laptops, thumb drives and magnetic tapes for mainframes. This way, “even if you lose the data, it will be scrambled when someone tries to recover it,” says Nackashi. But encryption is expensive (because of the effort involved to dress data in extra scrambling code) and complex, requiring processes for deciding what to encrypt when, where, why and by whom. Furthermore, encryption is only as strong as its weakest link. If business partners and contractors don’t follow the same processes and use the same encryption methods, all that scrambling is for naught. These difficulties probably account for why only 16 percent of organizations surveyed by the Ponemon Institute said they had an enterprisewide encryption strategy. Yet more companies, including those outside of financial services, will need to consider encryption for their most sensitive data. The growth in mobile devices and the ability of employees to install and run their own software gives data legs to run around the firewall — what Nackashi calls “data in flight.” Though Nackashi won’t say how much Fidelity spends on its encryption effort, it is evident in the amount of management time he has devoted to it. “Two years ago, it probably consumed 100 percent of my time because we were planning the strategy,” he says. “Today, we’re in implementation mode, so it is probably 30 percent.” This despite the fact that Fidelity has a full-time chief information security officer who is Nackashi’s peer. Overall, Fidelity’s security staff has grown 30 percent over the past two years, he estimates. “This isn’t something you can compromise on from our perspective,” he says. “The nature of the business we operate in leaves us no luxury to play fast follower.”

Get C-Level Buy-In

Such dramatic increases in security staffing and spending are a barometer of cybercrime’s evolution from IT nuisance to business risk. Scottrade’s Patterson has quadrupled his security staff from two to eight since 2004, and he estimates it will more than double next year. Anyone who resists this growth in security spending needs to consider the bigger picture, says Patterson. “What if a breach among a small number of customers caused us to lose 170,000 or 300,000 customers overall, what would be the business ramifications of that? Everyone has to be in agreement that whatever that number is, you build your ROI from that.”

The proliferation of mobile devices means companies need to protect their data, not just their networks, says Joe Nackashi, CTO of Fidelity Information Systems.

As a way to give information security the billing it deserves, Patterson has pushed Scottrade to link it with the company’s disaster recovery and business continuity strategies. “We lost some of our branches in [Hurricane] Katrina,” says Patterson. “If you have a DDoS attack you have to do some of the same things. You have to reroute people and phones and make sure the communications about the situation are clear and concise.” Meanwhile, at CFEFCU, Dougherty has consultants to do a data breach business impact analysis that links to the organization’s disaster recovery strategies. But CIOs can’t be left as the sole advocates of a broader risk strategy, or it will never happen. Executive committees and boards have to be involved in the decision making. “I put up a picture of the Kremlin when I present to the executive committee. Whatever it takes,” laughs Scottrade’s Patterson. The picture is a reference to Russia as a hotbed of cybercrime. “The business has to be just as aware of this as I am.” One way he builds awareness is to present a set of security key performance indicators to his executive committee every month. For example, he gives an overall report on internal and external vulnerabilities by tracking intrusion alerts and monitoring the security patching efforts, broken down by data center and hardware at Scottrade’s corporate facilities as well as at its branches. Eighteen months ago, he says, “we were not tracking this information.” Dougherty’s CEO and board now also are vested in security as a critical business metric. Perhaps the best evidence of this was when his site was attacked again later in the summer. The attack was neutralized within a few hours, says Dougherty, because of the new strategies he had in place, but also because there was no need to argue any of them with the CEO or the board. “They just need to understand what’s going on,” he says. “They need to know that responses are being made.”

Stop Them Before They Click — Again

Educating users won’t prevent them from giving up info to fraudsters. Take them out of the loop.

