From The Editor
Prepare for Disruption
Few enterprises are equipped to handle the gadgets that end-users are picking up.
A few weeks back, Apple supremo Steve Jobs wowed the world with a demonstration of the iPhone, a touchscreen internet-access device that combines a cellphone with a music player with some PDA features thrown in. As with all things Apple, the iPhone demo has ensured strong opinion, with supporters and detractors being vocal in equal measure.
Big deal, huh? I hear you say. What’s it got to do with enterprises and CIOs? Well, an online debate between two of my colleagues from CIO US — Tom Wailgum and Ben Worthen — on the iPhone’s impact (or lack thereof) on enterprises got me thinking. Why wouldn’t a consumer device that enables mobile data have an impact on you? If it didn’t, then the CSO of a leading Indian IT services would not have had to ensure that the staff could not connect their MP3 players to the network. (At last count he had close to 20,000 such devices to contend with.)
Technologies aimed at individual users are showing a tendency to morph in ways that are unpredictable. Instant messaging, desktop search engines, social networking applications, smart phones, handhelds, digital cameras and MP3 players can have disruptive consequences for CIOs. The funny bit is that many of these technologies can be enhancers of business productivity, when used with care. However, employees are often enthusiastic users of gadgets, gizmos and applications, which put pressure on the IT organization and can expose an organization’s IT infrastructure.
I’m not going out on a wing by stating that many enterprises do not as yet have policies or strategies in place to maintain the security of their enterprises or data, or to even address the bandwidth squeeze that their networks are going to face given the speed with which these technologies are proliferating.
To derive business benefit, while keeping users happy and your networks safe, take a look at Mobile Mastery (Page 58) and Consumer Appeal (Page 42). How do you deal with disruptive technologies and gadgets?
Write in and let me know your thoughts.
Vijay Ramachandran, Editor vijay_r@cio.in
F E B R U A R Y 1 , 2 0 0 7 | REAL CIO WORLD
Vol/2 | ISSUE/06
Content | February 1, 2007 | Vol/2 | Issue/06
Enterprise Architecture
COVER STORY | FROM HERE TO SOA | 30
An exclusive MIT survey maps the evolution of IT architecture to SOA and explains why you can’t skip any steps. Feature by Galen Gruman
TAKING A BYPASS | 38
Why Tamal Chakravorty, CIO of Ericsson, doesn’t completely buy the four stages or SOA. By Vijay Ramachandran
Cover: Imaging by PC Anoop
Executive Expectations
VIEW FROM THE TOP | 39
For NFL Films CFO Barry Wolper, smart IT is key to delivering winning multimedia programming in a crowded market. Interview by Matt Villano
Executive Coach
CIO IN THE ROUND | 24
CIOs can push their leadership skills to the next level by using a 360 review to understand what they do well — and to start doing it better. Column by Susan Cramm
Emerging Technology
CONSUMER APPEAL | 42
Although emerging consumer applications can pose security risks, here are five that offer business benefits if you manage them well. Feature by Susannah Patton
Content (cont.)
Departments
Trendlines | 19
CRM | Whatever Julia Wants...
Careers | IT’s Hottest Jobs in 2007
e-Commerce | Pay with Your Fingerprint
Book Review | After You’ve Broken All the Rules
Web 2.0 | People Who Need People
Essential Technology | 58
Mobility | Mobile Mastery By Galen Gruman
Web 2.0 | Computing on Demand By Bernard Golden
From the Editor | 8
Making of a Leader | A formal program is the only way to build yourself a solid second line. By Vijay Ramachandran
Inbox | 18
NOW ONLINE
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in
Govern
SMART MONITORING | 50
A national project that seeks to automate the processing of a host of transactions between the people and state transport departments could make life easier all around. Feature by Harichandan Arakali
TO DEFUSE A LOGIC BOMB | 54
Sushant Mahapatra, additional director general of police, Corps of Detectives (CoD), asserts that fighting crime on the Web calls for a multidisciplinary approach that goes beyond the traditional path of detection and vigilance. Feature by Kunal N. Talgeri
Management
President: N. Bringi Dev
COO: Louis D’Mello
Editorial
Editor: Vijay Ramachandran
Assistant Editor: Harichandan Arakali
Special Correspondent: Balaji Narasimhan
Senior Correspondent: Gunjan Trivedi
Chief Copy Editor: Kunal N. Talgeri
Copy Editor: Sunil Shah
www.CIO.IN
Editorial Director-Online: R. Giridhar
Design & Production
Creative Director: Jayan K Narayanan
Designers: Binesh Sreedharan; Vikas Kapoor; Anil V.K.; Jinan K. Vijayan; Sani Mani; Unnikrishnan A.V.; Girish A.V.; Vishwanath Vanjire; MM Shanith; Anil T; PC Anoop
Photography: Srivatsa Shandilya
Production: T.K. Karunakaran; T.K. Jayadeep
Marketing and Sales
General Manager, Sales: Naveen Chand Singh
Brand Manager: Alok Anand
Marketing: Siddharth Singh
Bangalore: Mahantesh Godi; Santosh Malleswara; Ashish Kumar; Kishore Venkat
Delhi: Nitin Walia; Aveek Bhose; Neeraj Puri; Anandram B
Mumbai: Parul Singh; Chetan T. Rai
Japan: Tomoko Fujikawa
USA: Larry Arthur; Jo Ben-Atar
Singapore: Michael Mullaney
UK: Shane Hannam
Events
General Manager: Rupesh Sreedharan
Manager: Chetan Acharya
Advisory Board
Anil Nadkarni, Head IT, Thomas Cook, a_nadkarni@cio.in
Arindam Bose, Head IT, LG Electronics India, a_bose@cio.in
Arun Gupta, Director – Philips Global Infrastructure Services
Arvind Tawde, VP & CIO, Mahindra & Mahindra, a_tawde@cio.in
Ashish Kumar Chauhan, President & CIO - IT Applications at Reliance Industries
M. D. Agarwal, Chief Manager – IT, BPCL, md_agarwal@cio.in
Mani Mulki, VP - IS, Godrej Consumer Products Ltd, m_mulki@cio.in
Manish Choksi, VP - IT, Asian Paints, m_choksi@cio.in
Neel Ratan, Executive Director – Business Solutions, Pricewaterhouse Coopers, n_ratan@cio.in
Rajesh Uppal, General Manager – IT, Maruti Udyog, r_uppal@cio.in
Prof. R.T. Krishnan, Professor, IIM-Bangalore, r_krishnan@cio.in
S. B. Patankar, Director - IS, Bombay Stock Exchange, sb_patankar@cio.in
S. Gopalakrishnan, COO & Head Technology, Infosys Technologies, s_gopalakrishnan@cio.in
S. R. Balasubramanian, Sr. VP, ISG Novasoft, sr_balasubramanian@cio.in
Prof. S Sadagopan, Director, IIIT - Bangalore, s_sadagopan@cio.in
Sanjay Sharma, Corporate Head Technology Officer, IDBI, s_sharma@cio.in
Dr. Sridhar Mitta, Managing Director & CTO, e4e Labs, s_mitta@cio.in
Sunil Gujral, Former VP - Technologies, Wipro Spectramind, s_gujral@cio.in
Unni Krishnan T.M, CTO, Shopper’s Stop Ltd, u_krishnan@cio.in
V. Balakrishnan, CIO, Polaris Software Ltd., v_balakrishnan@cio.in
Advertiser Index
AMD; APC; APW; Avaya; HP; IBM; Microsoft; Oracle; Symantec; Wipro
All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.
Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India
Reader Feedback
Bouquets and Brickbats
I found the roundtable on identity management (December 2006) to be a success. I would have liked it even more if the sponsor partner had shed more light on identity management (or related topics), its nature and challenges with a presentation. I am curious to know who is doing what with current technologies in India. While the sessions were good, they did not follow a prescribed format and seemed to end quite abruptly. Further, the thoughts of each of the 15 participants on the same topic can sometimes get repetitive and monotonous. I look forward to the roundtable being more interactive with questions on different aspects of the topic being thrown to various participants, so that an all-round view can be heard rather than everybody expressing similar thoughts on the same question. What could also enhance the value of such a roundtable is for each person to come prepared to talk on a given aspect of the subject from his personal and practical experience. By this, I do not mean that all CIOs should discuss everything they’re doing. Maybe, you could pick a few people who are active in certain areas and some others who are involved in others. It would be good to hear diverse views from CIOs who are implementing or planning something on the ground. All this apart, the peer-networking environment was great.
Tamal Chakravorty, CIO, Ericsson India
I found the roundtable very useful. It was, of course, good to know where peer organizations stood, their aspirations and accomplishments in the area of identity management. Networking with peers was extremely useful. The time given for networking was conducive to healthy interaction amongst the participants. One value enhancement that you could provide could be a hard copy of any insightful contemporary articles on the subject under discussion, to be read by the participants at leisure.
S.S. Mathur, GM-IT, Centre for Railway Information Systems
The roundtable did provide a wide perspective on how CIOs are approaching identity management. But instead of asking the dozen-odd participants to speak on the same lines, if the moderator had built on the first couple of participants and asked others to challenge or add, the discussion would have been livelier and more informative. Listen, challenge, debate, provoke are a few verbs that come to my mind. The true value of this event lay in the networking, which was quite good considering the limited number of participants.
Arun Gupta, Director, Philips Electronics India
The roundtable on identity management was great from a networking perspective backed with good insights from peers. I look forward to more productive events like this one.
V. Muthukumar, Senior GM-IT, Moser Baer
Corrigendum
In ‘Bankable Vision’ (View From The Top, January 15, 2006), ING Vysya Bank’s net worth was incorrectly stated as Rs 102 crore. It should have read Rs 1,020 crore. The error is regretted.
What Do You Think?
We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.
Trendlines
CRM | Whatever Julia Wants... Julia Gets.
Think you’ve got prima donna users and finicky customers? At Creative Artists Agency (CAA), the powerful Hollywood talent agency that serves larger-than-life celebrities including Tom Cruise, Julia Roberts and Brad Pitt, customer relationship management takes on a whole new meaning — and importance. And whereas lunch at Spago and tons of phone calls used to be how business got done, CAA now views backend IT systems as key to its future. For the agency’s 200 or so high-flying agents who manage relations with clients (and shmooze prospects), a smart mix of applications, mobile devices and data feeds is paramount. “It’s about surfacing opportunities” for clients, says David Freedman, an executive within the IT department. (Like Google, CAA doesn’t believe in titles.)
Finding those opportunities hasn’t been simple. During the past several years, a titanic shift occurred within the entertainment industry as clients’ talents and ambitions began spanning across CAA’s traditional service lines — movies, TV and music. (For example, some stars work in music, movies and fashion.) This change fueled a desire for more integrated streams of information, Freedman says, and highlighted the technological disconnects between the divisions. Compounding the issue, CAA decided to enter new service lines, such as sports, marketing and theater, and quickly ramp up operations. “As we scale out more, as we’ve opened up additional offices, there’s a need for data transformation,” Freedman says. “We realized that it can’t all happen in hallway conversations anymore.”
How did IT address those problems? Since early 2004, IT has developed a combination of CRM, business intelligence, knowledge management and enterprise search tools, and deployed Windows-based mobile applications. It’s now integrating siloed systems. This almost 100 percent Microsoft shop uses a multitude of customized .Net applications and Microsoft CRM 3.0. CAA’s IT team also adheres to an integration strategy built on an enterprise service bus — a core piece of a service-oriented infrastructure that can offer more flexibility and speed whenever CAA adds a new business. That’s critical: in the past it could take six to 18 months to get a new operation going, Freedman says, and now the business’s expectation has dwindled to within three months. “We work the way that our agents work, as opposed to some top-down companies where you can impose a certain technology-driven workflow,” he says.
IT has also pushed to standardize data management principles so that client data can flow between CAA’s divisions. For example, while Tom Cruise may not be interested in acting in a particular movie, he may want his production company to produce it. Much of that information, Freedman says, also flows to agents’ handhelds. “We think all of the [internal] applications will eventually have a ‘light’ version on the Windows mobile applications,” he says.
—By Thomas Wailgum
Illustration by MM Shanith
Careers | IT’s Hottest Jobs in 2007
What jobs should you focus on filling in 2007? Our Hot Jobs spec sheets describe the IT roles that are most in demand, explain why they’re so critical and offer suggestions on how to hire for them.
Offshore Project Manager: A manager who plans, oversees and coordinates projects with offshore components. The manager, who may work for either a domestic company or an offshore one with a stateside presence, ensures that offshore vendors meet project requirements.
Business Intelligence (BI) Analyst: BI analysts use analysis tools to query data repositories and generate reports. These reports help managers make business decisions by identifying trends and patterns in a company’s operational data.
Vendor Manager: A vendor manager orchestrates the IT department’s dealings with its suppliers, such as makers of hardware and software and providers of services. The vendor manager guides the purchasing of products or services for the department.
Head of IT Finance: The head of IT finance analyzes, forecasts and reports the operational budget for the IT department. Executives in this position also vet costs for the IT component of business plans for other departments.
—By Juan Carlos Perez
e-Commerce | Pay with Your Fingerprint
Citibank Singapore recently rolled out a new way for credit card holders to make payments: using their fingerprints. “It’s an investment for our future,” says Anand Cavale, vice president and business director of credit payment products at Citibank Singapore, noting that this is the first time Citibank has used a biometric payment system anywhere in the world. Customers use the system by pressing a finger to a sensor at the cash register in outlets like coffee shops; the purchase amount registers to the corresponding Citibank account.
With an affluent, tech-knowledgeable population of 4.5 million, Singapore is a competitive market for credit card issuers. Banks must look for any edge they can find. To encourage spending, banks regularly team with partners to offer special discounts — say, 10 percent off dinner at a trendy restaurant — if customers use a certain credit card. Citibank hopes the biometric technology makes purchases more convenient when time matters: “If you’re running to catch a train and buying a cup of coffee and a newspaper, your time has more value,” Cavale says.
So far, the biometric payment systems are in place at only a few outlets in Singapore, including local retailers, clubs, restaurants and cinemas, and work only for holders of Citibank Clear Platinum cards. But the bank has plans to quickly expand the number of such systems and the number of Citibank cardholders able to use them. Citibank began with the Clear Platinum card because it is targeted at younger customers — from ages 25 to 34.
—By Sumner Lemon
Illustration by MM Shanith
Book Review | After You’ve Broken All the Rules
If you want to be a great leader, you can’t ignore human nature.
12: The Elements of Great Managing, by Rodd Wagner & James K. Harter. Gallup Press, 2006, Rs 1,125
For the best lessons about managing, study real-life experts — not the “absolute best freaks of managerial nature” but the “gentle but determined souls you will find half the time in a great company, and one out of 10 times in a poor one.” That’s the advice behind 12: The Elements of Great Managing, a follow-up to the best-selling First, Break All the Rules (1999). The first book drew on a massive base of research data about management from The Gallup Organization. Its successor adds analysis of newer responses to expand upon 12 truths about employees that great managers must use to their company’s advantage.
Much of the advice centers around two core beliefs: you can’t ignore human nature, and managers who treat individuals well and inspire strong personal support from their employees help companies realize better results and higher profits. The 12 truths range from the hard-to-argue “I know what is expected of me at work,” to the not-so-obvious “The mission or purpose of my company makes me feel my job is important,” and the controversial “I have a best friend at work.” You may think this last one’s immature, but Gallup’s data shows otherwise.
The book discusses each truth in the context of profiling an actual manager’s struggles and successes. The 12 profiles have a global flavor, including tales from Poland and Brazil, befitting cross-industry research done in 41 languages and 114 countries. If you’re trying to inspire your own team, you’ll find interesting examples here and not a lot of clichéd, oversimplified advice. When the book discusses a Texas hotel manager’s travails, for example, you’ll hear why colleagues didn’t like her at first. You’ll also find supporting data if you’re trying to convince colleagues that managers who inspire loyalty in teams are key to a company’s success.
—By Laurianne McLaughlin
Web 2.0 | People Who Need People
With all the hype surrounding Web 2.0 technologies, serious IT organizations may be tempted to dismiss them as just more consumer-oriented fads. After all, do we really need something like MySpace or YouTube on the corporate network? Don’t dismiss Web 2.0 so quickly. The concept of bottom-up interaction, collaboration and communication within and across an enterprise promises leaps in productivity and other benefits at very little cost. The caveat for IT is to make sure Web 2.0 is adopted proactively and openly. It should be deployed where it makes the most sense and delivers the most benefits, and where the overall risk is minimal.
The hardest part about Web 2.0 may be defining it, says David Smith, an analyst at Gartner. “Instead, people talk about the technologies, like wikis or blogs, or its social or collaborative aspects.” Fred Killeen, CTO at General Motors’ IS and Service Group in Detroit, agrees. “We think of Web 2.0 as a variety of technologies — so blogs, wikis, AJAX, RSS and some of the other collaboration capabilities fit,” he says. “It changes how people use the Web.”
What’s much clearer is the promise of Web 2.0 in a business scenario. “Overall, as a concept, we absolutely say there’s a place for Web 2.0 in the enterprise,” Killeen says. “The technologies are simple and lightweight, and that’s what works for people. It changes the model of the Web from people interacting with brochures or ordering things, to people interacting with people. For a global organization like GM, that’s extremely useful and important.”
For example, Killeen recently had a request to use wiki technology to build GM’s user manuals. “Who knows how to use the system better than the users?” he asks. “We may have to start them out, but then we should let them help write and build the user manual over time. Because they are the ones who are using it, the overall results will be better.”
There are caveats, however. “You need to keep an eye on it,” Killeen says. “On the one hand, you want to empower people to collaborate without a lot of inhibitors, but at the same time, if you don’t manage all the data and infrastructure, you’ll end up with chaos if you’re not careful.”
—By Joanne Cummings
Susan Cramm
Executive Coach
CIO in the Round
CIOs can push their leadership skills to the next level by using a 360-review to understand what they do well — and to start doing it better.
Meet Mr. Average CIO. He is of average height, build and age. He is also, according to his recently completed 360-degree assessment, an average leader. Initially, Mr. Average was disappointed. But over time, he became sanguine; after all, what’s the point of getting worked up over survey results that are confusing and don’t jibe with his strong job performance reviews?
Mr. Average’s situation is a common outcome of the 360-review process, in which an individual is evaluated by customers, peers, direct reports, his supervisor and himself. It should be no surprise that when you average the responses of 15 reviewers to 60 or so questions (each testing a different leadership competency), the mathematical process often leads to results that cluster around the norm. To gain meaningful insights as to his specific leadership strengths and weaknesses, a CIO who has undergone a 360-review must objectively analyze hundreds of feedback points. So, it’s easy to miss the forest for the trees.
Mr. Average doesn’t know it, but there’s good reason for him to be concerned about his results; since he doesn’t have any competencies rated in the top 10 percent (scores greater than 4.5 on a scale of 5), he’s in the 34th percentile of all leaders. You see, it’s not the average score that counts on a 360-review. It’s the number of competencies rated in the top 10 percent, according to The Extraordinary Leader, by John Zenger and Joseph Folkman.
The good news for Mr. Average (and all of you) is that it takes only five highly rated competencies to be considered a great leader, as long as two other conditions are met. First, the competencies need to be distributed evenly across five leadership sectors, defined by Zenger and Folkman as personal capability, character, interpersonal skills, ability to focus on results, and willingness to lead change. Second, Mr. Average cannot have any fatal flaws, which are defined as an inability to learn from mistakes, a lack of core interpersonal skills, openness to new or different ideas, accountability and initiative.
A handful of extraordinary strengths separates great from average leaders. And great leaders outperform average ones on productivity, turnover, customer service and employee commitment. By building on his strengths and eliminating fatal flaws, the average leader can become extraordinary.
Armed with this knowledge, Mr. Average can pluck meaningful insights from the mountain of 360-degree data. With relatively simple analysis, the feedback can be understood — and practical, focused development plans can result.
Mr. Average should begin by identifying ‘good’ competencies that can be improved to ‘great’. Fortunately, he has five competencies with solid ratings (around 4 on a 5-point scale), and they are balanced across the leadership sectors.
Character — Mr. Average ‘walks his talk’.
Personal capability — He can deal with technical issues.
Focus on results — Our man spends time working on issues that are important to the organization.
Interpersonal skills — Mr. Average has built a strong team.
Leading change — The business sees him as a key partner.
Mr. Average must build on these strengths to move to the top tier of leadership. He should do so by focusing on what Zenger and Folkman term ‘competency companions’, behaviors that, if improved, cast a positive halo effect. For example, by improving their interpersonal skills — that is, if they can explain what they know in a way that is ‘heard’ by others — individuals can improve the way their technical skills are perceived. The competency companion approach to development is the best way to move perceptions from good to great.
Next, Mr. Average should analyze his 360-degree data to spot fatal flaws in any of the five leadership sectors. For example, the data shows that Mr. Average focuses his time and attention on his direct reports and customers, which makes his peers feel ignored. As a consequence, his peer ratings are pretty low. Improving peer collaboration and teamwork, by getting out of his office and interacting with his peers, is crucial for Mr. Average to continue his career progression.
The best way to improve organizational performance is by moving bad leaders to good and good leaders to great. Given that most of us are good and aspire to be great, the implications are obvious. First, dust off your latest 360-review. Perform the analysis outlined above, and figure out how to build on your strengths and mitigate any fatal flaws. Once you have your own development on track, reach out and help others make sense of the 360-feedback they have received but have been unable to use. It’s what any great leader would do.
Reader Q&A
Q: Can you outline other ‘competency companions’ and explain how they boost the perception of leadership?
A: In The Extraordinary Leader, by John Zenger and Joseph Folkman, the authors identify competency companions for 16 key leadership behaviors. A few of the more interesting examples include the following:
Assertiveness. Leaders who want to increase their character ratings should examine whether they have an issue with assertiveness. To receive strong integrity scores, the CIO must deliver on his commitments. This requires being assertive about fixing problems and ensuring that others are delivering as well.
Risk taking. Leaders who set stretch goals that others can believe in and achieve are also strong in risk taking. By taking more risks and learning from them, CIOs will feel more comfortable setting stretch goals and, thereby, deliver more to the organization.
Self development. Leaders who are strong in developing others are also strong in developing themselves. CIOs who want to improve their ability to coach and mentor others should start by working on themselves.
Q: What strategies do you recommend for overcoming ‘fatal flaws’?
A: Fatal flaws can derail careers. There are three challenges to overcoming fatal flaws. First, there is often a lack of understanding regarding the true nature of the flaw. Quantitative 360-degree surveys are wonderful for identifying the issue, but it’s often necessary to conduct interviews in order to fully understand it. Second, the fatal flaw may be due to a mismatch among talent, motivators, goals and the organization’s needs. A leader in the wrong job can easily exhibit one or more fatal flaws. Third, once the flaw is understood, it is important for the individual to receive on-the-job coaching and frequent feedback, and to be held accountable for making the necessary behavior changes. Many companies use external coaches to help leaders ‘intervene’ on behaviors that are derailing their careers.
Susan Cramm is founder and president of Valuedance, an executive coaching firm in San Clemente, California. Send feedback on this column to editor@cio.in
George Day
Applied Insight
Preludes to a Customer Kiss Getting closer to customers seems like a no-brainer — but it may not make you any more profitable than you were before. The key is to take it slow.
I
Illust ration Un nik rish nan A.V.
n January 2005, one of the most resolutely productoriented companies in the world, semiconductor maker Intel, announced it was reorganizing itself around its customers. No longer would the firm simply announce new chips and expect customers to adopt them. Instead, it would focus on the bundling of processes, ancillary chips and software into platforms tailored to five customer segments. Intel is far from alone. Organizations have been steadily evolving toward closer alignment with customers. But the changes required by this evolution are disruptive in the short run and add coordination costs in the long run. These countervailing pressures are a warning to CIOs that while closer customer alignment may be correct, it is not sufficient to support a wholesale shift in strategy and organizational structure. The appropriate structure is guided as much by implementation realities as by the strategic imperative to get closer to the customer. So is it worth doing? The findings from our study of 347 midsize to large firms were mixed. Among those companies that made the shift, accountability for customer relationships sharply improved and information sharing was better. Firms organized according to customer segments were also easier to do business with and better at dealing with problems and queries. But these benefits didn’t immediately translate into superior financial performance. There was no direct correlation to increased profitability. Among the companies we studied, we saw four stages in the transition to being customer-focused. Stage one: product or functional silo. For small or highly focused firms, this simple structure usually suffices. Problems
28
F E B R U A R Y 1 , 2 0 0 7 | REAL CIO WORLD
Coloumn Preludes to a Customer K28 28
Vol/2 | I SSUE/06
1/25/2007 4:48:48 PM
George Day
Applied Insight
arise as competitive pressures, fragmenting customer requirements and proliferating channels create performancesapping conflict. Stage two: informal lateral coordination. As customer requirements begin to fragment across functional or product divisions, the company responds by coordinating across independent areas. Product managers may serve informally as bridges across multiple business units. Rotation programs, such as moving salespeople through a stint in marketing, are also common at this stage, as is the development of a companywide CRM system. However, these moves are much more successful when done in tandem with the next stage of evolution. Stage three: partial alignment via integrating functions. Companies create formal positions for market segment or key account managers — sometimes even entire organizations — that span multiple boundaries in the organization to overcome a functionally partitioned view of the customer. IT systems that span functional boundaries are often part of this transition, creating integration issues for the CIO. Stage four: fuller structural alignment. Companies at this stage have created powerful, independent units to serve as central coordination points for the company’s various independent business units. These units act as the front end, assuming primary responsibility for the customer relationship. This design flourishes when customers want solutions from multiple business units that are customized to their individualized needs. However, product business units often retain the ability to sell directly to customers, which means there must be a strong corporate center to mediate the conflicting demands. Fidelity Investments’ evolution to the front hybrid model began with a strategy that emphasized credible advice and investment solutions tailored to the individual investor’s situation. 
This meant picking the customer segments to nurture and creating dedicated groups to serve each of these segments with personalized guidance and service levels appropriate to the profit potential of the segment members. The product groups continued to develop and manage a broadened array of funds and financial services that could be readily bundled and sold by the front-end customer unit. From an IT perspective, this kind of structural alignment is very difficult. Inadequate systems are a major source of delay. How can an organization be aligned to its markets if customer data is dispersed, segment profitability can’t be estimated and customer defections aren’t visible? Indeed, Fidelity Investments managers estimate that it took more than three years to accomplish 60 percent of their reorganization goals — mainly because of systems constraints.
First Steps to a Customer Embrace

A necessary early step on the path to customer alignment is unified customer information that is filtered through linked databases. When individual product and geographic groups have their own information systems, including ordering and fulfillment, the firm is unable to coordinate its offering. The consolidation of information at the point of customer contact also makes it easier to separate the front-end customer solution units (at stage four) from the back-end product infrastructure.

Good performance metrics systems are also critical to success — they breed cooperation across formerly independent units that all had different goals and rewards. For example, Enterprise Rent-A-Car uses an IT system to rank its 5,000 branches with two customer survey questions, one about the quality of their rental experience and the other about the likelihood that they would rent from the company again. GE Plastics uses systems that track delivery performance, so it can reduce variability in delivery date — its number-one customer satisfaction metric.

Mismatched capabilities, fragmented information systems and inadequate execution can all undermine the realignment process. The good news is that these obstacles are familiar and were overcome by the organizations we studied. (Other issues, such as customer resistance to the new model and internal cultural resistance, proved much more intractable among the studied companies.) Because it takes longer to reorganize the organization than to plan a change in strategy, there is an unrealistic expectation about how quickly the move to a market-focused organization can be accomplished. Those who are successful are able to factor the inevitable challenges into the overall strategy transition plan and don’t try to push it faster than the impediments allow.

CIOs can play a critical role in success by clearly outlining the implementation realities in the time line — but must also deftly avoid becoming the scapegoat for delays beyond IT’s control. Compared to this challenge, the implementation will probably seem like the easy part.
George Day is a professor of marketing at the Wharton School at the University of Pennsylvania. Send feedback on this column to editor@cio.in
Cover Story | IT Architecture
From Here To SOA
By Galen Gruman

An exclusive MIT survey maps the evolution of IT architecture to SOA and explains why you can’t skip any steps.

Reader ROI:
How to lay the groundwork for service-oriented architecture
The impact of mergers and acquisitions
How architecture incrementalism works

Illustration by PC Anoop

It was 1999, and addressing any potential Y2K flaws in all of State Street’s computer systems consumed the giant financial services provider’s IT attention. But despite the tremendous focus on making sure that ‘00’ would be interpreted as Y2000 rather than Y1900, David Saul, then systems software manager and Y2K remediation lead at State Street, realized something else. All the remediation projects were connected, and to ensure that any Y2K-related change in application A would not cause problems for application B, the project team needed to understand the relationships among applications and all of their inputs and outputs.
For example, State Street’s applications use reference data to process security transactions (the currency, the exchange on which the trade is made and so on). Because this data is used across all applications, it made sense for Saul’s team to handle it independently from the specific financial applications that drew upon it. At the time, most applications handled their own reference data, rather than relying on a separate, common service. Recognizing the value of common services, State Street formed an Office of Architecture (which Saul has headed ever since) to create the architectural environment for them. “It was a natural progression from there to delivering reference data as a service to today’s service-oriented architectures,” he says.
The SOA approach aligns software and data services directly with business processes so that specific services can be reused and mixed and matched as needed. That lowers technology development costs and improves the company’s ability to offer new or improved services to customers and supply chain partners. And all that’s good.

But even if an SOA is what your enterprise needs, you may not be ready to deploy one. That’s one conclusion from a pair of recent MIT Sloan Center for Information Systems Research (CISR) studies, IT Architecture as Strategy and IT-Driven Strategic Choices, both based on a series of research projects involving 456 enterprises between 1995 and 2006. The CISR research identified four distinct architectural stages — silos, standardized IT, standardized business processes, and business modularity — that both the business units and IT must pass through before SOA’s benefits can be fully realized. And no one gets to skip any stages. At best, you can speed up the process.

For the CISR researchers, this conclusion was unexpected, says Jeanne W. Ross, the studies’ principal research scientist. “But when we tell people that, they say, ‘Oh, that’s why it’s not going that well’.” And because the vast majority of enterprises are in the first or second stage (and, again, they don’t get to skip), it will be years, perhaps decades, before SOA is widely adopted in an effective way, Ross says.

CISR’s research provides a road map for both the business and IT to follow so that they can avoid fruitless diversions, not get discouraged during the long haul and understand what success should look like when it’s finally achieved. Happily, Ross notes that each stage comes with its own benefits, so there are short-term returns on the long-term architectural investment.

Each stage takes about five years to get through, says Ross, though that period could shorten as more companies go through the process and learn what missteps to avoid. “Seven years ago, there were no architectural practices at the research firms,” notes State Street’s Saul. Today’s enterprises, he says, don’t have to feel their way as much.

The Path to Enterprise Architecture
How MIT’s Jeanne W. Ross, Peter Weill and David C. Robertson discovered and mapped it.

Since 1974, the Center for Information Systems Research (CISR) at MIT’s Sloan School of Management has been studying how companies generate value from information technology. As part of that research, we developed a case study in 1995 of Johnson & Johnson’s efforts to develop shared infrastructure services for subsets of its 170 autonomous business units. We noted that J&J’s infrastructure had been developed to support the way it traditionally had done business — not the way it wanted to do business going forward. We quickly learned that J&J was not alone. And that realization led us to the concept of enterprise architecture, one we decided to explore in depth.

Over the next 10 years, we developed case studies on about 50 IT infrastructure transformations, ranging from technology standardization to ERP implementations and e-business initiatives. Every company we studied faced essentially the same problem: The business could not function as it wanted to unless IT created new capabilities, but IT could not implement those capabilities until and unless the business changed.

We came to understand this dilemma as the challenge of enterprise architecture, and we sought out companies that were moving aggressively to resolve it. We found that companies such as Cemex, Delta Air Lines, Dow Chemical, MetLife and UPS had each embarked on a journey to re-architect their enterprises and build IT capabilities around that new architecture. Switzerland’s IMD joined the research and let us extend the reach of the study to European companies such as ING Direct, Toyota Motor Marketing Europe and Schindler.

From those nearly 50 case studies, we developed a model for architectural maturity that we tested in 2004 by surveying 103 companies around the world. The survey provided further evidence of both the existence of architecture maturity stages and the value of architectural maturity. The findings from our case study and survey research are highlighted in the accompanying article and in our book: Enterprise Architecture as Strategy: Creating a Foundation for Business Execution.
— as told to Galen Gruman
The good news, according to Ross, is that your competitors are likely to be at or near the same architectural maturity level as you are, and they can’t leapfrog any stages either. Those that try to could waste time and effort deploying business processes and IT infrastructure that they’re not ready to use. Rather than attempting great leaps forward, Ross suggests that CIOs should partner with the rest of the business to move their enterprise forward incrementally, gaining expertise, building buy-in and reaping the ROI that will sustain long-term maturity. Having the architectural maturity framework in mind during that evolution gives CIOs and their business peers a way to evaluate if they’re really progressing, she says.

The SOA Buzz

CIOs can’t avoid SOA today. Research firms and the business press trumpet its ability to make companies agile and efficient. Vendors apply the label, often speciously, to help sell their products. No matter where CIOs turn, they hear the same message: you must deploy an SOA — quickly — or be at a competitive disadvantage.

Indeed, there are advantages to adopting the SOA approach even if you’re not at the stage at which CISR says enterprises can reap its full benefits. “If you deploy SOA-based technology before your organization is ready, you might still get a more efficient integration system in IT,” says Ron Schmelzer, a senior analyst at SOA consultancy ZapThink. Implementing SOA concepts, even in a limited fashion like creating Web services, also “helps create a common vocabulary so the business and IT groups start moving in the same direction,” notes Judith Hurwitz, CEO of the consultancy Hurwitz & Associates.

But while you might reap some positives from a premature SOA deployment, says Jim McGrane, former CIO (now VP) of paper manufacturer MeadWestvaco, you might harvest some negatives too. “Flopping a Web services interface on a bad process just makes it more visible,” he says. Understanding why your organization may not be ready for a complete SOA approach will help the CIO figure out what SOA-approach benefits can be gained at his organization’s current maturity level.
Stage 1: From Silos to Business Modularity

Even if they don’t know it, Ross says, most successful enterprises are moving through the maturity stages that CISR’s research has identified. Today, most companies are in Stage 2: standardized technology. Throughout the 1990s, it became clear that Stage 1 — business silos with IT efforts focused on specific departmental needs — created a mountain of overhead and support requirements. That level of complexity, which came to characterize the early days of IT, could never support enterprise growth (not to mention the fact that it cost lots of money). This led most enterprises to adopt standard platform technologies wherever possible, using just one or two PC configurations, a standard database technology for all departments or the same type of hardware and OS for all servers.

The third stage, standardized business processes, is where many advanced enterprises are today. Here, the business is viewed holistically, and IT and business leaders see themselves as partners. The fourth stage, which very few enterprises have entered to date, is business modularity. Here, business processes and their supporting technologies become modules that can be reused for efficiency and recombined for agility — the quintessential promise of SOA. Organizations know which processes should be local to specific business units and which should be standard across the enterprise — and the architecture supports the mix.

“Going from Stage 1 to 2 is not rocket science,” says McGrane. Although it requires real effort, the tactics and strategies for successful platform standardization are now well-known by vendors, consultants and IT staff. But “going from Stage 2 to 3 requires organizational change and business accountability,” McGrane says, “and that’s a lot harder.” And the move to Stage 4 is even more difficult. “It requires a redefinition of what you’re doing as a company,” he says.

Getting from Stage 1 to Stage 2 is mainly a job for the IT department, with the promised ROI of cost reduction. Moving to Stages 3 and 4, however, requires a fundamental shift in focus — from how IT can fulfill immediate and defined business unit needs to developing business processes that can be delivered through flexible, modular IT services, with the promised ROI of enterprise agility.
“The point is not just to manage costs but to shift the enterprise. If the CEO and CFO don’t understand this, you’re dead,” McGrane says.
Stage 2: Platform Sanity

In Stage 1, the pressure to move from silos to standardized platforms is easy for the CIO to identify. The business complains about escalating IT costs and longer delivery schedules as IT wrestles with the ever-increasing complexity of all the pieces it must manage and integrate. But standardizing an enterprise’s platform is not as simple as it may sound.

The first step is deciding what exactly should be standardized. “It makes sense to standardize at the network level, but it doesn’t make sense for a specific business area,” says State Street’s Saul. For example, a common storage network and e-mail system both reduce cost and improve information sharing. But traders working with stocks may need different application functions than traders working with derivatives, even if many of the underlying functions, such as client management and reporting, are the same.

“Today, our enterprise architecture exists in layers, starting from things like the network, hardware and operating systems, and continuing up through middleware and databases until it reaches the applications. The differences across businesses may be quite slight and restricted to the application layer. The idea is to standardize on functions wherever possible, but not to force-fit them at the business level. That way, designers can concentrate on business services that give us an advantage while reusing core components,” Saul says.

The next issue is figuring out how to handle the change from the existing systems to the new standards. Not only must you actually transition your technology, you also must transition your users. And, Saul notes, you’re bound to come across non-compliant technologies that are doing an important job and doing it well. State Street started an architectural committee early in its standardization effort to address these issues. When resolving standardization priorities, the committee started with the business objectives, ensuring that IT didn’t inadvertently standardize away a business-critical technology. The committee approach planted the seeds for business-IT cooperation that would be needed in Stage 3, a few years later.
How It Works in Each Architectural Stage

| | Stage 1: Business Silos | Stage 2: Standardized Technology | Stage 3: Standardized Processes | Stage 4: Business Modularity |
|---|---|---|---|---|
| IT capability | Local IT applications | Standard technology platforms | Enterprisewide standardized processes or data | Plug-and-play business process modules |
| Business objectives | ROI of local business initiatives | Reduced IT costs | Cost and quality of business operations | Speed to market, strategic agility |
| Funding priorities | Individual applications | Shared infrastructure services | Enterprise applications | Reusable business processes |
| Key management capability | Technology-enabled change management | Design and update of standards; funding shared services | Core enterprise process definition and measurement | Core enterprise process definition and measurement |
| Who defines applications | Local business leaders | IT and business unit leaders | Senior managers and process leaders | IT, business and industry leaders |
| Key IT governance issues | Measuring and communicating value | Establishing local vs. regional vs. global responsibilities | Aligning project priorities with architecture objectives | Defining, sourcing and funding business modules |
| Strategic implications | Local/functional optimization | IT efficiency | Business operational efficiency | Strategic agility |

Source: MIT Sloan Center for Information Systems Research
A more subtle issue in making the shift to Stage 3 is the human factor, says John Petrey, executive VP and CIO of TD Banknorth, a banking and insurance firm. Stage 1 businesses and their employees are focused (understandably) on solving their specific, individual problems. To problem-solvers, standardizing technologies may mean a loss of control and perhaps even a loss of optimal solutions. “It takes time for people to realize that to get the benefits everyone is after, you have to share more things,” Petrey notes. Realistically, this cultural shift takes place in spurts. “You don’t wake up one day with a different culture,” he says.

Companies also need a measure of resolve to succeed. Often, a crisis makes it clear why change is necessary. Other times, company leaders have the charisma or force of personality to effect the change. At TD Banknorth, Petrey implemented a ruthless approach to standardization for acquired companies. “We do rip and replace,” he says. That way, he says, platform heterogeneity can’t get a toehold in the organization.
Stage 3: Collaboration Time

As an organization gets its platforms standardized, the next logical place to look for efficiencies is business and IT processes. For example, chemical manufacturer Celanese saved about 40 percent of its IT costs through its four-year standardization and consolidation effort, notes CIO Karl Wachs, in which the company rolled seven data centers into one and 13 ERP systems into one. The consolidation began in Stage 2 as a platform effort and was completed in Stage 3, when the company could begin the business-process standardization needed to run the company on one ERP system.

Understanding business processes sufficiently to standardize them is no small feat, says Wachs. It requires intense collaboration between IT and the business. But the effort helps both groups understand that different business units use many of the same core processes. “Our base chemicals unit works differently than our plastics groups, for instance, so they have different sales processes and thus different implementations of CRM,” Wachs says. “But, in reality, they are different flavors of the same functionality, so we could put all the functions in one system and make them configurable for each of the business lines.”

To do the deep analysis required to come to these realizations, you need ongoing metrics, Wachs says. Without them, you can’t assure proper governance of your services, much less of your business processes. ZapThink’s Schmelzer points out that governance in this case means both the policies for specific business and IT processes and the system by which the enterprise decides how it creates and deploys its business and IT systems, such as architectural review requirements and funding priorities.

Moving from the second stage to the third can produce subtle benefits. At TD Banknorth, the business units needed more sophisticated products to compete. That required IT to keep improving its abilities and levels of sophistication. At the same time, cost pressures require the CIO to deliver these more sophisticated tools with the same level of resources. This pressure leads to an optimization approach, bringing the enterprise into the third architecture stage.

It is at this third stage that architecture begins to mean more than IT infrastructure. Data architecture, IT governance, Six Sigma process optimization and business-IT alignment become critical aspects of the enterprise architecture, with the focus of IT shifting from simply managing the technology plumbing efficiently to contributing to the business’s operational excellence. Efficiency remains important, but its goal has changed from saving money for the sake of reducing costs to freeing up resources that can be used to grow the business, says Petrey.

For example, TD Banknorth began paying much more attention to data architecture as it entered Stage 3. “You need to put real resources into evolving and planning it,” says Petrey. That involves ensuring standard definitions of data to make it easier for multiple systems to work with the same data and interpret it correctly, as well as to be able to glean patterns that help better serve customers. TD Banknorth has designated IT staff who entrench themselves in the lines of business and act as relationship managers with their business colleagues to ensure true IT-business alignment.

Although TD Banknorth has standardized its technology platforms, it didn’t always enforce its architectural standards on the applications it bought or created. “It happened because of the rapid growth — we were most concerned with just getting something in,” recalls Petrey. “We’ve recognized that we committed these sins in the past and that it reduced our service levels and interfered with our ability to move the company forward.” Petrey is now working to make those architecturally deviant systems fit his new IT architecture, so TD Banknorth can continue to mature into Stage 4. And stricter governance is now in place to make sure it doesn’t happen again.

A focus on architecture can also lay the groundwork for future benefit, says Joe Solfaro, executive director of information management at pharmaceutical maker Merck. Much of the company’s IT efforts are focused on standardizing its platforms, but it’s also mapping its business processes and data architecture so it can be more agile once it has a more cost-effective platform on which to operate. The company began two separate data-standardization efforts several years ago but more recently brought in enterprise architects to develop a common data architecture to underlie both. “Even if the systems have tactical differences, they’ll still support the same strategic direction,” he says. That means easier data management that will ultimately support a full-blown, Stage 4 SOA.

Culturally, Stage 3 requires both IT and business staff to let go. “You have to stop being tactical. You need to trust others to manage the details,” Petrey says. Some of that shift occurs in moving from Stage 1 to Stage 2, but in Stage 3 the letting go is more difficult because now very different types of people — IT and business — must depend on and trust each other. And as with the change from Stage 1 to Stage 2, the shift to Stage 3 happens over time as the organization sees the ROI of the new approach and buys into the transformation.

There’s No Place Like Home
Enterprisewide architectural transformation should begin within IT.

Starting your forays into more mature architectural stages within the IT department itself lets you test approaches to make sure they work and reduces the chances that a botched effort in a business unit could kill further evolution, says Jim McGrane, former CIO of MeadWestvaco. Such inside-IT efforts also give CIOs the proof of concept you need to gain business buy-in. Plus, starting within IT disarms the common complaint that “CIOs like to change everyone else’s processes but their own,” he says.

Merck is also taking this tack, says Joe Solfaro, executive director of information management. “We’re going to work our way from the inside out,” he says. At Merck, IT is using an integration platform to unify the messaging architecture at the company, which at first seemed to be a very IT-focused efficiency gain. But the effort is forcing IT to change its own internal operations and provides a natural interface with the business. “Layering information into a single bus gives us access to information that we know the business will want, such as process management, and it gives us more visibility into business processes,” Solfaro says.

Approaches such as the Capability Maturity Model for Integration (CMMI) and IT Infrastructure Library (ITIL) are good process methods to help IT transition to Stage 3, note both McGrane and Solfaro. “They help focus the organization on a process basis, and they force you to determine the value of services and to run like a business,” McGrane says. —G.G.

E.A. Changes Your Job
As the architecture changes, so does the CIO role.

As an enterprise evolves through the various stages of architectural maturity, the CIO role evolves along with it, says Jeanne W. Ross, the principal research scientist at the MIT Sloan Center for Information Systems Research. In Stage 1 companies, the CIO’s job typically is focused on maintaining the technology plumbing. In Stage 2, the CIO needs to play a more strategic role to coordinate the shift to a common platform and its effect on the enterprise. Sometimes, as organizations go through Stage 2, “there’s a weird tendency to bring in a non-IT person,” Ross observes. As the technology stabilizes in Stage 2, process issues come to the forefront and a technology-focused CIO may seem less able to handle them, according to Ron Schmelzer, a senior analyst at SOA consultancy ZapThink.

The CIO role begins to cross organizational boundaries in the journey to Stage 3. Ironically, as an enterprise moves into Stage 4 and business leaders gain more control over the deployment of IT services, the CIO role can again become more tactical, says former MeadWestvaco CIO (now VP) Jim McGrane who, seeing that shift begin at his own company, has decided that’s not a job he wants. (He left his position in April of this year to focus on other areas.)

But losing the policy dimension of the CIO role is not inevitable, argues Judith Hurwitz, CEO of the consultancy Hurwitz & Associates. “You can focus on innovation because the operational efficiencies achieved [by SOA] give you that time,” she says.

As enterprises move through latter maturity stages, Ross argues that IT “should be part of something bigger, such as shared services, operations or finance,” shedding its role as a mere technology provider. In that evolution, the CIO becomes the head — or a leader — in a more broadly defined operation. At financial services provider State Street, for instance, IT and operations have merged. Pharmaceuticals company Merck has made IT part of shared services. And paper maker MeadWestvaco has recently done the same.

But it’s the enterprise’s view of the individual CIO’s abilities that really matters in determining what role he will play in a Stage 4 organization. Schmelzer notes that many companies have a VP of marketing and sales, a role that combines two very different functions, while other companies have a separate VP for each. IT’s role is even broader, he notes, combining architecture, design, and integration and operations. Few CIOs will be strong in all three; some will be strong in only two. Management may view IT as a discrete function or as a subset of a greater services organization. But no matter the organizational structure, the CIO needs to be as knowledgeable about the business as the technology. —G.G.
Stage 4: Business Modularity

Very few enterprises are at Stage 4. They account for just six percent of the roughly 450 companies CISR surveyed. Still, CIOs in the latter part of Stage 3 can already see how Stage 4 might look. At Celanese, CIO Wachs says parts of his organization are in Stage 4, focusing on modular processes that can be easily managed within an enterprisewide architecture. “Companies can be agile only if they can turn specific functions on and off,” Wachs asserts, and that requires understanding what the functions are, where they are used and what they affect. That in turn requires having an architecture designed for both flexibility and consistency, he says.

State Street also believes it is in the beginning of Stage 4, says Saul. “We know we’ll have to get the IT people better at understanding business processes and at communication,” he says. “The lines between IT and business are blurring,” he continues, “and it’s clear that someone will have to manage both.” For some companies, that means IT may become part of a shared-services effort.

Less clear is what a mature Stage 4 organization will be, what it will look like, says MeadWestvaco’s McGrane. “The understanding of how to use IT for agility and game-changing things versus incremental improvements is just starting,” he notes. And he’s not sure the enabling technologies are really there yet. One thing McGrane is sure of: “You can’t move to Stage 4 until the entire enterprise has achieved Stage 3, because Stage 3 sets up the process orientation necessary to view the enterprise as modules, as Stage 4 requires.”

A Journey, Not a Place

While it’s tempting to think of each stage as a place to arrive at, a truer way to see it is as a transformative process with the enterprise gradually transitioning from one stage to another, CISR’s Ross says. That’s because the volume of change is immense, and more important, people must change along with the technology. That’s why CIOs should promote incremental deployments and promise incremental value, both to ease the impact of change and to nurture management’s enthusiasm for the effort, says Celanese’s Wachs.

In fact, because of the legacy of mergers, different levels of business need and buy-in, or external forces such as regulation, companies often find that they’re in different stages simultaneously. For example, at Celanese, the HR system is still in Stage 2 because of payroll requirements, while other parts of the company are entering Stage 4, says Wachs.

No matter the pressure to improve enterprise efficiency and agility — Today! If not sooner! — companies, unlike the X-Men, cannot leap over stages in their evolution, says CISR’s Ross. Each stage lays the technological, procedural, cultural and behavioral foundation for the next. The impossibility of skipping stages holds true even in companies where one entity is ahead of the others. For example, in 2002, McGrane considered Mead to be at Stage 3, but then the company merged with Westvaco, which was at Stage 1. As CIO of the new MeadWestvaco, McGrane had to bring the newly acquired parts of the company through Stage 2 before moving them to Stage 3. Now, the unified organization is moving closer to the same maturity level.

Enterprises should also understand that architecture is never done, says ZapThink analyst Schmelzer. “The idea is to continuously adjust the service — not necessarily the implementation — such as composing two finer-grained services into a more composite one or vice versa,” he says. Typically, CIOs don’t have those skills, so they should have a chief architect or architecture team reporting to them, Schmelzer advises.

However an enterprise manages its architectural evolution, it must remember that the journey is the reward. Says CISR’s Ross, “The end point is much less important than the continuous improvement you gain. You need to get a little better every day. It’s not about how to get to Stage 4.”
Galen Gruman is a frequent contributor to CIO. Send feedback on this feature to editor@cio.in
REAL CIO WORLD | FEBRUARY 1, 2007
Cover Story | IT Architecture
Taking a Bypass
By Vijay Ramachandran
Why Tamal Chakravorty, CIO of Ericsson, doesn’t quite buy the four stages or SOA.
Photo by Srivatsa Shandilya
Do you think it is necessary for a business to go through each stage on its way to developing SOA?
Tamal Chakravorty: From my exposure in the IT industry, I can’t give a yes or a no. However, with Ericsson and a few other companies that I have worked for, that is the case. Ericsson went from silos to a standard operating environment to SAP, and is now looking forward to modularity. But from my viewpoint, that is not always necessary. There are companies who have taken conscious decisions to link all their business applications (ones which yield financial results or ones which introduce productivity improvements) under one mega application like SAP, Oracle or Baan. Business process ownership and standardization is anyway an integral part of any business and need not necessarily fall in any stage. Standardization is a must for any business whatever their setup may be. It is only when they see a need for exchanging data between nonlinked applications that they start looking at modularity and exchange.
Can a phased architectural approach along with SOA help a business become more agile and increase the ability to respond to unanticipated change?
Agility is listening to your customers and reacting to their changing needs quickly. In my view, it has nothing to do with architecting an approach. Application development, integration, SOA, etcetera, are just a few means of getting there. Look at it from this angle: we’re customers to some vendor. If our customers want something quickly and we need to deliver, we will need to work with our vendors to ensure delivery. This is assuming the delivery is not 100 percent dependent only on our products and services. In such a case, a staged approach will take longer and may even create potential difficulties.
How does the enterprise architecture at Ericsson involve integration?
As I mentioned, we moved from silos to ESOE (standard operating environment) to SAP and standard environment, and are now willing to look at SOA. We will have to integrate various business processes run on various platforms into one cockpit view for users and management.
Is there a need for an industrywide effort to align packaged applications with standardized IT components and standards? Otherwise, wouldn’t it be a constant challenge to integrate disparate packages and components?
I agree that there should be an industrywide standards body that should look at these aspects and realign our efforts accordingly. Without this, much more jargon could emerge and by the time I retire, I will be blessed with 50,000 more pieces of jargon!
Finally, in your opinion, does SOA live up to the hype?
I can’t comment. But really, haven’t there been many products that were SOA for some years? It’s just more jargon. (I’m guessing somebody’s patenting jargons!) I am not very hopeful that SOA will live up to the hype. It is just another passing phase; we will soon have SOA version 2 or a different standard. It would have to go through a standards organization like IEEE before I can comfortably say that it will live up to what’s expected of it. CIO
Send feedback on this interview to editor@cio.in
For NFL Films CFO Barry Wolper, smart IT investments are key to delivering winning multimedia programming in a crowded entertainment field.
View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.
Winning Tackle
By Matt Villano
John Facenda might be the ‘voice of God’ on NFL documentaries, but at NFL Films, the source of top-rated commercials, documentaries and other video programs about football, the CIO listens to CFO Barry Wolper. A subsidiary of the National Football League, NFL Films has recorded football images since 1962. In 2002, Wolper quarterbacked the budget process for the company’s Rs 225-crore, 200,000-square-foot headquarters and production facility in Mount Laurel, New Jersey. About a year later, the 32 NFL team owners voted to invest Rs 450 crore to create the NFL Network — a cable channel to show football, all the time. The owners turned to NFL Films to oversee construction and operation of another studio in Culver City, California. As a result of the owners’ decision, NFL Films changed its business model, taking a creative leap from documentaries and commercials into studio shows, cable specials and other programs. In the process, the company has pioneered new tools and techniques for broadcasting sports, such as the use of graphics to analyze game strategy. For this to happen, Wolper teamed up with CIO Dave Franza (who reports to Wolper) to deploy a new network infrastructure and
applications designed to support current and future programming. Wolper bankrolled a gigabit Ethernet voice and data backbone that delivers high-speed communications (including voice over IP) between NFL Films headquarters in Mount Laurel and the NFL Network’s Culver City production facility. He also funded enhancements to two systems: a digital video archival system (which stores video clips of all NFL plays from the past 12 seasons) and a broadcast asset management system (a database that indexes completed programs and segments, so production staffs have access to metadata about source material, including total running time and show subjects). The investment has scored big. Wolper declines to share revenue data, but USA Today reported last year that the future pool for revenue sharing among NFL owners, projected at up to Rs 4,050 crore, is expected to come primarily from digital media. As consumers adopt new communications and entertainment technologies, Wolper says
a big challenge for his organization is to keep up with viewer demand. For example, earlier this year, the NFL inked a five-year, Rs 2,700 crore deal with Sprint to deliver programming from the NFL Network on cell phones. “The challenge for us, and especially for our IT folks, is to figure out how to make those links between what consumers want and the ways that they are accessing it,” he says. Wolper spoke about his expectations of IT in a fast-changing, rapidly growing market for sports programming.
CIO: As a CFO, how do you perceive IT?
Barry Wolper: I see IT in two different ways. One is the historic role, what was called MIS in the old days, which is to keep the administrative operations of the company going smoothly and efficiently. Secondly, and perhaps even more importantly, I look to the IT department in a very important support role to give the producers of our television programs and other programming the tools they need to do their jobs well. The biggest challenge [in developing NFL Films’ infrastructure] was trying to predict the future. We were designing our facility in the heat of radical changes going on in the tele-production industry. Everyone still doesn’t quite understand what to make of the new world. We wanted to design a facility that would last for 30 years and have the infrastructure that would last for 30 years but also be flexible enough to endure the many changes that were sure to take place in technology and equipment. We’re seeing some of those changes already, with high-definition television and video iPods and PDAs. It’s clearly a challenge for our IT department, which they solved mostly by their ingenuity in working with league partners such as EA Sports and Apple to figure out ways that the creative people can exploit these new media in the most exciting ways for our fans.
Barry Wolper wants I.T. to:
Support producers
Take initiative to learn about user needs
Help with competition from other mediums including Internet, video games and wireless
Imaging by Binesh Sreedharan
What is NFL Films’ technology planning process?
Every initiative is brought before a committee comprised of our vice presidents and senior executives. Everyone has a chance to opine on a proposal and understand how it may affect users. It’s the best way to prioritize our projects, and also to give Dave an understanding of things that he needs to know before he embarks on projects. It is incumbent on Dave to understand the needs of the users. Because ours is such a rapidly changing area, Dave and his staff are required to know all the alternatives that are available in a given situation. When you have a couple hundred people working on a thousand hours’ worth of TV shows, the tools that Dave is implementing are critical to their day-to-day, minute-to-minute activities.
Has your IT department ever fallen short of expectations?
No, definitely not. They have pulled rabbits out of hats too many times to count and people here at all levels, especially in operations, have come to rely on them and know that they won’t ever fall short of what the objectives are.
Where, in general, do you think CIOs make mistakes?
Technology is seductive. It’s easy to fall prey to the syndrome of finding solutions to problems that don’t exist. I don’t think Dave falls prey to that, but I certainly recognize that as a risk.
Have you ever funded projects you wish you hadn’t?
We all know this dynamic that as the cost of information and storage comes down, the speed of equipment goes up. Therefore, you can always wait until next year to invest in something, and presumably you’re going to get a bigger bang for your buck. Since almost all of our production tools are computer-based, from strictly a business point of view it’s easy to preach delaying investment because the product will be better and cheaper next year. Following this to its logical conclusion, we should never invest in anything. But we know we have to. So we make technology investment decisions very carefully, weighing today’s perceived need against the current and future cost. No one is going to be able to have a perfect track record on knowing the most propitious time to invest in every aspect of the equipment you need.
So how do you manage the risk of new technology investments?
It comes down to intense preparation before we embark on any material expenditure. We try to be bleeding edge in our adoption of new technology. We need to turn incoming audiovisual information (film footage, video footage and audio), whether originated by us or from third parties, into edited segments as quickly as consumers want those segments in this new on-demand environment. We’re competing with all other forms of media and entertainment that consumers spend time with — not just sports television, not just television in general, but the whole wide world of digital media: Internet, video games, wireless, iPods and more. In some of these areas, the NFL’s business partners have invested large sums of money to associate themselves with the NFL, so we have an obligation to provide them with what their customers want. To do this, we have to stay on top of new developments. We have people who work closely with IBM, people who follow developments with Apple and people who keep after other big companies in Silicon Valley. We have video engineers who travel to Japan every so often to sit with the engineers at Sony and Panasonic, as well as other consumer electronics companies. We make careful, educated decisions about what we want to invest our scarce capital in, and we have a really good idea what the purpose is. Technologies that are worth the risk are those that perform stably, are scalable and are affordable in the context of the revenue to be generated from its usage. At the same time, we have to venture at least a very educated guess about what the obsolescence factor is going to be. It’s a challenge.
SNAPSHOT: NFL Films
Headquarters: Mount Laurel, New Jersey
Primary business: Media
Employees: 275
CIO: Dave Franza
IT employees: 22
Technology partners: Apple, EA Sports, Panasonic, Sony, Sprint
What do you perceive to be your biggest challenges to investing in IT at the NFL Network?
We’re all living through the blending of traditional television with digital media. We have many mouths to feed in other areas of the company, too, so no funding decisions will ever be made in a vacuum. We’re ready to invest in whatever our users want, but I don’t see a huge investment needed [in IT] for the foreseeable future. Because it’s been designed intelligently, the digital studio can grow over time without any major overhauls. CIO
Matt Villano is a freelance writer and editor based in Half Moon Bay, California. Send feedback on this interview to editor@cio.in
Emerging Technology
Consumer Appeal
By Susannah Patton
Your end users are downloading Skype and sharing links to company webpages on Del.icio.us. But don’t panic. Although emerging consumer applications can pose security risks, here are five that offer business benefits if you manage them well.
Illustration by Binesh Sreedharan
Reader ROI:
Which emerging consumer technologies offer benefits to business
The risks of letting employees use unapproved software and devices
How to manage unauthorized applications on the corporate network
When Paul Tang first downloaded Google’s desktop search application, he was impressed by its speed and power. Instead of painstakingly looking for data and files on his hard drive, he could find them with the ease of a Web search. However, Tang, chief medical information officer at the Palo Alto Medical Foundation (PAMF), quickly realized that the slick application could also be dangerous. Tang saw that this early version of Google Desktop (it was released in 2004) would index encrypted webpages from the hospital’s online patient health system, caching the data on his PC. “We take great pains to avoid leaving personal health information on PCs, and we noticed that the search tool was doing that by default,” says Tang. While he didn’t ban the software, the hospital advised users to change its settings so that encrypted webpages — including those within its medical records system — would be excluded from searches. Tang isn’t as worried now. Google has since changed that default setting, so that it no longer leaves cached information on a user’s computer, and he counts himself an enthusiastic user of the software, among other consumer applications. But as a guardian of patient privacy, Tang knows he has to keep his eyes open for potential vulnerabilities. “Consumer technologies are useful and powerful — and difficult to regulate,” he says. “You have to be careful and conscientious about how you use them.”
Not long ago, corporations were on the leading edge of technology adoption, providing employees with better equipment and software than they could purchase on their own. Now, however, consumer applications are easy and fun to use, and often free. In many cases, they also work better than corporate software. And the tables have turned on CIOs, as employees download software from the Internet, bring their handheld devices to the office and merge their home computing life with work. Concerned about losing control of their networks, some IT departments have banned all unauthorized software and electronics from the workplace. While it’s true that consumer technologies such as desktop search, Internet telephone services such as Skype and devices such as iPods can weaken network security, the trend is hard to stop. In many cases, users are downloading software unbeknownst to the IT department. In a Gartner survey conducted last year, half of the respondents reported that more than 60 percent of their IT users were employing consumer-grade software, whether approved or not.
Furthermore, employees may be on to something: emerging consumer applications, when adapted to the enterprise, can make workers more productive and cut IT costs. In fact, Gartner predicts that between 2007 and 2012, the majority of new information technologies that enterprises adopt will have their roots in the consumer market. Instead of building a wall to keep consumer technologies out, CIOs need to be pragmatic and provide a place for employees’ favorite applications. A willingness to let employees experiment requires management strategies and policies for using external applications that will prevent serious security and privacy breaches. It will also mean, in some cases, making sure networks and architecture are configured to handle the consumer gadgets and software. “CIOs are in a balancing act,” says Michael Gotta, principal analyst at the Burton Group. “Suddenly, there are all of these lightweight, easy-to-use applications that people want to work with, but IT still has to make sure they’re meeting security and compliance requirements.” Among dozens of technologies gaining momentum in the consumer market, we look at five that are making their way into the enterprise. These technologies — social networking software, Skype, desktop search, handhelds and mashups — exemplify the most important trends in software that will have an impact on business.
1. Social Networking Software
What it is: Social networking software allows users to interact and share information. Consumer versions of these applications include ones to which the younger crowd flocks to post pictures and network among friends like MySpace.com and Facebook.com, and also those where the professional set keeps up with colleagues and finds out about job openings such as LinkedIn. Other popular consumer applications include Flickr, which allows users to ‘tag’ personal photos (a process in which users choose keywords or descriptive terms to classify them), and Del.icio.us, a service for storing Web bookmarks. These sites, both owned by Yahoo, enable users to share their photos and favorite websites. Tagging is sometimes called social bookmarking because it allows multiple users to categorize online content. A few software companies, including Contact Networks and Visible Path, offer corporate applications that mirror these consumer sites, promising to help business users organize and find information.
Business benefits: In two words — knowledge management. Corporations have struggled with KM for years, trying to get employees to share information. Now, some companies are experimenting with social networking applications, hoping employees will adopt them if they see these systems are easy to use and deliver benefits quickly. Other companies are working on ways to help employees find data more easily by adopting tagging technology like Flickr uses. At the Boston law firm Mintz Levin, attorneys search for contacts on the firm’s intranet using Contact Networks’ software. Fred Pretorius, Mintz Levin’s director of IS, says he decided to give the enterprise social networking software a try two years ago, after attorneys complained about floods of messages from colleagues that would begin, “Does anyone know…?” Now, the firm’s 475 lawyers can search for contacts within the firm from a link on the company intranet page. Pretorius provided Contact Networks with the firm’s global address list, and the software company then installed the application on an existing server. The harder part, he says, was convincing attorneys to expose their client lists. “This was a huge cultural obstacle because contacts are what defines their work,” Pretorius says. At first, 20 percent of the attorneys opted out of the system. As they began to see how it could help them, however, that resistance began to fade. Now, 99 percent of Mintz Levin attorneys use the system.
“You don’t want to lose control,” says Fred Pretorius, IS director with the law firm Mintz Levin. “But you don’t want to stifle innovation either.”
In addition to sharing personal information and contacts, companies are also trying out ways to organize corporate information using employee-generated tags or keywords. Tagging makes information easier to find than is often possible on a corporate intranet. “I know of no organization that has an intranet that works well for everybody finding what they need,” says Thomas Vander Wal, founder and senior consultant for InfoCloud Solutions. (Vander Wal created the term folksonomy, which refers to a tagging system created within an Internet community.) Mitre, a non-profit research and development company, is experimenting with tagging using a customized application that was built on an open-source tool called Scuttle.
The pilot project, dubbed onomi, is similar to Del.icio.us in that it allows employees to share annotated bookmarks. Donna Cuomo, chief information architect with Mitre’s center for information and technology, says the idea arose after she noticed that employees were using Del.icio.us and Flickr to share company information. So far, 900 of Mitre’s 6,000 employees are using onomi to organize their own bookmarks and share them with colleagues. “A lot of people have adopted it as the only way they want to share resources,” Cuomo says.
The risks: As consumer technologies go, social software poses few major risks. Employees may use consumer social networking sites for business purposes, sharing photos on their corporate blogs using Flickr or posting company information on LinkedIn. If employees start using such applications under the radar, however, there could be confusion about where and when it’s appropriate to share information. Mitre’s Cuomo says that she feels more comfortable using an internal tagging system because employees won’t be putting links to company information outside of the firewall.
Enterprise Software Gets a Face-Lift
Consumer IT provides the model for new business applications.
Enterprise software look out. The hard-to-install, hard-to-use software of the past is quickly becoming a dinosaur. “The way that consumers use software is bleeding into the enterprise,” says Paul Holland, general partner at Foundation Capital, a venture capital company. That means that more companies will be choosing on-demand software akin to Salesforce.com for non-strategic tasks. It also means that users will expect business applications to be as easy as the ones they use at home. “In the past, enterprise software was hard to use and people got discouraged,” Holland says. “Users are driving the trend — they are the new heroes of the organization.” Just ask Roger Hoffman, director of technical service management at car research site Edmunds.com. Employees at Edmunds.com have been using an on-demand application called Service-now since February to log incidents, changes or problems with the production environment. Service-now was inspired by business-to-consumer software such as home banking applications, Amazon.com and Google. Hoffman says he is pleased so far and that users are happy with the easy-to-use interface. Hoffman adds that users are increasingly looking for simple applications and attractive interfaces that mimic the software they use at home. Software vendors are taking note, following the lead of such vendors as Rearden Commerce, which enables customers to order business services online. The trend is even drifting into supply chain applications. The startup Ketera Technologies offers an on-demand procurement application that promises companies it will ‘consumerize’ purchasing and make ordering supplies as easy as ordering something from Amazon.com. — S.P.
2. Skype
What it is: Skype is one of a slew of applications in the emerging voice over IP telephony market that allow users to engage in voice and instant messaging conversations with each other. (Phone calls via Skype are free when made to another Skype user.) It has emerged — mainly through word of mouth — as one of the most successful Internet applications of all time, with more than 300 million downloads and more than 100 million registered users. Skype was acquired by eBay last year for Rs 11,700 crore. Competitors include AOL’s AIM Triton and Microsoft’s Windows Live Messenger. Skype’s appeal is that it’s easy to use and the quality of its voice service is high. “It’s better than most VoIP products out there,” says Steve Cawley, CIO with the University of Minnesota, where he suspects Skype is popular among international students and researchers.
Business benefits: VoIP technology offers huge cost savings over traditional telephone service, especially for companies that make a lot of long-distance calls or have employees working in places subject to high long-distance fees. Skype and applications similar to it can also help companies that haven’t deployed VoIP yet to create a converged communications suite, including voice, video and instant messaging, writes Irwin Lazar, an analyst with Burton Group, in a report about the technology. For example, Lazar says, many Burton Group employees use Skype for internal and external communications. At first, most were motivated by cheaper long-distance calls. But many are now using it for instant messaging. Saul Klein, vice president of marketing with Skype, says 25 percent to 30 percent of its customers use the application for business. In the corporate environment, Skype poses some security risks. But companies, especially small ones that are more focused on cost savings than security, may be willing to take that risk. Even CIOs at some larger companies such as Greif, a maker of industrial packaging products, report that they are willing to test Skype and aren’t overly concerned with potential security risks.
The risks: As with any application exposed to the Internet, “the potential that some flaw will be discovered that would enable an attacker to either gain control of or disrupt a Skype user’s computer or mobile device is real,” notes Lazar. (In general, VoIP can pose a security risk because calls travel over data lines that may be vulnerable to Internet worms and viruses.) These risks are magnified in the case of Skype because, unlike with enterprise VoIP systems from vendors such as Cisco and Avaya, there’s no way to track who is using Skype or how it is being used. That’s because it can be downloaded and installed by employees themselves. Finally, Skype can’t log and monitor phone calls, so companies that have to track calls for compliance purposes may want to avoid it.
Pharmaceutical company Novartis has banned it, and schools including Oxford University and the University of Minnesota have issued warnings against using Skype. Minnesota’s Cawley also discourages using Skype because of the security risks. He worries about the capability for Skype users with a public IP address to become ‘supernodes’, acting as hubs that route calls for other users. In the meantime, he suggests that users pick another VoIP service, such as Free World Dialup, which has clients for Windows, Mac OS X and Linux. And although students and faculty can use Skype if they choose, they are asked to turn the application off when they are done calling. “If we do see a problem with Skype, we may go ahead and block it,” says Cawley.
3. Desktop Search
What it is: A free tool offered by Google, MSN, Yahoo and others that allows users to quickly search the contents of their hard drives. The latest version of Google Desktop can also be used to share files between computers. Users download the tool, which indexes everything on their hard drives in the same way that Google indexes the Web. The software can be set to return results on e-mail, text files, spreadsheets, photos, PDFs and more.
Business benefits: Desktop search can make work easier and increase productivity, especially for employees in industries such as biotechnology who need to find technical information quickly to do their jobs. Palo Alto Medical Foundation’s Tang says that though he had concerns initially about the security and privacy implications of desktop search, it can be a valuable tool if users know how to protect their information. Tang and other CIOs see desktop search applications growing in popularity, and they are putting together policies to determine when these tools can be used. Chris Holbert, CIO at Launchpad Communications, which operates an inbound sales call center in Los Angeles, says he currently sees no business need for desktop search. However, Holbert worked for seven years as head of IT at a biotech firm, where researchers made frequent use of a customized desktop search tool. Even some CIOs who currently ban desktop search applications say they are preparing for the day when they might have to change their position. “Desktop search seems to have a lot of momentum and we won’t be able to ignore it,” says James Kritcher, VP of IT at White Electronic Designs.
The risks: Company data may be exposed inadvertently. Once the tool is installed and files are indexed, a snoop can theoretically search someone’s hard drive for information. At PAMF, Tang went out of his way to help users understand how to make sure that sensitive data doesn’t get indexed, but freewheeling users may not always pay attention. Google’s desktop search software also has a feature that lets users search for content on multiple computers. The ‘search across computers’ feature stores copies of PDFs, Word files, spreadsheets and other documents on Google servers. In theory, Kritcher points out, storing documents even temporarily on an external server could expose a company to litigation for violating its privacy, security or document retention policies.
4
Handheld Devices What they are: Pagers, cell phones, iPods and PDAs have been around long enough that plenty of companies sanction them for everyday work (think BlackBerry). The devices are becoming so entrenched in daily life that lots of people (including you, probably) bring their own devices from home too. Business benefits: While handheld devices are disdained as providing little more than a distraction during meetings at many companies, early adopters of the technology on an enterprise scale use them for more than idle chat or diversion. A doctor in Geneva, for example, has reportedly devised a software program that allows physicians to view medical images on their iPods. At Mintz Levin, IS director Pretorius is testing a proposal from an associate suggesting that the firm build a podcast library of attorneys’ legal presentations. Some managers at the PAMF use PDAs to read e-mail that is not patient-related, look up information about drugs and check medical protocols. The risks: Mobile phones and PDAs are usually not password protected; therefore, companies risk compromising corporate data if it is downloaded onto the devices. The same goes for iPods, which can be used as backup storage devices. Data security standards set by the Payment Card Industry Security Standards Council could prohibit most pagers and cell phones from being used in offices where information about cardholders is known by employees, such as in call centers or at e-commerce sites.
5. Mashups
What they are: Mashups are applications that combine data from two or more online sources and run within a Web browser. Think of mashups as Web services lite. Mashups were born a little more than a year ago when Paul Rademacher, an animation expert at Dreamworks, created HousingMaps.com, which merged Craigslist and Google Maps to help people locate real estate listings. Since then, mashups have gained ground among developers; there’s competition to create the most innovative applications. One of the most talked about mashups is the combination of Google Maps and the CRM application Salesforce.com.
Business benefits: Mashups offer faster and easier integration of some services than may be possible using Web services within a service-oriented architecture (SOA). Mashups are less complex, and developers concern themselves less about complying with technical standards because the applications are browser-based, according to consultant Dion Hinchcliffe, president and CTO with Hinchcliffe & Co. One way mashups are making inroads into the enterprise is when corporate developers adopt the mashup approach for integrating data internally, says John Musser, a consultant who operates the website Programmableweb.com. Investment management company T. Rowe Price, for example, has combined data from multiple applications in order to simplify its call center systems. Kirk Kness, VP of architecture and strategy at the company, says he prefers to call the development technique “composite applications,”
Paul Tang, chief medical officer with the Palo Alto Medical Foundation, allows managers to use PDAs to read e-mails that aren’t patient related.
because “the term mashup implies that we might be winging it, and we’re not doing that.” Kness and his team are using portal software from IBM and Ajax, a development methodology for generating interactive Web applications. Meanwhile, IBM is working on a project called QEDWiki (so called because it uses wikis, a tool that allows multiple users to edit a webpage) that is designed to let businesspeople create their own webpages by dragging information from both private and public websites. Using QEDWiki, an employee could integrate weather data, information from an ERP system and the location of company facilities in a single webpage. “Companies have been wrestling with integration for decades,” says Musser. “Mashups offer a whole new level of power and sophistication that comes for free.”
The risks: These applications can have a lot of security holes. Some mashups that use Ajax scripts, for example, expose their code in the browser, which may allow the mashups to be used maliciously. What’s more, passwords for accessing components of a mashup may also be exposed in the browser, putting the underlying services at risk. Hinchcliffe says that many mashups pull code in live from the Web (think of any service using Google Maps) and run without being previously tested. The danger there, he says, is that the code from an underlying source could change the next time the mashup is loaded, and users won’t know what’s in it.
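The risk Hinchcliffe describes, third-party script code changing between one load and the next, can be caught by pinning a digest of the script version that was reviewed and comparing it with what is fetched later. The sketch below is an added example, not code from the article or from any product it names; it uses the "algorithm-base64 digest" token format of the browser `integrity` attribute (W3C Subresource Integrity), and the component names, URLs, script bodies and function names are all constructed for illustration.

```javascript
// Added example: detect when a mashup component's script differs from the
// version that was reviewed. All names, URLs and script bodies are constructed.
const crypto = require('node:crypto');

// Supported digest algorithms, weakest to strongest.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Build a pin of the form "<alg>-<base64 digest>" for a reviewed script body.
function pinScript(body, alg = 'sha384') {
  if (!ALGS.includes(alg)) throw new Error('unsupported algorithm: ' + alg);
  return alg + '-' + crypto.createHash(alg).update(body, 'utf8').digest('base64');
}

// Split a whitespace-separated pin list; drop malformed or unsupported entries.
function parsePins(pins) {
  return String(pins).trim().split(/\s+/).map((token) => {
    const dash = token.indexOf('-');
    if (dash < 1) return null;
    const alg = token.slice(0, dash);
    const digest = token.slice(dash + 1);
    return ALGS.includes(alg) && digest.length > 0 ? { alg, digest } : null;
  }).filter(Boolean);
}

// Compare a fetched script body with its pins. Only pins using the strongest
// algorithm present are considered, so a weaker pin cannot override a stronger one.
function verifyScript(body, pins) {
  const parsed = parsePins(pins);
  if (parsed.length === 0) return { ok: false, reason: 'no usable pin' };
  const strongest = parsed
    .map((p) => p.alg)
    .reduce((a, b) => (ALGS.indexOf(b) > ALGS.indexOf(a) ? b : a));
  const actual = crypto.createHash(strongest).update(body, 'utf8').digest();
  const match = parsed
    .filter((p) => p.alg === strongest)
    .some((p) => {
      const expected = Buffer.from(p.digest, 'base64');
      return expected.length === actual.length &&
        crypto.timingSafeEqual(expected, actual);
    });
  return match
    ? { ok: true, reason: 'matches reviewed ' + strongest + ' digest' }
    : { ok: false, reason: 'content differs from reviewed version' };
}

// Check every component of a mashup against what was fetched for it.
function auditMashup(components, fetchedBodies) {
  return components.map((c) => {
    const body = fetchedBodies[c.url];
    if (typeof body !== 'string') {
      return { name: c.name, ok: false, reason: 'script not fetched' };
    }
    return Object.assign({ name: c.name }, verifyScript(body, c.pin));
  });
}

// Constructed sample: the script as reviewed, and a later upstream version.
const REVIEWED_MAP_JS =
  'function drawMap(el, lat, lng) { el.dataset.center = lat + "," + lng; }\n';
const CHANGED_MAP_JS =
  REVIEWED_MAP_JS + 'function extra() { /* added upstream after review */ }\n';
const REVIEWED_CRM_JS =
  'function listAccounts(rows) { return rows.map(function (r) { return r.name; }); }\n';

const COMPONENTS = [
  { name: 'maps', url: 'https://maps.example/api.js', pin: pinScript(REVIEWED_MAP_JS) },
  { name: 'crm', url: 'https://crm.example/widget.js', pin: pinScript(REVIEWED_CRM_JS, 'sha512') },
  { name: 'weather', url: 'https://weather.example/feed.js', pin: '' }, // never reviewed
];

// Stand-in for today's network fetch (constructed, so the example runs offline).
const FETCHED_TODAY = {
  'https://maps.example/api.js': CHANGED_MAP_JS,
  'https://crm.example/widget.js': REVIEWED_CRM_JS,
  'https://weather.example/feed.js': 'var temperature = 21;\n',
};

// Names of the components that must not be loaded as fetched.
function blockedComponents(components, fetchedBodies) {
  return auditMashup(components, fetchedBodies)
    .filter((r) => !r.ok)
    .map((r) => r.name);
}
```

In a browser the same pin goes in the `integrity` attribute of the `<script>` tag, and the browser refuses to run a body that does not match.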
How to Manage the Consumer IT Invasion
There are several steps CIOs can take to manage consumer technologies as they make their way into the enterprise:
Find out what’s happening. By determining which consumer technologies are popular with employees and why they want to use them, IT leaders can figure out the best ways to adapt them internally. Some technologies that have taken off on the consumer side already have offshoots better suited for enterprise use. For example, Google Desktop 3 for Enterprise, currently in beta, allows administrators to disable features they don’t want employees to use. X1 Technologies, which has partnered with Yahoo, offers a competing enterprise search tool.
Identify and mitigate risks. If employees need a particular technology to do their work, companies might need to shore up their network security or add bandwidth to support it. If a company allows the use of Skype, for example, it will want to block unsolicited incoming connections to Skype clients to discourage malicious activity.
Govern usage. If you’re going to ban an application, set up controls to prevent it from slipping in. Among the options: identity management systems, network access controls and intrusion prevention. “Rather than trying to create a secure perimeter and keep the consumer technology out, you should assume a hostile environment and drive security deeply and broadly into everything you do,” says Gartner analyst David Smith. If you’re open to experimentation, make sure users know how far they can go. “You don’t want to lose control with what’s happening on your network,” says Mintz Levin’s Pretorius. “But at the same time, you don’t want to stifle creativity and innovation. Balancing the concerns and benefits related to consumer technologies is a constant battle, but I see it as a major part of my job going forward.”
Susannah Patton is a writer based in California. Send feedback on this feature to editor@cio.in
Smarter
A national project that seeks to automate the processing of a host of transactions between the people and state transport departments can potentially rid the system of tax defaulters and forged documents.
By Harichandan Arakali
Smart Cards
When they set out to computerize transport departments across the country, the hardworking staff of the National Informatics Center was not exactly looking to win an award. But that’s what they got, at least in the state of Jharkhand, for their efforts to automate the processing of various transactions between citizens and the state transport department. Shahid Ahmad, technical director of NIC’s unit in Jharkhand, and the state’s informatics officer, says NIC implemented both Vahan and Sarathi software in all the 18 district transport offices (DTOs), four regional transport authority and state transport authority offices. Vahan will help to register vehicles, collect tax, issue various permits and record the fitness of vehicles. Sarathi, which complements Vahan, is used to issue driving and conductors’ licenses and licenses for driving schools, Ahmad says.
Reader ROI:
How standardizing data can help governments enforce the law
Why smart cards are a great way to provide hassle-free service for end users
Illustrations by Anil T
In 12 districts, including Dhanbad, Ranchi, Hazaribagh, Jamshedpur, Bokaro, and Koderma, registration certificate (RC) booklets and driving licenses are now issued as smart cards. Jharkhand is ensuring that by the end of this financial year, all 18 DTOs will issue smart cards. So far, the registration certificates of 1.15 lakh vehicles and about 20,000 driving licenses have been given out in a smart card form, he says. Ahmad credits Jharkhand’s success with the implementation, and the lead it’s taken in introducing smart cards, to the excellent working relationship between the NIC, the state IT department and the state transport department. For Vahan, Jharkhand won an award at the 9th National Conference on e-Governance, under the service delivery category.
National Project
While Jharkhand was nimbler than other states, two-thirds of the states in the country — under a project called the National Transport Project — are at various stages of rolling out two homegrown computer software applications. Vahan and Sarathi will introduce transparency and efficiency to the process of registering a new vehicle or getting a driving license or paying various taxes related to owning and running motor vehicles. The National Informatics Center, whose state units are entrusted with rolling out the software in their respective states or with aiding the roll out, also built and pilot-tested the software. In the next step, when states from Jharkhand to Kerala complete the roll out of the software across DTOs, sharing data can happen at the touch of a few buttons and enforcing becomes real-time. In parallel, smart cards are being introduced that will hold relevant information about a vehicle and its owner.
A. Venkatesan, a senior technical director with NIC and Ahmad’s opposite number in Karnataka, says the computerization of the transport department in the state started in 1998-99. Around that time, other states were going that way too, working on various basic computerization projects for their transport departments. By late 2000, it was apparent that common standards were required if data was going to be shared among departments not only within a state but at the national level.
Two important objectives of e-governance hinged on the ability to share data quickly and securely: hassle-free service to citizens, and enforcing the law. The national transport project sought to do this, and thus Vahan and Sarathi were conceived. Ahmad said that the top four objectives of implementing Vahan and Sarathi were the quick and hassle-free issuance of RC books and driving licenses, collecting road tax, monitoring vehicle records and tax defaulters more easily, and enabling other government departments to access information instantly.
NIC was asked to figure out the nitty-gritty of the project. This included coming up with hardware specs and planning the kind of software that would be required, and what exactly the software would do. The project was then approved for execution by NIC. In Karnataka, it started with testing the software at one transport office, in Yeswantapur in Bangalore. Later it was extended to four other transport offices as part of the pilot. This took about a year. “We got the entire operation to be done by existing case workers and other staff of the transport office, without bringing in any new data entry operators,” he says. NIC trained the existing manpower of the front office of the transport offices.
The Benefits
The result was an increase in transparency, a reduction in delays, which meant that people didn’t have to go back and forth trying to figure out what was happening with their applications — and an increase in revenue generation because defaulters were easier to track with computerization. “The state government, which funded the entire pilot project, has recovered its investment,” Venkatesan says.
But in Jharkhand, Ahmad has a more extensive list of benefits they wanted from the system.
Benefits to the department:
- Better monitoring of transport fees and taxes
- Taking subjectivity out of tax and fee assessment
- Ensuring that activities like ownership transfers, the issuance of no-objection certificates (NOCs), hypothecation addition and deletion are not done without the payment of fees
- Generating a list of tax defaulters, and sending notices to vehicle owners
- National permit drafts: computerizing the record of drafts received from other states and clearance status given by the bank
- Creating a state-level vehicle register with ease
Benefits to citizens:
- Tax reports any time, after a formal request
- RC books and driving licenses now come in tamper-proof smart cards
- The bona fides of a second-hand vehicle can be verified
- A single window system that affords swifter services
- Hassle-free transactions
- More accurate data
- A simplified process to issue driving licenses
- Removing the need to bring a photograph while applying for a driving license
- On-line cash transaction at department counters, taking away the need to go to banks to deposit fees
Photo by Firoj
Some of Vahan and Sarathi’s objectives were issuing RC books and driving licenses quickly and without hassle; and monitoring tax defaulters more easily, says Shahid Ahmad, technical director, NIC, Jharkhand & state informatics officer
Outsourcing
Six years ago, getting the transport offices to replace pen and register with a computer keyboard and monitor was a challenge. They were being exposed to the work-flow-based approach for the first time, Venkatesan says. Basic hardware maintenance too was a challenge and required that the RTO staff be trained. “We trained between 300 and 400 people,” he says. Today however, that has changed with plenty of outsourcing outfits picking up work like this, leaving transport offices with the time to concentrate on their work. The statewide rollout of Vahan and Sarathi in Karnataka will be handled by a third-party outsourcing vendor in a public-private partnership. In a build-own-operate-and-transfer deal, the private partner will invest in the hardware and maintain it. The transport department will pay the vendor on a quarterly basis for the use of the hardware, based on stringent service level agreements, Venkatesan says.
Jharkhand however, is going it on its own. “The IT department of the state government itself is handling the hardware maintenance part,” Ahmad says. The smart cards, however, are being supplied by a private vendor in Jharkhand, Amity Infosystems, which charges a fee to end-users for the cards. The software comes from NIC — Vahan was developed by NIC Delhi, and Sarathi was developed in Bangalore, Hyderabad and Delhi. “The national rollout of Sarathi is now being supported from Hyderabad,” he says.
In Karnataka, a proof-of-concept was tested in 11 transport offices and the statewide rollout of Vahan and Sarathi will be done by the vendors in all the 54 transport offices in the state. The request for proposal for outsourcing hardware and software maintenance and other related infrastructure maintenance has been approved and the tender is to be floated soon. “We expect the state-wide roll out of Vahan and Sarathi to happen in six months.” The vendors will do the backlog data entry as well, which will be then verified by transport offices.
“We have higher end servers connected to the statewide area network (which is yet to go live),” Venkatesan says. The state data center as well as the NIC data center will be used for back up and facilitating the integration of transport applications with other services and in integrating the national level transport database as well as making it available to other enforcement agencies such as the police.
Smart cards
The objectives behind introducing smart cards included replacing paper documents; storing information securely on a chip; inter-operability across the country; eliminating fake reproductions; and monitoring tax collection.
While Jharkhand has already introduced the smart cards, other states are at various stages of doing so. In Karnataka for instance, a separate project is being rolled out to introduce smart cards. The cards will have optical strips and will be issued for both licenses and registrations. They will replace the plastic cards being given out now. The strips will have enough capacity to store more than just the basic information — chassis number, color of the vehicle, and some details of accidents the vehicle was involved in.
The Future
In the future, Vahan and Sarathi will integrate with other web-enabled government-to-citizen transaction services, as part of a single web-based view. Already, four transactions, including learner’s license extension and tax payment, are available as part of the Bangalore One e-governance project, based on the backend data provided by the transport offices.
Currently, the software runs on client-server architecture with the possibility of certain components being web-enabled. The client-server architecture will ultimately be replaced by a “three-tier technology,” Ahmad says, as the smart cards become common. This involves generating ‘keys’, digital codes at the central, state and regional levels, for securing the information on the smart cards. At that stage, more management information system reporting capability will be built into the software applications; and data will be hosted in state-of-the-art data centers, he says.
SNAPSHOT: Vahan and Sarathi
Implemented: 18 states (pilot completed)
In Process of Implementation: 14 states
State Database: 1 (Delhi)
Replication across states to complete in 10th Plan: 23
Assistant editor Harichandan Arakali can be reached at hari_a@cio.in
Interview | Sushant Mahapatra
Sushant Mahapatra, additional director general of police, Corps of Detectives (CoD), asserts that fighting crime on the Web calls for a multi-disciplinary approach that goes beyond the traditional path of detection and vigilance.
To Defuse a Logic Bomb
By Kunal N. Talgeri
Imaging by Unnikrishnan AV
Photo by Srivatsa Shandilya
To monitor economic offences better, Sushant Mahapatra, Additional Director General of Police, CoD, says there is a case for setting up small units in range headquarters in three or four districts.
On January 23rd, 2007, a Swedish bank with 22 lakh customers disclosed what European media is calling the world’s largest online fraud: a theft of Kroner 8 million (Rs 4.95 crore). The criminals reportedly siphoned money from Nordea’s customer accounts after obtaining login details using a malicious program that claimed to be anti-spam software. Continents apart, in Bangalore, the threat hasn’t reached such proportions yet. Nevertheless, it’s a growing menace, says Sushant Mahapatra. In this interview with CIO, the erstwhile inspector general of police in the Corps of Detectives’ economic offences wing notes that online fraud is underestimated by Indian Internet users. Recently promoted to additional director general of police, Mahapatra still heads the economic offences wing, which oversees Bangalore’s cyber crime police station as well as India’s third cyber crime lab.
CIO: Is the Nasscom-supported cyber lab in Bangalore fully operational? What is its function?
Sushant Mahapatra: We’ve always had a lab, which has been functional and operational, with the necessary software and other equipment like cyber image backup system. With the Nasscom initiative, the CoD has chosen to use a public-private partnership approach for the first time. The objective is primarily to train our police personnel and then people from other police departments. This Rs 50-lakh project, which is funded by Canara Bank, is a holistic training program wherein we also follow up with experts in institutions of science and technology to come up with common solutions for cyber crimes and IT problems. People from IT companies speak to our participants on new subjects in technology like Internet security, which adds to our in-house knowledge. The idea is to expose as many departments as possible to cyber detection and vigilance. The cyber lab has concluded its first 10-day course, and feedback has been good.
Is the approach to detection and vigilance of cyber crime different from those used by the traditional wings of the police?
Yes. In many cases, the approach now has to be multi-disciplinary. There are several instances of Internet banking frauds, for which the CoD alone does not have solutions. Many of even the so-called established banks are victims. Then, there are e-ticketing frauds taking place. The problems to different cyber crimes, however, are common. So, we have to seek common solutions. There is an element of traditional investigation from whatever we gather.
There is also the part of digital evidence — or cyber forensics. We are training our people in that area. But we also now need to develop expertise in the business where these crimes are taking place such as banks and other services. This could help determine how the crime may have happened. Most companies and institutions today have internal security management teams, risk containment policies, or internal emergency response teams in place. Still, these crimes occur. It’s not always about the amount of money involved in a single instance of fraud. But this reflects on the credibility of the system. And also, are all banks coming forward or is it just a few people who are complaining? For instance, there are logic bombs, where small amounts are deducted through programs, which you or I may not be aware of. But the total volume of transactional loss will be incredible. In some cases, we have seen how these amounts are transferred to tax havens.
What are the broad challenges that the cyber crime police face?
You don’t get cooperation when it comes to servers that are located outside our country. Countries like the US cite privacy laws. Typically, they say that a specific case is not connected to terrorism in any way or doesn’t affect national security. Cooperation across geographical boundaries is the biggest problem that the cyber-police faces. Requests have to be made through the CBI, which takes time, and log details for most cases that are not related to terrorism or national security are maintained only for three weeks. It’s a dead-end if something has originated from foreign countries. Further, as I mentioned earlier, most people keep quiet if they have lost small amounts in online frauds because they do not know how in the big picture small amounts can add up. In the meanwhile, e-commerce transactions are getting increasingly popular. People tend to believe what they read on the Internet and, in many cases, are unable to determine if their transactions are being made at a real or fake website. This trend enables miscreants to gain access to the users’ financial details.
How has the economic offences wing — and cyber crime, in particular — evolved in Karnataka over the years?
The economic offences wing, which comes under the CoD, came into existence in 1999 and immediately took over certain traditional functions such as counterfeit cases, arms & explosives cases with interstate ramifications. With cyber crime, by and large, the legal regime is not fully in place. The law has not kept pace with technological developments. We follow traditional statutes, the IT Act 2000, some IP laws, and relevant sections from the Indian Penal Code. We are likely to see major changes in the law in the near future. We usually deal with cases of source code tampering (Section 65), hacking (Section 66) and obscene emails (Section 67) or any kind of mobile messages. These form the majority of crimes.
How has the CoD enforced cyber crime vigilance in Karnataka?
If you go by the numbers, almost half our cases (in the economic offences wing) are cyber crimes. The local police usually take up these cases, and we enter the picture only when they require digital evidence. Big companies do not approach us with their cases, such as hacking or stolen data, in the fear of adverse publicity. Only small- and mid-sized companies tend to come with us with their cases.
As I said before, we need a multi-disciplinary focus and there is a need for officers to stay here for more than three years. We are attempting public-private partnerships towards this end. The private sector has the expertise, and the cyber police has lots to gain from it.
Can you comment on the infrastructure at the cyber crime police’s disposal.
We are understaffed, although we are taking steps to correct that. In addition, officers who are trained in handling cyber crime tend to get transferred like any police officer, which is unfortunate since this area needs a unique perspective. Take for example those who were trained in the first lot — they have already been transferred. Perhaps, cyber crime should not be handled like the traditional wings of the IPS. In the cyber crime wing, in particular, we need to have lots of trained staff because plenty depends on the expertise and experience of the investigating officer.
What is the way forward for the economic offences cell in Karnataka?
Frauds and misappropriation cases, referred to by the government, form a majority of the cases in the CoD’s economic offences wing. I believe that there is a case for partial decentralization or setting up small units in range headquarters in three to four districts. This can expedite investigations in cases where there are lots of documents involved for examination that have to be collected from all over the state, like from Gulbarga and Bidar. Otherwise, a person from here has to keep traveling to places like Bidar, to look into even small developments. Partial decentralization can allow this to be done from there.
Second, we need to involve the vernacular media. A lot of economic offences, like scams related to fly-by-night/vanishing companies, get reported in the vernacular newspapers and media. This coverage needs to be monitored and followed up constantly in those areas. At present, district SPs have been appointed as nodal officers.
Is there a strong enough case for decentralization in the area of cyber crime vigilance?
There is a strong case for setting up cyber crime police stations in Mysore and Mangalore, apart from one or two more such police stations in Bangalore. Decentralization will help monitor a range of crime activities related to economic offences.
Are there regulations to aid cyber police put forth by the state government?
The Karnataka government has put regulations in place for cyber cafes. These require cyber cafes to place Web cameras, maintain registers to keep track of browsing habits in cyber cafes, and demand identity proof — like voter IDs, student IDs or PAN cards — from users. This hasn’t worked yet because not all cyber cafes are able to afford infrastructure like Web cameras. Besides, students resent being monitored.
How are you encouraging big enterprises to partner with you in tackling cyber crimes?
On an in-house basis, I think, companies have to invest a great deal in putting the right teams in place for security and contain damage. They must also be aware of the implications of disclosure if something goes wrong — and be able to assess damage accurately. Two years ago, for example, a virus directed at the server of a large banking establishment found its way to the servers of a large IT services provider that was managing the bank. It led to a six-hour system shutdown, which neither the bank nor the service provider acknowledged. Such damages are probably caused by competitors, interested parties or mere pranksters. But, we need the cooperation of large companies for better vigilance. And, cases need to be reported.
“It is a challenge that we don’t get cooperation with servers located outside India. Countries like the US cite privacy laws. Also, most people keep quiet because they have only lost small amounts online.”
SNAPSHOT: Cyber Crime Police
Budget: Rs 10 lakh
Staff: 4 deputy superintendents, 1 police inspector, 4 constables, 4 armed constables
Facilities: 1 police station, 1 lab-cum-training center
Head: Sushant Mahapatra
Chief copy editor Kunal N. Talgeri can be contacted at kunal_t@cio.in.
Essential technology
Treos, BlackBerrys and smart phones don’t have to wreak havoc on enterprise IT. Here’s how to keep users happy, data secure and costs in check.
From Inception to Implementation — I.T. That Matters
Mobile Mastery
By Galen Gruman
MOBILITY | A mobile mess looms for CIOs who ignore the rising popularity of connected handhelds. New third-generation (3G) cellular networks make handheld computing more convenient for everyone from executive travelers to salespeople and field technicians. This trend poses new challenges to CIOs who need to maintain enterprise network and data security, plus keep end-user support costs down. Yet, most enterprises have no policies or mobile management strategy in place to achieve these goals, notes a recent study by the BPM Forum, an industry association. And without a mobile device management strategy, a trickle of connected devices brought in by individuals can quickly become a nasty, unmanaged torrent.
That nearly happened at American Family Life Assurance Company of Columbus (better known as Aflac) a few years ago. The IT department had been willing to set up e-mail access for a few handheld devices brought in by frequent travelers, handling them on a case-by-case basis. But after returning from Christmas vacation in January 2004, Greg Gatti, vice president of infrastructure services in IT, had 3 dozen connectivity requests for shiny new Hewlett-Packard iPaqs — that year’s must-have gadget — and other PDAs that various staffers got as presents.
“Very quickly, we had so many devices that it was a nightmare for our computer support team,” he recalls. And just as quickly, Aflac created a strategy and set of policies to get in front of the connected-handheld wave. Like other financial-sector companies, Aflac had to get its smart phone house in order not only to reduce management complexity but also to meet federal requirements around data management and security.
Aflac’s ultimate strategy: ban all non-company-issued handhelds from connecting to enterprise servers and computers, lock down PCs so handheld-synchronization software couldn’t be installed by users, and forbid the use of POP3 and SMTP e-mail access to the corporate network so wireless Internet users couldn’t sneak in the back door. Aflac also decided to rely on a mobile e-mail server to manage both e-mail access and the handhelds themselves, and ensure automatic installation of firmware patches and enforcement of password policies.
This strategy is common in the financial services sector, with similar policies currently in use at Citigroup’s Primerica subsidiary, Farmers & Merchants Bank, IndyMac Bank and Russell Investment Group, among others. Non-financial companies could mimic this approach, says Yankee Group analyst Nathan Dyer, but the research shows that many companies are yet to craft a mobile management plan.
Our Data Went Where?
Your first big CIO headache regarding handhelds: they are easily lost or stolen, putting any data they contain at risk. Even data that seems routine, such as personal contact information or e-mails about a deal in progress, can expose a company to high notification costs (if customers must be contacted regarding a privacy breach) or reveal insider information, Dyer notes.
Fortunately, securing handhelds is not hard if you centralize communications through a mobile server, such as the BlackBerry Enterprise Server for Research in Motion’s connected handhelds, or the GoodLink Server from Motorola subsidiary Good Technology for Palm Treos and other devices. These mobile servers act as proxy servers for cellular-connected mobile devices, routing approved connections to the corporate e-mail, data and applications servers as appropriate. You set rules to set limits on data access. “We don’t keep sensitive information on the servers available to the BES [BlackBerry server],” notes Evans Wroten, CIO of InterAct Public Safety Systems, which provides emergency data and communications services.
Similarly, Microsoft Exchange Server can manage communications to Windows Mobile devices like the T-Mobile MDA and Motorola Q, though Windows Mobile devices in general are not popular among enterprise users because of overly complex user interfaces, Dyer notes. (Even IT departments don’t like the Windows Mobile interface complexity, or the fact that huge variation in interfaces from device to device increases support costs, he says.)
Using a mobile server ensures that only authorized devices can access e-mail and corporate applications. Mobile servers also can tie into identity servers, such as Microsoft Active Directory, to share one set of network permissions between the corporate network and the connected devices. The BlackBerry and GoodLink servers can also enforce security policies such as password rules and keep antivirus software updated wirelessly. For field forces, Motorola’s Symbol Technology subsidiary offers the similar Mobility Services Platform server to manage connections of the specialized handhelds used by warehouse, transportation and hospital users: you can use this to track handhelds’ battery life, keep firmware updated and disable errant devices.
Tips from a Mobile Master
Early adopters of mobile devices have identified three components for a successful mobile management strategy. Here’s the lowdown from Tastykake CIO Brendan O’Malley:
Get ahead of your users. Develop a management strategy before user demand surges, covering device standards, personal usage (and any reimbursements for it), security and access controls, and cellular providers. O’Malley advocates allowing reasonable personal usage of mobile devices without reimbursement: if usage is excessive, that needs to be addressed, but reimbursement is pretty tough to manage effectively, he says. Provide leading-edge devices, so that you minimize the chance of powerful users forcing in ‘cool’ but nonstandard equipment.
Reduce complexity where you can. Decide which devices you will buy or allow, then stick to those. Respect the fact that mobile devices and their operating systems have significant differences that matter to different groups of users, and be prepared to support a couple of platforms. “If people out in the field think a new device is worthwhile, we’ll give it a shot,” says O’Malley.
Carefully weigh costs. But keep users’ needs in mind. For example, Tastykake pays for traveling execs’ BlackBerrys but does not use cellular connections in the handhelds that its distributors use on delivery routes, since there’s no need to get real-time delivery data. Further, the cost of cellular service quickly gets expensive as you add users.
— G.G.
At the same time, IT can prevent users from sidestepping the official system in three ways. First, prevent or restrict access to the network over a Web, POP3 or SMTP interface, so Internet-enabled personal devices can’t get in. Second, lock down company PCs so users can’t install their own software (such as synchronization software for mobile devices). Third, disable the USB ports so users can’t plug in a handheld’s docking station. Desktop management software from Altiris, Hewlett-Packard, IBM, Microsoft, Novell and others — which many enterprises
pay a per-user fee for a client license. That’s a rip-off,” he says. “Enterprises historically have not seen much of a need to spend Rs 2,250 to manage a device that costs about the same amount of money,” concedes Rhett Glauser, an Altiris spokesman, though he says the costs of data loss are starting to change that calculation. But enterprises have another option: using the same BlackBerry or GoodLink mobile servers they already have to manage e-mail, since those servers can also track users, audit user activity, and manage firmware and software updates. The desktop management tools don’t offer the server functions, so they cannot replace the BlackBerry or GoodLink servers. One related issue: the wider the variety of handhelds you must manage, the bigger the challenge. The mobile servers are typically designed for one class of handhelds, sometimes two. Different types of users prefer — and sometimes really need — different types of PDAs. So, it’s easy to have,
It’s better to pay extra to support an additional platform than force users to a single device that doesn’t serve them. already use for patch management and software license management — lets you centrally apply these lockdown and port management capabilities across all users.
Support Costs (Plenty) Handheld headache number two: support costs can get you. Handhelds are hard to manage because they’re typically with users who aren’t in the same building as the desktop PC support team. That means handhelds need to be managed wirelessly. Although several desktop management tools can manage software updates and track device ownership (for support and cell service chargeback, for example), they’re often not used for that purpose. Cost is a big reason, notes David Wade, CIO of Citigroup subsidiary Primerica. “You don’t want to 60
Essentisl Tec.indd 60
F E B R U A R Y 1 , 2 0 0 7 | REAL CIO WORLD
for example, executives standardize on the BlackBerry but salespeople standardize on the Treo. If the BlackBerry is one of those platforms, IT will need to manage at least two mobile servers in parallel, which increases IT’s overhead. (GoodLink can manage both Palm and Windows devices.) Third-party management tools that can manage all three types of devices (Palm, Windows Mobile and BlackBerry), such as iAnywhere Solutions’ Afaria and Credant Technologies’ MobileGuardian, still need a separate mobile server. While CIOs would prefer a single management platform, they say the extra overhead is manageable. “It’s not that much effort for IT to support the two systems for day-to-day support,” says Bob Graham,
Mobile Server Helpers The applications to manage your connected devices depend on your mix of handheld PCs. BlackBerry Enterprise Server Research in Motion’s server and management software acts as a proxy between your e-mail server and BlackBerrys, using the carrier networks to wirelessly manage the devices. GoodLink Good Technology’s connectedhandheld service includes the GoodLink Server to act as a proxy to the enterprise e-mail system, the GoodLink e-mail software that resides at the carrier, and two software applications for the GoodLink Server to manage the access and security settings. Supported devices include Palm OS and Windows Mobile devices (support for Symbian devices is planned). Microsoft Exchange Server 2003 The standard Microsoft e-mail server includes the ability to manage connections to and settings for Windows Mobile handhelds. Afaria This software from iAnywhere Solutions provides central management of devices and cellular laptops, for software updates, access control and security management of BlackBerry, Palm, Symbian and Windows Mobile devices. However, it does not replace the need for an e-mail proxy server that works with the devices. CMG Enterprise This software from Credant Technologies supports the same devices as iAnywhere’s Afaria, with similar management capabilities, and the same need for a separate e-mail proxy server. —G.G.
senior vice president and CIO at Farmers & Merchants Bank. Furthermore, it’s better to take on the extra cost of supporting an additional
Vol/2 | ISSUE/06
1/25/2007 4:59:51 PM
essential technology
platform than to force all users to a single device that doesn’t serve their needs well, says Brendan O’Malley, CIO of cupcake maker Tastykake. “Still, we have two device [platforms], not 17,” he notes.
Get Ahead of Your Users
While IT executives say you can’t allow a free-for-all of devices into the enterprise, you can choose among different strategies to manage the choice and acquisition of the connected handhelds. At Liquidation World, for example, “only company-owned equipment is allowed on the network. That gives us control,” says IS Director Chad Richardson.
At InterAct Public Safety, the fact that IT manages email and network access through a mobile server tied into a specific type of device gives the enterprise a simple way to manage the devices people use, says Wroten. End users can’t simply buy their own device and ignore IT, since devices have to be registered with the mobile server to get any network access. Farmers & Merchants Bank, IndyMac Bank and Tastykake take the same approach.
InterAct and Primerica strictly control some devices but are flexible on others. InterAct, for example, relies heavily on text messaging to communicate with its field and sales forces, so all employee-provided phones must support text messaging. While most employees choose to take the company-paid cell phone (some even port their personal number to it), some bring in their own phone because they belong to family plans, notes CIO Wroten. But when it comes to devices that can access e-mail and other corporate data, InterAct supports only the BlackBerry devices it provisions. Primerica gives its thousands of independent contractors a list of approved handhelds they can buy, but it provisions the BlackBerrys and Treos used by employees, since employees have access to corporate data that the contractors do not, says Tom Swift, the bank’s executive vice president of field technology.
No matter how tightly the enterprise chooses to manage handheld provisioning, the consumer nature of the devices — which are typically sold through the cellular carriers — means that there can be multiple versions of devices to manage. Fortunately, the makers of the two most popular types of connected handhelds — the BlackBerry and the Treo — have reduced the version churn in recent years and have kept the interface and management functions consistent across models, says Greg Nelson, senior consultant in the IT group at Russell Investment Group, a brokerage and financial services provider. That wasn’t the case just a few years ago.
A final management concern: you must manage the number of cellular providers. While many companies can standardize on one if their usage is within a region where one carrier has good coverage, firms with national or international presence often need multiple carriers. Giving a choice of cellular carriers, while often necessary for coverage reasons, can lead to device envy: carriers often get short-term exclusive distribution deals for new devices, so users of one carrier may not be able to get the same sexy device their colleagues using the other carrier can. Also, devices typically can’t be replaced without a penalty for two years, so some users get itchy when the new devices arrive. “These are challenges for us, so we explain that it could cost Rs 27,000 to terminate a plan so they can upgrade,” notes Greg Inginio, the senior vice president of IT operations at IndyMac Bank.
Get in Front
Whatever variation works for your enterprise, “the key is having strong policies up front. Control what they do,” says Farmers & Merchants Bank’s Graham. But don’t forget the carrot. “Encourage the use of [company] smart phones and PDAs, so employees don’t carry their own,” he says. At Tastykake, O’Malley makes a point to provide the leading-edge connected handhelds, so users — especially executives with the power to say no to IT — aren’t tempted to get their own devices. “We figure out what people need and give it to them,” he says. Encouraging connected-handheld use does increase costs — for equipment, cellular plans and device management — but is well worth the extra productivity and the data security protection, Graham and O’Malley say. But not having a mobile plan will cost you more in the long run. As InterAct’s Wroten puts it, “This is a cost of doing business.”
Galen Gruman is a frequent contributor to CIO. Send feedback on this feature to editor@cio.in
Pundit
Computing on Demand
Is Amazon creating a new business model that offers processing and storage on-demand with pay-as-you-go pricing?
By Bernard Golden
web 2.0 | I admire Amazon. Unlike other ‘Web 2.0’ startups that seem to be little more than a concept in search of a real value proposition, Amazon puts Web 2.0 elements like user-generated data and application access for end users to do business the old way: sell stuff. And stuff Amazon has: watches, shoes, you name it. Amazon has leveraged wide Internet access, dispersed product storage, and clever logistics design to provide products at rock-bottom prices. And, crucially, it offers better info about the features and benefits of a product than sales reps trying to steer you toward the week's ‘special’.
Amazon's ambitions appear to be broader these days. I recently attended a Software Development Forum Emerging Technology SIG presentation given by Jinesh Varia, evangelist for Amazon Web Services. Jinesh's presentation focused on Amazon's new technology offering, Elastic Compute Cloud (EC2), which may be thought of as a processing counterpart to its S3 storage offering. Essentially, EC2 offers the ability to immediately bring up a remote machine with the capability of dual-core Xeon power, 2 gig of RAM, and 160 gig of local storage. For this, Amazon charges Rs. 4.50 per hour and Rs 3,150 for a month's machine time. Amazon offers a web services interface to create, store and tear down the machines at a moment's notice, but how?
What Amazon has done is fiendishly clever. It uses the open source virtualization technology called Xen to provide the machine capability I've mentioned. The underlying physical hardware is divided up to deliver each EC2 machine. The web services interface encapsulates the Xen admin commands, enabling remote control. The underlying hardware is probably something on the order of a dual processor box; anything more powerful would be too expensive to support the pricing Amazon has offered.
So, Xen can bring up and take down a machine and offer processing capability; but how do you store your data and machine state if you decide to take it offline? Remember, Amazon is only offering the 'capability' of 160 gigs of storage, not a physical amount of hard drive. For that, you can use the Amazon web services capability called S3, which is virtualized storage, charged at Rs 7 per gig stored and Rs 9 per gig transferred. Naturally, S3 has a web services interface to control it.
EC2 offers more than short-term computing power. Making processing and storage functionality available on-demand with pay-as-you-go pricing creates the foundation for a whole new class of technology business models. An example of the type of business is called DigiSense. It will offer the SMB MSP market automatic data backup for SMB infrastructure, particularly for Exchange servers. DigiSense will deliver an appliance that will seek out shared storage resources and automatically begin backing them up to reliable storage. The storage mechanism DigiSense will use? You guessed it, S3. What's so brilliant about DigiSense is that it takes advantage of financially-appropriate resources to create an offering that can be delivered at an SMB-appropriate price point.
Amazon's role in this is truly amazing. It has in stealth created a vision of a new style of computing, delivered in market-appropriate, market-transforming fashion. I believe they've shown one path forward for the IT industry.
Bernard Golden is CEO of Navica, an open-source consultancy. Send feedback on this column to editor@cio.in