From the Editor

Smartly Tracking Time
Should IT chiefs measure the time they, and their staff, spend on strategic initiatives, as opposed to mere support?

A few Indian CEOs blog, but I am unaware of Indian CIOs who do. I hope some of you can point me to a few. Meanwhile, I read some by your counterparts out in the US or UK or other countries to get a pulse on the CIO community. These blogs often raise interesting subjects and viewpoints, and sometimes lead to lively discussions in which diverse opinions emerge.

Recently, I found an interesting thought emerging from the blog of Will Weider, CIO of Ministry Health Care and Affinity Health System, of Wisconsin, US. Weider says his blog is about what "I have learned through my mistakes and other crazy things in the life of a healthcare CIO." The question he raises is this: do IT chiefs measure the time they, and their staff, spend on strategic initiatives, as opposed to mere support?

Weider says he analyzed this and discovered that he and his staff spent between 15 percent and 25 percent of their time on strategic initiatives. That number, he believes, is "hardly enough to accomplish a big project." Weider goes on to say that he spends a lot of time examining ways to nudge that number higher. He has also set a goal of 100,000 man-hours on strategic projects in this fiscal year.

I am curious about two things in the Indian context. One, do CIOs track the time they spend on special projects versus routine support and maintenance? Two, is this necessary or meaningful? I pose the second question because Indian CIOs are probably spending a fair amount of time on new projects, given both the rapid growth in the country and the low level of technology use in enterprises. Having said that, Weider's blog serves to raise CIO awareness about wisely investing precious time. Often, CIOs can lose sight of strategic initiatives and larger goals in the hustle and bustle of daily work. It might be a good idea to closely review one's work, reassign priorities, set loftier goals and perhaps find more fulfillment.

Bala Murali Krishna
Executive Editor
balamurali_k@cio.in
October 15, 2007 | Real CIO World
Vol/2 | Issue/23
Contents

Security
COVER STORY | Your World Hacked | 30
As your business becomes more collaborative and global, the risks to your company's trade secrets rise proportionately. Fortunately, there are new strategies to protect the data that allows you to compete. Feature by Stephanie Overby. With inputs from Balaji Narasimhan and Gunjan Trivedi

Executive Expectations
VIEW FROM THE TOP | 44
Atul Nishar, founder & executive chairman of Hexaware Technologies, says a CIO's ability to handle users is more important than the ability to manage technology. Interview by Kanika Goswami

Career Strategist
On Wings of Cash | 22
Launch a profitable product and watch your career take off. Column by Martha Heller

Business Continuity
Crashed | 38
What happens when a key player in a company goes down? Who takes over? Feature by C.G. Lynch
more »
Contents (cont.)

Departments
Trendlines | 13
Communication | A Hand Signal for Trains
Storage | BI Saves Paper Money
Security | Against Newer Hacker Warfare
Strategy | Twin Paths for IT to Traverse
Leadership | Dealing with Hippos
IT Management | Web 2.0 Security Threat
Security | Malware Economy on the Rise
Research | Data Centers Lack Efficiency Tools
Open Source | Tiny Linux Hits the Streets

Essential Technology | 52
Outsourcing | E-mail Has Left the Building. Feature by Galen Gruman
Pundit | When Are We Getting Off the ERP Bus? Column by Christopher Koch

Endlines | 56
Outsourcing Showdown: India vs. China. By Stephanie Overby

From the Editor | 2
Smartly Tracking Time. By Bala Murali Krishna

Inbox | 12

NOW ONLINE
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Govern
Championing Change | 48
Ravi Rangan and Sriram Raghavan of Comat Technologies believe that willingness to adopt IT and a sense of ownership are crucial for the success of e-governance initiatives. Interview by Kanika Goswami

Leadership | 26
How to Influence People
Purdue University CIO Gerry McCartney approaches executive collaboration and influence by building alliances with the people behind the decision makers. Column by Gerry McCartney
Management
Publisher & Editor: N. Bringi Dev
CEO: Louis D'Mello

Editorial
Editor-in-Chief: Vijay Ramachandran
Executive Editor: Bala Murali Krishna
Bureau Head - North: Sanjay Gupta
Special Correspondents: Balaji Narasimhan, Kanika Goswami
Senior Correspondent: Gunjan Trivedi
Chief Copy Editor: Kunal N. Talgeri
Senior Copy Editor: Sunil Shah
Trainee Journalist: Shardha Subramanian

Design & Production
Creative Director: Jayan K Narayanan
Designers: Binesh Sreedharan, Vikas Kapoor, Anil V.K., Jinan K. Vijayan, Sani Mani, Unnikrishnan A.V, Girish A.V, MM Shanith, Anil T, PC Anoop, Jithesh C.C., Suresh Nair, Prasanth T.R, Vinoj K.N, Siju P
Photography: Srivatsa Shandilya
Production: T.K. Karunakaran, T.K. Jayadeep

Marketing and Sales
VP Sales (Print): Naveen Chand Singh
VP Sales (Events): Sudhir Kamath
Brand Manager: Alok Anand
AGM (South): Mahantesh Godi
Marketing: Siddharth Singh, Kishore Venkat
Bangalore: Santosh Malleswara, Ashish Kumar, Chetna Mehta
Delhi: Nitin Walia, Anandram B, Muneet Pal Singh, Gaurav Mehta
Mumbai: Parul Singh, Chetan T. Rai, Rishi Kapoor, Pradeep Nair
Japan: Tomoko Fujikawa
USA: Larry Arthur, Jo Ben-Atar
Singapore: Michael Mullaney

Events
VP: Rupesh Sreedharan
Managers: Ajay Adhikari, Chetan Acharya, Pooja Chhabra

Advisory Board
Abnash Singh, Group CIO, Mphasis
Alaganandan Balaraman, Vice President, Britannia Industries
Alok Kumar, Global Head-Internal IT, Tata Consultancy Services
Anwer Bagdadi, Senior VP & CTO, CFC International India Services
Arun Gupta, Customer Care Associate & CTO, Shopper's Stop
Arvind Tawde, VP & CIO, Mahindra & Mahindra
Ashish K. Chauhan, President & CIO — IT Applications, Reliance Industries
C.N. Ram, Head–IT, HDFC Bank
Chinar S. Deshpande, CIO, Pantaloon Retail
Dr. Jai Menon, Director (IT & Innovation) & Group CIO, Bharti Tele-Ventures
Manish Choksi, Chief-Corporate Strategy & CIO, Asian Paints
M.D. Agrawal, Dy. GM (IS), Bharat Petroleum Corporation Limited
Rajeev Shirodkar, VP-IT, Raymond
Rajesh Uppal, Chief GM IT & Distribution, Maruti Udyog
Prof. R.T. Krishnan, Jamuna Raghavan Chair Professor of Entrepreneurship, IIM-Bangalore
S. Gopalakrishnan, CEO & Managing Director, Infosys Technologies
Prof. S. Sadagopan, Director, IIIT-Bangalore
S.R. Balasubramnian, Exec. VP (IT & Corp. Development), Godfrey Phillips
Satish Das, CSO, Cognizant Technology Solutions
Sivarama Krishnan, Executive Director, PricewaterhouseCoopers
Dr. Sridhar Mitta, MD & CTO, e4e
S.S. Mathur, GM–IT, Centre for Railway Information Systems
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
V.V.R. Babu, Group CIO, ITC

Advertiser Index
Avaya: 4 & 5
Canon: IBC
Emerson: 23
Fluke: 7
HID: 3
HP: 1, 15, 19 & 25
IBM: 27
MAIA: 11
Microsoft: IFC & 17
Novell: BC
Procurve - HP: 9 & 28
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: N. Bringi Dev. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India
Inbox

Reader Feedback

Path to Shared Goals
I read your editorial ('Do CIOs Have Fragile Egos?' September 15, 2007) with some interest. I am both in partial agreement and disagreement with your views. I agree with everything you say relating to the need for CIOs to communicate and demonstrate their appreciation of financial metrics with CEOs. This is a given in today's world for every leader — and CIOs are no exception. What I disagree with is the headline of the editorial: 'Do CIOs have fragile egos?' My submission is that CIOs are not alone in this; their peers, too, fall in the same boat. The CIO-CFO relationship has remained a topic of discussion for as long as CIOs and CFOs have existed in an enterprise. As the appreciation of each other's domain and capabilities mature, this is bound to improve. Both are working to a shared objective driven by corporate goals and deliverables; the difference in their behavior is a reflection of how they are measured. Alignment of the measurement metrics will improve and drive consensus and collaboration.
Arun O. Gupta
Customer Care Associate & CTO, Shopper's Stop

Talent Imperatives
I found the series of columns by Michael Schrage and Mike Hugos inspiring and highly informative, and would love to store the series over the past months in a PDF format as they are a treasure of knowledge and insights. While browsing the Internet, I chanced upon an article that was written in the same vein as your cover story on the skills crunch ('War for Talent,' August 15, 2007). It was a report in Fast Company Magazine, titled Seven Talent Imperatives, on a breakthrough study by McKinsey and Co. Here are some takeaways that may be useful to my fellow CIOs:
Instill a talent mindset at all levels of the organization — beginning with senior management.
Create an extreme employee value proposition (EVP) that delivers on your people's dreams. (EVP has four elements: great company, great leaders, great job and attractive compensation.)
Build a high-performance culture that combines a strong performance ethic with an open and trusting environment.
Recruit great talent continuously.
Develop people to their full potential.
Make room for talent to grow.
Focus on retaining high performers.
V. Subramaniam
CIO, OTIS Elevator Company (India)

A Wake-up Call
I read the article, 'What It Takes for a CIO to Be a CEO' (July 15, 2007), and felt that the topic was both relevant and well-timed. It should be a wake-up call to the two principal parties: top management decision-makers and the CIOs themselves (the younger ones, at least). There is tremendous latent leadership talent going unutilized. Interestingly, all commentators are unanimous on why CIOs are lagging behind others in seeking the mantle of a CEO. Top management recognizes that CIOs are the repositories of vital information (historical, current & future) for decision-makers and business strategists, with all the pre-requisites of leadership — so why treat CIOs as 'secondary' leaders? CIOs should help themselves by learning from the success of some counterparts and draw confidence in their potential, nurture a desire to lead business at the corporate level and step out with conviction to be equal players in the corporate world, not merely at the business or functional level.
Ross D'Silva
CEO, Ross D'Silva Associates Management Consultancy

What Do You Think?
We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.
Trendlines | new * hot * unexpected
COMMUNICATION

A Hand Signal for Trains
There isn't anything more frustrating when you ride a train than seeing your station whiz by, as you realize the train you're on isn't making a stop. It happens often in Japan, but technology promises to come to the rescue. A prototype system developed by Mitsubishi Electric and East Japan Railway (JR East) will send information about a train to cell phones. The system uses Sony's FeliCa near-range communications system as a base. It is already embedded in many cell phones in Japan, and used by JR East for its IC-card commuter and travel passes. A communications session begins when the phone is brought within a centimeter of a panel inside the train. In seconds, the phone contains data including the railway line name, the car number and its scheduled stops, says Tomoya Shirakashi of Mitsubishi's transport system engineering department.

JR East is already installing some Mitsubishi Electric-developed systems in its trains. Trains running on the Yamanote Line (a line in central Tokyo) all have two LCD panels above each door. The right-hand panel displays data about the train route, much like that to be sent on the cell phone system, while the left-hand panel shows advertising and other information. A wireless LAN system has been introduced on the trains, so that the latest information can be downloaded at stations. Recently, the left-hand screen has also begun running news reports.

JR East hasn't decided on a roll-out plan for the new cell phone information service, but development is now complete and the operator is considering a launch schedule, says Takayuki Matsumoto of JR East's research and development center. Matsumoto says that the rail operator hopes the new service will be especially useful for people who don't understand Japanese or English, the two languages currently used on the in-car LCD monitors. The cell phone system can be customized to offer information in additional languages such as Korean and Chinese.

— By Martyn Williams
Illustration by PC Anoop
STORAGE

Business Intelligence Saves Paper Money and Storage
A 2006 IDC survey based on 278 respondents in Australia, Korea, India and China showed that cost considerations were eighth on their list of priorities when buying a BI solution. Hard to believe? Still, any rookie salesman in the subcontinent will tell you that the Indian market is 'price-sensitive'. But if the falling prices of unfussy BI tools aren't enough for CIOs to convince management, there's another way. Put away your bag of buy-in tricks and dire warnings of organizational extinction — it's not needed. Here's a cause: business intelligence reduces costs related to the use of paper, report distribution, and storage.
Haggen, the largest food & grocery chain in northwest America, installed a new BI tool called ARC, developed by Bangalore-based Manthan Systems, in 2006. The move shaved 60 percent off paper and report distribution costs, says Haggen CIO Harrison Lewis. Before ARC, multi-page reports were printed and distributed every week. "Some people only needed a page from that report," recalls Lewis. Users today are asked to specify which report they need, he says. Subsequently, it is e-mailed to them every morning. The new BI system gives decision-makers "visibility of product sales at the wholesale and distributor levels, inventory levels, how much of what is selling, its profitability, etcetera, on a daily basis," says Lewis. The old system, he adds, could only churn out reports every Wednesday. "I'm amazed at the information we could get," he says. This isn't surprising, given the amount of data Haggen produced and its scope.
(Continued on Page 14)
SECURITY

Battling Newer Hacker Warfare
For most large companies, an attack that brings down the corporate network means millions of dollars in lost revenue and unhappy customers. But if the net defenders of the US Army see their network go down or their defenses broken, the stakes are significantly higher. Net defenders are one of several specialties within the 1st Information Operations Command's Army Computer Emergency Response Team (ACERT), and their job is to maintain and protect the flow of data over the Army's network. "If you can't talk, you can't fight," says Thomas Blackard, a reservist with ACERT.

Blackard and other members of the 1st Information Operations Command took part in the Hack In The Box (HITB) security conference in Kuala Lumpur, Malaysia, where they attended training sessions and competed against hackers in a capture-the-flag contest. "You can't really defend your network unless you know what's out there," says Mike Stan, another reservist. While Blackard and Stan didn't take part themselves, a three-person ACERT team put their tactics to the test at HITB in a capture-the-flag contest that drew nine other teams comprising top hackers from Asia and Europe.

Under Army doctrine, network defenders cannot respond to an attack on their systems with a counterattack. The reasoning behind this policy is that hackers are likely to hijack a third-party server to use for an attack, and a counterattack against that server could have legal repercussions for the Army. The ACERT team, called Army Strong, got its chance to shine in Kuala Lumpur as the contest rules allowed teams to attack and defend their systems.

Teams were given a patched server with customized, hidden vulnerabilities that connected over a network to a score server and the other teams. To make things more challenging, all traffic on the network used a single IP (Internet Protocol) source address, regardless of whether that traffic was a request from the score server or an attack from another team. This prevented teams from using a firewall to block some packets and protect their systems: any rule written against the shared source address would have dropped the scoring traffic along with the attacks. The goal was to re-create the challenge corporate IT managers face when defending their systems against attacks while waiting for a patch to be delivered. "You need to keep the service running even though there is a vulnerability," says Dhillon Andrew Kannabhiran, founder and chief executive officer of HITB.

In the end, the Sao Vang team from Vietnam won the two-day contest with 8,900 points. Army Strong came in fifth place with 925 points, but all of its points were earned through defense, making it the top defensive team. "They did extremely well. Their day-to-day job is defending networks and they did precisely that," Kannabhiran says.

— By Sumner Lemon
Illustration by Unnikrishnan AV
(From Page 13) Haggen has 32 supermarkets. In a given month, the chain sells about 24,000 types of items, but taking into account special sales during various festive seasons, that figure rises to about 2 lakh types every year. Lewis has also trimmed about a fourth of his data. "We are in the process of purging data right now. We have two-and-a-half years of data stored offsite, on tape and on transactional systems for analysis. We also have legacy reports." Re-arranging all that information in the data warehouse means Haggen is moving from 8TB worth of disparate data into 6TB of organized, report-ready information.

Lewis, who has a number of BI implementations under his belt, says the BI solution was among the easiest he has ever worked with. "In the purest sense, it took only 16 weeks [to implement]. That includes data validation, which took some time because we needed to load about two years' worth of data."

So how can a CIO get to all these cost-saving goodies and re-create Haggen's painless BI implementation? The trick in finding that mythically trouble-free BI implementation for retail, Lewis says, is in spotting a solution that is retail-centric. And there are a few out there. Scott Langdoc, former VP and GM of AMR Research's retail industry practice, calls QuantiSense, Manthan, MI9, and Seatab "a new breed of retail-centric, warehousing platform vendors." Early adopters of retail BI, says Langdoc, love its benefits, but hate the battle scars. Retail-centric solutions come with retail-specific data models. "I have done several [BI implementations] and they were really hard. This was mainly because we need to understand the business and establish data models. Then, we had to find the data and generate reports. ARC is a much easier model to use. It accommodates all sorts of reporting requirements."

— By Sunil Shah
STRATEGY

Twin Paths for IT to Traverse
Most large IT organizations will divide into at least two parts in the next five years, said John Mahoney, VP of Gartner Research, at its European CIO convention. One will focus on sourcing and delivery of infrastructure and applications, and the other on architecture and change centered on business assets of process, information and relationships, he explained.

This evolution shouldn't be surprising. IT shops have been evolving and adapting from their very inception. Most have long since emerged from the primordial ooze, in which their IT ancestors moiled, effectively cut off from the rest of the business. Somewhere along the line, they grew the necessary appendages to crawl out on land and walk upright among their business peers.

Today's best CIOs are taking their organizations into territory that earlier IT shops never dreamed of going. Rather than mere pack animals, whose primary function is to relieve the business of its manual heavy lifting, leading IT shops are becoming champion thoroughbreds, selectively bred to enable the business to beat its competitors to the finish line. Not only are these IT thoroughbreds fleet afoot, they are also a rung up on the influence ladder, and able to provide input into the strategic direction of the business.

Mahoney also stated that a new IT organization type is emerging, one that will take the lead on information and process. "While it will grow from an IT base," he said, "its primary focus will be business transformation and strategic assets of information, process and relationships. When mature, it may no longer be identified as an IT organization. At that point, I suppose it is fair to imagine that the IT department will have sprouted wings and flown up into the corporate ether. Where it goes from there is anyone's guess," said Mahoney.

Yet, CIOs need to make sure that their IT organization — no matter how evolved — never ceases to grow and change with the business, he asserted. "We all know what happens to those who get caught in an evolutionary cul-de-sac — they go extinct."

— By Dave Carey
LEADERSHIP

Dealing with Hippos
So you're thrashing out the final details of, say, how to implement the next phase of your CMS or your ERP system. You've gone from the big picture ("We need a system to ...") and, after countless meetings, finally got down to details ("We need these fields on this form and this link will point to ..."). You're feeling good. You've finessed the departmental politics and got all of the stakeholders in agreement. You've lined up the budget, the resources, hell, you can see the goal posts in sight. You can make this happen! You are an IT god! And then ... In comes the Hippo.

It could be your boss, the CIO, VP of sales, CTO — or even the CEO. You might be a big fish in the organizational pond, but the Hippo? Well, he's a Hippo. A much bigger beast than you. The Hippo's pitch usually goes something like, "Hey, that's cool but what about ...?" What follows is often bizarre, irrelevant, capricious, vague, foolish, simplistic, ridiculous, aggravating or pointless. Whatever it is, the Hippo is on a different page. He may have the right book and sometimes even the right chapter, but he has chosen a page you have never seen, let alone read. "What we need is ..." says the Hippo, and the result — if you're lucky — is a new field or a new green button on a user interface that has little to do with what you need to achieve. If you're unlucky, he's going to invent a whole new business process that no one needs.

The Hippo's reasoning for whatever he thinks to be crucial is usually vague. For something like a green button, he may mutter something about an article he read years ago in the Reader's Digest that said that humans recognize objects in green faster than other colors because when we were all dragging our knuckles on the ground, it aided our survival. And he's not kidding! He really believes this makes sense! Your problem is how to make the Hippo happy, because an unhappy Hippo at best means you're going to get into a knock-down, drag-'em-out fight. At worst, it could leave you concerned about your job.

There is an answer for the Hippo: measure. Whatever it is — a green button, a field on a form, a new business process — track it and see, in detail, how it performs. When you get hard evidence that something in fact doesn't work, then you have grounds for getting rid of it. Until you have evidence, you and the Hippo will just butt heads and you know whose is bigger. It's a case of speak softly and carry a big measuring stick.

— By Mark Gibbs
Illustration by MM Shanith
IT MANAGEMENT

Web 2.0 Security Threat
With the Web becoming central to many companies, cybercriminals are taking advantage of Web 2.0 and social networking sites to launch attacks, says Christian Christiansen, VP for security products and services at IDC. The Web isn't the benign resource that people once saw it as, says Christiansen. "One of the things that's disconcerting — and it's been growing over the last 10 years — is the blending of people's private lives with their corporate lives," he adds. Employees' personal lives — their online shopping habits and interactions with friends and families — get intermingled with the interactions they have at work with customers, fellow employees, partners and suppliers, he notes. "So that creates a perforated perimeter," he says.

The problem is that employees don't always follow their company's security policies, probably because they know neither what those policies are nor what their company's acceptable use policy is. The result: employees don't know what's allowed and what they're barred from doing. Problems also occur when an IT department no longer controls the products being connected to the corporate network. That list could include everything from smart phones to new and untested laptops, he says. "We're seeing the realization that the internal security problem is growing — the threats are coming from inside the network," he said.

The latest threats to network security now come from collaboration and Web 2.0 environments, where employees casually click on links that could lead them to malware. The threats also come from the wide variety of devices that may be accessing private as well as corporate networks, says Christiansen. "We're seeing a change in the threat environment," he said. "Instead of malicious code being distributed as e-mail attachments, we're seeing increasingly that it's being embedded in Web 2.0 links," he says. "In the past, there was an immediate effect. Now, we're seeing greater subterfuge and more sophisticated attacks."

To better avoid potential problems, IT departments need to control user behavior, the types of devices being used to access information, the applications being used and content contributions. "Risk reduction requires policy management and layered protection — at the gateway to the Internet as well as at the endpoint [desktops, laptops and servers]," he says. "You need a whole series of checks and balances."

— By Linda Rosencrance
SECURITY

Malware Economy on the Rise
Based on a steady flow of reports on a vast variety of data security threats during the first half of 2007, security firm F-Secure Lab says the bad guys are winning. According to the company, the perpetrators of orchestrated security attacks are gaining an ever firmer foothold in an effort to build a stronger, sustainable commercial economy based on carefully crafted exploits targeting organizations.

Social engineering malware reached a new level of sophistication with the appearance of the Small.DAM Trojan, which caused havoc when it began showing up in e-mail in January 2007. The so-called Storm Worm appeared in e-mails purporting to offer information about shocking headline news linked to real-life events, such as the January storms in Europe. The Trojan spread at an alarming speed across the globe in just one night.

The banking industry continued to be a key target for phishing scams. F-Secure says that scammers are implementing new techniques in their attacks, including content filters that keep closer track of consumers' online banking activity. Such detection methods make it easier for fraudsters to collect more account details using a variety of methods. Meanwhile, the banking industry appears to be making progress in finding solutions to thwart banking scams, notes F-Secure. The company stated in a press release, "We believe that top-level domains inaccessible to scammers, such as .bank, could put a stop to some of the most alarming phishing activity."

Malware targeting mobile devices is also becoming increasingly sophisticated, according to F-Secure. Personalized SMS spam, financial lotteries, and Viver Trojans masking themselves as utility programs are some of the examples of the fast-developing mobile scams, says the company. New spyware was also reported for some Windows Mobile and Symbian S60 3rd Edition devices.

— CIO Canada
RESEARCH

Data Centers Lack Efficiency Tools
Almost half of organizations lack the basic management information and processes needed to run their data centers efficiently, according to a survey of 100 data center organizations across a range of industries, conducted by Aperture Research Institute. The research revealed that 49 percent of those surveyed are not able to track physical changes in their data center, including space, power and cooling. Data center managers admitted to using between three and five different systems to store configuration information, making it difficult to aggregate information into a single view. Only 6 percent of those surveyed use a single system to document everything. Aperture Research Institute, which specializes in data center research, says one reason for this lack of basic management information was the slow implementation of the Information Technology Infrastructure Library (ITIL).

"ITIL grabbed a lot of traction within IT groups, but it stopped at the server," says Steven Yellen, vice president of product and market strategies at Aperture. Just 29 percent of organizations were implementing ITIL in the data center, he adds; with less than a third on board, data centers confess to poor configuration management. Yellen says that the pressure to reduce the environmental impact of the data center is going to encourage data center managers to look at ITIL. "The move to a green data center is going to force people to bring that on. Power usage is just as important as storage. The push to go green, whether it be decommissioning old equipment or analyzing power consumption, will push organizations to have an added level of detail around change management processes, and look more closely at ITIL."

— CIO Canada
OPEN SOURCE

Tiny Linux Hits the Streets
A very small Linux operating system, known as Puppy Linux, has had a 'major upgrade' after version 3.0 hit the streets this week. What makes Puppy Linux different from other distributions of Linux is that the Puppy 3.0 Live CD can be run directly from the CD, without installing to a hard disk. Indeed, the operating system is just 97.6MB in size. Puppy is designed to be a very small Linux operating system that is 'reliable, easy to use and fully featured.' The entire operating system and all the applications can be run entirely from RAM. It comes with applications such as SeaMonkey/Mozilla Application Suite, AbiWord, Sodipodi, Gnumeric, and Gxine/xine. One of its most compelling features is that users can boot from the disk, work, and then save their files back to CD for the next time they boot the CD. It can also be run from USB storage sticks or Zip disks. This allows the Puppy operating system to be used on older computers, or as an emergency rescue system, a Linux demonstration system, or as a complete general-purpose operating system.

According to developer Barry Kauler, Puppy Linux 3.0 is a major upgrade over previous releases. One of the major changes in this release is a move to make Puppy Linux and Slackware compatible, to allow users to install Slackware packages on Puppy. Slackware is one of the oldest Linux distributions, and aims to be the most Unix-like Linux distribution. "To that end, I used all the building block packages from Slackware 12, such as glibc 2.5, gcc 4.1.2 and gtk 2.10.13," says Kauler. "Most of the libraries in Puppy are now from Slackware. Note, though, this does not in any way make Puppy a clone of Slackware — apart from aiming for binary compatibility, Puppy is fundamentally unique from the foundations upward." Kauler has also "totally rewritten the key scripts that control how Puppy boots up, is configured, and shuts down." Other changes include a better USB writing method, after "finally getting periodic flushing of RAM to Flash drive working properly; this is part of a mechanism that constrains writes to Flash drives, so that they don't burn out."

— By Tom Jowitt
Illustration by Anil T
Martha Heller
Career Strategist

On Wings of Cash
Launch a profitable product and watch your career take off.

This is an amazing time to be a CIO. The integration between technology and a company's revenue stream is becoming so seamless that every company is (or will be) a technology company, and this provides enormous career opportunities for CIOs. Keep your focus on supporting the business through efficient internal processes and systems, and you will live a gratifying CIO life. But expand your focus to customer-facing product development, and you will set yourself up for a wealth of new roles. To understand how to make that happen, I spoke with four CIOs who successfully launched revenue-generating products and leveraged that experience to carve out a more multi-faceted role for themselves within their respective organizations. They share their lessons below.

Partner with the business. In 2006, the marketing department at VistaPrint, a Rs 600-crore company that provides customized printed products to small businesses, identified the need to offer customers the ability to design logos online. "Our software engineers created a way to algorithmically map the elements of a good logo," says Wendy Cebula, then CIO of VistaPrint. "We worked with marketing and developed a logo design tool that blew away the competition, and we integrated it as a new service on our site." The logo design tool successfully enhanced revenue in three ways: VistaPrint customers tend to order more print products while using it, thus growing existing revenue; customers design logos for free but pay for reuse rights, a new revenue stream for the company; and businesses in search of logo design now visit VistaPrint, allowing the company to tap a new customer segment. The tool was successful from a career perspective as well: Cebula was promoted to COO nine months later.

Give IT accountability for revenue. About 80 percent of VistaPrint's IT staff is in the Capabilities Development Group, which consists of software engineers, project managers, process experts and DBAs. "The group acts like a consulting organization for our business units," says Cebula. "Whenever the business needs a new process or product, the group starts early and works broadly across the whole capability. We pull together the entire solution, not just the technology." While the product managers own the P&L, the capabilities development teams are measured on how they help the product managers meet their revenue goals. "My staff's responsibility is to meet or exceed the revenue goals for what they are developing; they make decisions based on those objectives," says Cebula. "Any one of our developers could tell you in an instant what their product's revenue projections are."

Use the two-way mirror approach. H&R Block CIO Marc West partnered with a VP of store operations to develop a major new business unit, H&R Block Commercial Markets. The new business provides tax preparation software as a service to companies who in turn offer tax preparation to their customers. West, who is now both CIO and group president of Commercial Markets, projects significant profits for the business in 2007. West came up with the idea for Commercial Markets during an RFP process for some tax preparation software he was evaluating to support the business. "We used that RFP to review the major software providers to our competitors," says West. "From that software review, we learned a lot about the independent market and what our next move could be." West calls this approach a 'two-way mirror' model, where in the course of evaluating technology for your own business, you ask the right questions to gain insights about how your competitors are using that technology. "Every time you look at a technology, consider not just what it does for you, but what it does for your competitors," says West. "Then you can have a real conversation with your CEO about new market opportunities."

Know how technology impacts your industry. In 2006, Guido Sacchi, CIO and VP of corporate strategy of CompuCredit, a direct marketer of branded credit cards, established an innovation committee. He, the CFO, CEO and other business heads met to discuss new ideas. Last year, the committee decided to look into entering the mobile phone market. "The CFO's role was to ask, 'Can we afford this?' The head of business development asked, 'What is the market potential?'" says Sacchi. "My role was to ask, 'Can we operationalize this? Can we make it happen?'" When Sacchi came back to the committee with a plan for implementing the new business idea, his CEO offered him the reins. While retaining his CIO title, Sacchi is now the senior operations executive and P&L manager for the new business, which will launch later this year. "CIOs should capitalize on the fact that the technology content of products and services in every industry is increasing," says Sacchi. "The credit card may disappear with its functions embedded in some other device. Financial services are now offered in virtual networks like Second Life." CIOs intent on business innovation and revenue generation need to stay on top of how technology is permeating their industries. And it doesn't hurt to establish and lead an innovation committee that is poised to turn new ideas into action.

Pick the right company. As technology moves to the core of all businesses, CIOs will have a better shot at creating revenue-generating products if they pick a company that embraces its technological destiny. Like all of the companies mentioned here, Advanced Health Media is not, strictly speaking, a technology company. Its business is in managing promotional events for pharmaceutical companies, and it uses technology to fulfill that goal. In the process of supporting this business objective, CIO Greg Miller created a new technology product, a tool that tracks every transaction for every promotional dollar spent by its customers, that will begin generating direct revenue over the next 12 months. Serendipity? Not at all. Miller made sure going in that this was a company that would allow him to move seamlessly between internal systems and new customer products. "Prior to this position, I owned a software company, and Advanced Health Media was a client of mine," says Miller. "The founder of the company told me that he liked my approach and that he wanted to lead with technology."

In nearly every industry, the divide between technology and a company's core product line is decreasing by the minute. The time is now for CIOs intent on moving into "the business" to capitalize on this shift and start producing revenue. Show your CEO the money, and chances are good that he will show you a terrific new career opportunity in return.

Martha Heller is managing director of the IT Leadership Practice at ZRG, an executive recruiting firm based in Boston. Send feedback on this column to editor@cio.in
Gerry McCartney
Leadership

How to Influence People
Purdue University CIO Gerry McCartney approaches executive collaboration and influence by building alliances with the people behind the decision makers.

Big universities are like holding companies: we have several different businesses (in our case, colleges and administrative departments) that provide their own services and products under a single brand. Obviously, there are inefficiencies in this environment, and my job as Purdue University's CIO is to reduce resource duplication and provide centralized services. But the control that I have is limited. Half of the 1,000 staff members of Purdue's IT organization are located in the colleges and departments, and I have little authority in those areas. For example, if I decline a purchase request, our colleges and departments can make the purchase with their own budgets. Therefore, my primary course of action to accomplish my objectives is through collaboration and influence.

The raw ingredients of influence are straightforward: you have a story about a problem or an opportunity you want to address, a logical argument for your position and the supporting evidence for it. You mix those ingredients in proportions that seem just right for the decision makers you are targeting. But it's the approach that you choose to follow that can make or break your success. There are very few people in the world with the reputation or personal magnetism to make things happen purely on their own. The way people like me get things done is to get others to help us. To do this, I first concentrate on a small number of opinion makers who aren't necessarily in charge, but who are close to the top and help form others' opinions. Being able to identify those opinion leaders and make them your allies is the secret sauce of influence, a sauce you would like to taste.

Identify Your Allies

At Purdue's Krannert School of Management, where I was the assistant dean before taking the university CIO job, I knew who the opinion leaders were and knew them well. I also knew which people thought they were opinion leaders but really weren't. Now at the university level, there are a lot of people I don't know, and I'm trying to discern who the players are. Being sophisticated professionals, even if they are not relevant opinion leaders, they know how to create the impression that they are. To help me see past that, I have a trusted business-side ambassador in each area who can tell me who the players are. Then, it's up to me to verify that I know the right people to influence. To do this, I arrange to be part of a collaborative situation with them — such as a project or a committee — and I start to build a relationship. I'll observe whether the people follow up, keep their word and have a good sense of the pulse of their group. I'll usually try something small early on — something about which it doesn't really matter whether I win or lose — and see how the relationship plays out. For example, I might suggest to a hiring officer that we involve IT people in the interview processes for a faculty or administrative position. The hiring officer may make that happen, or tell you no way. Or she might be initially supportive of the idea but it never quite works out. Whatever happens, you'll discover whether this person is someone you can work with.

When I have an idea, my general strategy is to sound it out with the people who advise the person I'm trying to influence. Most people, when you pitch them something big, will have a couple of people they talk to about it. So my first pitch is to those ‘sounding board’ people. I don't ask them to bring my idea up with the decision maker herself; instead, I ask them what they believe the decision maker will think about it. I listen to how they poke at my idea. From those conversations, I'll determine whether I'm good to go, whether I need to tweak my pitch or whether my proposal is likely to be dead on arrival. Only rarely will I come on strong and let the decision makers know without a doubt that I want something I believe is critical to the university and thus to me. I will already have sounded out the people around them — and if necessary, applied pressure from underneath and sometimes from above — so that they know I'm going to do everything in my power to make this happen. That's not a tool you want to use every time you need to influence someone, because you use up a lot of credibility with such an all-or-nothing approach.

Let Your Allies Influence You

I always keep in mind that collaboration is a two-way street. People want to influence us, too, and we have to let ourselves be open to that. There are opportunities for collaboration even when decision makers think we've made a mistake. An example: the college of engineering is putting up a new building. The university's process for installing wireless services is to wait until the building is finished before we design and implement the technology system. There are some reasonable engineering reasons for doing it that way, but the process also derives from our experience, which comes mostly from retrofitting existing buildings. The dean of engineering called me to tell me this wasn't satisfactory. To her, it looked like we had dropped the ball. So I consulted with my technical people, then with the university architect who is managing the building construction. We concluded that it's better to tweak the wireless installation after it's installed than to wait until the building is finished. The architect and I went back to the dean with an accelerated schedule for wireless network installation and a plan to revise how we do wireless in all new construction. The dean feels rightly that her influence has improved our institutional processes. Because I took her complaints seriously, I may be able to turn to her the next time I need something. Additionally, I have established a new relationship with the university architect.

Competency in collaboration and influence is not something you can switch on. You have to follow some basic rules, such as always being honest, and work hard to avoid being defensive. You can study your fellow executives to pick up their techniques. But mostly, you've got to get in there and practice to find your own style. It's like negotiation; you'll win some, you'll lose some. But by becoming an expert in strategic collaboration, your business will be better off for your efforts.

Gerry McCartney is vice president of IT and CIO of Purdue University and a member of the CIO Executive Council. Send feedback on this column to editor@cio.in
Cover Story | Security
By Stephanie Overby

Your World
As your business becomes more collaborative and global, the risks to your company’s trade secrets rise proportionately. Fortunately, there are new strategies to protect the data that allow you to compete.

Reader ROI:
- Why online IP theft is a growing global threat
- Strategies for protecting crucial corporate data
- How to craft an incident response plan

The call to Bob Bailey, an IT executive with a major government contractor, came on an otherwise ordinary day in October 2003. “Why are you attacking us?” demanded the caller, an IT leader with a Silicon Valley manufacturer. He wanted to know why Bailey’s company had launched a denial-of-service attack against his network. Bailey (not his real name), deputy CIO in charge of IT operations, was thrown. He spent the next several hours reviewing logs and profiling systems. He discovered that someone had taken over one of the company’s servers and was using it to launch attacks against other companies in the valley. After conducting a forensic review of the drives, Bailey learned that intruders had been lurking on two of his company’s servers for almost a year. These hackers, who were traced to a university in Beijing, had entered the company’s extranet through an unpatched vulnerability in the Solaris operating system. As far as Bailey could tell, they hadn’t accessed any classified information. But they were able to view mountains of intellectual property, including design information and product specifications related to transportation and communications systems, along with information belonging to the company’s customers and partners.

“It was such a sobering experience,” Bailey says, not least because three years earlier he had conducted a network security audit and patched every hole. But he hadn’t done the same with the extranet.

Bailey will never know who hacked his servers. China’s poorly defended servers are often used to launch attacks. He likes to believe that the culprits were a couple of students who launched the DoS attacks out of boredom, grew bored with that and went on their ways. But he knows that comforting scenario may be wrong. It’s just as possible that the intruders were after his company’s IP. And they easily may have gotten it. (CIO agreed to Bailey’s request for anonymity in order to protect the identities of his company’s business partners.)

The Global IP Threat Landscape

According to cybercrime experts, digital IP theft is a growing threat. Although precise numbers are hard to come by, the US Department of Commerce estimates stolen IP costs companies a collective Rs 1,000,000 crore each year. And that number does not include hacked or hijacked information that goes unnoticed or unreported. The economic costs on a nationwide scale are impossible to quantify just yet.

Cost of theft: Rs 1,000,000 cr., the estimated amount it costs companies in the US each year in stolen IP. Source: US Department of Commerce

Suspected state-sponsored espionage against the US government has received the most publicity, thanks to the investigation of a series of coordinated attacks on federal computers dubbed ‘Titan Rain’. The 2003 attacks may have been the work of a China-based cyberespionage ring that was trying to steal government information, according to articles published in The Washington Post and Time magazine in 2005. But companies in any industry may be vulnerable.

As businesses increasingly collaborate with external partners and expand globally, they’re also increasing their exposure to criminals — and possibly foreign governments — who may have more on their minds than scoring some Social Security numbers. “There’s a ceiling on how much money can be made by stealing identities,” says Scott Borg, director and chief economist of the US Cyber Consequences Unit, an independent nonprofit institute set up at the request of the federal government to examine the economic and strategic consequences of cyberattacks. “You can actually steal the business — its processes, its internal negotiating memos, its merchandising plans, all the information it uses to create value. That’s a very large payoff.”

Unfortunately, most IT organizations approach the risk to IP the way they approach all IT security: focusing on the corporate perimeter and developing security tactics and policies from the system level up. Instead, CIOs must take a top-down approach. What’s required today is a counterintelligence mindset that assumes someone, somewhere, wants your data, along with multiple layers of defense to thwart would-be cyberspies and respond when (not if) they get through your defenses. “There are wide-ranging attacks against commercial organizations,” says Bill Boni, CISO of Motorola. “It’s incumbent on organizations — be they governments or commercial enterprises or academic institutions — to understand what their crown jewels are and make sure they are protected commensurate with their value.”

Exposed

The most widely-known cybercrimes have to do with the theft of customer information and credit card fraud. But the cost of lost customer information could pale in comparison to the long-term damage done when a hacker targets a company’s critical IP, says Borg. According to the 2006 Computer Crime and Security Survey by the FBI and the Computer Security Institute, theft of proprietary data and unauthorized access to information are among the four most common sources of loss due to cybercrime (along with viruses and hardware theft). Although the survey did not report any increase in losses due to IP theft, the authors note such costs are hard to measure accurately. Security experts assume, however, that the losses are significant.

“We’ve seen a big shift in the last two years to more sophisticated, stealthy attacks,” says Gartner VP and Security Research Fellow John Pescatore. Sometimes, he says, the aim is purely financial — hijack some data and get the company to pay you to return it; or steal a customer database and sell the personal identification to whoever will pay for it. “Other times, it’s industrial espionage. And as people started to look at where those targeted attacks were coming from, they found they were coming from all over the world.” Experts point to China, Russia, France and Israel as big players in this black market.

CIOs may be less aware of the threat to IP than to their systems, and therefore less prepared to protect the former. “Companies are thinking about worms and viruses, things that will not have very bad consequences and have always been wildly exaggerated,” says Borg. “Or they’re thinking about ID theft, which attracts a lot of attention, even though the number of cases is remarkably low.”

There’s a difference, too, in the systems an intruder looking for corporate secrets may target. IP thieves “won’t necessarily look at obvious financially sensitive areas,” says Borg, thereby escaping detection. “They may be looking at technical data, controls systems, automation software.” The results of IP theft can be hard to see — a slow degradation of one’s competitive position in the market may easily be attributed to other, noncriminal factors.

Until recently, the most conclusive public evidence that sustained industrial espionage has taken place in cyberspace has come from the military. Titan Rain was “the most systematic and high-quality attack we have seen,” says Ira Winkler, author of Zen and the Art of Information Security. Chinese hackers successfully breached hundreds of unclassified networks within the Department of Defense, its contractors and several other federal agencies. One Air Force general admitted at an IT conference last year that China had downloaded 10 to 20 terabytes of data from DoD networks. But it’s not just high-profile targets that are at risk. “The intellectual property needed to build a new type of safety restraint for an aircraft is just as important as anything else,” says Howard A. Schmidt, former CISO of eBay and former special adviser to the president for cyberspace security. IP thieves have targeted companies as diverse as retailers and high-tech manufacturers. In incidents nicknamed ‘the Trojan Affair,’ 18 Israeli executives from several companies were arrested for their involvement in an international computer espionage conspiracy that targeted competitive information from rivals, including the Israeli divisions of Ace Hardware and Hewlett-Packard in 2005. In the same year, several executives from software company BusinessEngine also pleaded guilty to hacking rival Niku’s systems to access its trade secrets.

Nevertheless, some companies are more exposed than others. Large, distributed organizations provide more opportunities for attackers to gain access to corporate networks, says Alfred Huger, vice president of engineering for Symantec Security Response. Historically, the biggest risk to IP has been from insiders. A few years ago, Motorola detected suspicious unauthorized activity on its network. Boni’s security team traced the activity to an employee workstation, which contained a directory populated with a complete hacker toolkit. Under questioning by investigators, the employee admitted that he’d been asked by a competitor to hack into Motorola’s systems to access sensitive IP; he was terminated.

In today’s global economy, the number of insiders within any organization has increased dramatically if you count external partners among them. “Organizations now have to deal with employees connecting from home offices, the local Starbucks and shady hotels,” says John Bumgarner, research director for security technology at the US Cyber Consequences Unit. “They also have to deal with business partners and customers having access to their networks via VPNs, dial-up connections and Web portals, any of which can be used to compromise the organization’s resources.”

It was a connection to these externally-based insiders that got Bailey, at the government contractor, in trouble. “The extranets pose a problem because many of them are controlled by program managers for the benefit of the customer,” says Bailey. “And that can make policy enforcement problematic.” But the focus on pleasing the customer backfired. “There’s nothing worse than having to call up your customers and say, Because of our negligence, we’ve compromised your proprietary information,” Bailey says.

Hacked and Back

If you thought India was not on the radar of global cybercriminals, you should speak to P.A. Kalyanasundar, head of IT at Bank of India.

The morning of August 31, 2007, began badly for P.A. Kalyanasundar, head-IT, Bank of India, a nationalized Indian bank with over 2,600 branches. A blog entry posted in the wee hours by security solution provider Sunbelt Software cautioned people against visiting the bank’s website. Soon, news that the site had been compromised by a criminal gang, Russian Business Network, was making headlines and Kalyanasundar's team was inundated by calls. “As soon as people started calling us, we tried to log onto the website. Initially, the agency handling our information security reported nothing amiss. But soon, we realized that users logging onto our site were being re-routed to another website, which was pushing out a large number of malware,” recalls Kalyanasundar.

The Russian Business Network manipulated an IFRAME exploit on the Windows web server and embedded rogue code in the site’s HTML, thereby redirecting visitors to another hacked server that dished out 22 different identified malware. However, most fully patched systems with a good antivirus were completely safe, and the bank’s site itself was not defaced and had no traces of malicious keyloggers.

Kalyanasundar, as a target of global cybercrime, agrees that as IT becomes more of a business enabler, its inherent challenges like IS are increasing proportionately. “However, the threat is not insurmountable,” he states. “The moment we came to know of the incident, we brought the site down. We created a new, static page to avoid further damage,” says Kalyanasundar. Fortunately, the internal systems and applications of the bank, including its core banking system and Internet banking app, were unharmed. “Except for our user-facing website, we faced no further damage, thanks to the security in front of the internal business apps. No apps were harmed; no IP or user information was stolen and no money was lost,” states Kalyanasundar for the record. (The bank has ISO 27001 certification for its datacenter and DR site, a rarity among PSU banks.)

The attack was discovered on Friday and by Monday the site was partially up, starting with core customer services. “The internal IT team, the hosting company, and our security agency all sprang into action. I directed the operations myself. The only challenge was logistics as we had to regroup our resources over the weekend,” he says. Their corrective measures were followed by a vulnerability assessment for all of the bank’s IT systems and apps. After the attack, the periodic vulnerability assessment and monitoring was made continuous. Some of the bank’s apps, which were already on a 24x7 monitoring cycle, were monitored closely for any untoward activity. “We have been given a clean chit by various security agencies. And a number of blogs are praising our short turnaround time in mitigating the threat,” he smiles. — Gunjan Trivedi
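The Bank of India incident described above turned on rogue IFRAME code embedded in the site's own HTML, which silently sent visitors to a second server hosting malware, and the bank's response was to make monitoring of its web assets continuous. The following is an added example (not code from the bank, the magazine or any vendor named in the story) of the kind of page-integrity check a web team can run on its own site: it compares a live copy of a page against a known-good baseline and flags any iframe or script that loads from a host outside the site's own domains or that is sized or styled to be invisible. The hostnames and HTML are constructed placeholders.

```python
"""Page-integrity check for injected iframes and offsite scripts.

Added example (not the bank's or the magazine's code). It models a check a
web team can run against its own served pages: a known-good baseline is
compared with the live HTML, and any iframe/script/object/embed that points
at a host outside the site's own domains, or that is hidden or zero-sized,
is reported. All hostnames and markup below are constructed placeholders.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a known-good copy of the home page saved at deploy time.
BASELINE_HTML = """<html><head><title>Example Bank</title>
<script src="/static/app.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="https://www.examplebank.invalid/rates"></iframe>
</body></html>"""

# Constructed sample: the same page after an attacker appended a hidden
# frame that pulls content from a server the site does not control.
INJECTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<iframe src="http://redirector.invalid/loader" width="0" height="0" '
    'style="visibility:hidden"></iframe></body>')

# Hosts the site legitimately embeds content from (constructed).
TRUSTED_HOSTS = {"www.examplebank.invalid", "examplebank.invalid"}


class _EmbedCollector(HTMLParser):
    """Collect the attributes of every tag that can pull in remote content."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag_name, attrs_dict)

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script", "object", "embed"):
            self.found.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """True if the element is styled invisible or has a zero width/height."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        return True
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    return width in ("0", "0px") or height in ("0", "0px")


def find_suspicious_embeds(html, trusted_hosts):
    """Return a list of findings: embeds from untrusted hosts or hidden frames."""
    parser = _EmbedCollector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.found:
        src = attrs.get("src")
        if not src:
            continue  # inline script or a frame with no source to inspect
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        reasons = []
        if host is not None and host.lower() not in trusted_hosts:
            reasons.append("offsite host " + host)
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings


def content_hash(html):
    """SHA-256 of the page body, the value a baseline store would keep."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def page_drifted(baseline_html, live_html):
    """True if the live page no longer matches the deploy-time baseline."""
    return content_hash(baseline_html) != content_hash(live_html)


if __name__ == "__main__":
    # Clean page: nothing to report, hash matches the baseline.
    print("baseline findings:", find_suspicious_embeds(BASELINE_HTML, TRUSTED_HOSTS))
    # Injected page: hash drifts and the hidden offsite frame is flagged.
    print("drifted:", page_drifted(BASELINE_HTML, INJECTED_HTML))
    for finding in find_suspicious_embeds(INJECTED_HTML, TRUSTED_HOSTS):
        print(finding)
```

In practice the hash comparison is the cheap, frequent check (it fires on any unexpected change to a static page), and the embed scan is what tells an on-call engineer whether the change looks like the redirect pattern described in the story rather than a routine content update. Both checks only read the site's own served output, so they can run from a monitoring host on a short interval without touching production systems.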
How Vulnerable Are You to IP Theft?

You’re at risk for online IP theft if your intellectual property is digital. But there are varying degrees of exposure. “It has to do with how valuable a target you present and how well-defended you are,” explains O. Sami Saydjari, president of security consultancy Cyber Defense Agency. The types of organizations that currently face the highest risk include:
- Large, globally distributed organizations
- Small to midsize businesses in niche markets
- Companies with foreign partners or that sell directly in foreign markets
- Organizations with decentralized IT
- Military or government organizations that rely heavily on contractors and suppliers
- Industries like telecommunications that supply critical national infrastructure
- Organizations lacking executive sponsorship of security issues, technical enforcement of security policies, adequate security monitoring or process/preparedness for dealing with security breaches

External partners, locally and globally, are a major source of risk. “You can spend millions on your own defenses,” says John Bumgarner, research director for security technology at the US Cyber Consequences Unit. But attackers may find a way in through weak spots in the systems of customers or suppliers. As intruders’ sophistication increases, however, all organizations may face similar vulnerabilities. “With new hacking methods, if the information is not encrypted and it is very valuable, it’s at high risk,” says Alan Paller, research director for the SANS Institute. — S.O.
Cover Story | Security
Vol/2 | ISSUE/23

The Counterintelligence Mindset
As hacking has grown more purposeful, the traditional IT security mind-set has failed to keep up. “There’s virtually unlimited information to protect and unlimited supply of threat and vulnerability,” says Motorola’s Boni. And there are no easy solutions. “Risk management oversight over distant suppliers is an emerging art,” Boni says. The vast majority of IP loss incidents are simple errors: posting information to externally facing websites wrongly assumed to be protected or including confidential information in a reply to an e-mail that includes external recipients, says Boni. The most successful hacks, says Bumgarner, occur because attackers get lucky, stumbling across a vulnerability while scanning thousands of IP addresses. But the most dangerous attacks are deliberate. To defend against targeted attacks, Motorola uses traditional controls such as firewalls, intrusion detection tools, antivirus software and digital forensics — but with a difference. “We’re operating our information security toolkit with a counterintelligence mindset,” says Boni. Like the military, Boni assumes there’s an enemy looking for an advantage and it’s his job to outwit him. “Putting those tools together with an understanding of what is or could be of greatest interest to competitors allows a more granular focus on the data,” he says, “not just on the network.” Boni partners closely with business units to attempt to forecast the risk to particular IP-related information. “Every product or service has market share and projected financials. We try to understand what pieces of information are key contributors to that product or service and if they are at risk to targeted attacks.” More companies need to adopt this more nuanced approach, agrees O. Sami Saydjari, president of Cyber Defense Agency, a security consultancy. “They’ll hire white-hat hackers — doorknob turners who shake all your doors and tell you where they got in,” Saydjari says. “And the company will try to figure out where to close those vulnerabilities. That’s primitive analysis.” When Bailey, the government contractor, conducted penetration testing of his internal systems, the white hats delivered a five-inch-thick report of vulnerabilities. He says he closed every hole, but he ignored the extranet. Nor did he have a comprehensive program for updating systems and installing patches. “The lessons learned from the exploit were not uniformly applied across the business,” says Bailey. “That was my mistake.” While monitoring and patching of systems is essential to any security strategy, many CIOs and IT security professionals approach the task backward, says Schmidt. “The discussion always seems to be, ‘Tell me where the threat is and I’ll secure that system,’” Schmidt says. “You need to test systems for vulnerabilities before deploying, have a plan in place to patch them, and audit to see who’s doing what and where data is.” Turning the traditional approach to security on its head can help IT organizations prioritize spending to protect critical IP. “You need to look at the mission of the organization from the top down as opposed to the bottom up,” Saydjari explains.
Defense in Depth
Without a clear idea about which IP assets most need protecting, CIOs may put their security dollars in the wrong places. “Most large organizations have all done basic blocking and tackling — firewalls, antivirus products, etcetera,” says Amit Yoran, CEO of network forensics company NetWitness and former director of the Department of Homeland Security’s National Cyber Security Division. But perimeter defense goes only so far. Companies need a cyberdefense strategy that is multilayered, with different types of protection at each layer. One strategy, called ‘defense in depth’, derives from the military technique for slowing down rather than trying to stop the advance of an adversary. An early example of defence in depth is the concentric castle. The model applies when the question is not if, but when, hackers will break in. “If you reinforce one area, [attackers] will look to another,” says James Lewis, director and senior fellow with the Center for Strategic and International Studies. “The job is to reduce the chance that they’ll be able to get in.”
On the network, defense in depth means traditional perimeter security is supplemented with advanced intrusion detection systems, segmented networks with tighter security around some information, demilitarized zones for public data and security audits. But a good defense-in-depth strategy takes its multilayered approach to people, processes and technology as well. The approach enables IT security teams to get beyond dealing with hackers as if playing a game of whack-a-mole and treat the problem more like a chess game, says Jim DuBois, general manager of information security and infrastructure services security for Microsoft. DuBois has worked at Microsoft for 14 years and lived through a public incident in 2000 when hackers, who The Wall Street Journal reported were traced to Russia, allegedly accessed some of Microsoft’s key applications and source code. (DuBois was not part of the security group at the time. A Microsoft spokesperson argues that the incident was not portrayed accurately in the media, but that it reinforced the importance of security controls and helped drive adoption of several projects, including smart cards for remote access and a public key infrastructure. This allows for the secure and private exchange of data in unsecure environments.) “The thought process is no longer making sure nothing bad ever happens,” says DuBois. “There may be a bug in the Cisco code or someone might misconfigure a device. If [attackers] get at that chess piece we left unprotected, what will we do?” Microsoft has moved toward host-based controls, meaning they protect the data on a device or a network. “You have to protect everything, not just important data. Controls are more onerous than they need to be,” says DuBois. He wants to get more granular. His goal is to secure the data itself, not the hardware or applications in which it resides, with next-generation digital rights management tools.

Common Sense Approach
Biocon's security blanket is a thick security policy layered with plenty of training, challenging common wisdom that complex rules don’t work.
Biocon’s IT chief Radhakrishnan G. has a very simple way of ensuring the safety of his company’s intellectual property: a detailed user-access policy. “All IP is treated as vulnerable,” he says. “Data of all our R&D projects are stored on Lotus Notes and are secured based on access levels.” When asked how companies should protect their IP, Radhakrishnan says a multilayered defense strategy is the best approach. He says his first priority is to protect all projects, and his second priority is to give access to certain users in a restricted manner. “This way,” he points out, “even if a user wants to leak information, he will find it difficult.” Biocon has set up authentication at three levels. It first authenticates the user, then the projects he or she can access, and on top of that it controls how the user accesses the information. Biocon also has controls on what can be taken out by users and a list of people who are barred from even printing certain kinds of information. Carrying this security policy further, Radhakrishnan says computers don’t have CD writers and though they have USB drives, access to USB ports is granted based on username and credentials. Also, “all outbound mails are scanned for confidential information,” says Radhakrishnan, adding that Internet access is restricted. This means employees cannot access Web mails or IM, and even outbound attachments are quarantined to ensure security. Despite these elaborate security measures, Radhakrishnan acknowledges that there could be a breach, but goes on to add that systems are in place to handle such incidents too. “If somebody is doing something that breaches confidentiality, we inform his HoD and also the HR department – it’s a policy,” he says. In minor cases, a warning is issued, but termination is possible in case a breach is severe. That hasn’t happened yet. And they aren’t counting on firing anyone soon — thanks mainly to training, says Radhakrishnan. “All employees go through an induction program, where all matters concerning security of IP and confidentiality are covered. I haven’t come across any problems in the last two years,” he says. — Balaji Narasimhan
— Radhakrishnan G., GM-Systems, Biocon
Classifying Information
Over the years, Microsoft has sought to increase protection of its source code. But sometimes, it has done too much. “We found a lot of places where we had too many controls around code we’ll actually give away for free,” says DuBois. The right level of protection can be difficult to pinpoint, however. Too often, organizations apply the same standards of security for everything. That leaves some less valuable data overprotected and some more critical IP relatively exposed. Not only that, says Borg, but when CIOs think about what to defend first, they’ll often think of the company’s most critical systems, like ERP or customer databases. However, he adds, “that’s usually not where the liabilities are created, because that’s not where the company creates the most value.” Motorola has developed what it calls an enablement zone environment, which segments the network, allowing groups of systems and applications to share a set of targeted security controls. In this way, security controls are aligned with the risk to the information the systems contain, as well as with relevant regulations or contractual terms. The most intrusive security solutions — including digital rights management, virtualization of content (to prevent its propagation outside the controlled environment) and role-based identity management — “are only warranted on breakthroughs,” Boni says. He advocates revisiting the classifications often. “If eternal vigilance is the price of freedom,” says Boni, paraphrasing Thomas Jefferson, “continuous monitoring and preparation to respond quickly is the cost associated with global digital commerce.”
Your Incident Response Plan
Another layer of defense in depth is being prepared when intruders strike. “The IT model for dealing with a disruption is to get that server back online as fast as possible,” says Boni. But before that happens, he adds, ask yourself how important the contents of the system are, whether intruders any critical data and whether the attack might be meant to distract you from the real target. Boni does a first-level analysis. If triage determines that the incident could have a high impact, or if it appears deliberate, it may warrant a more significant response than the vast majority of intrusions that can be addressed through analysis of log files and systems profiling. (For instance, he may call law enforcement, and secure affected systems and servers for evidence.) “Prudent incident response means planning ahead,” says Yoran of NetWitness. “People need to know how to receive and interpret various clues and deduce [what] may have occurred or may be occurring.” Communication is also critical. “Incident response is still very siloed and technology focused,” says Khalid Kark, a senior analyst with Forrester Research. For serious breaches, Boni brings in a cross-functional team that includes, among others, crisis managers, internal auditors, lawyers and HR to assess the incident and determine who needs to be involved in the response. Yoran suggests interacting with public relations advisers, user communities and vendors, where necessary. When the problem is global, the challenge escalates. “It may require interface with the local or regional staff, [which], given language, time zones and differences in operating practices, may be more difficult to coordinate, even inside an organization,” says Boni. “Establishing working relationships with federal law enforcement ahead of time also helps,” says Yoran. “They regularly work these issues with foreign parties.” When it’s time to pick up the pieces, Alan Paller, research director with the SANS Institute, pushes for root-cause analysis to determine which exploits the hacker used and what can be learned from that. That’s what Bailey, the government contractor, did once he discovered his problem.

Identify Your Critical I.P. Now
You may think you know which pieces of your company’s intellectual property are most valuable — and therefore most vulnerable to intellectual property theft. But you’re probably wrong. Even at Microsoft, which is known for zealously guarding its IP, “one of the hard things to do is to get business leaders to articulate what pieces of information are most valuable in running their businesses,” says Jim DuBois, general manager of information security and infrastructure services for Microsoft IT. To capture the information you need to plan IP protection, ask questions, says Bill Boni, Motorola’s CISO. You might start by inquiring what information might let a competitor move ahead in the market or help a counterpart in a foreign company achieve personal gain. A good business intelligence department can use its data to help. Once you’ve identified your company’s critical IP, which controls and countermeasures you put in place may come down to how much you want to spend defending certain know-how. Because there’s little accurate data available on the costs of IP theft, there aren’t any concrete cost-benefit models to work with. Boni uses Motorola’s own financial predictions. “You’ve already done a lot of financial analysis about the benefits of a product or service,” he says. “You can use those to estimate the damage if that IP is lost or stolen.” The cost-benefit calculation comes down to the probability of IP theft times its consequences, says O. Sami Saydjari, president of Cyber Defense Agency, a security consultancy. “If there’s a decent probability that attacks could cost you Rs 2,000 crore, it might make sense to invest Rs 20 crore,” Saydjari says. “Without that expected loss, you can’t make the business case.” — S.O.
After contacting law enforcement, making a full disclosure to affected customers and partners, and completing a forensic analysis, he moved to cover the holes in his data protection strategy. These included better procedures for installing patches. He also recruited a manager of information security, expanded her department and set up a computer incident response team. Among its activities, the team lurks on hacker boards to keep up with the latest exploits and conducts intrusion detection exercises. Today, most important, Bailey fully appreciates the risks. That’s the key for CIOs who must manage the growing threat to corporate knowledge, says Borg: “Simply appreciating the stakes.” “There’s some very sophisticated hacking taking place — some of it state-sponsored — and they’re going after IP,” says Bailey. “We can never be 100 percent secure, but we’ve redoubled our efforts. It taught us a big lesson.”
Stephanie Overby is senior editor. Send feedback on this feature to editor@cio.in
What happens when a key player in a company goes down? Who takes over? By C.G. Lynch
Reader ROI:
Why continuity plans need to factor in the human element
Why succession plans need to reach beyond the C-level
How to avoid gaps in succession planning
On February 2, at 5:15 PM, Alan Boehme, 47, VP and CIO of Juniper Networks, left his office and climbed into his black 2004 Infiniti G-35. He pulled out of the company parking lot and began the 90-minute drive to his home in Half Moon Bay, a coastal town in Northern California’s San Mateo County. Boehme’s work had been going well. In December, he had completed an ambitious restructuring of the Rs 10,000-crore networking company’s IT infrastructure, globalizing its operations and laying the foundation for its future growth. Boehme took California Highway 280 to Highway 92, a two-lane road about 10 minutes from his house. A few seconds later, a drunk driver in Boehme’s lane hit him head-on. “The person in front of me swerved off the road because he saw the guy coming,” Boehme recalls. “The next thing you know, these headlights were coming straight at me. We hit headlight to headlight. I remember thinking, my wife and son are going to lose their husband and father.” They didn’t. But the aftermath was ugly.
Business Continuity
“I felt blood just gushing down my face and I was in a state of panic and shock,” says Boehme. “Somehow, I was able to get the seat belt off, kick the door open. I got out of the car and just started yelling, ‘Help me, help me.’” A witness to the crash helped Boehme to the side of the road. An artery in his nose had been severed and he was bleeding profusely. “I had broken bones in my face, and my nose was turned sideways and crushed,” he says. “I ended up with a contusion of the skull and a fracture at the base of the skull, along with, we found out later, a series of injuries to the left side of my body, including my knee, where there were torn ligaments and a crushed kneecap, as well as a broken finger and torn muscles in the shoulder from the seatbelt.” Boehme lay on the side of the road as emergency medical technicians attended to the drunk driver, believing his stomach wound was more life-threatening than Boehme’s injuries. “I was very upset that here’s this person who for all I knew had ended my life, and at the very least dramatically impacted my life. And they’re rushing to save him,” he recalls. Feeling cold and abandoned, Boehme asked the man who had stopped to grab his BlackBerry. He called his wife, Alisa, who arrived 20 minutes later with their 11-year-old son, David. They found Boehme lying on the roadside, still waiting to be taken to the hospital.
Later that night, at Stanford Medical Center, doctors monitored what they believed was a fluid leak in Boehme’s brain. They stitched up his face and put IVs in both arms. Boehme drifted off on painkillers. He awoke Saturday morning to find his BlackBerry by his side. “I don’t know if my wife picked it up or if they put it on my person,” says Boehme, “but I e-mailed Danny Moquin [his VP of IT operations and infrastructure]: ‘Been in a car accident. You need to take over.’”
The Importance of Succession Planning
What happens when a key player in a company goes down? Who takes over? What effect will replacing an individual have on operations? While most businesses have organizational charts that map out what to do after disruptions — whether they’re caused by resignation, firing, retirement, sickness, injury or death — these are often crude in format and live in dusty filing cabinets in HR. And because succession planning often falls under the categories of disaster recovery and business continuity, it frequently receives less attention than does preparing for sexier events such as hurricanes, earthquakes and terrorist attacks, even though these are far less likely to occur than, for example, a car accident.
Planning for major catastrophes also emphasizes information systems and the proprietary data within them and all too often gives short shrift to the people who manage it all. “The old question is: what if someone gets hit by a bus? Well, we know the answer to that now,” says Moquin, who took over for Boehme during his two-and-a-half-month convalescence. Companies often lack succession plans that reach beyond their C-level officers and their direct reports. In a report by Aberdeen Research, 82 percent of the companies surveyed claimed to have a succession plan for their executives, while only 17 percent did for lower-level workers and just 12 percent for their IT staff. This leaves less-visible (and often younger) employees stepping into managerial roles after a disturbance in the head ranks, often without sufficient training or preparation. “Ideally, it starts with the C-level and the direct reports, but it can’t just stop at the management level,” says Sam Bright, an analyst at Forrester Research. “There are key people on the technical side that if the company were to lose them, it would have a huge impact on performance.” Today, after the collision on Highway 92, Boehme and his staff know that no matter an organization’s size or how solid and well thought out its processes, individuals matter. “Obviously, a well-run corporation isn’t about a single leader,” says Boehme. “But still, what are those unsaid things that a person does or that a person contributes to that are not in the process? Those are the hard things to measure, and those are the hard things to plan for.”
The succession plan of Alan Boehme, CIO of Juniper, only covered C-level executives because his IT department was being restructured.
The Pre-Crash Plan
In the year leading up to his crash, succession planning had come up in conversations Boehme had had with his direct reports. They had a plan laid out on spreadsheets. The document, which resembled a standard org chart, lived in HR. It covered Juniper’s C-level officers, IT executive team, and their direct reports — and not much else. This type of succession plan is typical in the majority of America’s top companies, 62 percent of which use the same method, according to the Aberdeen survey. While Juniper’s HR stored résumés on its system as well, Boehme says “you couldn’t just press a button to get what you need.” The reason Juniper’s plan went no farther was not laziness; it was, says Boehme, time pressure. During his first year and a half as CIO, Boehme restructured Juniper’s operations and infrastructures in Asia, Europe and the US — each with its own networks and systems — and put them all under one umbrella. This was not just about technology for Boehme; it was a managerial challenge. The direct reports he inherited after he came on board in 2005 were, he says, lukewarm about the integration. “Change is difficult,” Boehme says. “Some people self-selected themselves out of the organization. I literally replaced the entire leadership team of the IT organization, all of my direct reports, with the exception of one.” As Boehme’s some 300 IT employees and contractors adapted to a lot of change, it was hard for him to focus on a formal succession plan, at least until he conceptualized their new roles and established a new chain of command. “Because we’d just gotten through the restructuring, we’d just started to move to standardizing the job ladders,” he says. “We’d done some of the work, but [at the time of the car crash] it was basically a work in progress.” Since his return, Boehme has made installing Oracle’s PeopleSoft software, which logs employee data for succession planning, a high priority.
However, he says he won’t implement it until Juniper has collected sufficient information about his employees’ skill sets and work histories. Experts say that’s wise. An automated solution of this type is only as good as the information put into it. A lot of companies don’t have enough information about the skill sets, leadership skills and experience levels of their employees to warrant spending on an automated system, notes Kevin Martin, research director of human capital management and analyst at Aberdeen. “The primary reason that companies are still paper-based is that they don’t have the succession planning process nailed down yet,” he says.
The Ripple Effect
In Moquin, Boehme had the benefit of a fairly obvious replacement while he was recovering. As a friend and colleague (they worked together at GE Energy, a Rs 80,000-crore division of the company that Boehme worked
for from 1999 to 2003), Moquin was put in charge of Juniper’s IT operations and infrastructure when he was hired by Boehme in June 2006. “It was pretty clear that Danny was going to be the person we went to,” says Bill Skeet, director of IT communications and Web technology, one of Boehme’s direct reports. “Sometimes, it’s just enough to know that when someone is absent, there is a ‘Number One’ that fills in, taking the Star Trek analogy.” Approval processes were shifted to Moquin, who began sitting in on the senior leadership meetings that Boehme normally attended. Almost immediately, however, Moquin noticed something obvious but inescapable: his old work didn’t suddenly go away. “The eye opener was that as I started taking on Alan’s responsibilities, especially his strategic ones, I had to look to my team and start delegating both some of Alan’s work and some of my own,” he says. The consequences rippled through the entire IT department. And as work was passed down the chain of command, it became clear that simple delegation had its difficulties. For instance, one IT lieutenant, Brian Nichols, senior director of business program management, was charged with overseeing an upgrade to a business process management software project that had hit some snags in Boehme’s absence. But because some of Boehme’s responsibilities had trickled down to him, Nichols found himself with a full plate. Although he could have passed the BPM project on to one of his reports, he didn’t feel that any of them had sufficient management expertise to handle it on their own. “I had to step in when I would have liked to have delegated,” Nichols recalled. Nichols now says he recognizes the importance of giving his direct reports the same type of leadership training that he, Moquin and other director-level reports have received. Analysts say this is especially vital in a field like IT, where technical workers usually have the requisite skills to do the job but often lack the necessary managerial expertise. “You need to encourage employee development beneath the managerial ranks,” says Forrester’s Bright. “When attrition occurs, you can’t take the time to catch people up when you have a gaping hole to fill.” Boehme says that before the accident, Moquin was in the process of laying out a training program for managers and people who aspired to be managers, but “we had been somewhere between the beginning and mid-stages of laying it out.” They plan to continue with the program in the future to develop a deeper bench, he adds. “You need it from the bottom up as well.”

Clout That’s Hard to Replace
Moquin says the momentum Boehme had established kept things moving forward after the crash. “Having everyone within the organization focused on the same goal made it easier to carry on,” he says. “There weren’t a bunch of different agendas.” That may have been true, but after Boehme’s crash, Juniper’s IT projects didn’t all move forward with the same momentum they had in the past. Juniper employees say this wasn’t due to a lack of leadership at the top; everyone contacted for this article lauded Moquin’s leadership. But they say Boehme’s C-level pull across the organization just couldn’t be replaced, particularly with senior executives. “[Boehme] has relationships and understands the needs of business partners at the senior VP level,” says Nichols. With Boehme out of commission, communication at that level was compromised, Nichols adds. For example, Juniper was in the process of implementing a new document management system. The decision to begin the project had been made at an executive steering committee meeting that Boehme had attended. After the decision was made to do the upgrade, he placed Nichols in charge of implementing it. Nichols found a company that had the appropriate software and bought the licenses. However, when he began implementing it during Boehme’s absence, a problem arose. One of the user groups didn’t want it, preferring a homegrown system. “We had some pushback,” says Nichols. “I had to fight that battle without Alan and without knowing the context within which the decision was made. Normally, Alan would have taken care of it.” Without Boehme — and without a subordinate with Boehme’s full authority and knowledge of the situation — a conflict that normally could have been resolved in a few hours took much longer and absorbed more energy than it needed to.

Your Succession Toolbox
Get help capturing employee skill sets and experience. A 2006 report by Aberdeen Research notes that 62 percent of companies operate their succession planning in a paper-based, spreadsheet format. Prior to CIO Alan Boehme’s car crash, Juniper Networks largely worked on that model. Now, Boehme says he hopes to implement an HR solution from Oracle’s PeopleSoft that will help capture more employee data. Other companies might consider similar systems when forming a comprehensive plan, but Kevin Martin, an Aberdeen analyst, notes that there are very few vendors dedicated solely to developing software for succession planning. However, here’s a list of ERP and Human Capital Management (HCM) software that he says could help:
ERP Solutions: Oracle (PeopleSoft), Infor
Human Capital Management Solutions: SilkRoad Technology, Softscape, SuccessFactors, Meta4, Sapien
— C.G.L.
Back to Normal? Boehme takes the train to work now. His days of driving fast, sporty cars are over. He recently bought a BMW X5, which is “probably the heaviest SUV I could find short of getting a [Chevy] Suburban,” he says. He attends physical therapy sessions two to four days a week. Doctors tell him that his brain injury will take up to 18 months to fully heal. Since the crash, his blood pressure has risen and he now takes medicine for it. He still hurts. He gets tired earlier in the day. “I come home from work and the first thing I do is sit down and rest for 20, 30 minutes before I can continue with my evening,” he says. Boehme’s injuries kept him out of the office for two and a half months. He admits that when someone misses that much time, it’s not like coming back after a vacation. It’s
3 Key Succession Planning Tips Expert advice on how to leave your business in a position to move forward when the predictably unpredictable occurs.
1
Extend succession plans as far down the chain as possible. When a disruption occurs, “it cascades through the entire organization,” says Kevin Martin, an analyst with Aberdeen Group. “You should be prepared at every level, two to three people deep.”
2
Encourage people to step in for others during vacations. This builds expertise. “It’s like trying to tell if someone can ride a bicycle when you’ve never seen them ride,” says William J. Rothwell, a consultant who deals with HR management and succession planning. “An excellent way to find out is to let them ride the bicycle for short distances.”
disorienting. In fact, he spent a lot of time planning his reentry with Moquin, COO Stephen Elop (to whom Boehme reports) and with Juniper’s HR department. Boehme says he couldn’t pick up where he had left off. “It wasn’t like all of a sudden, I’m back,” he says. Succession planning, however, has risen on the list of Boehme’s business continuity priorities. He says he has nearly 45 people working on the new PeopleSoft HR system. It will include areas that log employee history to help Juniper executives and managers make a more comprehensive succession plan, from top to bottom and across the whole company. Other companies seem to be moving in that direction as well. According to Aberdeen, 39 percent of companies report now having a fully or partially automated solution for succession planning. “Although [Juniper’s] was paperbased and it worked, the accident wakes you up to realize that it can be much more efficient if it is systematized,” Boehme says. He reiterates that Juniper will continue to train workers at all levels in leadership and managerial skills to create a deeper, more agile bench. Analysts on succession planning and human capital suggest mentoring programs that have lower-level technical workers shadow their bosses from time to time and make connections with other leaders in the business. “Establishing political relationships helps grease the wheel,” says Forrester’s Bright. “They’ll have established credibility.” And perhaps that will help avoid situations like the one Nichols found himself in with the engineering group on the document management project. For now, Boehme is working on regaining his energy while adjusting his schedule. He works at home more. He’s set up a special router in his house that will ensure a secure connection to Juniper’s network. He uses videoconferencing to help communicate with other Juniper sites across the globe. But more time working at home doesn’t mean taking it easy; he says he’s now as busy as ever. 
The crash has given Boehme a new understanding of and appreciation for the human side of business continuity planning. “When you think of business continuity and disaster recovery, you tend to think of earthquake and tornadoes and events,” he says. Today, Boehme thinks about what most people don’t want to think about: what can happen to a person in a bad moment. “We don’t personalize these things,” he says, “because you don’t want to wish what happened to me on anybody.”
3. Assess employee skill sets. This could prevent you from having to go into the market and overpay for talent you might already have in-house. “There are so many skills in demand,” says Sam Bright, an analyst at Forrester Research. “If you have to go outside, you’re going to pay a premium. You need to know what you have in-house.” —C.G.L.
C.G. Lynch is associate staff writer. Send feedback on this feature to editor@cio.in
October 15, 2007 | REAL CIO WORLD | Vol/2 | ISSUE/23
Atul Nishar, founder & executive chairman of Hexaware Technologies, says a CIO's ability to handle users is more important than the ability to manage technology.
People Dynamics Is The Key
By Kanika Goswami

The CIO is a man of the people — that’s the view Atul Nishar has of technology heads. The most important quality, he says, is a CIO's ability to manage the dynamics of people. The CIO has to be a change agent and his forté is the perseverance in getting new technologies and ideas accepted. At Hexaware, rated among the top five PeopleSoft service providers globally, the IT team consists of people who interface processes across applications. This ensures that IT and its head align technological processes with business strategies, says Nishar.
CIO: What is the role of IT in the growth of Hexaware?
Atul Nishar: A better-aligned organization is important to the growth and development of any organization. Hexaware’s internal systems facilitate institutionalizing processes and aligning people to work on a common framework throughout the organization.

View from the Top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.
How does the CIO add to your strategy?
Understanding challenges from a business perspective, while looking at processes from the customer’s perspective, makes an impact on the implementation of internal systems. Each IT initiative needs to have a purpose with clearly-defined business benefits, including increasing the operating efficiency. Thus, a CIO has to play a dual role. When business and IT put their heads together, they can transform the company’s operating efficiency: from identifying a market opportunity, converting it into business and successfully delivering the service. The IT team is structured to work from a business-process perspective instead of looking at the application level. At Hexaware, all people who interface a process across applications are grouped together under one team. This approach helps our team to align processes with business.
Why do you think Indian companies should outsource?
We advise our customers to leverage outsourcing because we believe it enables them to focus on strategy and growth. In our own organization, standard work like supporting IT infrastructure, messaging and office automation applications — stable applications with no direct relation to our business like payroll, employee benefits processing, etcetera — are outsourced.

What are your criteria in choosing an outsourcing partner?
As a leading IT outsourcer, we display the following qualities and seek the same in an IT outsourcing company:
It must be a durable company.
It should take ownership and have a stable workforce.
It must be process driven and have the required expertise.
Find the flexibility to respond to unknown or unpredictable scenarios.
Understand our customer’s perspective.
You did not mention scalability. How does Hexaware handle this?
Hexaware’s differentiator has always been its ability to scale up quickly. We believe a scalable delivery engine needs to be developed in order to sustain growth, whether it is scaling up the size of a team or providing specialized expertise to an underserved market. At the stage we are in, it is critical that we manage our current growth rate to continue to scale in terms of talent and competencies. Additionally, by implementing a niche strategy, we address client-needs in a more focused manner. We expand our management team to create levels of expert decision makers. This not only gives us flexibility but also leads to superior growth.

Atul Nishar expects I.T. to: break individual authority; align business goals with the organization’s vision; excite people in IT.
Hexaware provides service across verticals. Is it hard to integrate your processes? As I’ve said, at Hexaware all people who interface processes across applications are grouped together under one team. This approach further helps us align our processes with business.
“The CIO is a change agent. He should align a business manager’s goal with the overall vision.” — Atul Nishar

How are Indian CIOs different from their global counterparts?
Let’s take this point by point. The US CIO:
Manages a bigger IT budget as compared to Indian CIOs.
Has higher dependence on outsourcing and engaging more contractors.
Spends significant time in networking and keeping himself abreast with technologies.
Restricts involvement in details.
Mostly manages IT operations and program management. Very few CIOs have transformed the organization through IT.
Works more closely with CEOs.
Has business orientation.
The Indian CIO:
Manages smaller IT budgets.
The CIO’s role is yet to get real acceptance in the truest sense.
Is mostly technology-oriented.
Spends less time developing technology and networking.

Why did Hexaware create an India Service Center with PeopleSoft?
Hexaware’s partnership with PeopleSoft to set up their development centre created PeopleSoft professionals in the country. Consequently, PeopleSoft awareness increased in India and the application has become increasingly popular. This reduced the cost of ownership since local expertise became available and the application could be sold and implemented locally.
What do you think sets a good CIO apart? Can a CIO become a CEO?
What sets a good CIO apart is his ability to manage people dynamics. Organizations have people from different backgrounds, with different levels of commitment and flexibility, and who work a business function in different ways. People have seen varied systems, technologies and processes in their career, within and outside an organization. Depending on their experience, they behave in a certain way and develop an opinion of the best way to do things. Some business managers may have technological preferences, which they enforce without knowing the overall picture. Automation, the institutionalization of business processes, the transparent flow of information across an organization — these break individual authority. Sometimes, people misunderstand this and think they are losing control and/or their identities. In order to bring systems and processes in place, a CIO’s ability to handle people dynamics is more important than his or her ability to manage technology. The CIO is an organization’s change agent. In order to be successful, the most important quality for a CIO to possess is the perseverance in making people and groups accept new ideas and different ways of doing things — which may obliterate old processes. Also, to bring change, a CIO should be able to excite people within the IT infrastructure and align a business manager’s goal with the organization’s vision. Often, an IT team focuses more on technological solutions and ignores the business perspective. A good CIO has to see that effectiveness gets higher priority than high technology. Typically, CEOs are responsible for focusing on making business plans, looking at customer acquisition and retention strategies, managing market shareholder expectations and profitability. They are also responsible for driving sales in order to mitigate the risk that the gap between planned and expected business outcomes produces. The CIO can extend his role from IT and program management to enterprise transformation. Therefore, I think a CIO can scale up to become a successful CEO.

Special correspondent Kanika Goswami can be reached at kanika_g@cio.in
Interview | Ravi Rangan & Sriram Raghavan

Championing Change

Sriram Raghavan (L) and Ravi Rangan of Comat Technologies assert that IT solutions cannot operate independent of the larger environment in which they need to operate, especially in governance.

Sriram Raghavan and Ravi Rangan of Comat Technologies believe that willingness to adopt IT and a sense of ownership are crucial for e-governance initiatives. By Kanika Goswami
More than a decade ago, Comat Technologies entered the e-governance space. It implemented the first-ever Election Photo Identity Cards project in Karnataka in 1995. Its success paved the way for other governance initiatives that Comat has enabled. Today, Comat has e-governance projects based on public-private partnership (PPP) running in 14 states. Its current projects include Nemmadi, the tele-centers project of the Karnataka government. In this interview with CIO India, Ravi Rangan, CEO and co-founder of Comat Technologies, and Sriram Raghavan, its president and co-founder, share their views on e-governance and rural empowerment through IT.

Photos by Srivatsa Shandilya
CIO: Being in a PPP with state governments for e-govern projects, what kind of support do you get from governance agencies while implementing solutions? Is the support enough?
Sriram Raghavan: Both state and central governments have been consistently plagued by manual systems for many years. So e-governance was a big opportunity and a challenge for us, especially because e-governance systems were significantly left behind in this large space. We felt that we can pick citizen-centric projects and bring a technology focus to make the departments more efficient. There have been various ways of doing this, one of which is to go for projects that the government is giving out. With PPP, the government and we evolve a business model that involves a share of risk and revenue. We get good support because the government is the largest NGO in India.

What projects are you currently running, apart from Nemmadi?
Ravi Rangan: In Karnataka, apart from Nemmadi, we have another project for food and civil supplies. In the PPP model, we have tele-centers projects in Haryana, Tripura, Uttaranchal and Sikkim.
In addition to telecenters, what other kinds of projects does Comat work on?
RR: The ration cards project aims to computerize civil supplies records — from issue of ration cards to the way food supply is monitored. There are three areas. First, there is a beneficiary database. All official databases are outdated. The project’s first objective was to clean that database, clean up the historical baggage and ghost cards — for which we are adopting technology such as biometrics. We collected data from every village and details of each citizen to look for repeats and found almost 4 percent of people had duplicate cards.
SR: The most important part is that we are able to reach the rural citizens who have, over the years, been oblivious (of access to essential services). We are fortunate to have the opportunity of delivering essential services to them.

Comat has e-govern projects running in a new, largely unindustrialized state like Uttaranchal. Tell us something about this experience.
RR: In Uttaranchal, we are doing work in the social welfare department. We essentially identify and focus on key citizen-centric departments — schemes that provide support for pension, houses and so on. Social welfare encompasses about 80 schemes, where computerization does the end-to-end job: from the point of installing an application up to the point that benefits are delivered to citizens. The software also tracks the entire process. The schemes have multiple levels of screening involved and the software handles these. Whenever an official logs in, he gets a list of transactions. Essentially, we intend to make it a lot more transparent. So, the higher-ups know how many applications are pending, which official has how much work pending, and so on. It makes the entire thing a lot easier and more transparent.
SR: More than 50 percent of Uttaranchal’s population is tribal, rural and backward. There is a huge dependency on records. So, we have targeted an important department, and computerization has had a huge impact on the ground.

What must a technology company seek in the e-govern space?
SR: As far as an IT company’s approach to e-governance is concerned, one has to have a willing department. You need a project champion, somebody who will conceive and take onus of the project. You must have reasonably good buy-in from officials, so you need to ensure that tehsildars and the district magistrate are on board and in sync (with the technology partner). Then, you need to have a technology solution that does not mimic existing processes, but helps improve on it. All these things are important. Being a technology company helps, but you have to work more on the ground. You have to understand the backend office and environment you will be implementing in.
RR: It is critical for us to recognize who the people impacted by the project are. Only then can we look for the best ways to address their concerns. For instance, in the civil supplies project, the officials are stakeholders at one level and fair price shop owners are the ones impacted by the transparency and governance. If you are doing away with ghost cards, the fair price shop owner may not make enough money. One could say that the whole system is designed assuming there are going to be ghost cards. So, we need to work — not just on the technology — but on the larger solution. We are tying up with banks to see if we can provide them credit and if we can enable them to deliver other services. One looks at all stakeholders while implementing solutions. If you do not, it will not be implemented — or it will take its own path.

“One needs to have a technology solution in governance that does not mimic existing processes, but helps improve on them.”

How does Comat balance technology and governance?
RR: In our opinion, the two biggest challenges in any e-governance project are databases, and the preparedness and training of the department. Technology is just an enabling element and not the most important one. Besides, most projects in our opinion suffer from lack of focus on data. If you look at any IT system that provides transparency and a level of customer service, data becomes critical. If you do not have reliable ways of using and recording data then it really does not work. The classic example is Bhoomi. The reason why it is such a success is because a lot of attention is paid to how data is collected, and how it was defined. Technology is but a small part of it.

Do you think the lack of preparedness affects the project’s outcome?
RR: Preparedness is very critical. It isn’t just important at the secretary or the director level, but must go down to functional levels like the patwari. In terms of technology, it is important that when we are deploying a solution, we have to consider all costs — not just the cost of the card or equipment that will be deployed. So, any technology has to be capable of multi-use infrastructure and we have to think of how they can be used in more than one way. The technology we develop and the solutions we create often consider these things.

What were the major issues Comat faced during the deployment of Nemmadi?
RR: I will just point to a couple of things. First, though the certificate is issued, a large part of the procedure is still manual. Then, there are vested interests. One thing is that to make something good, we must have the database in place. It cannot be subjective. The other place where we would have liked deployment speed is in digital signatures. That is taking time. So, I guess one of the things for the next rollout has to be policy changes.

Compared to your projects in other states, how does the government of Karnataka fare in terms of support?
SR: It has been an extremely good experience across the states. Haryana is much more forward, and we find the government itself being very supportive. The demand and need for such services is much higher in such states. The southern states lead the IT revolution but a lot of things need to be faster. The richer states have got responsive governments, and that makes a difference in the little things like space for kiosks, and people being helpful. Uttaranchal is a new state with a large rural population. That is a great opportunity for us. That is where we can really function. So though Tamil Nadu may be a great state, the opportunity in Uttaranchal will be higher.

Rs 719 cr. — the big payout — is the central budget allocation for e-governance for FY 2007, exclusive of the projects to computerize the Public Distribution System and Food Corporation of India. Source: Union Budget
How has Comat’s Electronic Document Management System contributed to the efficacy of e-governance projects?
SR: The Electronic Document Management System (EDMS) was used for the Land Allotment Application program for Delhi Development Authority. Prior to the implementation, the paper-based allottee file search process required 2-4 weeks. With our implementation, the time for search has been brought down to three minutes. The full benefit to the citizen will come when DDA deploys the necessary hardware for citizens to access the electronic search system based on the EDMS. We understand that Wipro has been awarded the project for hardware deployment. Within the next six months, it will be possible for citizens in Delhi to perform online searches for land allotment applications. To facilitate faster time to deployment for citizen access, we have taken a new approach in Karnataka. We are starting a pilot in Udupi, where we will do a BOT (build, operate and transfer) for the backend equipment and kiosks will be used as the front-end for citizens. Through this mechanism, citizens will be able to access grievance applications, and track progress. The pilot should go online in less than two months. This type of a model, which leverages the kiosk infrastructure to speed up access for citizens to G2C services, is sustainable and will become the prevailing model across India.

Kanika Goswami is special correspondent of CIO India. She can be reached at kanika_g@cio.in
Essential Technology
From Inception to Implementation — I.T. That Matters

How can you stop enterprise e-mail management from gobbling large amounts of IT time and money? Outsource it, say a growing number of CIOs.
E-mail Has Left the Building
By Galen Gruman

Outsourcing | Global staffing firm Adecco Group began an effort one year ago to consolidate and outsource its five data centers into one, when Dave Bossi came to a realization. Moving the data center, he discovered, would also move three separately managed Microsoft Exchange e-mail servers of different versions and a fourth legacy e-mail technology — with potentially huge disruption to 10,000 e-mail users. Bossi, the North American vice president of IT, thought this might be an opportunity to rethink the company’s e-mail strategy. “E-mail tends to get lost in the mix. It becomes an afterthought,” Bossi says. Unless, of course, something goes wrong. Bossi’s case for outsourcing broke down like this: if Adecco moved the e-mail servers to a separate outsourced provider, the e-mail systems would be unaffected in the event of any trouble (like network overloads) at Adecco’s data center. Having a dedicated e-mail provider also makes administering e-mail accounts, managing servers and handling frequent software patches more efficient and less dependent on other data center resources. It shifts the responsibility for malware protection to a specialist — and eliminates the need to manage anti-malware appliances. CIO Alwin Brunner liked Bossi’s logic. Adecco is consolidating its four e-mail platforms into one, which is hosted by USA.net (separate from Adecco’s outsourced data center that IBM manages). Today, Bossi and Brunner say they’re very happy with the performance and lower cost of e-mail outsourcing. For example, Adecco cut its e-mail administrator staff in half to three people and repurposed much of the physical infrastructure to other projects, saving thousands of dollars and eliminating the need for future equipment purchases. Like Adecco, an increasing number of large enterprises are deciding that e-mail is mission-critical but is plain-vanilla enough to be outsourced, says Mark Levitt, vice president of collaborative computing at IDC (a sister company to CIO’s publisher). The proliferation of malware is also pushing the trend, says Don DePalma, president of consultancy Common Sense Advisory. Now that spam accounts for more than half of all e-mail messages, many businesses are looking to outsource message filtering because the internal burden has gotten too great. This is often the first step a company takes toward eventually outsourcing the entire e-mail burden.

Over half of all small businesses outsource their e-mail accounts or are considering it, according to a recent IDC survey. Since they are outsourcing much of their IT operations, e-mail has gone along for the ride.

Smaller Firms Lead the Way
Small companies — those with fewer than 100 employees — have gotten the jump on outsourcing e-mail, notes IDC’s Levitt. More than half of all small-business e-mail accounts are now outsourced or under consideration for outsourcing, according to a recent IDC survey. Lack of IT resources tends to drive small companies toward outsourcing much of their IT operations, and e-mail has gone along for that ride. The Arthritis Foundation is a case in point. Four years ago, “we were spending all of our time keeping the systems running, not bettering the foundation’s goals,” recalls VP of Strategy Management and CIO Marla Davidson. “We realized we could get a lot more depth from our staff by using a managed service provider for those operations,” she says. Outsourcing also reduced the risk of failure: “We had just one e-mail admin. So if that person was on vacation or got sick, we would just hold our breath,” she says. Now, the foundation gets 24/7 coverage it didn’t have before. “Our costs declined and our service levels improved. Plus we get more disciplined management and better security,” Davidson says, letting the foundation now support some Sarbanes-Oxley rules that it couldn’t afford before. (While not obligated to follow them, executive management saw several as beneficial governance approaches.) Originally, Davidson outsourced all IT operations to one vendor. But after several years of seeing the systems actually outsourced, it became clear that some, such as e-mail, could easily be handled separately. “We now view Exchange as a commodity service. It’s OK to be separate,” Davidson says. So when the foundation asked for bids to take on the outsourcing as part of its contract renewal two years ago, she separated e-mail into its own RFP to open up more competition.
Corporate e-mail is mushrooming. Today, every employee requires an average of 17.5MB of e-mail storage per day. This will increase to 21.3MB by 2009. Source: Radicati Group
Making Your Case
The case for outsourcing e-mail has been harder for enterprise IT to make, notes IDC analyst Levitt. “It’s not easy to hand off; it’s as core to IT as you can imagine,” he says, with a lot of resources and expertise already invested. That investment acts as an anchor that keeps the e-mail servers and administration in-house. However, as large enterprises consider consolidation, system upgrades or large outsourcing efforts, it makes sense to consider an e-mail outsourcing strategy at the same time, Levitt says. “We wonder why we didn’t do it sooner,” says Tom Roets, vice president of IT at Sonic Automotive, a national retailer. A year ago, the company had two e-mail systems: Microsoft Exchange at its corporate headquarters and Ipswitch IMail for its national sales and dealer offices. For years, managing those systems had been a growing burden. “We spent a lot of time on patches and monitoring the platforms. We spent seven days a week keeping up the mail systems,” says Chris Maritato, the national director of IT. But there were many fears to overcome. “We have to be compliant with Sarbanes-Oxley and have disaster recovery,” he notes. Then there was the fear of such fundamental change, Roets says: “When you’re faced with 11,000 people in the field, that’s a lot of angry people if there’s a hiccup.” But by last year, another pressure was bearing down on Roets and Maritato. “We could not reliably support 11,000 people the way we were doing it. The user satisfaction scores were going in the tank,” Roets says. So the company decided to both consolidate its two e-mail platforms into one (Exchange) and outsource e-mail, to Verizon Business. “We did a pilot for 30 days,” Roets recalls, before committing to the switch. To be safe, “we also put the most mission-critical people at the end of the transition,” he adds. Within four months, the transition was complete. Not only did the management headache disappear while costs stayed about the same, but e-mail service also actually improved, Roets notes. Rather than rely on one e-mail administrator to manage user accounts, Sonic could now rely on its whole help desk staff to do so, using a management portal provided by Verizon that didn’t require the expertise that the previous setup did. This let Sonic redirect a staff member to other IT needs to meet strategic business objectives, Maritato says. Although there were some fears about having e-mail data hosted outside the company, Sonic performed a security assessment on Verizon that showed “there was no additional risk to outsourcing,” Roets says. Adecco’s Bossi and the Arthritis Foundation’s Davidson came to the same conclusion. If anything, Davidson believes security is higher when outsourced because an outsourcer can leverage its knowledge across all clients, which means it can be more capable and efficient than any individual client could. “They do security monitoring that we could never do,” she says.
A Few Caveats
Outsourcing e-mail at large companies can work, as the experiences at Sonic and Adecco show. But it does require careful strategic planning because of the integration between e-mail and other applications that may exist, notes IDC’s Levitt. “You need to understand how your e-mail system is being used before you do a consolidation or migration,” echoes Bossi. When consolidating his four e-mail platforms, Bossi found real differences among user groups. Some frequently use features like public folders, for example. “You need to understand all of that to transmit the right requirements to the outsourcer,” he says. You may also have some custom integration with other enterprise systems, such as order-taking systems, which get their input from e-mail, Bossi notes. For organizations that aren’t ready to make the leap to complete outsourcing, there’s an interim step: have a managed service provider remotely monitor and control the e-mail servers in-house, says Levitt. IBM, Hewlett-Packard and other consultancies have long offered this service. Still, outsourcing e-mail will not work for everyone. The city of Seattle’s CISO, Michael Hamilton, has contemplated migrating his e-mail to an outside provider, but decided against it due to several challenges. The toughest one is the city’s use of Novell’s GroupWise e-mail server, which very few outsourcers support, he says. Another challenge is the high level of heterogeneity among city agencies, many of which have very specialized requirements. The police, for example, don’t want their data stored offsite, for security and privacy reasons. But Hamilton did outsource his e-mail anti-malware operations to Postini to get that burden off his plate.
Plan Ahead
Enterprises considering e-mail outsourcing should think expansively, recommends Wu Zhou, a senior research analyst for network lifecycle services at IDC. As voice and data technologies merge, e-mail will morph into or become part of a unified messaging platform, she says. “Find the partner that can provide cost-effective outsourcing of e-mail, and work with you to grow the functionality.” It makes sense to anticipate other e-mail needs when you outsource, agrees Adecco’s Bossi. For example, mobile messaging at Adecco is today split between Palm Treo and Research in Motion BlackBerry devices. But his outsourcer supports Microsoft gadgets too. So if and when his users want those devices, he’ll be covered. And he can let someone else handle the details.

Galen Gruman is a frequent contributor to CIO US. Send feedback on this feature to editor@cio.in

Securing 64,000 Inboxes
In an age of unrelenting spam, it's hard work securing 64,000 in-boxes from viruses, phishing scams, and other e-mail threats. Renate Tomesch, global enterprise messaging manager at Johnson Controls, Milwaukee, Wisconsin, doesn't have to. She outsources it. The decision was made after Johnson Controls’ e-mail security appliances buckled under the load of spam. "With servers we normally assume a three-year life. After two years with these appliances we realized they weren't doing their job anymore," she says, adding that not only were the appliances letting more spam through than was acceptable, but they were also slowing down the flow of e-mail. Tomesch figured the cost difference of outsourcing e-mail security vs. performing the task in-house was not great enough to factor in, and with the outsourced service she wouldn't again be put in the position of having her infrastructure pass its capacity limits. "Maybe we were a little visionary in saying that with a managed solution, we never again would have to concern ourselves with the growth of spam," she says. Particularly since spam has grown significantly over the past year, and shows no signs of letting up, "I look back and say 'Oh, am I glad I made that choice.'" — By Cara Garretson
Pundit
When Are We Getting Off The ERP Bus?
Your ERP deployment is a one-way ticket to exploitation.
By Christopher Koch

Software | It's time to begin calling enterprise software what it really is: a legacy system. The politically-correct definition of the L-word usually describes systems developed around the time of Woodstock. But while the hippies have long since given in to shoes and pre-nups, the core computing systems of most companies still have the peace signs painted all over them. Except they're much more difficult and expensive to maintain than a peace sign. That's because while it may look like there is competition in the enterprise software market, there isn't really. Once you choose your company, whether it be SAP, Oracle, Siebel or the myriad smaller vendors out there, you buy into a market of one. These companies have cornered the market on support for their applications. They can get away with charging anywhere from 20-25 percent of the current purchase price of the software for maintenance and support. It doesn't seem like such a bad deal when you first buy the software and your people are burning up the 800 lines, but after a few years, your developers and customer service representatives get used to the stuff and don't need much help. But the fees continue. The CIO fights a pitched budget battle each year trying to justify these costs to the CFO.

Back in the 1990s, CIOs had a shot at keeping the CFO happy by pointing out that some of the maintenance and support fees were going to future R&D. Since upgrades to the next version were free, there was potential payback for that investment. Today, the free upgrades have disappeared. Just as well, because they were never free anyway. Most companies have customized the software so much that any upgrade would be more like doing a new installation, because these customizations need to be ripped apart and rewritten to work with the new version. The result is that, like mainframe systems before them, the driveshaft of enterprise software has locked up inside organizations — especially midsize and smaller ones with limited staffs and IT budgets. Given the state of things, you would think that CIOs would rebel against 20-25 percent yearly support fees. But very few have. They keep giving millions to the IT mechanics. Partly it's fear. The market has consolidated so much since the dotcom bust that few dare to anger the owners of the software — have you forgotten that you don't buy this stuff, you simply have the right to use it for a while? — that keeps their businesses alive. And though the software is unchanged inside most organizations, it still leaks oil in the form of bug fixes and updates for things like tax code changes. This makes it hard to consider cutting the love beads that tie customers to the vendors — especially when the vendors' powerful marketing departments keep promising them, apparently convincingly, that a new model is just around the corner.

The other problem is that no one is going to make the decision for anyone. Most software in the mainframe era was custom developed by consultants, many of whom have passed to the Grateful Dead concert in the sky. CIOs had to take on maintenance of the stuff themselves, or give it to an outsourcer. Not so with enterprise software. The vendors aren't going to make the same mistake with enterprise software that IBM made with the PC: give up control over the software. They can't afford to do it under the licensing model they created, which they cling to tightly. The logic goes that customers would never be willing to pay for enterprise software if they were charged for its real value up front. The maintenance and support fees are like paying back a long-term loan at 20-25 percent a year. Such a deal. To know how Big IT could be cleaning up your chances of finding inexpensive legacy support, read my column next fortnight. (To be concluded) CIO

Send feedback on this column to editor@cio.in
Real CIO World | October 15, 2007
Outsourcing Showdown: India vs China
By Stephanie Overby

It's a battlefield out there. Offshore outsourcing's reigning champion, India, squares off against upstart rival, China. Who's better?

Popularity Contest
India: Ranked number-one location for offshore IT services by Western IT services buyers. (Good job, Nasscom!)
China: Tied for number three with Eastern Europe (Latin America is number two).

Average IT Staffer Salaries
India: $10,095
China: $9,896

Wage Inflation
India: 11 percent annually
China: 8 percent annually

Technology Infrastructure (tie)
India: Top-notch IT infrastructure within technology parks and on major IT campuses.
China: Solid IT infrastructure within technology parks, although not quite as good as India's.

Scalability
India: Tier-one vendors have tens of thousands of employees; can set up dedicated offshore centers for customers.
China: Most work remains product-based only, due to the fragmented nature of the IT services industry.

Geek Quotient
India: Approximately 1.7 lakh four-year bachelor's degrees in engineering, computer science and IT.
China: Over 5 lakh (the accuracy of these numbers has been called into question).

Most Valuable Customers
India: US and Europe
China: Japan

The Languages of Business
India: English/Hindi
China: Mandarin/Mandarin

Advanced Business Skills
India: Skills like project management and business analysis are getting better. But there's room for improvement.
China: Poor project management and business analysis skills; limited experience serving Western IT clients.

Jaywalking as a Sport
India: You'll get hit by a car or a rickshaw.
China: Drivers will make an attempt to stop.

Cheeseburger Far from Paradise
India: Good luck. If all else fails, try Millers 46 Steakhouse in Bangalore.
China: Many Western-type burger joints (with local flair).

Sources: CIO.com; NeoIT; Forbes.com; MIT; Forrester Research; China Ministry of Education; "Next Generation Offshoring 2006" by Duke University Fuqua School of Business and Booz Allen Hamilton.