You may need to wait a minute for another sucker to be born, but you can find one anytime you want online. In a recent MIT-Harvard study to determine online gullibility, 36 percent of test subjects logged in to their online bank accounts despite being presented with a strong warning page saying that their bank site’s security certificate was not valid. Not one person noticed when HTTPS, the secure form of HTTP, was stripped away — they offered up their passwords anyway. Although our instincts tell us that better education might have saved these users from themselves, there is a growing consensus among researchers that education will never stop many people from clicking when they shouldn’t. The problem, says Markus Jakobsson, a security consultant and associate professor of informatics at Indiana University, is one of focus. “When people go online, they are focused on other things besides security,” he says. “They want to pay their bills online or talk to their friends. People don’t pay attention to security clues online.” Even when, as in the MIT-Harvard study, they are reminded to pay attention to warnings. Meanwhile, the kind of information that lulls victims into a false sense of security is still widely available online. In a 2005 study, Jakobsson was easily able to find the Social Security numbers and mothers’ maiden names of millions of Texans online. “When the e-mail comes with your mother’s maiden name already in there, it’s a lot easier to click,” he says. So what to do? Some suggest issuing new passwords through small electronic fobs called tokens each time someone logs in to a site, or requiring account holders to verify withdrawals via a cell phone call. But both solutions are costly, complex and potentially inconvenient to customers. The best answer may be to relieve home computer users of responsibility for computer security. Already, some ISPs are offering security software as part of their subscription pricing, judging that the extra cost is more than balanced out by reducing the risks they face from the pipe-clogging spam and malware. With 2.4 million unsecured broadband connections in the United States today, according to Consumer Reports, it may be time for the IT industry to face that consumers will never close the security gap by themselves. To the extent that end-user companies could be liable for their customers’ inaction, they need to weigh the risk of leaving the responsibility for managing security in the hands of customers who may never do it adequately.

— C.K.

Send feedback on this feature to editor@cio.in



Rajendra Bandi, associate professor of information systems at IIM, reiterates the need to involve government officers in the development phase of IT projects.



Interview | Prof. Rajendra Bandi

To succeed, e-government projects need to avoid excessive focus on technology and find champions, says Prof. Rajendra Bandi of IIM, Bangalore.

Putting People First

By KANIKA GOSWAMI

Photo by Srivatsa Shandilya | Imaging by Unnikrishnan AV

Rajendra Bandi, associate professor of information systems at IIM, Bangalore, has varied interests in academia. He has studied the social impact of computing, computing ethics, knowledge management, and IT in government, among others. As a member of the technical advisory panel established by Karnataka’s Department of IT, Bandi has guided several e-governance initiatives. Further, he has made comparative studies on some of these e-government projects. In an interview to CIO India, Bandi talked about the state of e-government projects across the country, and suggested ways to improve them. Excerpts:

CIO: Do you think technology has been adequately utilized in e-governance projects across the country?

Rajendra Bandi: I would use the word ‘appropriately’ utilized. I would also say that most e-govern initiatives undertaken in the country, with a few exceptions, are technology-obsessed. To me, e-governance is a much broader phenomenon. Technology is but one component. But unfortunately, in most governance applications, more importance is given to technology than to other components. In that sense, it has been more than adequately utilized, and it’s not really good. In e-governance the ‘e’ should simply precede the hyphen and governance should be core; ‘e’ should not drive the entire project. Far too often, we see projects which are pushed so aggressively by technology; governance objectives should take priority.

What is more important in a govern project — technology or people?

I would attach more importance to people-ware, then software, and then hardware. In the government, I have seen that a good number of projects are run the other way round. In a broader sense, it is nothing but an information systems implementation. Where you see projects that are successful, it’s because they have got the priority right.


How do you think technologies like GIS (geographical information systems) help in real-time planning? Do you feel GIS has got the place it deserves in planning?

You bet it has. I think GIS technology is mature today. In fact, I would say that it is one of the most underutilized things, particularly in government projects. Wherever there are spatial issues involved, there is scope for GIS. I cannot visualize a government project where GIS cannot be used. I see it being core, as databases are core to most systems. Given the kind of maturity we have reached in today’s ecosystems, the tools of GIS are affordable, extremely easy to use, and nicely integrated. So, I would expect to see more and more of GIS.

You have been associated with a number of e-govern projects in Karnataka. Which of them do you think have succeeded in meeting their objectives?

I can’t comment on which ones (have been successful). For those that were successful, I can point out a couple of factors responsible for the success. One is the tenure of the champion of the project. In fact, preceding that is the presence of a champion for a particular project. But once there is a champion, his continuing presence helps. Most often, ownership is associated with a high rank, where the officer doesn’t have a sense of security about his permanence. Very often, by the time the project reaches its climax, the champion is shunted out and the next person either has no incentive to see it through or the sense of ownership doesn’t exist.

In your experience, how does a developer’s approach to IT make a difference to a project?

I categorize the project heads’ approach to IT into one of four ‘I’s:

Ignore: Those who say, ‘My department is unique’, ‘our focus is much more on people interface’, and ‘we cannot spend time and money on technology.’ Today, most departments don’t do this.

Isolated: Those who say, ‘Yes, technology may be important but that’s not my job.’ A good number of organizations in the government in today’s context think this way — a substantial majority. They usually pass the buck to a more technologically inclined department.

Idolize: Project heads who take IT to the other extreme. Those officers who think technology is the beginning and end of everything, and can solve any problem. Unfortunately, there is an emerging trend with a significant number of instances where this approach is taken.

Integrate: where officers understand that technology is just one component in e-governance. If I introduce IT, it is only a new change introduction. Technology is one of the change factors. This exists in very few departments. The departments that can take this perspective are the ones that have been successful. They use the right mix of technology and governance. These are departments that will continue to survive even after the officer has moved away. Fortunately, there are more and more people who are coming into this category.

Do you think there is adequate training and education before governance projects?

IT usage and applicability vary drastically from project to project. There are two different issues. One is the extent the officials are involved in the development process. Training is the second part. Training is not merely showing the features of a software — it’s also about making it usable. In some cases, training given to the implementation people is not synchronized with the timing of a launch. In one case, training was given, but the system was not ready. And by the time it came, the people had forgotten what they were taught.



Another situation is when a vendor has trained everyone, but when you ask the staff they are not comfortable with the application. The problem need not be with the trainers, it could also be because right inputs weren’t given, or were not given at the right time, or the trainer did not understand the usability part.

Another aspect of training is preparing operators for a change of mindset because of a completely different environment. Operator training sessions have to be about preparing the operators to think differently, about the usage in the changed context.

In Bhoomi, for instance, when a new technology was being introduced, 30-40 officers were given training and were sent back to their villages with the assurance that they would get help. When implementing in rural areas, training is very crucial — in a metro it’s different. I talked to some officers in far-flung areas and one consistent input was that whenever they wanted help, they called this one operator. That kind of backup is what helps, not just a training manual.

You have evaluated several e-government projects. Could you compare citizen services programs such as Bangalore One and eSeva?

Bangalore One and eSeva are not really quite different. eSeva has been around for a longer time, and Bangalore One has explicitly gone on record saying they are copying the success of eSeva. They have the same business model and even the same technology partners. NISG (National Institute of Smart Governance) happens to be one of their consultants.

It is not fair to compare eSeva with Bangalore One because the latter is only in Bangalore, not across Karnataka; eSeva is a statewide project. There is also Project Nemmadi (peace), offering citizen services, a rural initiative in Karnataka. It doesn’t get into many services; it is focusing on core governmental issues like birth certificates etcetera.

Friends in Kerala, for example, in terms of the architecture and service providers, have taken an entirely different business model, quite in contrast with the eSeva model.

I don’t want to compare projects, though there are common points. The best known common points are centralization-decentralization approach where all the centers throughout the state have been connected like in eSeva, or one has taken a decentralized approach, as in Bangalore One. The second one is, top down versus bottom up. The first is where everything is pushed from the secretariat downwards, as in most projects; while the bottom up is one where citizen initiative carries the project forward. Friends is a bottom up initiative.

What role do politicians play in the success or failure of governance projects in India?

Bureaucracy is one area which has to have an interface with the political machinery. So support from the appropriate political machinery is absolutely important. Without impetus from political leaders, it is difficult. In his role, the politician can be a CEO. For instance the last CM of AP (N. Chandrababu Naidu) was playing the role of a CEO, standing behind his officers and giving them support, saying: go ahead and do it, I am with you. That support from the CEO is important, whether he is a politician or a bureaucrat.

Another situation could be where the politician can be a technology master, an individual who understands both the technology issues as well as business issues relating to the particular department.

Politicians can play a critical role in ensuring success by just leaving the implementing officer alone. (Interference from politicians can also ruin a project.) If they want to, they can finish a good govern project by a seemingly insignificant move. I remember an instance where a politician did not do anything more than cause delay of payments to the private partner in a public-private-partnership project. How long can the private company sustain? This was his way of making sure the initiative died a natural death.

In your opinion, what are the major reasons for the failure of govern projects in India?

Reasons for failure of the projects are straightforward. It’s not always only about politicians. There are other factors like the lack of a stable champion, a good, clear objective and inappropriate training. Sometimes over-emphasis on technology while compromising on governance issues is also a reason for failure.

How tech-savvy are state governments?

There are highly varied experiences, one cannot really say. Successful projects are there everywhere. One thing I can say for sure is AP (Andhra Pradesh) has a lot of media mileage. There are a whole range of other states doing equally well. Their variety of initiatives are better, and I may even go on to say that you will see interesting projects in the North-Eastern states, even Bihar and UP. There are differences, but one cannot form opinions based on media coverage. I can safely say that in terms of IT usage, no state is really left behind.

Is any estimation or evaluation ever done on the expenditure and investments on e-govern projects in India?

Expenditure in hard numbers is done but what is not done is really the outcomes of these projects and whether they have met their objectives. Often the impact is not really measured. This is because, in a good number of cases, objectives were not well-defined. That needs to be done first, in order to evaluate a project. Even if estimates are given, it is mostly one-time. Operating expenses are not accounted for and very often not even budgeted for. So, accounting over a long term becomes difficult. Very often, this contributes to the failure of the projects.

I can give one example of a project where funds were sanctioned, hardware was procured, people were trained, but everything was lying unused. There was no budget provided for consumables, so there was no printing paper. Recurring expenses were not budgeted for. How can we evaluate a project until all its aspects are taken care of?

Special correspondent Kanika Goswami can be reached at kanika_g@cio.in

The Big Roll-Out

100,000: The number of common services kiosks to be set up under the National e-Governance plan.

Source: Press Information Bureau, Government of India



Essential Technology

From Inception to Implementation — I.T. That Matters

Stuck in the SOA Soup

An alphabet soup of industry standards has emerged around service-oriented architecture. But you don’t have to drown in this bowl of acronyms.

By Bob Violino

Illustration by PC Anoop

I.T. Architecture | While the potential benefits of SOA are clear, like the ability to reuse existing assets, the standards picture looks anything but settled. In its most recent study on the topic, Forrester Research counted some 115 standards floating around SOA and Web services! It also found it impossible to confirm which vendors support which standards. Yet, CIOs must press ahead with SOA projects in order to meet business needs. Hong Zhang, director and chief architect of IT Architectures and Standards at General Motors, has been balancing the standards dilemma with ongoing SOA work for several years. Zhang says it’s actually good that there are many standards related to SOA. “This indicates that the software industry is moving toward a broad adoption of SOA,” he says. “The challenge is that there is no common, consistent architectural framework to guide the evolution, integrity and integration across these standards. Many of these standards are not yet mature.” How can CIOs navigate the muddy waters until those standards do grow up? Technology executives and industry experts offer this advice: closely monitor the standards scene and keep your options open but, by all means, don’t delay the launch of key SOA projects. Several strategies can help you avoid getting stuck in a standards pickle.

The Standards That Matter

First off, you can construct just a key list of standards, not a comprehensive one, as you do your SOA planning. For instance, standards such as SOAP and WSDL have been broadly adopted and others, including WS-Security, are ready for wide adoption, says Randy Heffner, an analyst at Forrester Research. But other specifications needed to build Web services that operate with high quality of service — such as standards for management, transactions and advanced security — are mature enough only for aggressive technology adopters, he says. Of the emerging SOA and Web services standards, Heffner says CIOs should focus on the following: SOAP 1.1, WSDL 1.1, WS-I Basic Profile 1.0 or 1.1, UDDI 3.0.2, WS-Security 1.0 or 1.1, WS-BPEL 2.0, BPMN, WSRP 1.0, XML Schema 1.0, XSLT 1.0, XPath 1.0, XQuery 1.0, XML Signature and XML Encryption. CIOs should favor standards-based SOA over native protocols, Heffner says, “but don’t sacrifice needed quality of service (QoS) for any given app just to use standards.” Where an application must have greater QoS than Web services can provide, “do tactical workarounds that stay close to the design models of emerging specifications,” he says. Is it necessary for CIOs to know which vendors are supporting which standards at this point? “Not in a comprehensive way,” Heffner says. “But CIOs that are making a major software infrastructure partner choice should get a strong picture of candidate vendors’ current and future support for SOA and Web services specs.” You need to understand your current vendors’ plans as well, he says. Otherwise, you risk investing in technology that might not meet the long-term business goals of the organization or its SOA strategy.


Many organizations will look for temporary solutions — say middleware — to overcome a lack of mature standards. “From the CIO’s perspective, there’s a lot of pressure to adopt a middleware platform to fill in where standards are not there, but in a way that doesn’t lock them into it,” says Jim Stogdill, CTO at Gestalt LLC, a defense and energy consulting firm that helps clients launch SOA projects. But it’s important not to commit too much to one middleware vendor, “because it will be much more disruptive later to swap out,” he says. Stogdill advises organizations to stick with fairly common standards such as SOAP and WSDL, “and also look to where your line of business application vendors are providing services: then, integrate line of business applications via those service interfaces using unintrusive middleware.”

GM’s Selective Strategy

For its part, General Motors learned in its early SOA efforts to identify which standards were most important to what the company was trying to achieve. GM launched its first SOA project in 2000, an architecture called Northstar, for its global online vehicle showroom services (GM Global BuyPower). Northstar’s goal: to establish a global common SOA plan flexible enough to support the dynamics of GM’s business, says Zhang. To achieve this, GM designed the architecture to separate business functions from business process flow (the sequence of the business functions to be performed). The company also separated the physical locations of business data from those of the business functions using the data, and user interfaces from the business process flow, business functions, and business data, Zhang says.

GM successfully deployed the Northstar architecture in more than 40 countries in 2001. The architecture helped GM fulfill various business needs quickly, such as meeting data location regulations, making business process flow changes based on business engagement rules and varying the end user’s software experience based on culture differences in individual countries, says Zhang. Since the company also uses SOA in other consumer-focused online services, including GM OnStar services, it plans to develop an enterprisewide strategy and governance program for broad deployment of SOA internally and with external partners, he says. As part of the planning for GM’s next-generation SOA implementation, he’s evaluating the latest enabling standards and technologies.

For GM today, the most important specs are those that help standardize the interfaces among services across the well-defined service layers (presentation, business process and so on). The next most important specs are those that help standardize the implementation of the services within each of the service layers. As part of developing its enterprisewide SOA strategy, the company is identifying the SOA standards around which of its needs are mature, which should be monitored and which are mandatory. Among these, GM is looking at WS-I Basic Profile 1.1 for enterprisewide interoperability. After this, the company will be able to make a well-informed decision about which vendors and products to use in its broad rollout of SOA.

Another SOA adopter, TD Banknorth, has taken a strategy of prioritizing standards adopted by vendors recognized as market leaders in the SOA space (for example, webMethods) and those recognized by several key standards organizations. The banking company is using a servicebased architecture as a framework for the development of Web services for application integration, according to CIO and executive VP John Petrey. TD Banknorth initially used SOA in 2004 when it deployed webMethods’ Fabric software suite to use a Web service to simplify the process of completing customer address changes. The Web service, being implemented now, allows TD Banknorth’s call center agents or branch employees to make changes in address, then automatically have those changes take effect in each of the customer’s accounts with the bank. Today, TD Banknorth is planning other SOA projects, one involving a small-business loan origination service and another for the company’s online banking system. “The primary benefit of SOA we realize is significant reuse of services across the integration solution space,” says Petrey. That’s resulting in a substantial reduction in service development time and the creation of higher-quality services that require less debugging and testing, he says.

To date, TD Banknorth has adopted basic standards around Web services, including XSD, SOAP and WSDL, says Petrey. “Going forward, the most important standards will be related to WS-I, like policy, reliability and security, and, to a lesser degree, addressing,” he says. The bank works “only with standards adopted by vendors recognized as market leaders in the SOA space…and regarded as sufficiently mature” by industry research firms such as Gartner, Petrey says. “The standards we adopt are recognized by multiple standards organizations like W3C and WS-I,” he adds. TD Banknorth queried companies that had adopted standards such as WS-Security and SAML, “and found that most were struggling,” says Petrey. “The standards supposedly were ready for adoption over a year earlier, yet no one was really using the standards the way they were designed or marketed. We didn't find a success story.” Among the lessons the bank has learned in its foray into SOA: build an architecture in a way that promotes a modular, flexible and incremental deployment, “with placeholders for those standards to be adopted as subsequent functionality requires,” says Petrey.

Mastering Middleware

At smaller organizations, some CIOs are forging ahead with SOA without a major emphasis on standards. The John F. Kennedy Center for the Performing Arts in Washington, D.C., is a midsize organization that uses a lot of commercial software products, some of which are moving toward SOA, says Alan Levine, the CIO. For example, the center’s enterprise resource planning vendor, Lawson, is moving to a services architecture. The Kennedy Center’s customer relationship management platform, Tessitura — an industry-specific application developed by Impressario, a wholly owned subsidiary of the Metropolitan Opera — also is moving toward SOA. Levine says he’s taking steps to implement SOA without being overly concerned about standards. “We focus on creating the ‘glue’ that allows the SOA capabilities of the different commercial systems to fit together.” To that end, the center is developing middle-tier solutions in-house, he adds. “Our focus is rather than trying to choose a standard, knowing what to do to get the back ends to interoperate,” says Levine.

Of course, middleware strategies depend on your organization’s size and existing systems. Overall, keep your eyes on the prize: a nimble IT organization. As GM’s Zhang puts it, the ultimate goal of using SOA is “to establish a flexible information systems and services environment that can quickly realign” as business needs change.

Bob Violino is a freelance writer. Send feedback on this feature to editor@cio.in

At smaller organizations, some CIOs are forging ahead with SOA without a major emphasis on standards. They do this by focusing on the 'glue' that holds various SOA-enabled commercial systems together.

3 SOA Implementation Tips

Three tips for navigating the sea of service-oriented architecture standards.

1. Use your early SOA efforts to help decide which standards are most important to your business goals.
2. Ask for examples of successful SOA standards deployment stories. Just because standards have been out for a year doesn’t necessarily mean they’re ready for full-scale deployment.
3. If you’re using middleware to provide a temporary integration fix because of the lack of a suitable standard, make sure not to overcommit to one vendor or product.

—B.V.


Pundit

essential technology

The Prospects of GPL3 Adoption

The new license ensures that source code ownership is respected, but will it also see widespread buy-in?

By Bernard Golden

open source | After an extended gestation, the Free Software Foundation (FSF) released its update to the GPL Version 3 license. From the point of view of end users, one of the most attractive things about the license is that it specifically states that using a GPL3-licensed program over a network does not trigger a need to offer source code. Originally, I thought this was one of the most problematic aspects of the GPL3 drafts, as many organizations would never allow themselves to be put in a position to need to distribute source code to end users, customers, or even internal employees.

Another attractive aspect of the license for end users is that it allows organizations to give code to other parties that are doing software development for them without being defined as conveying code. This has been a grey area in the past, and the new license addresses it unambiguously.

What are the prospects for GPL3 adoption? That's the critical question. The earlier drafts were such that many organizations would have never adopted GPL3-licensed code. The current license is likely to see inconsistent adoption. End users are likely not so much to embrace it, as not prohibit GPL3-licensed code from internal use, meaning that GPL3-licensed code will slowly make its way into production infrastructures. Some technology providers will begin using it, while others, particularly in the embedded market segments, will resist adoption, perhaps going as far as to fork products in order to keep GPL2 versions around.

When it comes to Linux, on balance I think it will not move to GPL3. Despite Linus Torvalds' recent not-so-negative comments regarding the license, I heard pretty negative things about it from kernel developers at the recent Linux Foundation Community Summit. In any case, there are significant practical challenges to any thought of migrating the kernel to GPL3, so conversion is unlikely.

Where can you learn more about GPL3? Obviously, a good first stop is the Free Software Foundation website itself. Another good source I found is written by Luis Villa, an ex-Novell employee now attending Columbia Law School. He wrote a series of articles on the license beginning with Part 1 - The License (available at http://tieguy.org/blog/2007/06/26/gpl-v3-the-qa-part-1-the-license), discussing the license and its effect on developers and users.

I took part in a podcast about GPL3 last month along with some other open source-involved folks (and Rob Enderle, who is more of a general industry analyst). Our general conclusion was that GPL3 would not have dramatic impact. However, a couple of the participants felt that adoption of the license would be more rapid than I expect, and one of them, Matt Asay, was pretty disappointed with the provision that use over a network did not trigger the need for source code distribution, feeling that this enabled companies to freeload on the work of others.

In the end, this license seems more evolutionary than revolutionary. Most organizations will digest its conditions and be able to move on without major disruption to their activities. Many of the things that motivated Richard Stallman to update the license seem to have been watered down in this final version, for which we should all be thankful. Overall, this license will neither accelerate nor retard the rapid march of open source software throughout the technology industry, which is the most significant trend in software today.

(Concluded)

Bernard Golden is CEO of Navica, an open source consultancy, and the author of Succeeding With Open Source (Addison-Wesley, 2004). Send feedback on this column to editor@cio.in

The license seems more evolutionary than revolutionary. Most companies can move on without great disruption.

REAL CIO WORLD | August 1, 2007

Vol/2 | ISSUE/18


