April 1 2008



From The Editor-in-Chief

Burnout (noun) [búrnòut]: 1. the reduction of a fuel or substance to nothing through use or combustion; 2. overheating of an electrical device or component; 3. physical or mental collapse, usually as a result of prolonged stress or frustration.

Eliminating Ennui
Kill the habit of wallowing in cynicism and focus on what makes you the best.

Let me begin with the tale of a senior IT leader who moved about a year ago to this rather well-respected and diversified organization as group CIO. Once there, he got a fairly good team, a lot of respect and nothing much more. There just wasn’t too much ‘new’ or interesting happening. The result: I’ve seen him get increasingly cynical and disenchanted month-on-month. Burned-out? You bet he is. And, from doing too little (and not your typical ‘damn, I’ve got so much work’ that goes with the territory).

Burnout needn’t result from too much work. Sometimes the lack of a challenge can do you in equally well.

Whenever I find myself or anyone I know grappling with burnout or even a lack of drive, I think of Marvin M. Johnson. A career spanning almost six decades would be enough to prove his extraordinary motivation levels. But add close to 250 patents to that, and you’ve got to wonder what kept him going. A while back, I asked him how he managed to get back on his feet following a setback or multiple reverses; this is what he had to say: “I started out life in the arid Southwest and as a pre-teen herded sheep and watched cattle graze from the back of a horse. If you can suggest anything more boring or mind-numbing, let me know… When I feel tired, bored or burned out I consider what the alternative to being a scientist in a large research organization was for me, what my life could have easily become, and rejoice in the choices I made.” When things got really bad, Marvin returned to his roots and visited old friends of his youth and cousins who stayed on the ranches, and immediately started to feel better, a lot better. Everyone suffers from malaise and discontent, he observed, and stressed that “the good ones get past it and make a success of the decisions they made at an early age.” His final piece of advice to me has kept me going these many years: “Stay the course, become the best in your field and take pride in your accomplishments. Do whatever it takes to have a good family and enjoy their success and progress.”

How do you deal with burnout? Write in and let me know.

Vijay Ramachandran, Editor-in-Chief, vijay_r@cio.in

April 1, 2008 | Real CIO World | Vol/3 | Issue/10


Contents | April 1, 2008 | Vol/3 | Issue/10

Prasad Dhumal of DHL Express India, Charles Padmakumar of Aricent Technologies and S.N. Roy of Cholamandalam MS General Insurance share their views on dealing with business, finance and evaluating IT strategies

IT Strategy

Everyone agrees that having a strategic plan for IT is a good thing but most CIOs approach the process with fear and loathing. In fact, the majority of CIOs (and the enterprises they work for) are faking it when it comes to strategic planning. Isn’t it time we all got real?

Cover Story | Strategy Straight Up | 24
Feature by Stephanie Overby with Balaji Narasimhan and Kanika Goswami

Photos by Srivatsa Shandilya, Chandroo and FotoCorp
Cover: Design by Binesh Sreedharan

Career Counseling | The Longest Interview | 18
Three CIOs on how to make the most of an interim job and turn it into a permanent one. Column by Martha Heller

Applied Insight | What IT Really Means | 20
What’s IT worth? If end users are to understand, you have to tell them exactly what they get for their money. Column by N. Dean Meyer

Virtualization | Real Risks Inside Virtual Boxes | 42
What are the biggest virtualization security risks now and how can you combat them? It’s time to separate fact from fiction and get down to work. Feature by Laurianne McLaughlin



Contents (cont.)

Departments

Trendlines | 11
Study | Widescreens Boost Productivity
Quick Take | Rajiv Seoni on Working Hours
Voices | Migrating to WS 2008
IT Management | Who Moved My Tools?
Internet | More Companies Ban Social Networking
Opinion Poll | Why Employees Misbehave
By The Numbers | Virtualization: New Rules
Survey | No Takers for SaaS
Research | Wanted: Best Practices
Security | Not So Excel-lent
Storage | The Ever Growing Digital Universe

Essential Technology | 51
Vendor Management | Getting Your Vendors to Flock Together. Feature by Galen Gruman
Pundit | Sleeping Laptops Risk Encryption. Column by Mario Apicella

From the Editor-in-Chief | 2 | Eliminating Ennui. By Vijay Ramachandran

Now Online: For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Case Study | Putting the Price War to Rest | 32
Every company wants to establish its brand as a household name, but few succeed. And they succeed because they follow an age-old, time-tested formula: building credibility. Sometimes IT can do that for you. Feature by Balaji Narasimhan

Executive Expectations | View From the Top | 36
R. Seshasayee, MD, Ashok Leyland, says IT masks the auto major’s mammoth size. It also gives it innovation and agility — allowing it to go places more compact firms typically reach. Interview by Kanika Goswami



Management
Publisher & Editor: N. Bringi Dev
CEO: Louis D’Mello

Editorial
Editor-in-Chief: Vijay Ramachandran
Assistant Editors: Balaji Narasimhan, Gunjan Trivedi
Special Correspondent: Kanika Goswami
Chief Copy Editor: Sunil Shah
Copy Editor: Shardha Subramanian

Design & Production
Creative Director: Jayan K Narayanan
Senior Designers: Binesh Sreedharan, Vikas Kapoor, Anil V.K, Jinan K. Vijayan, Jithesh C.C, Unnikrishnan A.V, Suresh Nair
Designers: MM Shanith, Anil T, PC Anoop, Prasanth T.R, Vinoj K.N, Siju P
Multimedia Designers: Girish A.V, Sani Mani
Photography: Srivatsa Shandilya
Production: T.K. Karunakaran, T.K. Jayadeep

Events
VP: Rupesh Sreedharan
Managers: Ajay Adhikari, Chetan Acharya, Pooja Chhabra

Marketing and Sales
VP Sales (Print): Naveen Chand Singh
VP Sales (Events): Sudhir Kamath
Brand Manager: Alok Anand, Sukanya Saikia
Marketing: Siddharth Singh, Priyanka Patrao, Disha Gaur
Bangalore: Mahantesh Godi, Santosh Malleswara, Ashish Kumar, Chetna Mehta, B.N Raghavendra
Delhi: Pranav Saran, Saurabh Jain, Rajesh Kandari, Gagandeep Kaiser
Mumbai: Parul Singh, Rishi Kapoor, Pradeep Nair, Hafeez Shaikh
Japan: Tomoko Fujikawa
USA: Larry Arthur; Jo Ben-Atar

Advisory Board
Abnash Singh, Group CIO, Mphasis
Alaganandan Balaraman, Vice President, Britannia Industries
Alok Kumar, Global Head-Internal IT, Tata Consultancy Services
Anwer Bagdadi, Senior VP & CTO, CFC International India Services
Arun Gupta, Customer Care Associate & CTO, Shopper’s Stop
Arvind Tawde, VP & CIO, Mahindra & Mahindra
Ashish K. Chauhan, President & CIO — IT Applications, Reliance Industries
C.N. Ram, Head–IT, HDFC Bank
Chinar S. Deshpande, CEO, Creative IT India
Dr. Jai Menon, Director (IT & Innovation) & Group CIO, Bharti Tele-Ventures
M.D. Agrawal, Dy. GM (IS), Bharat Petroleum Corporation Limited
Manish Choksi, Chief-Corporate Strategy & CIO, Asian Paints
Rajeev Shirodkar, VP-IT, Raymond
Rajesh Uppal, Chief GM IT & Distribution, Maruti Udyog
Prof. R.T. Krishnan, Jamuna Raghavan Chair Professor of Entrepreneurship, IIM-Bangalore
S. Gopalakrishnan, CEO & Managing Director, Infosys Technologies
Prof. S. Sadagopan, Director, IIIT-Bangalore
S.R. Balasubramnian, Exec. VP (IT & Corp. Development), Godfrey Phillips
Satish Das, CSO, Cognizant Technology Solutions
Sivarama Krishnan, Executive Director, PricewaterhouseCoopers
Dr. Sridhar Mitta, MD & CTO, e4e
S.S. Mathur, GM–IT, Centre for Railway Information Systems
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
V.V.R. Babu, Group CIO, ITC

Advertiser Index
ADC Krone | IBC
AMD | 1
APC | 7
Emerson | BC
HP | 5
Intel | 8&9
Interface | 15
Microsoft | IFC
SAS | 3
Seagate | 53
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: N. Bringi Dev. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India


Trendlines: new * hot * unexpected

Study
Widescreens Boost Productivity

Can you see your way to wasting less time? One new study says yes: organizations that upgrade their employees' standard-format monitors to widescreen displays can realize productivity gains equivalent to 76 extra work days a year per worker. The 'Productivity, Screens and Aspect Ratio' study was conducted by the University of Utah and was sponsored by NEC, a maker of computer monitors. Ninety-six university staffers, faculty and students, broken into three different computer aptitude sets — novice, intermediate and advanced — participated in the study, which took into account the time it took to complete set spreadsheet and editing tasks, editing performance and monitor preference, among other factors. All three groups were significantly more productive using 24-inch-or-larger widescreen monitors (1920x1200 resolution, or larger) compared to 18-inch displays (1280x1024 resolution), according to the research. More specifically, the study found that upgrading workers' 18-inch, standard-format monitors to a 24-inch widescreen display cut the average time it took them to complete such tasks by more than 30 percent.

Other findings:
- Large widescreen or dual-monitor configurations are better suited for work that involves multiple documents or varied applications.
- 24-inch widescreen displays are better suited for text editing than both single standard-format (17-inch and 19-inch) and dual standard-format (17-inch and 19-inch) monitor configurations.
- Dual-widescreen configurations in 22 inches or larger are better for spreadsheet editing than single widescreen or standard-format displays.
- Net annual cost savings of using 24-inch widescreen monitors in place of 18-inch monitors is Rs 8.4 crore a year for 250-employee companies and about Rs 17.2 crore for firms with 500 staffers.

—By Al Sacco

Illustration by Unnikrishnan A.V

Quick Take
Rajiv Seoni on Working Hours

Work-life balance: A CIO’s job comes with an unsaid prerequisite of being the ‘last man standing’, literally. Be it an ERP implementation or a network glitch, the CIO is expected to be always around, no matter what time it is. Does that mean nine to five is true only on paper? Kanika Goswami spoke to Rajiv Seoni, CTO, Ernst & Young, and this is what he had to say:

Do Indian CIOs work too hard?
I don’t think so. There are a whole lot of other jobs in the company where people are putting in an equal amount of work, if not more. The CFO, head of HR, head of marketing and sales also put in many hours of work.

So, as long as other CXOs also put in long hours, CIOs should too?
It comes with the territory. There is no such time when you can say you are totally switched off. But it also applies to a lot of other roles.

What keeps CIOs so long at work?
IT is very demanding in terms of time. For example, if a network goes down and people can’t access email, there is a huge impact on business. Similarly on the application front, if the ERP system is down, manufacturing totally stops. And with it so does the complete factory. Now in these circumstances, the requirement from the CIO has become that much more critical. That appears to be one reason why sometimes CIOs spend too much time at work.

How can CIOs get home on time?
You need a proper structured organization with clearly defined roles and responsibilities that can be delegated properly. You also need a group to look after all the operational and day-to-day issues. And the CIO himself should look after strategic content and business relationships.


Voices
Do You Plan to Move to WS 2008?

Migration: Microsoft recently launched Windows Server 2008. After five years of Windows 2003, this new kid on the block is eliciting strong responses, both positive and negative. Is it time to migrate to WS 2008? Kanika Goswami spoke to a few of your peers and this is what they had to say:

“Until and unless some great features or demand pushes us, we will not migrate to WS 2008. However, we will explore its new features like self-healing etcetera.”
Parvinder Singh, VP & Head-IT Service, Max New York Life Insurance

“We will internally test server attributes and wait for the software to stabilize in the market. If it takes care of auditing, compliance and is easy to manage then we might migrate.”
Sachin Jain, Head IT & CISO, eValueserve

“WS 2008 supports more enhancements done to Active Directory, Internet Information Security and Terminal Services. Improved security and ease of management is an advantage. We are planning to migrate in May this year.”
Satyanarayan B., VP & CIO, Dimexon Diamonds

Lend Your Voice: Write to editor@cio.in

IT Management
Who Moved My Tools?

A lack of IT risk management tools is exposing companies to greater risks than necessary, although help will arrive soon, according to one expert. The field of IT risk management is far from new, but there are few mature management tools because regulations have only recently forced companies to evaluate which threats will be the biggest, and how best to protect the company from them. "IT risk is really difficult to quantify, because you don't have the experience today. There is also not enough data to calculate it or even how to do it," said Urs Fischer, vice president and head of IT governance and risk management at SwissLife, who attended the European Computer Audit Control and Security Conference in Stockholm recently. "Everyone at the conference is saying it's something you have to do," said Fischer, adding that when you ask them how to do it, no one has a good answer. Instead managers have to rely on their own gut feeling. "Because it's a gut feeling, you can make big wrong assessments," said Fischer.

Good risk management can save money, according to Fischer. But wrong assessments can lead to increased costs, and quite simply bad security. IT risk management is also especially challenging because of the very fast-paced nature of security. "It changes quickly. Something that was true one, or two years ago isn't true today. To keep up is very difficult," said Fischer.

But help is on the way. The IT Governance Institute, part of the group that organized the Stockholm conference, is developing a framework to simplify IT risk management. "It will come out this year, and be freely available. It will show managers and IT people how they could approach IT risk management," said Fischer. "I think it will be a big success, because people are looking for it. There is a pent-up demand," said Fischer. There are also tools on the way. "Vendors SAP, Oracle, and Microsoft are all working on tools that go in the direction of suites for governance, risk, and compliance," he said.

—By Mikael Ricknäs


Internet
More Companies Ban Social Networks

A report released by MessageLabs, a UK-based security vendor, found that nearly 20 percent of organizations blocked social networking and dating sites in February due to concerns about employee productivity and malware. In addition, the number of websites blocked by filters was nearly 47 percent, which, according to MessageLabs, should spur IT departments to update their electronic use policies to reflect newer Web 2.0 technologies. "Organizations need to raise awareness about the risks of these sites," says Paul Wood, a security analyst with MessageLabs. "Some of the policies are not up to date."

In one example, Wood cited a case where a user visited a fake MySpace page where they were served up a pop-up ad designed to look like a Microsoft software update. When the person clicked on the pop-up, they were taken to an illegitimate site that tried to install malware over JavaScript. The report, which according to a spokesman polled most of MessageLabs' 16,000 customers, also sheds some light on other consumer technologies, such as Gmail. Spam from Yahoo still leads the way, claiming 90 percent of the spam sent from consumer-based e-mail services, according to MessageLabs.

The report echoes the worries IT leaders expressed in CIO's recent survey-based story, the Nine Consumer Technologies CIOs Fear. Nearly 10 percent of IT decision makers told CIO that they viewed social networks such as Facebook and MySpace as the biggest consumer technology threat to their organizations. Approximately 18 percent cited consumer-based e-mail like Hotmail, Yahoo and Gmail as the greatest threat to their organizations, making it second only to USB devices. IT departments will have to re-evaluate their electronic use policies to include social networks and other new Web 2.0 technologies, Wood says. "It's not just about e-mail anymore," he says. "People need to know how to conduct themselves on blogs, IM and social networks." If IT institutes better electronic use policies that educate users about the sites that they visit, better security will follow, Wood argues. "It's more of a management issue than a technology issue," he says.

—By C.G. Lynch

Opinion Poll
Why Employees Misbehave

How can companies best promote ethical behavior by employees? According to recent research, your first thought shouldn’t be training. It should be helping your staffers strike a good work-life balance.

16% rank ethics training as a positive influence on promoting ethical behavior.

60% say that job dissatisfaction is a top reason why people make unethical work decisions. Compensation and flexible work schedule are key factors leading to satisfied employees.

91% of employed adults say that workers will more likely behave ethically when they have a good work-life balance.

Source: CIO research
Infographics by PC Anoop


By The Numbers
Virtualization Management: New Rules, New Benchmarks
By Laurianne McLaughlin

You may be doing a terrific job getting your data center virtualized but, as with every IT project, you still need metrics to show the business how well things are going. There is, however, one big problem with that: the discipline of virtualization management is still in its infancy. Many enterprises only rolled out virtualization to production machines (rather than testing and development machines) in 2007. And while market leader VMware has offered management tools from the get-go, other vendors are just now starting to compete in that arena. A recent study by IDC (a CIO sister company) urges IT leaders to benchmark their virtualization management efforts and examines some early metrics that may help. And now's the time to make managing your virtual infrastructure a priority, especially as you allocate IT budget and staff, says IDC research director Stephen Elliot. Otherwise, you won't be able to optimize virtualization results or savings, or develop a strategic plan for the future.

For instance, what does your virtualization management team look like? According to IDC, 15 percent of IT groups are creating a dedicated team to manage the overall virtualization effort, bringing together experts from the various IT disciplines. However, 85 percent of enterprises are creating their management group inside their server and/or storage teams. This may not be the best approach. Experts say you need to create a team that also includes network and security gurus. Remember, while virtualization can reduce the number of boxes in your data center, it doesn't eliminate all the associated management challenges. In fact, it can just compress the time that the IT group has to identify and solve performance problems, says IDC's Elliot.

Best Practices
1. Think Cost: As you project ROI, remember to allocate budget for virtualization management and security tools.
2. Think Process: If your enterprise is using ITIL or another framework for managing IT process, make your virtual infrastructure part of those plans. Virtualization will only increase as a percentage of your overall IT environment in the future.
3. Think Strategy: Virtualization will become a high-profile part of IT's work rather quickly. Business-side demands for improved business continuity and for new applications will mean that for many enterprises, virtualization management will become a strategic project within two years of initial deployment.

Lean Staff, Big Savings
How lean is your virtualized data center? The average VM-to-administrator ratio, or average number of virtual images per administrator, is 1:200.
How much money are you saving? The average savings for an IT group that deploys formal processes and solutions (such as ITIL-based processes) for managing their virtual infrastructure is Rs 40 lakh to Rs 80 lakh a year.

Source: IDC


Survey
No Takers for SaaS

Users seem to be ahead of IT when it comes to embracing software-as-a-service. A new Forrester survey of more than 1,000 IT decision-makers in North America and Europe found that 16 percent of enterprises had adopted SaaS as of 2007 — an increase from 12 percent the previous year but still a small minority. Actual enterprise adoption of SaaS might be much higher, though, because business units often deploy hosted applications on their own, sometimes seeing it as a way to free themselves from relying on IT, says Forrester analyst Liz Herbert. While 16 percent of Herbert's survey sample were using or piloting at least one SaaS application, another 46 percent were planning a pilot or interested in having one, according to the Forrester report, 'Competing in the Fast-Growing SaaS Market.' About 37 percent had no interest in software-as-a-service. Executives who aren't interested in SaaS pointed to concerns about integration, total cost, lack of customization and security.

Application performance concerns and vendor lock-in were also preventing some enterprises from using SaaS. But the number of IT executives who have at least some interest in hosted software indicates to Herbert that IT involvement in SaaS projects is poised for a big increase. "It's not like that 84 percent [that haven't deployed SaaS] is sitting there and saying 'there's no place for software-as-a-service in our organization,'" she says. While SaaS applications are typically for general business tasks like human resources, there are now hosted applications designed specifically to help IT staffers manage an enterprise's technology, she says. Nearly half of SaaS users were using HR tools, 38 percent were using collaboration software and 36 percent were using CRM.

More findings from Herbert's survey:
- North American companies are twice as likely as European ones to adopt SaaS.
- Hosted software is most commonly used by the energy, utilities, retail and services industries.
- SaaS vendors have improved customization and integration capabilities but haven't caught up to packaged software vendors in this regard.
- Pricing is a concern: many buyers of hosted software believe the service-based model is more expensive in the long run.
- Security concerns are holding back adoption. Many customers worry about whether a vendor has adequate hosting and backup facilities, or think a hosted application will give untrained business users too much control over roles and access rights.

—By Jon Brodkin

Illustration by Anil T

Research
Wanted: Best Practices

The need for best practices knowledge was identified by 16 percent of respondents as the top IT security challenge affecting organizations today, according to a recent survey of 322 IT security professionals, undertaken by the Canadian Advanced Technology Alliance in partnership with Microsoft. Coming in a close second was data protection, cited by 15 percent of respondents, followed by access management, cited by 13 percent. "The lack of best practices being one of the primary challenges was certainly one we weren't anticipating when we started this study," said Kevin Wennekes, CATA's vice-president of research. "We knew it would be an issue, but for it to be identified at the top as an overarching challenge came as a bit of a surprise to us."

Also surprised was Francis Ho, executive officer at the Federation of Security Professionals in Toronto, who expected both data protection and access management concerns to rank higher than best practices. "It's certainly a surprising result because there's so much information out there, with a lot of good server hardening guides to be found all over the Internet," Ho said. "Data protection is one that should definitely be high on the list as everybody is concerned about information leaving the organization today. In the old days, everything used to be paper-based but now you can make a copy of a file and port it off to your iPod Nano without a trace."

Another finding indicated that IT security professionals believe that their organizations don't put enough emphasis on IT security challenges and often react after the problem arrives on their doorstep. "I see a lot of basic processes like simple hardening of servers that still isn't being done as the norm, so while some organizations get it, many others don't," Ho said. "Larger organizations tend to understand security better and it also depends on the industry." To address these issues, CATA recommended that the industry develop industry-wide best practices, establish a research series of IT security professional perspectives reports and undertake a study to determine the value of an IT security skills set.

—By Rafael Ruffolo


Security
Not So Excel-lent

Businesses where staff uses Excel spreadsheets to develop applications quickly and cheaply aren't paying enough attention to the operational risks they run — especially when the spreadsheets link to back-end systems. "Microsoft never intended Excel to be an enterprise application. Users are today placing undue trust in Excel, and errors go undetected for a long time," said Ewen Ferguson, senior manager at risk consultancy Protiviti, in a presentation at the European Computer Audit Control and Security Conference in Stockholm. Today, companies are even using Excel as an interface to their ERP systems, something that worries Ferguson. "I think it's a misconception that anyone can build well-designed spreadsheets, and that's a part of the problem," he said.

Poor use of spreadsheets can lead to financial losses, directly or indirectly. Ferguson illustrates how easy it is for things to go wrong with an example from real life. An employee at a company developed a spreadsheet that tagged some cells in pink to indicate they should be included in a particular calculation. He then turned the spreadsheet over to someone else, who after a while came back and said it didn't work. "He didn't like pink so he changed to a different color, which broke the spreadsheet," said Ferguson.

For companies that want to tackle their spreadsheet problems, there are solutions. Protiviti, for example, has developed a framework to simplify the task. It has four stages, starting with the identification of critical spreadsheets, and ending with the implementation of controls. There are also a number of vendors that sell Excel-specific products, including ClusterSeven and Compassoft. With Compassoft Enterprise, companies can manage and control spreadsheets based on a risk policy, automating the discovery and prioritization of spreadsheets. ClusterSeven Enterprise Spreadsheet Manager monitors important spreadsheets so that you can trust their integrity.

—By Mikael Ricknäs

Storage
The Ever Growing Digital Universe

The digital universe in 2007 stood at 281 billion gigabytes and, with an annual growth rate of almost 60 percent, it is projected to reach nearly 1.8 zettabytes in 2011, according to IDC. A zettabyte is a one followed by 21 zeroes, or ten to the twenty-first power. The IDC survey, 'The Diverse and Exploding Digital Universe: An Updated Forecast of Worldwide Information Growth Through 2011,' highlighted an accelerated growth in worldwide shipments of digital cameras, digital surveillance cameras, and digital televisions as well as a better understanding of information replication trends. The digital universe in 2007 was equal to almost 45 gigabytes (GB) of digital information for every person on earth — or the equivalent of over 17 billion 8 GB iPhones. Other fast-growing corners of the digital universe include those related to Internet access in emerging countries, sensor-based applications, data centers supporting 'cloud computing' and social networks comprised of digital content created by many millions of online users.

Meanwhile, the survey pointed out that a person's 'digital shadow' — digital information generated about the average person on a daily basis — now surpasses the amount of digital information individuals actively create themselves. The digital shadow includes names in financial records, names on mailing lists, web surfing histories or images taken by security cameras in airports or urban centers. The digital information created by people includes taking pictures, sending emails, or making digital voice calls. The study reported that enterprise IT organizations that gather the information comprising people's digital shadows have a tremendous responsibility for the security, privacy protection, reliability and legal compliance of this information. According to IDC, approximately 70 percent of the digital universe is created by individuals, yet enterprises are responsible for the security, privacy, reliability, and compliance of 85 percent. "The burden is on IT departments within organizations to address the risks and compliance rules around information misuse, data leakage and safeguarding against security breaches," said Joe Tucci, chairman, president and CIO of EMC.

—By Jack Loo

Illustration by MM Shanith


Martha Heller 

Career Counseling

The Longest Interview Three CIOs on how to make the most of an interim job and turn it into a permanent one.

Illustration by MM Shanith

Most of us thrive in relatively defined structures where we understand the parameters within which we can act, succeed or fail. As such, we are typically very uncomfortable in liminal states — when we are neither here nor there, neither in nor out, neither fish nor fowl. CIOs who are in acting or interim roles must exist in this gray area, often for protracted periods of time while performing Herculean feats of turnaround, firefighting and influence. Whether you're a number two with a shot at the top or a consultant brought in on an ad hoc basis, the odds of getting the full-time job are typically not great for interim CIOs. It's relatively easy for an external candidate to convince a hiring committee that he will do great things in the future. An internal candidate has to do great things in the here and now. And while an external candidate can paint a beautiful picture of future alignment and prosperity, an internal candidate has no choice but to expose the current and ugly truth about an IT organization. So how do you shift from acting to in charge? To find out, I checked in with several CIOs who successfully made this transition. Follow their tips, and you may find yourself happily erasing the 'interim' from your office door.

Don't be a baby-sitter.

In July 2006, ICG Commerce, a procurement outsourcing provider, hired Rick Bunker for a weeklong consulting engagement on IT management strategy. "I gave my report and figured I was done," he says. About a month later, a new CEO joined the company and asked Bunker to present his findings once again. The CEO liked what he heard and asked Bunker to consult as an interim CIO for a three-month assignment. "Two months into my consulting engagement, when it was time to finish up or begin a new statement of work, they asked me to take the permanent role," he says. Interim CIOs are often asked to babysit an organization and leave the major strategic moves to the permanent CIO. Bunker warns against allowing your role to be defined this passively. "If your CEO tells you to keep things calm before the new person starts, you're in a terrible position," says Bunker. "Your peers will see you as ineffective — and they are the real decision makers as to whether or not you'll get the job." When Bunker joined ICG, the company was transitioning from a product to a services strategy, and the IT organization was misaligned to the new business model. In his first two months on the job, Bunker restructured the organization, adopted an agile programming methodology and set up a new technical training program. So how do you react when a CEO tells you to stay in the box? "If your boss tells you that you can't re-organize or fire people, then develop strategies for transformation and present them as what you believe should be done," he says. "Develop a strategy and sell it, even if you can't execute."

Put a premium on trust.

"When you work as an interim CIO in a consulting capacity, people can be very forthcoming with you because they consider you outside the political fray," says Bunker. "When you make the switch from interim to permanent, it can be a real shock to people who have spoken more openly with you than they would have if you were a full-time employee." If you want your peers to support your permanent appointment, you need to make it clear when you're acting CIO that they will be able to trust you should you wind up in the permanent role.

Pay attention to the step below peer-level.

Consultant Jim Ward was named acting CIO of logistics company Pacer International in December 2006. He was asked to run IT as the company conducted an external CIO search. Five months later, the company's CEO asked him to take the full-time job.
When Jim took the interim job, he was not planning to work full-time, but he liked the company and the challenges it faced, so he decided to accept. His advice: while it is true that the opinions of your C-level peers are a critical factor in determining whether you are right for the position, you cannot ignore the next level down. "I spent much less time with senior management than I did with the business getting things done," he says of his interim period. "If you're helping managers run their businesses, they will filter that message all the way up. If the managers are not happy with you, you will probably not get the job."

Be prepared to work for a new CIO.

When the CIO of Covance left the drug development services company in June 2005, John Repko, then VP of global applications at the company, was named his interim successor and given the permanent role the following January. Not only did Repko need to survive an external search, he was asked to participate in the selection of the permanent CIO. The situation was unique and challenging for Repko, but he defined an approach for himself and stuck with it. "I came up with a way to evaluate candidates where I drew a line and said if the candidate is a full step above me, I'll be big enough to be prepared to work for him or her," he says. "But if I didn't think I could learn something from this person, I would state my concern."

Be sensitive to the reaction of your former peers.

"You need to understand that not everyone will be happy for you," says Repko. Colleagues who feel that they should have been selected for the interim assignment may not be your top supporters. "You cannot alienate your former peers," he says. "Be humble, ask their advice often and show them that you're in learning mode."

Be visible.

Soon after he was put in the interim position, Repko built a 30-60-90-day plan for the IT organization and hit the road. "I felt that it was critically important that the top leaders at Covance understood that I was in charge and was no longer the number two guy," he says. "I did that by going on a world tour to meet with all of the major business leaders and building a solid 30-60-90 plan and reviewing it frequently with my CEO and my peers."

Think short and long simultaneously.

In November 2006, consultant Rick Gehringer was invited to negotiate an outsourcing agreement for the Brookings Institution. By January, the relationship turned into a six-month interim CIO contract while the organization conducted an external CIO search. Two months into the search, which began in May 2007, Rick formally interviewed for the role and received an offer a month later. His advice? "Remember that you're doing the job they hired you for with one hand and interviewing for the permanent job with the other," he says. "You need to deliver a balance of short-term successes, like resolving chronic infrastructure problems, with long-term strategic vision." In other words, act like a CIO and you may just win the job.

Martha Heller is managing director of the IT Leadership Practice at ZRG, an executive recruiting firm in Boston. Send feedback on this column to editor@cio.in



N. Dean Meyer
Applied Insight

What IT Really Means
What's IT worth? If end users are to understand, you have to tell them exactly what they get for their money.

Some of you are sighing with relief that your budget process is over. But all who remember how painful the budget process was understand that a CIO's negotiating power is, to a great extent, determined by how well clients understand the value they get for the money. There are three components to the concept of value: understanding exactly what IT delivers, believing that the cost is fair and evaluating the contribution of those deliverables to the bottom line. Here's how you can build clients' understanding of IT's value.

What Do We Get for the Money?

Illustration by MM Shanith

In many cases, clients' poor perception of IT value is as basic as not understanding the full bundle of offerings that IT delivers. Sure, everybody knows that IT delivers essential services like desktop computers, network services, applications engineering and applications hosting. But that sounds simple. Many clients don't understand why IT has to cost so much just for that. The problem is, many IT departments don't clearly define the specific products and services they deliver for a given level of funding. Typically, there's a lot more in that bundle than clients know. When the specifics are defined, clients come to understand why IT needs the budget that it does. Explicitly defining IT's products and services also counters the less-honest outsourcing vendors who glibly offer to do 50 percent of what internal staff do for 80 percent of the cost, implying a 20 percent cost savings. One can see the fallacy in that claim only if IT can clearly define all the products and services that it delivers. There are two steps required to understand the exact list of products and services that the IT budget pays for.

First, IT must publish its product and service catalog. The catalog must be comprehensive, and at a level of granularity that portrays specific client purchase decisions. It's not sufficient to define high-level categories, which don't portray all the many things IT does within each category. For example, 'e-mail' is too broad. A fully defined catalog would distinguish a basic e-mail account, extended storage and BlackBerry forwarding as three distinct services. Second, IT must define exactly what subset of that catalog the budget pays for, and in what quantities. For example, it might forecast the cost of basic e-mail for everybody, extended storage for only the customer service department, and BlackBerry forwarding only for executives. And it might forecast the cost by application for each major project, for necessary repairs and patches, and for discretionary enhancements. Breaking out the budget in such a way makes it clear exactly what IT delivers (and, by implication, what it doesn't). Said another way, the budget must forecast more than spending by expense code (such as travel, training or licenses) for each manager. It must include the full cost of all clients' purchase decisions. I call this a 'budget by deliverables'.

Is the Price Fair?

The next question related to value is: Am I getting a good deal? Is the IT department delivering its products and services at a cost that's competitive? Answering this question requires benchmarking against the market. It's not enough to compare the internal IT budget to other companies using statistics like percent of revenues or total cost per desktop. This doesn't take into account the unique configuration of technologies within the company, or the unique needs of the business. For example, your company may be spending more on IT because it's using technology to gain strategic advantage, not because the IT department is more expensive. The only way to demonstrate that internal IT is a good value is to compare the cost of products and services, like to like. IT must be able to answer the question, "What would this exact bundle cost if bought from vendors rather than staff?" The easiest, but least accurate way to assess this is to benchmark the entire bundle all at once. This involves adjusting industry average IT expenditures based on the attributes of your bundle that make you unique, such as the number of servers, users and transactions.

There are two problems with this approach. First, it cannot distinguish an inefficient IT department from an efficient one in a complex business. Second, the data does not tell you which IT product lines need cost reductions. A more accurate way to benchmark IT is by product, based on unit costs. To ensure fair comparisons with the market, IT should calculate rates for each item in its catalog ('service costing' as ITIL puts it). All costs (including all indirect costs) must be amortized into those rates. It's misleading to allocate fixed costs, and claim that rates based on only direct (or marginal) costs are competitive. But be careful not to amortize into rates any costs that are, in fact, entirely separate from the delivery of those products and services. One example is corporate-good services like policy, standards, oversight and technology advice (like the consumer report for PCs). These are services that have their own price, and should not be amortized into the cost of client products and services. Another is capital for IT-owned infrastructure. These costs should be depreciated, and only the depreciation expense goes into rates.

Value and the Bottom Line

The final question of value is at the higher level: does IT contribute to business value? To optimize its contribution to the bottom line, IT must install processes that ensure two things: that the enterprise is spending the right amount on IT, and that the IT budget is spent on the right things. What is the right amount to spend on IT? The answer is certainly not found in industry averages of what others are spending, nor in what was spent in prior years. In technical terms, the optimal amount to spend on IT is determined by funding investments (from best to worst) until the marginal internal rate of return drops down to the weighted-average, risk-adjusted cost of capital. In simple terms, the enterprise should fund all the good investments, and no more. Obviously, 'keeping the lights on' is a very good investment. Without it, the enterprise would grind to a halt. Beyond that, services and projects alike should be scrutinized to be sure they pay off. IT, in isolation, cannot calculate the ROI of its products and services. Only clients can vouch for the value they receive from their IT purchases.

What Can IT Do? Two Things

First, IT can ensure that clients are in control of what they buy and are accountable for spending the IT budget wisely. This means implementing a client-driven portfolio-management process. Note that portfolio management is far more than rank ordering projects on an unrealistically long wish list. Clients must understand how much is in their 'checkbook' (a subset of the IT budget), and what IT's products and services cost, in order to know where to draw the line. That is, they must work within the finite checkbook created by the IT budget as well as understand the deliverables that they will (and won't) get. Thus, true portfolio management is predicated on the above steps of defining IT's catalog, costing it, and presenting a budget in terms of the cost of its deliverables. Once all that is done, an effective portfolio-management process can be implemented. Second, even if clients know the costs of their purchases and are working within the limits of their checkbook, they'll make better purchase decisions if they understand the returns on technology investments. IT can help clients estimate ROI of their proposed purchases. The cost side of the ROI equation was handled by calculating a budget by deliverables and rates. The remaining challenge is to quantify the benefits. Cost-displacement benefits (which include both cost savings and cost avoidance) are easy to measure. The real challenge is measuring the so-called 'intangible' strategic benefits.

One Step at a Time

In summary, the question of IT value is fully addressed when:

1. IT has defined its product and service catalog in detail, associated all its costs with its products and services, and calculated rates that can be compared with the market.
2. Clients understand exactly what they're getting for the money spent on IT, and indeed can control it by deciding what they will and won't buy from IT.
3. IT can help clients assess the value of their IT purchases by measuring the benefits.

These three things are presented in order. The catalog must come first, and the costing must come closely on its tail (ideally through an integrated business planning process). This first step alone may settle questions of value in many organizations. Next, a client-driven portfolio management process can be implemented, one predicated on knowing the costs of all of IT's products and services, and how much of IT's budget is available for clients' purchases (the checkbook). Finally, as clients grow in their ability to manage the IT checkbook and begin looking for ROI calculations to fine-tune their judgments, IT can offer help with strategic benefits measurement.

Send feedback on this column to editor@cio.in



Cover Story | IT Strategy

Straight Up Strategy

Everyone agrees that having a strategic plan for IT is a good thing but most CIOs approach the process with fear and loathing. In fact, the majority of CIOs (and the enterprises they work for) are faking it when it comes to strategic planning. Isn't it time we all got real?

By Stephanie Overby

Reader ROI:
What to do when business has no plan
Why IT strategy can't be made in a vacuum
How to manage a relationship with business to create strategy

“Business processes are like children or parents. You have to manage them. You can't throw them out.” — S.N. Roy, VP-IT, Cholamandalam MS General Insurance

“If you choose not to strategize for want of budgets then you are being reactive, and that approach will certainly prove costly as you move along.” — Charles Padmakumar, Director-IT, Aricent Technologies

“Business does not tell us what we should do. They only tell us their plans. The IT team decides what should be implemented to help the business team to fulfill its objectives.” — Prasad Dhumal, National IS Manager, DHL Express India

Places where IT and the business are so tightly aligned you can barely tell the two apart. Where corporate leaders understand that IT is a strategic asset and support it as such. Where the CIO is encouraged to spend the majority of his time on the Big Picture. If one works in that kind of IT Wonderland, getting a good strategic plan down on paper is probably a snap. But the vast majority of CIOs work in places where the business itself may not have a clearly articulated strategy. Where corporate leaders don't care too much for IT, much less value it strategically. Where the CIO's time is devoured by day-to-day operations and there's little time left to look beyond the next few months. If one lives with that kind of tactical IT reality, getting a good strategic plan down on paper is practically impossible. Which is to say that for most CIOs, putting together an IT strategic plan—that annual road map to guide IT through the next 12 months and beyond—is dauntingly hard. But while the odds may be stacked against the average CIO, the truth is that those IT leaders who don't master the art of strategic planning won't last long. "The purpose of the IT strategic plan is to improve the business-IT relationship. A CIO needs it to communicate with the business, to tell them that he understands the company's needs and to set expectations," says Alex Cullen, Forrester Research vice president and research director. "A CIO can't succeed without it." Michael Jones, CIO of the National Marrow Donor Program, calls it "the business case for IT." Here's how you can overcome the four most common obstacles to penning that increasingly critical document.

Business plan? What Business plan?

Photo by Foto Corp

The cardinal rule in developing an IT strategy is to connect it to the business strategy. "The business should have desired outcomes—market share gains, higher customer satisfaction levels, shortened cycle times," says independent IT analyst Laurie Orlov. "IT has to figure out where they factor into that." But for all the whining CIOs have had to endure about how IT needs to be more strategic, the businesses they support are often in even more dire strategic straits. "Businesses very often don't have a strategy. Or they do, but it's very high-level and vague. Or they reserve the right to change it. Or they have some strategies, but they don't apply to all the business activities taking place," says Forrester's Cullen. So CIOs operating in strategy-free organizations are off the hook, right? Wrong. "It's the ultimate cop-out for CIOs to say they can't do an IT strategy because the business doesn't have an articulated strategy," says Orlov. Fuzzy business goals present a challenge, but smart CIOs should see that as an opportunity. "People in the business are very focused on operations or other minutiae," says Dave Aron, vice president and research director for Gartner Executive Programs. "IT can help the business articulate what will help it win and how IT fits into that. Then you go from just being an order taker to actually influencing overall strategy."

Making IT Strategy Work

Working with IT strategy, business can be a suffocating relationship, but not for Prasad Dhumal, National IS Manager, DHL Express India, for whom the two are intertwined but separate strands.

Khalil Gibran said it best when he made his observation on marriage: 'And stand together yet not too near together/For the pillars of the temple stand apart,/ And the oak tree and the cypress grow not in each other's shadow.' When asked whether the IT department drives IT strategy or if business did, Prasad Dhumal, national IS manager, DHL Express India, says that both parties have strong involvement. “We are an MNC so the regional IT headquarters and regional business stakeholders like country managers, HR heads, business heads, and others have a strong say.” Dhumal says that the business gives its plans to the IT team and tells them what it wants. So, does this imply that the business forces the IT organization to deliver based on its own plans? Not so, asserts Dhumal. “Business does not tell us what we should do. They only tell us their business plans. The IT team decides what should be implemented to help the business team to fulfill its objectives.” The practice of allowing each department to do what it does best may seem like a no-brainer but this hands-off approach has one requirement: it entails that both parties regard themselves as equals in a marriage. It’s a hurdle that DHL has already crossed. And the proof is in the way RoI is justified. At DHL, Dhumal says that the IT team doesn’t have to worry about RoI — this burden falls on the business team. And it’s a responsibility business is willing to take because projects are a joint exercise between the business team and the IT team — and they both work hand-in-hand to deliver. To Dhumal, the issue of RoI is not very worrying because, as he says, “the IT strategy is based on the needs of the business.” Expanding on this, Dhumal says that a focus on planning ensures that business value is delivered. “We first start with a business priority, which is the key requirement for initiating any project. This is the stage where we need the highest clarity,” he points out. Once this is fixed, the IT team moves — independently — into tactical territory like a study of the required resources and the timelines that need to be adhered to in order to deliver business value. The upside to this approach: costs are not high on the priority list. “Only if high costs are involved do we require special approvals and sanctions before the project can get rolling,” explains Dhumal. He adds that meetings help ensure that rollouts stick to timelines. Once the system has been delivered, review meetings are held until the system stabilizes. The meeting schedules tend to vary — a project that is to be delivered over a six-month period may necessitate only fortnightly meetings, but weekly meetings may not be uncalled for when delivery has to be made within a month.

—Balaji Narasimhan

Opportunity Knocks

Michael Hites knew the lack of vision at New Mexico State University (NMSU) would be a challenge. "If you don't have the highest level plan in place, even the best IT strategic plan won't work," explains Hites. "I've seen it; I've lived it." When he became CIO in 2003, NMSU's plan was no different from any other school's. So Hites's first IT strategic plan was standard and risk-averse. IT plodded along doing good work but nothing particularly strategic. In the absence of a more ambitious university plan, there was nothing to anchor a real IT strategy, says Hites. "If you stick your neck out [in that environment], the university may or may not be behind you," he notes. But then a funny thing happened. After several years of bugging people about the lack of a strategic plan for the university, Hites last year was put in charge of strategic planning for the entire university and named vice president of planning and technology. Hites and his team have lots of great ideas—about Rs 60 crore worth of them, he says—but his organization is "funded to the tune of half a million a year." The question he's faced with each year is "how to spend that little bit to do something strategic. If the university has the 'mom-and-apple-pie' strategy of 'helping students succeed' or 'increasing research,' anything you do is going to foster those objectives. And you can never be sure you're making the right choices. But if a university steps out on a limb and says, 'We will have best online education program in criminal justice in world,' then that becomes the strategic focus."

When IT Drives the Bus

"It can be appropriate for the CIO to help push business along in terms of strategy," says Forrester VP and principal analyst Bobby Cameron. And that doesn't necessarily mean taking on a second job. When Kelly Clark joined Exante Financial Services, a financial services provider for the healthcare industry, he wanted to change the IT strategic planning process.

"Generally, it's done at the end of the year," explains Clark. "You look at the budget, see you have X number of dollars and figure out what you can do. It's reactive." Clark wanted a proactive process, a "business overlay that said, here's what the market is looking for, here's what we have, here's what we need." Exante had a business road mapping process but no business and systems strategy, so Clark told his CEO and CFO they needed one. And they bought it. "So off we went," says Clark. "We created an enterprise strategic plan and IT became a piece of that." Bethesda Lutheran Homes and Services (BLHS), a faith-based provider of services for individuals with developmental disabilities, was a couple years into a five-year organizational strategic plan when Brian Tennant became its CIO. But the plan was strategic in name only. "It was generic: be the best and grow by this amount," recalls Tennant. "But it was unclear why they picked the growth number or how they would measure it. And they hadn't paid much attention to whether it was on track. Nothing was grounded in reality." Frankly, that didn't matter much to Tennant at first. BLHS had acquired Good Shepherd Communities in 2005, which increased its size by two-thirds, and there was a "whole pile of modernization to do," recalls Hites, including adjusting the core ERP system. Even with an overarching business strategy, IT's mission was clear: integrate and upgrade. Now that all that work is wrapping up, Tennant knows it's time to create a plan to guide his department of 10 through the next three to five years. But Tennant's not waiting for the 105-year-old organization to come up with a new five-year plan specific enough to guide IT; he's helping shape it. "I see myself as a member of the senior management team who just happens to be in charge of IT," says Tennant. "So I'm taking the opportunity to weigh in early and weigh in on all disciplines, not just my own."

Senior leaders, Tennant included, are vetting the new plan with the board, operating divisions, donors and families of those to whom they provide aid. The goal is to create what they're calling "strategic positioning statements," such as attracting a younger demographic as donors or expanding services or creating financial stability. "I'm already starting to think about how IT will fit into those goals," says Tennant.

Starting from Scratch

Ask Vicki Petit, vice president of information services for KI, a Rs 2,800 crore office furniture manufacturer, what word she associates with IT strategic planning and she doesn't miss a beat: "Work," she answers, with a sigh. Petit faced a double challenge when she became KI's IT leader eight years ago. KI didn't have a business strategy and no one had ever thought about creating one for IT. Forrester's Cullen gets lots of calls from CIOs every year around springtime, and about half of them are just like Petit, starting from scratch. (The other half are dissatisfied with their current plan.) "[CIOs] all know they need one, but they're not sure what it is or what they want to achieve or where to start," says Cullen. Petit spent her first few years on the job waiting for the business to decide what its strategic plan was. But what it delivered wasn't a plan; it was a tome. She waded through KI's 200-page "corporate strategy book" searching to find something that IT could align with. "The business strategy was communicated in mostly operational objectives," says Petit. She wanted to create a long-term road map that would guide IT beyond the next year but it was difficult to tie that to the nitty-gritty tactical goals that passed for business strategy. Still, Petit knew she had to put some kind of stake in the ground, if only to make the following year's strategic plan a little easier. And every year since, she's put an IT strategic plan on paper, updating it and grading the IT department on its progress after six months, improving the process as she goes. And now her boss, the CFO, requires a similar strategic plan each year from all departments. "Oh they love me," she jokes. But the plan has proven invaluable. "We can use what's in there to help us justify IT's direction or say no to a project instead of just reacting to what users want." George Lin also had to go from zero to 60 on strategy. When he became CIO of Dolby Laboratories, he found a "fairly rudimentary" IT plan in place. But unlike Petit, he benefited from what he characterizes as a very strong business strategic planning process. Dolby has a multiphase 'funnel' approach to strategic business planning. All the good ideas generated by the company's more than 1,000 employees come in and the senior management has a governance process for narrowing them down to a manageable number of initiatives for the year. Lin plans to introduce a similar process within IT, inviting broad input into the strategic plan and putting in place a "business infrastructure steering committee" to select those with the most promise. "It's what I've done everywhere I've been," says Lin, who previously held IT leadership roles at Advent Software, Documentum and EMC. "The IT strategic planning process should tie into the existing business strategic planning process. That creates buy-in from the business."

Without that, Lin says IT suffers. "Before I became a CIO, I saw the downside of an IT organization whose strategic plan was not aligned," says Lin. "IT was putting a lot of good effort into projects the business didn't want or appreciate. It becomes a morale issue," he says. Tennant plans to mirror BLHS's new business strategy process when he creates the organization's first-ever IT strategic plan this year. Those "strategic positioning statements" the corporate team was developing? IT will have some, too. "They won't be, 'We're going to grow our staff 25 percent' or 'We'll upgrade to Watson version 9.0' like it has been," says Tennant. "It could be, 'We're going to move in the direction of self-service,' which could apply to our staff or the people we serve or our vendors. Or 'We're going to leverage adaptive technology to improve the lives of the people we serve.'"

Keep Money Out Of It

Charles Padmakumar, Director-IT, Aricent Technologies, cautions CIOs against letting money do the talking when it's time to draw out a strategy.

What part does financial planning play in the creation of IT strategy?
Financial planning is an essential and integral part of any strategy creation and execution exercise. I say this because most strategic planning exercises involve an analysis of the current expenditure, which will need to be revamped to support a new strategy being rolled out. Having said that, a strategy should be driven by vision, which some people call their roadmap. It should be aligned to business and its needs.

Can strategy be driven by budget?
I would say not. On the contrary, your budget should be a support to help implement your action plan, which is based on your strategy.

But doesn't getting funds then become a problem? Especially if business thinks IT isn't focused enough on budgets?
This is not easy given the current situation, which demands better management of costs if not cost reduction. But I would also add that it is not as tough as people think — if your strategy is spot on and in line with the needs of business. The strategy should be able to highlight business benefits and what it will bring to the company. It should also be supported and sponsored by the leadership team. There is an urgent need to strategize, especially when you are under pressure to reduce costs.

Why is it important to focus on strategy and not funds?
Because if you choose not to strategize for want of budgets then you are being reactive, and this will certainly prove costly as you move along. Today's business models are more dynamic; your customers and their needs are also changing rapidly. Ask your business groups, they will echo this idea that your customers are increasingly asking for a lot more — for a lot less. This indicates that there is a never-ending need for speed, efficiency and productivity — all of which are simply the opposite of being reactive. Every company spends money. So why not spend money smartly? Aligning your spend in line with your strategy is definitely a smart move. And remember: not all strategies need more budgets, some may just need a realignment of your expenses.

—Kanika Goswami

Cover Story | IT Strategy

The Dangers of Going It Alone

KI's Petit was happy to have created her first IT strategic plan in 2003, but she knew it wasn't ideal. She had come up with her own idea of what IT should focus on, with little business input. "The first pass was really just internal to IS in order to create some principles for how we wanted to operate and specific objectives," says Petit. But, as Orlov warns, "IT strategic planning can't be done in a vacuum. The CIO can't just have an offsite and brainstorm what to do." Petit understood that and has been trying to tie IT's strategic plan to business goals, such as they are. "It was a tough transition to make," admits Petit. "But the IT strategic plan is more or less the only vehicle we have to communicate the value we provide to the company, so we don't want to be seen as off there on our own island doing our own thing. A better model would be to work with functional leaders and get their take on what we should be doing," Petit acknowledges.

Petit's not involved in crafting business strategy, but she's got a way around that. "We've built a stakeholders' chart and we've started meeting with them. We ask them: what are you measured on? What affects your business? We're getting more two-way communication going."

Contrary to popular belief, a CIO doesn't have to have the proverbial 'seat at the table' to involve the business in IT planning. In fact, says Cullen, involving the business in IT strategic planning "is a way to earn that seat." "One of the big mistakes made when it comes to creating an IT strategic plan is that people model it after a kid who goes off into his bedroom to do his homework and then shows it to his teacher the next day," says Gartner's Aron. "You have to engage the business throughout the process of creating the plan."

Lin has created IT-business partner roles at Dolby to get input on strategy year-round. "It happens not just on the executive levels but throughout the company. And not just once a year at budget time," says Lin. This year IT wanted to set IT infrastructure standards for the company as part of the annual plan. "Instead of IT making the decision, we asked the business infrastructure steering committee to delegate people to a standards subcommittee," Lin relates. With that kind of model, Lin no longer has to sell his strategic plan to the business. Now, "The committee we present it to is actually involved in creating it," he says.

If the business isn't involved, the most well-intentioned, well-conceived IT strategic plan can go south in a hurry. "You show the plan to the business, they nod their head, say, 'Sounds like a good plan you've got there, go do it,'" says Forrester's Cullen. "Meanwhile they're thinking, 'Why'd you tell me this? It doesn't involve me at all. And don't ask me for money for it because it's not linked to business needs.'" Devoting 10 pages of the strategic plan to IT's goals for Web 2.0 might seem like a good idea within the IT department. Problem is, the CFO you're presenting it to is upset that his e-mail box is restricted to 100 megs and "you end up with the thing CIOs are most afraid of when they present their plan: people scratching their heads," says Cullen.

Hites now holds an annual IT planning conference at New Mexico State every October, meeting with a crowd of about 100 IT and university leaders. Last fall, they spent a lot of time talking about what Facebook and MySpace meant for the school and whether the curriculum should be integrated with such social networking sites. The conferences are something he started at the Illinois Institute of Technology. "Before that, we did planning only internally," says Hites. But that generated "some tension and was interpreted as, central IT wants us to do this while we want to do this other thing," says Hites. "It was ineffective."

Bringing the business into the strategic planning process doesn't have to be as formal a process as Hites's. Jones of the National Marrow Donor Program does it by having conversations with stakeholders. "I talk to people from the C level on down to the basement. I ask them how things are operating, what works well, what doesn't work well," he says. He then asks people in IT the same questions, which either validates his accumulated information or reveals disconnects that need to be explored. These conversations help Jones "connect what's in the IT plan to the everyday needs of the business."

"The CIO can go to peers and say, 'What do you expect from IT?' 'What's the importance of technology?'" says Cullen. "If the answer is, 'I don't know what I want because I don't know what you're capable of,' then that may be the focus of the IT strategic plan this year: defining the role of IT." "If you walk in with a blank sheet of paper, you may walk out with a blank sheet of paper," says Aron. "Instead say, 'We think you're in this kind of business, this is what it will take for you to win and this is what IT can do to help you. Is that right?' "It's not bad to get it wrong," Aron adds. "Sometimes a wrong or controversial hypothesis will get them talking." For example, a bank CIO could walk in to the VP of customer service and say, "From what I understand, the bank is going to succeed based on its superior understanding of the customer so we think IT should focus on analytical customer relationship management." That VP may say, "No, we're going to win those customers by being low-cost." Now the CIO has something solid around which to build an IT strategic plan.

Test Your Strategy

Evaluating how good an IT strategy is can be impossible with the number of criteria it has to meet and the variety of ways consumers view it. S.N. Roy, VP-IT, Cholamandalam MS General Insurance, has his own gauge.

How do you sit down and evaluate an IT strategy? You don't. At least according to S.N. Roy, vice president-IT, Cholamandalam MS General Insurance. The straight-shooting, hands-on IT leader says "I have an allergy to such phrases." It isn't strategy that makes Roy break out into a rash — he just believes that the best way to evaluate it is by observing it in action. "The proof of the pudding lies in its eating," he points out, echoing the words of Susan Cramm (founder and president of Valuedance, an executive coaching firm) in her column The Strategy Acid Test (www.cio.in/columns/viewArticle/ARTICLEID=3866636). True to style, he puts forth an example. Way back in 1992, he says, he started pushing his management to consider SAP. "I made a formal proposal only in 1994," he recalls. But it was only in 1998 that the management agreed. The customization was started in May 1999, along with activities to fix the Y2K problem. After 11 months, in April 2000, it went live, which only goes to show that IT strategies and their implementation take time to mature. They also take time to evaluate, which is probably why Roy scoffs at attempts to evaluate them academically. His test of an IT strategy? Time. The ERP implementation was a product of a strategy and "it has been running without any hitch for almost eight years now," he says. To him, anything that stands the test of time, especially in these days of turbulent change, is a success. And the other test? It meets business needs. "In the eight years that the SAP implementation has been running, the group has tripled its turnover and quintupled its profits," he asserts.

Like all IT strategies, formal or not, Roy's required constant tweaks to stay relevant to the business and the times. It's a truism that is reflected in Roy's SAP implementation. He says he made it (both SAP and the strategy) work by basing himself on a few parameters and narrowing down. This decreased customization to make the ERP behave in a manner similar to the existing legacy system and increased business-IT alignment. "Business processes are like children or parents," says Roy philosophically, "you have to manage them. You can't throw them out."

—Balaji Narasimhan

Excuses, Excuses

Given the choice between creating an IT strategic plan and having a root canal, many CIOs would choose the endodontist. "No one would say they love doing it," says Orlov. "[But] it's a pause for thinking and a divergence from reacting and responding." However, many CIOs find it impossible to pause. "I hear that a lot: 'I'm too busy with the day-to-day.' 'I spent time on that last year and it was pointless,'" says Forrester's Cameron. And with the increasing complexity in IT, the dread surrounding strategic planning has grown. "At the moment, you have these three tectonic plates converging in IT: the need for growth and innovation, continued cost discipline as a result of the credit crunch and IT's changing role in the business," says Aron. "With those three things pushing against each other, strategic planning can get very complicated." But if strategic planning is like getting a root canal, remember: you endure the pain now in order to prevent a greater agony later on.


"[Strategic planning is] the one tool CIOs can use to communicate the value of IT," says Orlov. "It's something that can shore them up and arm them when people challenge them about what IT is doing. So you have to set aside some quality time for that." During her last six-month evaluation of IT's progress, Petit gave her department an A for being a low-cost, high-value provider of IT services but a D on working with the product development team to incorporate technology into KI's furniture products. "We had a goal to have an innovation group within the IT department and that hasn't happened," says Petit. "We spend a lot of time operationally and less time looking into the future." Not surprisingly, Petit has trouble making time for planning. "It's a struggle," she says. "It's so easy to get dragged back into daily operations because we're staffed so lean and mean." To fight that pull, Petit keeps a bar chart taped to her computer screen tracking how much time she's spending with other managers, talking to external peers, meeting with vendors. Anything not project- or operations-related counts. The goal is to hit 32 hours a month, or 20 percent of her time (although she tracks it in minutes, 1,920 of them) spent planning. "In bigger companies, where the CIO role is more strategically focused and people wear one hat, strategic planning is probably a lot easier," she guesses. "But in small to mid-sized companies, we have to wear a lot of hats." Her boss, in theory, supports her efforts to spend more time thinking strategically. "But when it comes down to whether you're going to do something about strategic planning or the network is down," she says, "you're going to take care of the network."

Exante's Kelly says that if strategic planning is important, IT needs to put its money where its mouth is. "Often the problem is financial," Kelly says. "Everything is focused on capital expenses." Kelly says he has invested in people and processes to make sure the IT strategic plan remains a priority. "You need a dedicated team," he says. "Most organizations don't assign IT strategic planning to someone as a full-time job. Hence it doesn't become a discipline; it becomes a burden." But Kelly made strategic planning the full-time responsibility of his directors. "Once the positions were open," he says, "we found people were itching to do it." "Someone in IT should be thinking about IT strategy most of the time," agrees Orlov. "And their job the rest of the time should be making sure they're connected to everything that's going on in the business." If an IT leader (or his reports) can set aside extra time for strategic planning now, the theory is that it will become an organic part of their lives and interactions, less like a series of appointments that you'd just as soon cancel.

2nd: On the list of skills most pivotal to being a successful CIO, strategy ranks second, say CIOs. Source: State of the CIO 2007

And It Will Get Easier

"If you did a strategic plan for the first time last year, you'll find that this year it takes less time. And next year will be even better," says Cullen. "You can focus more time on discussions with people and less time on the mechanics of putting it together. "It could even become the part you like best about your job because that's where you can talk about what you want to do and why it matters to the organization." And that's fun. Which is why strategic planning isn't really like a root canal. Root canals have no fun parts.

Send feedback to editor@cio.in



Putting The Price War to Rest

By Balaji Narasimhan

Every company wants to establish its brand as a household name, but few succeed. And they succeed because they follow an age-old, time-tested formula: building credibility. Sometimes IT can do that for you.


Case File

Reader ROI: How to win customer confidence. How IT delivers margins. Why simplicity matters.

Establishing a brand name is a task that few companies do well. And, according to those that have, if there's one thing that's harder it's sustaining a brand. That is because it takes more than just wisdom to understand what's needed to stay on top of the brand game. And more often than not, it isn't about building another fantastic product, but knowing the pulse of the customer. With competition at its peak and demand on the rise, companies are trying to push each other out of the way to reach where it matters — promising to deliver time and again. Promising to be different, promising the world to the consumer. But some companies promise to deliver just a good night's sleep.

And that's what Sheela Foam — the company that owns the Sleepwell brand of mattresses — is known for. Founded in 1972, it has over 10 manufacturing units, 50 exclusive distributors and over 1,700 dealers across the country. But over the past few years, heavy discounting among channel partners attempting to sell volumes had become a serious problem. This price war wasn't doing very much good to consumer confidence in the product. A standard price is among the most basic requirements associated with a brand. And worse, all the discounting among the channel partners was hitting authorized dealers who were now unable to retain their margins because customers, being customers, went to the lowest seller. Thus, selling the brand was becoming difficult for authorized dealers. "Selling mattresses depends on referrals from customers and the dealer's word," says Rakesh Chahar, CEO, Sheela Foam. Since referrals from customers are not very high, the company had to depend on its dealers. "To make a dealer recommend Sleepwell, it is important that he retains a reasonable margin in selling the product," he points out. The company needed to enforce the MRP of its product. This is what led Sheela Foam to explore options in IT, and thus the project to control MOP (market operating price) was born. And the man responsible for its implementation was Pertisth Mankotia, head-IT, Sheela Foam.

Keeping the Bed-Bugs Away

"The most important challenge was to enable our dealers to retain their margins," says Mankotia. But, in addition, the IT team also had to track sales up to the customer level and build a customer database. This was the only way it could revive customer confidence in the brand. One of the things that stood in the way of the IT team was the fact that they had to manage with a home-grown ERP system, and this meant that they had to customize it themselves without much help from the vendor. Mankotia says, "There is no off-the-shelf product that caters to our requirement. Right from the order placement up to the stage when it is sold to the end customer, all business transactions are recorded in the system. We have been using this system for almost seven years." With the homegrown ERP — which they call Greatplus — they have not only automated their entire production process right from procurement to production, but have also successfully integrated it with their external channel partners.

A Short Siesta

Mankotia's team also decided to use a simple mechanism for data management: SMS. "This is the most simple and innovative way for controlling MOP and for tracking and maintaining stock at the location of the distributors and the dealers without spending too much," he says. Mankotia goes on to explain that the system tracks product movement all the way from the factory to the customer. "It maintains data on the stock at our factories, at the distributors' godown and the dealers' godown." Tagging is done with the aid of a unique product serial number, which is bar coded. With each dispatch, an SMS is sent to the distributor about the material that is dispatched to him. "The stock of finished goods at our factory is reduced and stock with the distributor is updated. When the distributor sells a product to a dealer, then the distributor's stock is reduced and dealer's stock increases. All this is recorded by our ERP system," he says.

So what's new? The innovation of using SMS comes into play when the dealer makes a sale to an end customer. When the dealer sells a mattress to a customer, he uses his own mobile phone to SMS the product serial number along with the customer's mobile number to a number belonging to Sheela Foam. "This SMS is fetched by our database, where the system checks the entire transaction. Within two minutes of the SMS being received, the system automatically informs the dealer and the customer, through SMS, about the 'Successful Guarantee Validation' and the MRP of the product," says Mankotia. Thanks to the rapid proliferation of mobiles in remote and rural areas, the system can be implemented in any place where a mobile phone can work. According to Mankotia, the biggest advantage of using SMS as a means to transfer data is that the dealers are not forced to install computers — it is more than sufficient if the distributors get their hands on a phone. All that the dealers have to do is use SMS to complete transactions from their side. Since the system has a bird's eye view of the entire transaction of the mattress — moving all the way from the factory to the distributor to the dealer — it is able to authenticate the genuineness of the dealer. The dealer gets five points for each transaction made, and this can be redeemed by him after a period of time.

Snapshot: Sheela Foam. Employees: > 2,000. Turnover (2006 — 07): Rs 500 crore. Distributors: 50. Dealers: > 1,700. Head – IT: Pertisth Mankotia.

Fighting Insomnia

Sheela Foam spent about Rs 2 crore on Greatplus, and it went live in January 2007. But the rollout was not as smooth as expected. Distributors and dealers resisted the new system because they felt that Sheela Foam would have full control over their stocks. They also feared that if the company tried to rigorously monitor the MOP, then the dealers would not be able to sell the product properly because the customer price would go up. In order to address these fears, Mankotia says that Sheela Foam conducted several workshops, group meetings and one-to-one discussions with various distributors and dealers to explain to them the long-term benefits of the entire system. In order to show the seriousness of the initiative, the CEO and the head of sales and marketing personally attended all meetings and workshops in order to strengthen confidence among distributors and dealers.

Bridging The Yawning Gap
How Sheela Foam uses SMS to verify the authenticity of a dealer.

1. Customer goes to a Sheela Foam dealer but is uncertain about the authenticity of the dealer.
2. Sensing the uncertainty, the dealer messages the product's serial number along with the customer's mobile number to Sheela Foam.
3. Within minutes, both customer and dealer receive the product's MRP and the 'successful guarantee validation' on their mobiles.

Winning customer confidence is one of the reasons behind SleepWell's 40% growth.
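The dispatch, distributor-to-dealer and SMS registration steps described above, modelled as an added example (not Sheela Foam's or Greatplus's own code): a small chain-of-custody ledger that accepts a guarantee registration only when the sending phone belongs to a registered dealer who currently holds that serial number, and rejects unknown serials, serials still sitting at the distributor and repeat registrations of the same serial. The serial numbers, phone numbers, MRPs, dealer ids and the 'SERIAL CUSTOMER_MOBILE' message format are all constructed for the example.

```python
"""Chain-of-custody ledger with SMS guarantee validation.

Added example modelled on the Sheela Foam/Greatplus flow in the case study;
not the company's code. Serials, phone numbers, MRPs, dealer ids and the
'SERIAL CUSTOMER_MOBILE' message format are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Custody states a serial number moves through, factory to end customer.
FACTORY, DISTRIBUTOR, DEALER, SOLD = "factory", "distributor", "dealer", "sold"


@dataclass
class Item:
    serial: str
    mrp: int                        # maximum retail price, rupees
    location: str = FACTORY         # one of the states above
    holder: Optional[str] = None    # distributor or dealer id holding it
    customer_mobile: Optional[str] = None


@dataclass
class Ledger:
    items: Dict[str, Item] = field(default_factory=dict)
    dealer_phones: Dict[str, str] = field(default_factory=dict)  # phone -> dealer id
    points: Dict[str, int] = field(default_factory=dict)         # dealer id -> points

    def dispatch(self, serial: str, distributor: str) -> str:
        """Factory -> distributor. Returns the notification text sent to the distributor."""
        item = self.items[serial]
        if item.location != FACTORY:
            raise ValueError(f"{serial} is not in factory stock")
        item.location, item.holder = DISTRIBUTOR, distributor
        return f"DISPATCHED {serial} TO {distributor}"

    def distributor_sale(self, serial: str, distributor: str, dealer: str) -> None:
        """Distributor -> dealer. Only the distributor currently holding the serial may move it."""
        item = self.items[serial]
        if (item.location, item.holder) != (DISTRIBUTOR, distributor):
            raise ValueError(f"{serial} is not held by distributor {distributor}")
        item.location, item.holder = DEALER, dealer

    def register_sale_sms(self, sender: str, body: str) -> Tuple[bool, str, Optional[str]]:
        """Handle a dealer's SMS 'SERIAL CUSTOMER_MOBILE' sent from the dealer's own phone.

        Returns (ok, reply_to_dealer, reply_to_customer). The dealer is
        authenticated by two facts the ledger already holds: the sender's phone
        is a registered dealer, and that dealer currently holds the serial.
        Unknown serials, serials held elsewhere and repeat registrations are
        rejected, so neither a fake dealer nor a reused serial yields a guarantee.
        """
        parts = body.strip().split()
        if len(parts) != 2:
            return False, "ERR BAD FORMAT: SEND <SERIAL> <CUSTOMER MOBILE>", None
        serial, customer_mobile = parts
        dealer = self.dealer_phones.get(sender)
        if dealer is None:
            return False, "ERR SENDER NOT A REGISTERED DEALER", None
        item = self.items.get(serial)
        if item is None:
            return False, f"ERR UNKNOWN SERIAL {serial}", None
        if item.location == SOLD:
            return False, f"ERR {serial} ALREADY REGISTERED", None
        if (item.location, item.holder) != (DEALER, dealer):
            return False, f"ERR {serial} NOT IN STOCK OF {dealer}", None
        item.location, item.customer_mobile = SOLD, customer_mobile
        self.points[dealer] = self.points.get(dealer, 0) + 5  # five points per sale
        reply = f"Successful Guarantee Validation {serial} MRP Rs {item.mrp}"
        return True, reply, reply  # same confirmation goes to dealer and customer


def build_sample_ledger() -> Ledger:
    """Constructed sample data: two serials at the factory, one registered dealer phone."""
    ledger = Ledger()
    ledger.items["SW-0001"] = Item("SW-0001", mrp=9500)
    ledger.items["SW-0002"] = Item("SW-0002", mrp=12000)
    ledger.dealer_phones["+919800000042"] = "DLR-42"
    return ledger


if __name__ == "__main__":
    led = build_sample_ledger()
    print(led.dispatch("SW-0001", "DIST-NORTH"))
    led.distributor_sale("SW-0001", "DIST-NORTH", "DLR-42")
    # Genuine sale: registered dealer phone, serial in that dealer's stock.
    print(led.register_sale_sms("+919800000042", "SW-0001 +919800000099"))
    # Replay of the same serial is refused.
    print(led.register_sale_sms("+919800000042", "SW-0001 +919800000099"))
    # Unregistered phone, then a serial still sitting at the distributor.
    print(led.register_sale_sms("+919800000001", "SW-0002 +919800000099"))
    led.dispatch("SW-0002", "DIST-NORTH")
    print(led.register_sale_sms("+919800000042", "SW-0002 +919800000099"))
```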


Thankfully, their efforts paid off and the project became a success. Before the project, registering for a guarantee could take many months and the company paid approximately Rs 15 per guarantee registration. "Now, the guarantee is registered in just two minutes and we are spending only 40 paisa on the SMS," says Mankotia. This difference in cost has been passed on to the dealers, and naturally they are happy — especially since the number of guarantees has gone up from around 500 per month before implementation to around 10,000 per month.

The dealers are happy and Sheela Foam is pleased. But the IT team is more than glad. Mankotia says, "Discounting is the biggest problem in the consumer durable industry in India. No one has gone to this extent to control MOP. We have controlled sales through unauthorized dealers, stopped infiltration, controlled selling to non-dealers, controlled interdealer competition by giving heavy discounts, and also built a strong customer database for the future." Mankotia is also pleased to point out that "guarantee registration through SMS is a unique and innovative method that no one as per our knowledge has ever done in the country." Mankotia takes pride in the fact that the company has got a competitive edge in the market, as they are able to track stocks and can replenish them within a shorter timeframe. But ultimately, all IT projects need to reflect on the bottom-line. Mankotia says that the sales of Sleepwell mattresses have shown a growth of approximately 40 percent during the financial year. While the full credit for this cannot be taken by the IT team, "The project has made a significant contribution towards this growth," he says. Anupam Srivastava, the head of sales, is thrilled by the impact that the SMS system has had on the customer. "We are able to win the confidence of customers in our product because, immediately after the purchase of a Sleepwell product, the guarantee is registered through SMS," he says.

A Bed Time Story

The system has been in operation for over a year now, and Mankotia says that Sheela Foam has not made any major changes in the application. "But our major concern is connectivity uptime. Initially, distributors were operating through the Internet, and many times connectivity was a constraint. However, the problem has been resolved. We have now brought them into our MPLS network," points out Mankotia. In 2008, Mankotia has some ambitious plans for his project. Right now, Sheela Foam has extended Greatplus partially to its distributors. "As a step forward, we are in the process of launching our Greatplus Distributor's Lounge to almost all our distributors. This will record all their business transactions and provide all our distributors a business advantage that is similar to what is enjoyed by us today," he says. Using this system, Sheela Foam hopes to reach out to all its dealers and allow them to place orders online with distributors. "These will get translated into distributor orders and will appear as outstanding orders in our books," says Mankotia, who goes on to add that, "dealers will be able to know their online order position and they will be able to track materials movement and get more market insight." Another advantage of the improvements being made, says Mankotia, is that, with the information on materials movement, Sheela Foam will also be in a position to efficiently monitor the delivery of goods from the distributors to the dealers. "In short, with the Greatplus Distributor's Lounge, we are creating a totally synchronized environment, right from the order placement by our dealers all the way up to the sale of the product to the end customer," says Mankotia. The Greatplus Distributor's Lounge will become operational from April, 2008. Look who's getting a good night's sleep at Sheela Foam.

For a Good Night
"Discounting is a huge problem in the consumer durable industry in India. No one has gone to this extent to control market operating price." — Pertisth Mankotia, Head – IT, Sheela Foam

Assistant editor Balaji Narasimhan can be reached at balaji_n@cio.in


The Hand Behind The Wheel

By Kanika Goswami

R. Seshasayee, MD, Ashok Leyland, says IT masks the auto major's mammoth size. It also gives it innovation and agility — allowing it to go places more compact firms typically reach.

In a country with one of the largest and busiest rail systems in the world, Ashok Leyland's buses carry more people than the entire Indian rail network. It's a statistic that proves the auto giant's leadership, but it also says a lot about its dedication to staying a leader and its resistance to resting on its laurels. And in the last few years, it has had more reason than ever to sit back and let the market drive in the profits. With the buoyant economy, the robust growth of freight carriers and the Supreme Court's strict enforcement of payload restrictions, the enterprise could have gone with the flow and still kept investors happy. It didn't. While the commercial vehicle industry grew at 33 percent, Ashok Leyland grew 37 percent. How does it do it? In an industry rife with competition, Ashok Leyland has to imitate the reaction time of smaller, more agile companies. R. Seshasayee says that it stays ahead with innovation. And IT makes that possible. Ashok Leyland stands by five values: being international, speedy, innovative, ethical and value creating. Seshasayee elaborates how IT helps the company meet these needs.

View from the Top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

CIO: What is IT's place at Ashok Leyland?

R. Seshasayee: Obviously, IT is very important to us. To use an automotive metaphor, I'd say that if people were the main engine for movement and growth, IT is the transmission. IT is the system through which the power of people is transmitted into movement — the organization's movement. IT has been pretty important to our set up. Over the last several years, we have evolved our IT architecture from a purely transaction-based architecture — which was our starting point — to a stage where IT is integral to product development and our marketing strategies. IT is totally interwoven into the DNA of the company.


View from the Top

R. Seshasayee expects IT to:
- help the organization reach out to a much larger universe of customers
- bring what customers think is valuable to the R&D team
- help create a more energy-efficient plant
- integrate the organization into a tighter unit
- create efficiencies for clients – and goodwill for the organization

How have you optimized your processes and has this had an impact on costs?

Yes, of course. If you look at the last nine years, there is no doubt that we have achieved cost optimization. We started this journey about 10 years ago when we put together a long-term IT strategy. That roadmap has become integral to the profit plan of the company. Since then, we have had 30 percent growth in production and sales. Return on investments has also moved steadily upwards during this period — without a single year of backtracking. We've had steady improvements year after year on all parameters related to asset and inventory turnaround. This progress has also shown up in manpower productivity analysis. None of this would have been possible without making IT an integral part of our growth strategy. At a sublime level, the results are evident. And, at more specific levels, the use of IT has certainly enabled us to take critical action with regard to inventory — and with fairly impressive results. It has also improved our efficiency in terms of logistics since we have a hundred thousand vehicles moving around the country.

What about innovation? How has it contributed to the organization?

One of the interesting things we have today is a huge program that connects thousands of mechanics directly to us. We are looking at state-of-the-art technology using voice recognition, etcetera. With this, we will be able to reach out to a much larger universe of customers — not necessarily direct customers — but indirect ones like mechanics and retailers. That's a part of our innovation, and while we are still studying it, it is most likely to be Web-based technology. Also, we were one of the first few in the industry to have supply chain automation. We have an active portal, which enables all our suppliers to appraise vendor quality for themselves. It allows complete transparency; everybody can access information on the transactions of the company and so on. It's an active portal.

Does IT help with product innovation?

For product innovation, customer connect is very important. We have an initiative that we are currently deploying, which tracks various customer segments by mapping the use of our vehicles across them. We identify various value drivers and capture it on a Data Management Service (DMS). We want to ensure that this data is part of the value delivery process. It's a fairly ambitious project but right now we have completed the first module of the DMS rollout. Eventually, it will morph into a tool for marketing to assess our value delivery.

Ashok Leyland's unit in Ennore, Tamil Nadu is a model of energy-efficiency. How did the CIO contribute? We have a fairly elaborate process. Most of the manufacturing units have installed networking units for energy meters with an automated system to track and monitor energy consumption. The result is that data is delivered at the shop floor and energy monitoring is interwoven into shop management practices. This is only possible because of instantaneous information.

Do tech investments at Ashok Leyland need to prove ROI? Obviously, every investment has to have ROI. Before we embark on major initiatives like CRM (customer relationship management) or PLM (product lifecycle management), we assess these investments and forecast their benefits. But I would like to point out that there are quite a few initiatives that — although they are subject to ROI assessment today — become mandatory later. For example, today, I don’t think anyone can even question whether ERP should be assessed. We don’t look at accounting and finance from an ROI perspective. These are the foundations of business. This is part of an evolution, so what was subject to an ROI test 10 years ago is now a precondition for any business strategy.

“Initiatives like ERP should not be assessed. We don’t look at accounting from an ROI perspective. These are the foundations of the business.” — R. Seshasayee

How does your CIO reinforce your market strategy? Or product development? Broadly, there are three roles that our CIO performs. One is to be integral to the process of integration development. For example, take product development. He is so closely involved in the PLM implementation that I can’t think of the product development function being carried out without his involvement. He is pretty much a part of that kind of functional process improvement. In the same vein, there’s also what we call customer connect — the CRM. It’s not your standard CRM package. It’s a tailor-made program and it is another project where the CIO is involved. Another role the CIO plays is bringing industry-specific IT innovations to the organization’s notice. He is like a window; a source through which knowledge comes into the organization. Of course, he is not necessarily the only person to introduce new ideas, but the CIO has a big role here. The third function the CIO serves is providing and managing our huge IT infrastructure. We are hugely dependent on the entire IT infrastructure. It’s a truism that you only remember the IT team when there’s a 10-minute connectivity problem. The fact that our CIO is running our huge infrastructure without breakdowns — and making sure that IT isn’t only noticed by its failures — is, I think, the biggest challenge that he meets successfully.

Vol/3 | ISSUE/10

What is ADES and how does it complement your capabilities? ADES (Ashley Design and Engineering Services) is a testing and engineering outfit focused on the automotive side. It’s a part of Ashok Leyland but serves third parties also. Ashok Leyland has its own dedicated product development and ADES is a separate outfit which takes work from outside. We have developed some critical competencies in ADES and when Ashok Leyland requires those critical competencies, we go to ADES.

Ashok Leyland is a leader in defence vehicles. How important is IT to this product line? We have a lot of new product development related to the defence business. One important part of defence is developing a fairly large number of variants and doing it quickly. Today, we have a large number of design, testing and validation tools, which are all IT-based. This means that we can simulate a lot of testing. I’d like to think our product development is pretty contemporary in terms of simulation — particularly with defence vehicles because quite often we have to predict behavior.

Where does the Indian auto industry rank against its global peers? In the last 10 years, there has been tremendous growth in India’s auto industry and it has been pretty much exposed to all contemporary technologies. Some of this is being used, others not. But, the Indian industry knows what is contemporary and useful. What’s being used is partly driven by what the customer wants. If you look at some of the comfort or safety issues, these are driven in part by legislation, in part by market needs. The Indian industry knows what is available on the shelf and, therefore, is in a position to employ a technology appropriately according to a market and a customer’s requirements.

That said, there are a lot of technologies which an Indian customer may not want, even if it is offered, for reasons of cost or because they are not relevant. There will always be a difference in the technology requirement between a customer in the US or Japan and a customer in India. For instance, night vision technology could be made ready for all bus operators in India; it could easily be made immediately available, but would there be demand? If you ask whether we are providing the right choices to the customer for good value, the Indian customer will definitely say yes. The Indian customer has as much choice as any other customer globally and he has all the technologies at his command. The Indian customer is not being denied.

How will new industry-specific technologies make a difference to your processes and products over the next few years? I think there are two types of innovations that are happening in the IT industry. There is a broad spectrum of technology improvements coming around, which could be exploited with varying levels of success by various industries. RFID is an example. That technology could be used in some industries more productively than in others. We have used RFID to ensure that the right components are being issued to the assembly. When a technology is available, we push new frontiers to see how we can develop our own applications and capabilities. Second, there are specific information technologies for the automotive industry. Let’s take the automation of vehicles, for instance — the electronic management of brakes. There is a chip sitting in there that gets various systems to talk to each other and passes information from one system to another in order to make the vehicle more efficient. That’s a key element of competitive product building and competitive business. In my view, even with respect to automotive electronics, which is based on an information technology platform, there are specific requirements in each market that are related to each customer group. Therefore, it is important that we look at what is being developed, how it needs to be customized and how we can derive competitive advantage. There’s another dimension to IT-specific technologies. We also use IT for a different type of experiment: the transport exchange, for example. The business objective of this exchange is to bring shippers — those who want to send goods — and the transport operators together on an electronic platform. We’ve got kiosks all over the country. There is a data transaction taking place between the shipper and the transporter and there are new price discoveries on freight, for example, which benefit both. So, in effect, we are using IT to eliminate middlemen, and thus benefit our customers. That is a very different use of IT in that it doesn’t directly impact the business that we run — but has ‘adjacent’ benefits.

Ashok Leyland
Revenue: Rs 83 billion (2006-2007)
Number of employees: 12,125
Number of offices: 75, including five manufacturing units
GM-IT: N. Chandrashekharan

Kanika Goswami is special correspondent. Send feedback to this interview at kanika_g@cio.in


Virtualization

By Laurianne McLaughlin

VM Sprawl. Hypervisor holes. Rogue virtual machines. Network traffic gone bad. What are the biggest virtualization security risks now and how can you combat them? It's time to separate fact from fiction and get down to work.

Real Risks Inside Every Box

Reader ROI: tools for managing security in virtual environments; the problem with rogue VMs; network risks explained

Last year, the big question about virtualization in data centers was: "How much money and time will this save us?" This year, the big question will be "How secure are we?" It's a very tough question to answer. A slew of vendors and consultants trying to sell security products and services have conflicting opinions about the risks and how to prevent them. Simultaneously, security researchers are hyping theoretical risks such as the possible emergence of malware targeted at hypervisors (a threat that has yet to appear in the real world). "There's a lot of noise out there on virtualization," says Chris Wolf, senior analyst for market research firm Burton Group. "It can be distracting." Adding fuel to the hype is the fact that many IT organizations say they prioritized operational speed over most other factors, including security planning, when they started creating hundreds of new VMs in 2007. (That's not surprising, when you consider that most enterprises started with virtualization on their testing and application development boxes, not their servers running core business apps.)




"We're finding security is the forgotten stepchild in the virtualization build out," says Stephen Elliott, IDC's research director for enterprise systems management software. "That's scary when you think about the number of production-level VMs." According to IDC, 75 percent of companies with 1,000 or more employees are employing virtualization today. And through 2009, 60 percent of production VMs will be less secure than their physical counterparts, predicts Gartner’s VP Neil MacDonald. But much of the discussion about virtualization security has been flawed to date, says security expert Chris Hoff, because people often frame the discussion by asking whether virtual servers are more or less secure than physical ones. That's the wrong question, says Hoff, who blogs frequently on this topic and serves as chief architect for security innovation at Unisys. The right question, he says, is "Are you applying what you already know about security to your virtualized environment?"

Virtual Problems, Real Solutions

"People get wound up about theoreticals… when in reality there's a clear set of things you can do today," Hoff says. Certainly, virtualization does introduce some new security concerns, but first things first, he says: "We have to be pragmatic. Let's make sure we architect the virtual network as well as we architect the physical networking." As an example, he points to a virtualization management tool such as VMware's VMotion, which is helpful for moving VMs between hosts in times of machine trouble, but which can also allow someone with admin rights to place on one host (and one virtual switch) two VMs that, in the physical world, would have been carefully separated in terms of network traffic for security reasons. Some IT organizations are making a fundamental mistake right now: they're letting the server group run the virtualization effort almost single-handedly — leaving the IT team's security, storage and networking experts out of the loop.


This can create security problems that have nothing to do with inherent weaknesses of the virtualization technology or products. "This is a perfect opportunity to bring the teams together," Hoff says. "Virtualization is 90 percent planning," says Burton Group's Wolf. "The planning has to include the whole team, including the network, security and storage teams." But the fact is, most IT teams ran fast with virtualization and now must play catch-up. What if you missed that opportunity to plan with all your experts, and you're starting to worry more as you expand your number of VMs and put higher-profile apps on those VMs? Is it too late? Luckily, no. "To catch up, start with a good audit of your virtual infrastructure," using tools or consultants, Wolf says. "Then you really have to work backwards." (Wolf suggests checking out audit tools from CiRBA and PlateSpin for this purpose.) Here are 10 positive steps enterprises can take now to tighten virtualization security:

Get VM Sprawl Under Control

CIOs such as Michael Abbene, who runs IT for Arch Coal, understand the problem of VM sprawl full well: VMs take minutes to create. They're great for isolating certain computing jobs. But the more VMs you have, the more security risk you have. And you'd better be able to keep track of all those VMs. "We started by virtualizing very low-profile test and development boxes," Abbene says. "Then we moved some low-profile application servers. We've been moving up as we've been successful. We understand we're increasing our risk profile as we do that." The company currently has about 45 production VMs, he notes, including Active Directory servers, and some application and web servers. How do you control server sprawl? One approach: make creating virtualized servers and VMs as disciplined as creating physical ones. At Arch Coal, the IT team is rigorous about allowing new VMs: "People have to

go through the same process to get a server, whether it's physical or virtual," says Tom Carter, Arch Coal's Microsoft Systems Administrator, who works for Abbene. For this purpose, Arch Coal IT uses a change control board (made up of a cross-section of IT staffers from disciplines like servers and storage, serving on a rotating basis) to say yes or no to new virtualized server requests. This means, for example, that people in the applications group can't just build a VMware server and start creating VMs, Abbene says — though he's had developers ask to do just that. VMware's VirtualCenter management tools as well as tools from Vizioncore can also help manage VM sprawl. Ignore VM sprawl at your own peril, says IDC's Elliott: "VM sprawl is a huge problem, causing lag times in the ability to manage, maintain performance and provision," he says. Also, unexpected management costs will arise if your number of VMs gets out of hand, he adds.
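A change-control gate like Arch Coal's only works if every VM that actually exists went through it, and Wolf's advice to "start with a good audit, then work backwards" amounts to reconciling what the hypervisors report against what change control approved. The following is an added example of that reconciliation, written for this page rather than taken from it or from any vendor tool. The inventory, the ticket numbers and the field names are constructed sample data modelled on what a management-console export and a change-control log might carry (an assumption), and the 30-day patch window is an assumed policy value.

```python
"""Reconcile a hypervisor's VM inventory against change-control approvals.

Added example for this page, not the article's or any vendor's code. The
inventory, ticket numbers and field names below are constructed sample data
modelled on what a VirtualCenter export and a change-control board log
might carry (an assumption); MAX_PATCH_AGE_DAYS is an assumed policy value.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    powered_on: bool
    created: date
    last_patched: Optional[date]  # None: no patch cycle ever reported


# Constructed sample inventory, as a management console would report it.
INVENTORY: List[VM] = [
    VM("ad-dc-01", "esx01", True, date(2007, 9, 3), date(2008, 3, 12)),
    VM("web-dealer-02", "esx02", True, date(2008, 1, 20), date(2008, 1, 20)),
    VM("dev-scratch-7", "esx02", True, date(2008, 3, 28), None),
    VM("crm-app-01", "esx01", False, date(2007, 12, 1), date(2007, 12, 1)),
]

# Constructed change-control record: VM name -> approved ticket.
APPROVALS: Dict[str, str] = {
    "ad-dc-01": "CCB-0411",
    "web-dealer-02": "CCB-0478",
    "crm-app-01": "CCB-0455",
    "print-01": "CCB-0460",
}

TODAY = date(2008, 4, 1)
MAX_PATCH_AGE_DAYS = 30  # assumed policy: a running VM must be patched monthly


def reconcile(inventory: List[VM], approvals: Dict[str, str], today: date,
              max_patch_age_days: int = MAX_PATCH_AGE_DAYS) -> Dict[str, List[str]]:
    """Return three lists of VM names:
    unapproved - running on a hypervisor with no change-control ticket (sprawl);
    unpatched  - powered on but never patched, or patched longer ago than policy allows;
    missing    - approved by change control but no longer reported by any hypervisor
                 (deleted, or never built; either way the record needs closing).
    """
    findings: Dict[str, List[str]] = {"unapproved": [], "unpatched": [], "missing": []}
    seen = set()
    for vm in inventory:
        seen.add(vm.name)
        if vm.name not in approvals:
            findings["unapproved"].append(vm.name)
        if vm.powered_on:
            age = None if vm.last_patched is None else (today - vm.last_patched).days
            if age is None or age > max_patch_age_days:
                findings["unpatched"].append(vm.name)
    findings["missing"] = sorted(set(approvals) - seen)
    return findings


def report(findings: Dict[str, List[str]]) -> str:
    """Plain-text summary for the change control board's next meeting."""
    lines = []
    for category, names in findings.items():
        lines.append(f"{category}: {', '.join(names) if names else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(INVENTORY, APPROVALS, TODAY)))
```

The three categories map onto three different follow-ups: an unapproved VM goes back through the board (or gets powered off), an unpatched one goes to the same patch queue as a physical server, and a "missing" record is a ticket to close, since a decommissioned VM that nobody recorded is how the inventory drifts in the first place.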

Apply Existing Processes to Virtual Machines

Perhaps the sexiest aspect of virtualization is its speed: you can create VMs in minutes, move them around easily, and deliver new computing power to the business side in a day instead of weeks. It's fun to drive fast. But slow down long enough to think about making virtualization part of your existing IT processes, and you will prevent security problems in the first place, says IDC's Elliott. You will also save some management headaches later. "Process is important," he says. "Think about virtualization not just from a technology standpoint but from a process one." If you're using ITIL to guide your IT processes, for example, think about how virtualization fits into that process framework, Elliott advises. If you're using other IT best practices, look at how virtualization fits into those processes. One example: "If you have a server-hardening document (prescribing a standard set of security and setup rules for a new server)," Hoff says, "you should do the same set of things to a virtual server as to a physical one." At Arch Coal, Abbene's IT team does just that: "We take our best practices for securing a physical server and apply those to every VM on the box," Abbene says. Steps like hardening the OS, running anti-virus on every VM and managing patches keep those virtual boxes in tune with the same procedures used on physical ones, he says. One thing the physical checklist will not cover is the host itself: the hypervisor and its management interface need their own hardening and patch baseline, since a compromise there exposes every VM on the box.

Start With Your Existing Security Tools, but Be Critical

Do you need a whole new suite of security and management tools for your virtualized environment? No. Starting with your existing set of security tools for the physical server and network world and applying them to the virtual environment makes sense, says Hoff. But do press your vendors to tell you how they're keeping up with virtualization risks, and how they'll integrate with other products going forward. "There's a false sense of security in relation to adopting physical tools for the virtual environment," IDC's Elliott says. At the same time, he adds: "It's very early in the market," for new security tools designed with virtualization in mind. That means you must press your legacy and potential startup vendors a little harder than usual. "Don't assume the platform-level tools (such as VMware's tools) are good enough for you," Elliott says. "Look at the startups and the legacy management vendors. Press those legacy vendors to do more, and provide guidance for them." Jim DiMarzio, CIO at Mazda North America, follows this strategy in his enterprise. Like Arch Coal, Mazda NA runs VMware's ESX Server 3 software at the core of its virtualized servers and has been ramping up its number of VMs recently. DiMarzio says he expects to have about 150 production VMs running by March 2008. He's using the virtualized servers for Active Directory servers, print servers, CRM application servers and Web servers — the last being a mission-critical app since Mazda uses these Web apps to serve information to all its dealers, DiMarzio says. To secure these VMs, DiMarzio decided to continue with his existing firewall and security products, including IBM's Tivoli Access Manager, Cisco firewall tools, and Symantec's IDS monitoring tools.

IT organizations are making a fundamental mistake: they are letting the server group run the virtualization effort single-handedly.

At Arch Coal, Abbene and his team are sticking with the security tools they're already using, while also investigating tools from startups BlueLane and Reflex Security. "The [legacy] security and change vendors are trying to work hard to catch up and they're behind," Abbene says. BlueLane's VirtualShield product for VMware, for instance, claims that it can protect virtual machines even in cases where certain patches are out of date, as well as automatically scanning for possible problems, updating problem areas, and protecting against some remote threats. Reflex Security's Virtual Security Appliance (VSA), which Hoff describes along with BlueLane's software as one of the few emerging products worth attention right now, essentially serves as a virtual intrusion detection system (IDS), adding a layer of security policies inside the physical boxes where the VMs live. It could help block a hypervisor attack, among other possible future troubles, Abbene's team figures. Abbene says his IT group has also discussed adding a second internal firewall to further isolate the VMs, but he's concerned there might be a performance impact on the virtualized applications. IDC's Elliott cites a few other virtualization security tools worth examining: PlateSpin, known for physical-to-virtual workload conversion tools and workload management tools; Vizioncore, known for file-level backup tools; Akorri, known for performance management and workload balancing tools; and storage firm EqualLogic, recently acquired by Dell and known for iSCSI storage-area network (SAN) products optimized for virtualization.

Love Your Embedded Hypervisor

Maybe you've read about 'embedded' hypervisors already, but if you haven't, it's a term that IT leaders should understand. The hypervisor layer on a server serves as a foundation for housing the VMs. VMware's recently-announced ESX Server 3i hypervisor, designed to be very slim (32MB) for security reasons, does not include a general-purpose OS: the Linux-based service console of earlier ESX releases is gone. (And no console OS means far fewer OS maintenance chores, though the hypervisor itself still has to be patched.) Some hardware vendors such as Dell and HP have recently said that they'll ship embedded versions of this VMware hypervisor on their physical servers. In basic terms, an embedded hypervisor is safer because it's smaller, says IDC's Elliott. "The larger the code base, the larger the opportunity for breaches," he says. "This becomes part of your architecture decision." Embedded hypervisors will be a big trend going forward, Elliott says, and you can expect to see them from most server vendors, as well as some companies that haven't played in this space before. Phoenix Technologies, a market leader in the BIOS software field, recently announced that it's getting into the hypervisor game, starting with a product called HyperCore: it's a hypervisor for desktop and laptop PCs that will let users turn on the machine and use a basic Web browser and e-mail client without waiting to boot Windows. (HyperCore will be embedded in the machine BIOS.) Competition and innovation in the hypervisor market would be good for enterprises, Hoff says. The end result could be companies slugging it out to deliver the slimmest, smartest hypervisor software. "Whether it's Phoenix or someone else, there's a very interesting battle of these hypervisors becoming the next great OS," Hoff says. A smaller attack surface isn't the only benefit of an embedded hypervisor. Mazda's IT group is looking forward to upcoming Dell servers with embedded hypervisors for VMware ESX server, says Kai Sookwongse, IT systems manager, LAN/Server for DiMarzio at Mazda. "One of the features we're waiting for with Dell's embedded ESX is all the VM images can be on the SAN," Sookwongse says. "When we start up the server, it can boot up from the image on the SAN." This centralizes administration and security and also means Mazda could order a server without a disk if it wants, for physical security concerns, he notes.

Don't Over-assign Rights to VMs

Remember that when you give admin-level access to a VM, you give access to all the data on that VM. Think critically about what kind of accounts and access your staffers in charge of backup tasks need, Burton Group's Wolf advises. Compounding the problem, some third-party vendors will actually give outdated advice with regards to VM security around storage and backup issues, Wolf adds. "Some vendors are not even following VMware's best practices for VMware Consolidated Backup themselves," he says. Arch Coal makes it a point to limit admin access to its VMs overall, says Paul Telle, information security administrator, noting that his security colleague Tom Carter and Carter's boss are among a very small group with those rights. Application developers get minimal access. "Our application people have access to a share, or the minimum access…not access to the OS," Carter says. This helps control VM sprawl while increasing security.

On the Virtual Threat Horizon

CIOs must learn to distinguish real from theoretical risk. "There hasn’t been a significant security breach in virtualization, not a public one," says IDC analyst Stephen Elliott. "At some point, you have to figure it's a matter of time." IT leaders must deal with virtualization security the same way they've dealt with numerous other threats: budgeting, planning, tools, process and vigilance. But those IT leaders must also be able to separate the real threats from the theoretical ones, and that's not always easy right now. So what’s real and what’s not? For starters, there's been a lot of talk online and at some conferences regarding the possibility of hypervisor malware and hypervisor weaknesses. Last summer, a security consulting firm called Intelguardians Network Intelligence argued that it may be possible for a hacker to "break out" of a VM's guest operating system and into the host OS of a server. This invites the possibility of installing rootkits and other malware, Intelguardians argues. Other researchers discuss the possibility of a 'Blue Pill' attack, which uses a rootkit that installs itself as a thin hypervisor beneath the running OS, invisible to today's security tools. But Blue Pill “never really materialized," says Chris Wolf, a senior analyst at Burton Group. He says the hypervisor threat is 'exaggerated.' More troubling perhaps, says Chris Hoff, chief architect for security innovation at Unisys, is that IT has real trouble seeing into the traffic running between VMs. A more immediate problem is figuring out the division of duties among IT personnel as access to more VMs gets loaded into management consoles. That's the kind of security issue a CIO should worry about before worrying about Blue Pill, he says. Of course, the more high-profile and mission-critical the apps that you virtualize are, the greater the risk. "We've recognized that the risk is expanding," Abbene says. "What we could live with one year ago we won’t be able to live with six months from now." — L.M.

Watch How You Provision Storage

Some enterprises are overprovisioning storage on SANs today, says Wolf. It's not that you're provisioning too much storage overall; it's that you may be letting the wrong VMs share a part of the SAN, he says. If you're working with VMotion, VMware's tool for moving VMs around, you're assigning some zoned storage in SANs. But you may want to make that storage assignment more granular, as you would in the physical world, Wolf advises. Looking forward, N-port ID virtualization (NPIV), a Fibre Channel technique that gives each VM its own port identity so that storage can be zoned and masked to just that VM, is an option worth investigating, Wolf says.
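Wolf's storage point and Hoff's earlier VMotion point are the same check seen from two angles: a VM may be placed on a host, or on a SAN zone, only if every VM it would then share that resource with belongs to a security zone the policy allows it to share with. Here is an added example of such a placement check, written for this page and not taken from the article or from any VMware tool. The zone names, the allowed-sharing table and the placements are constructed; `check_move` vets a VMotion-style migration before it runs, which is exactly the step an admin with rights to move VMs can otherwise skip.

```python
"""Check VM placements (host and SAN zone) against a zone-isolation policy.

Added example for this page; not the article's code and not a VMware tool.
Zone names, the allowed-sharing table and the placements are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from itertools import combinations
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Placement:
    vm: str
    zone: str       # security zone the VM belongs to (assumed labels)
    host: str       # physical box (and therefore a shared virtual switch)
    datastore: str  # SAN LUN / zoned storage the VM's disks live on


# Assumed policy: two different zones may share a host or a LUN only if the
# pair is listed here. A zone may always share with itself. The DMZ and the
# restricted database zone are deliberately absent: they share with nobody.
ALLOWED_PAIRS: Set[FrozenSet[str]] = {frozenset({"internal", "infra"})}

# Constructed current placements; print-01 is the planted mistake.
PLACEMENTS: List[Placement] = [
    Placement("web-dealer-02", "dmz", "esx02", "lun-public"),
    Placement("sftp-01", "dmz", "esx02", "lun-public"),
    Placement("crm-app-01", "internal", "esx01", "lun-app"),
    Placement("ad-dc-01", "infra", "esx01", "lun-app"),
    Placement("oracle-db-01", "restricted", "esx03", "lun-db"),
    Placement("print-01", "infra", "esx03", "lun-app"),
]


def may_share(zone_a: str, zone_b: str, allowed: Set[FrozenSet[str]]) -> bool:
    """Same zone always shares; different zones only if the pair is allowed."""
    return zone_a == zone_b or frozenset({zone_a, zone_b}) in allowed


def violations(placements: List[Placement],
               allowed: Set[FrozenSet[str]]) -> List[Tuple[str, str, str]]:
    """Every (resource, vm_a, vm_b) where two VMs share a host or a datastore
    although their zones are not allowed to, sorted for stable reporting."""
    found = []
    for attr in ("host", "datastore"):
        groups = defaultdict(list)
        for p in placements:
            groups[getattr(p, attr)].append(p)
        for resource, members in groups.items():
            for a, b in combinations(sorted(members, key=lambda p: p.vm), 2):
                if not may_share(a.zone, b.zone, allowed):
                    found.append((f"{attr}:{resource}", a.vm, b.vm))
    return sorted(found)


def check_move(placements: List[Placement], vm_name: str, new_host: str,
               allowed: Set[FrozenSet[str]]) -> List[Tuple[str, str, str]]:
    """Vet a VMotion-style migration: return only the violations the move
    would ADD. An empty list means the move preserves existing isolation;
    pre-existing problems are reported by violations() and not hidden here."""
    before = set(violations(placements, allowed))
    after = [replace(p, host=new_host) if p.vm == vm_name else p for p in placements]
    return sorted(set(violations(after, allowed)) - before)


if __name__ == "__main__":
    for v in violations(PLACEMENTS, ALLOWED_PAIRS):
        print("existing violation:", v)
    print("moving web-dealer-02 to esx01 would add:",
          check_move(PLACEMENTS, "web-dealer-02", "esx01", ALLOWED_PAIRS))
```

Running it reports the planted problem (a print server sharing esx03 with the restricted Oracle host) and shows that a VMotion of the DMZ web server onto esx01 would land it beside both an internal application server and a domain controller. The same table drives both checks, so the planning-time decision (who may be consolidated together) and the run-time decision (who may be moved where) cannot drift apart.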

Ensure Good Isolation Across Network Segments

As enterprises go virtual, they shouldn't ignore security-related network traffic risks. But some of these risks can inadvertently be overlooked, especially if IT leaders fail to bring networking and security staffers to the table while doing virtualization planning. "A lot of organizations simply use performance as the metric of how to consolidate," Wolf says. (When evaluating which application servers to co-locate as VMs on one physical box, IT teams tend to first focus on how performance-hungry those application servers will be, since you want to avoid asking any one physical box to bear too much load.) "They forget because of security restrictions on network traffic that they shouldn't locate these VMs together," Wolf says.

For example, some CIOs are deciding not to allow any virtualized servers in the DMZ (the demilitarized zone, the subnetwork that houses services exposed to the Internet, like e-commerce servers, adding a buffer between the Net and the LAN). If you do have some VMs in the DMZ, you may want them on physically separate network segments from some of your other systems, say a critical Oracle database server, Wolf says. At Arch Coal, the IT team thought about the DMZ from the start, Abbene says. They've deployed virtual servers on the internal LAN but nowhere public-facing. "That was a key early decision," Abbene says. For example, the company has some secure FTP servers and some servers doing lightweight electronic commerce in the DMZ; it has no plans to introduce VMs there, he says.

Worry About Switches

When is a switch not a switch? "Some virtual switches behave like a hub today: every port is mirrored to all the other ports on the virtual switch," Burton Group's Wolf says. In practice that means any VM on such a switch can capture its neighbours' traffic, exactly the exposure a physical switch was supposed to remove. Microsoft Virtual Server, in particular, presents this problem today, Wolf says. VMware's ESX Server does not, nor does Citrix XenServer. "People hear the term 'switch' and think isolation exists. It really varies by vendor," Wolf says. Microsoft has said the switch issue will be addressed in its upcoming Viridian server virtualization product, Wolf adds.

Monitor for 'Rogue' VMs on Desktops and Laptops

Servers are not your only worry. "The greatest threat is on the client side — rogue VMs," Burton Group's Wolf says. What's a rogue VM? Remember, Wolf says, your users can download and use a free program like VMware Player, which lets a desktop or laptop PC user run any VM created by VMware Workstation, Server or ESX Server. Many users now like to use VMs on a desktop or laptop to separate pieces of work, or work and home-related activities. Some people use VMware Player to run multiple OSes on the machine; say, using Linux as a base OS but creating a VM for running Windows apps. (IT teams can also use VMware Player to evaluate virtual appliances — software products shipping configured as a VM.)

"Often, those VMs are not even at the right patch level," Wolf says. "Those systems get exposed to your network. And now all of these unmanaged OSes can float around." "There's a lot of risk you're adding there," Wolf says, noting that the machines running rogue VMs could spread viruses — or worse — to your physical network. For example, he says, it would be very easy for someone to load up a DHCP server to give out fake IP addresses. That's effectively a denial of service attack, he notes. (A rogue DHCP server can do worse than deny service: by handing out a false default gateway or DNS server it can route victims' traffic through the attacker's machine.) At the very least, you're going to waste IT resources trying to track down the problem, he says. "It may even be simple user error introducing services to the production network."

How can you prevent rogue VMs? You should have controls around who gets VMware Workstation, for starters (since it's needed to create the VMs). IT can also use a group security policy to prevent certain executables from running, such as those needed to install VMware Player, Wolf notes. Another option: do periodic auditing of user hard drives. "You want to look for machines with VMs and flag them for follow up by IT," he says. Has this become yet another point of contention between users and IT, where savvy users want to use VMs at work the same as they're doing at home? Not yet, Wolf says. "IT departments for the most part have ignored it," Wolf says. If you do want to allow VMs on user machines, tools such as VMware's Lab Manager and other management tools can help IT control and monitor those VMs, he notes.

75%: the percentage of companies with 1,000 or more employees who are employing virtualization today. Source: IDC
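Wolf's advice to audit user hard drives and flag machines that hold VMs is straightforward to script. The code below is an added example written for this page (not from the article, VMware or Microsoft): it walks a directory tree and reports VM artifacts matched by file extension and, more reliably, by on-disk signature, so a disk image a user renamed to hide it is still caught. The profile tree it builds for itself is constructed sample data, and the extension list and signature set are assumptions to extend for your own estate.

```python
"""Find virtual-machine artifacts on a user's disk (rogue-VM audit).

Added example for this page; not the article's code and not a VMware or
Microsoft tool. The profile tree built by build_sample_tree() is constructed,
and VM_EXTENSIONS and the signatures in _signature() are assumptions to
extend for your own estate.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Extensions of the common desktop VM products of the day (assumed list).
VM_EXTENSIONS = {
    ".vmx": "VMware VM configuration",
    ".vmdk": "VMware virtual disk",
    ".vhd": "Microsoft Virtual PC/Server disk",
    ".vdi": "VirtualBox disk",
}


@dataclass(frozen=True)
class Finding:
    path: str        # relative to the scan root, POSIX separators
    kind: str
    confirmed: bool  # True: on-disk signature matched, not merely the extension


def _signature(head: bytes, tail: bytes) -> Optional[str]:
    """Classify a file by its first/last 512 bytes using the products' public
    on-disk magic values; None when nothing matches."""
    if head.startswith(b"# Disk DescriptorFile"):   # VMDK text descriptor
        return "VMware virtual disk (descriptor)"
    if head.startswith(b"KDMV"):                    # VMDK sparse extent magic, little-endian
        return "VMware virtual disk (sparse extent)"
    if head.startswith(b"conectix") or tail.startswith(b"conectix"):  # VHD cookie
        return "Microsoft Virtual PC/Server disk"
    if b"VirtualBox Disk Image" in head[:64]:       # VDI text banner
        return "VirtualBox disk"
    if b"config.version" in head and b"virtualHW.version" in head:  # .vmx keys
        return "VMware VM configuration"
    return None


def scan(root) -> List[Finding]:
    """Walk root and report files that look like VM artifacts. Signature hits
    are reported even when the file was renamed; extension-only hits are
    reported as unconfirmed so the follow-up can be prioritised."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        size = p.stat().st_size
        with p.open("rb") as f:
            head = f.read(512)
            f.seek(max(0, size - 512))
            tail = f.read(512)
        rel = p.relative_to(root).as_posix()
        kind = _signature(head, tail)
        if kind is not None:
            findings.append(Finding(rel, kind, True))
        elif p.suffix.lower() in VM_EXTENSIONS:
            findings.append(Finding(rel, VM_EXTENSIONS[p.suffix.lower()], False))
    return findings


def users_with_vms(findings: List[Finding]) -> List[str]:
    """Top-level (profile) directories holding a confirmed VM artifact."""
    return sorted({f.path.split("/")[0] for f in findings if f.confirmed})


def build_sample_tree(base) -> Path:
    """Constructed profile tree: a real VMware VM, a renamed VMDK extent, a
    file with a VM extension but no signature, and an innocent text file."""
    base = Path(base)
    files = {
        "alice/My Documents/Virtual Machines/winxp/winxp.vmx":
            b'.encoding = "UTF-8"\nconfig.version = "8"\nvirtualHW.version = "6"\n',
        "alice/My Documents/Virtual Machines/winxp/winxp.vmdk":
            b"# Disk DescriptorFile\nversion=1\n",
        "bob/Downloads/holiday.jpg.bak": b"KDMV" + b"\0" * 60,
        "bob/Downloads/notes.txt": b"nothing to see here\n",
        "carol/old.vhd": b"\0" * 100,
    }
    for rel, content in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return base


def demo() -> List[Finding]:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(tmp))


if __name__ == "__main__":
    found = demo()
    for f in found:
        print(("CONFIRMED " if f.confirmed else "extension ") + f.path + ": " + f.kind)
    print("follow up with:", users_with_vms(found))
```

Point `scan()` at the root that holds user profiles on each workstation (the example path is an assumption; on the Windows XP desktops of the day that would be the Documents and Settings folder) and feed `users_with_vms()` into the follow-up list. Reading only the first and last 512 bytes keeps the audit cheap enough to run on every disk, and reporting extension-only hits separately stops a stray `.vhd` from being treated as seriously as a live VM.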

Remember Virtualization Security at Budget Planning Time

"Make sure to allocate budget for virtualization security and management," IDC's Elliott says. You may not need to break it out in your security budget, Arch Coal's Abbene notes, but your security budget overall had better have enough funds for it. Also, be careful of security costs as you do virtualization ROI calculations. "You may not see a reduced spend in security," just by virtualizing more and more servers, Hoff notes, because you will need to apply some of your existing security tools to every VM that you create. If you don't anticipate this expense, it could eat into your ROI. According to Gartner, it's a common mistake right now. Through 2009, some 90 percent of virtualization deployments will have unanticipated costs, such as security costs, affecting ROI, according to MacDonald. The benefits of virtualization are easy to see and easy to calculate. But unless you understand virtualization’s risks, and those attendant costs, those easy calculations may be dead wrong.

Laurianne McLaughlin is technology editor. Send feedback on this feature to editor@cio.in



Telepresence: Making Geography History Is telepresence the new way enterprises can go green? What are the issues that CIOs need to address before their companies embrace video conferencing? As the CIO panel ponders this, what emerges is the fact that there is more to telepresence than the cost of travel — or the cost on the environment, for that matter.

A telepresence system, said Dietmar Wendt, president, Nortel Global Services, is not just about productivity — it is also about going green. While going green is good for the environment, it is also excellent for companies because it means higher productivity, higher employee satisfaction and, most importantly, higher customer satisfaction. “When employees no longer have to congregate into an auditorium for a large meeting, but instead can view the meeting on their desktop, this increases productivity and reduces the need to travel to an office,” he said. This, he added, is one of the best opportunities to reduce both business cost and environmental cost. Going green is something that is very close to Wendt’s heart. He pointed out that every computer in the enterprise that is left on for 15 months emits a ton of carbon dioxide and said that this is one good reason why enterprises should share these computers through a hosted or managed services model. “The IT staff required to support these computers also add to your cost, both financial and environmental,” he said. Outsourcing your network allows for more focus on your core business, said Wendt. “By outsourcing your network and operations to a managed services provider, you reduce the hardware footprint at your office and reduce the need to have staff in the office to support it,” he pointed out. Wendt was also gung-ho about application services offered by telepresence solutions. He felt that an excellent example of how telepresence can add value to an enterprise is in the area of new e-learning technologies that allow for immersive, collaborative online learning experiences that — previously — could only be had by traveling to a common location. “And as a fantastic by-product, we can also unleash the powerful productivity and potential that comes with being more aligned with natural forces rather than unnatural cumbersome workarounds,” he said. Some companies believe that a telepresence system cuts only the cost of travel, but Wendt begged to differ. “While the evolving capabilities of telepresence enable immersive, real-time virtual face-to-face meetings without the high costs of travel, the financial savings of traveling is not only found in the cost of the plane ticket, but also the opportunity cost of resource travel time,” he said. He went on to add that, these savings apart, “the true-to-life telepresence experience also encourages more frequent meetings, which increases teamwork and collaboration.” In this case, why aren’t companies falling over themselves trying to implement a telepresence system? Wendt said that there are a total of four barriers for this, the first being cost, which stems from the misperception that telepresence must be a ‘rip-and-replace’ activity. “In fact, many companies can substantially reduce the cost of telepresence by simple upgrades to their existing videoconferencing systems. Teleconferencing must be sold as a solution rather than a product,” said Wendt.

“The telepresence experience encourages more frequent meetings, which then increases collaboration.” — Dietmar Wendt, President, Global Services, Nortel

What's in the Way? The second is the amount of bandwidth required to transport video. The fact is that the bandwidth only needs to be as high as the desired quality of the experience, observed Wendt. This is followed by complexity. “Most businesses don't know much about videoconferencing technologies and don't want to have to invest in this skill set — and this is why turnkey solutions are becoming so popular,” he said.

From left: Chandrashekar Nene, VP-IT, Kingfisher Airlines; Titus Gunaseelan, VP-IT, India Infoline; Satish Joshi, Executive VP, Patni Computer Systems; Sanjay Prasad, Head-Technology Services, Citigroup Services



Finally, Wendt said that businesses don't want to invest in a proprietary technology that will not work outside of their network. Therefore, he felt that many businesses are looking for standards-based solutions. “Out of all of these perceived barriers, I believe the complexity barrier is the one that is most vexing to businesses and the one that is largely impeding the adoption of telepresence solutions,” said Wendt. Wendt said that he believed that vendors should make telepresence systems turnkey and plug-and-play if they wanted to ensure that its true potential was realized quickly. Standards are also critical, he said, because standards-based solutions will ensure that organizations can quickly achieve the critical mass required for inter-business interactions as well. Spelling out his ultimate vision, Wendt said: “The challenge that we put forth to ourselves and others in the industry is to make using telepresence as simple as using a whiteboard marker.”

Focusing on the Wrong Green After Wendt finished with his presentation, Vijay Ramachandran, editor-in-chief, CIO, said that the chief focus of telepresence was not the technology, but what business expects to get out of it. To this V. Subramaniam Manikkam, AGM-IT, Henkel CAC, replied that he was not very sure about the business benefits and the priority with which telepresence needed to be addressed. To that, Wendt reiterated that it was indeed a wise decision to invest in telepresence, but conceded that there could be a need to change some business processes in order to make telepresence work for an organization.

As an example, he said that, just as companies have rules for travel that dictate who can travel, similarly, they should also come up with rules that deal with who can use telepresence and who cannot. He also stressed how telepresence can help organizations go green. Vijay then wondered if CIOs are looking at telepresence from a green angle or not. In response, G. Rajagopalan, CIO, Tata Power, said that for over two years his company has been looking for a sustainable platform that can enable telepresence. He said that the first problem was defining telepresence. “Is it about just two people communicating,” he asked. “Or, do you want to say that in your organization, you must set up a system that will allow six people to communicate?” Detailing his experience with videoconferencing, he said, “Whenever I have tried to organize a communication interaction, it’s a nightmare for my infrastructure.” P.A. Kalyansundar, GM-IT, Bank Of India, said that the issue boiled down to the fact that technology is changing very fast. While agreeing with Rajagopalan’s assertion that it is a nightmare for the infrastructure people, Kalyansundar was also worried about how one could get users to adopt videoconferencing. “People need to have the right mindset,” he observed. “By the time people have adopted, you find that the technology has changed and something new has come,” he said.

What the Business Wants Sitting beside Rajagopalan, Dipak Sahoo, VP-IT, Bharti Axa Life Insurance Company, said that one had to consider the business need first. “The business need is to communicate with partners and customers. Next, you have to look at the pain point — and the pain point, most of the time, is that the video conference system doesn’t work.” Giving an example, he said, “Sometime back, when I was setting up a conference between Paris, Hong Kong, Australia, and India, it didn’t work — Murphy’s Law at its best.” The lesson he has learnt from this is that, irrespective of the technology — audio conferencing, video conferencing or telepresence — the critical issue that CIOs need to consider is, does it work? “People are not going to use these technologies if they don’t work,” he said flatly. Pankaj Sindhu, Director-IT, Fulford (India), wanted to approach the problem differently. “I want to see how it will be used by my business first, and then, once this is clear, I want to see how to make it work technically,” he said. He also added that two reasons why he was interested in video conferencing were the environmental impact and business drivers like collaboration, travel time, efficiencies, and others. “It would be good to have quantifiable measures on both these points,” he said.

From top: G.N. Nagaraj, Sr. VP & CTO, Reliance Money; M.D. Agarwal, DY. GM-IS (Refinery), Bharat Petroleum Corporation; R. Muralidharan, CIO, Syntel; Prasad Dhumal, Head - IT, DHL Express India

From left: Dipak Sahoo, VP-IT, Bharti Axa Life Insurance Company; V. Subramaniam Manikkam, AGM - IT, Henkel CAC; Sanjay Mittal, Head-IT, Navin Fluorine International; Pankaj Sindhu, Director-IT, Fulford (India)

Getting Buy-in Giving the example of telemedicine, he said that it could enable somebody in a remote location to consult a physician in another part of the globe for, say, an eye problem. “How to ensure efficiencies in such a setup is of great importance for me,” he said. G.N. Nagaraj, Sr. VP & CTO, Reliance Money, felt that, from the perspective of business requirement, the expectation issue was also critical. He said that his CEO was an avid follower of technology, and so, the moment telepresence came, his CEO started using it. “But eventually, I think that it is not an issue of technology adoption, it is the implementation that poses the challenge,” he said. The take of Chandrashekar Nene, VP-IT, Kingfisher Airlines, on telepresence was that one should pay attention to the telepresence room and the technology that revolves around it. “You still need to talk to the external world using the bandwidth of the external world,” he pointed out. “This means that you have to pay attention to such problems.” He felt that this is because, if the user were to see any problems — like blurred images — then the user will feel that videoconferencing may be affecting performance. “If they feel that there is a danger that poor videoconferencing will affect their productivity, they would rather take a flight,” he concluded.

From left: P.A. Kalyansundar, GM-IT, Bank Of India; G. Rajagopalan, CIO, Tata Power


Essential technology

For better deals and stronger relationships, combine IT, legal and procurement experts in a vendor management office.

From Inception to Implementation — I.T. That Matters

Getting Your Vendors to Flock Together By Galen Gruman

Vendor Management | Keeping track of bids, vendor performance, previous contract terms, alternative providers and technology differences was taking too much time for Bernard 'Bud' Mathaisel as he settled in as CIO of electronics manufacturer Solectron in 1999. Many of Solectron’s vendors were also customers, which just complicated the job politically. Seeking a more disciplined approach, Mathaisel partnered with Solectron’s assistant procurement officer, Jeff Dixon, to create a virtual vendor management office (VMO) staffed by IT and procurement employees. “The result is that the CIO could be a decision maker without having to run the process,” Mathaisel says. Now CIO of manufacturing outsourcer Achievo, Mathaisel brought that discipline with him. Likewise, Dixon has brought it to Cisco Systems, where he is now director of enterprise software and outside services for IT vendor management services. “We take care of the trees and let the CIO focus on the forest,” Dixon says. Dixon estimates a tenfold return in the staffing investments of a vendor management entity — from better deals through consolidated purchasing, and from avoiding the costs of straightening out piecemeal or short-term deals later. “That doesn’t even count the intangible benefits, such as having a flexible contract or reducing supplier risk,” Dixon adds. Following a similar approach, Accenture CIO Frank Modruson says that his company has experienced significant savings. Creating a formal vendor management office is smart, says Marc Cecere, a VP at Forrester Research, yet many enterprises have not done so. A July 2006 Forrester survey showed that 47 percent had some sort of formal vendor management groups — but 90 percent of the rest had no intention of doing so. Such enterprises risk being at the mercy of savvier vendors, he warns. Most enterprises underestimate the need to actively manage their vendors, concurs Judith Hurwitz, president of consultancy Hurwitz & Associates. Their IT staffs often lose the perspective needed to ensure they’re getting the best value from the relationship, as the emotional connections nurtured by the vendor take hold. “That’s why the vendors’ salespeople are paid so much,” she notes.

Most enterprises underestimate the need to actively manage their vendors. Their IT staffs often lose the perspective needed to ensure they’re getting the best value from the relationship.

Why Bother With a VMO? With a vendor management office, your goal should not be to create a firewall between IT and the vendor, using a procurement group as a proxy, but to be smart and consistent within the enterprise about managing multiple aspects of any vendor relationship. That’s why a formalized approach that combines IT, procurement and legal people makes sense, says Joe Pucciarelli, program director for technology financing and management strategies at IDC. At many enterprises, the CIO has de facto responsibility for managing IT vendors, but the day-to-day reality is that individual departments, technology platform owners and project offices manage vendors for their local needs, perhaps tapping into corporate procurement and legal staff for some of the tactical contracts and pricing analysis. That can work in smaller companies with a small number of vendors, where the CIO or a few IT execs can keep the information in their heads, Cecere says. CIO Dan Demeter doesn’t want a vendor management organization outside the CIO’s domain at talent management firm Korn/Ferry International. “They tend to treat IT sourcing as they do buying toilet paper,” focusing on price and not understanding the underlying technology issues. “If you give [vendor management] away, you really take away a lot of the control, not just over prices and contract terms but over the relationship and support.”

But Demeter says that CIOs of large organizations need vendor management because of their scale. “It’s essential because of all the technical details,” he says, citing his previous experience at Citibank. The changing nature of technology procurement — from hardware and packaged software to provisioning of infrastructure, software and business processes as services — also supports the use of a more formal vendor management approach that crosses departmental boundaries, says Rob Watkins, CIO of food management company Compass Group, The Americas Division. “As you have more outsourcing providers that cross departments, there’s an opportunity to manage these relationships strategically,” he says.

38% of large enterprises have a vendor management group. Source: Forrester Research

Integrated Vendor Management You don’t want to make IT vendor management only an IT function or only a separate corporate function, says Dan McNicholl, chief strategy officer for General Motors’ IT organization. “You need to balance the competing goals, specialty skills and the broad relationship,” he says. Among several ways to institute a formal vendor management organization, the most common choice is a virtual approach: here, you assign procurement and legal staff to IT vendor management, and use IT 'account managers' to coordinate all aspects of specific vendor relationships and IT 'scouts' to assess technology and market trends that may change needs later. With this arrangement, you maintain the typical client relationships with the vendor, such as having engineers work with vendor support staff. “The vendor management needs to be ingrained at all levels,” says GM’s McNicholl, and then coordinated.


Although some CIOs worry that procurement staff only want to squeeze the last nickel from a vendor, Achievo’s Mathaisel believes they bring real value to the vendor management process. “You gain a rigor and a discipline that financial people naturally have,” he says. It makes more sense to create a virtual office than to establish a VMO as its own department, Mathaisel says. For one thing, financial and legal staff can rotate through the virtual group as part of their career development while maintaining a career path in their departments, he notes. These staffers often end up learning new skills that help them move into compliance activities when they return to finance, Mathaisel says. IT staff often have the same concerns. But when it’s safe to take on vendor management roles, the IT staffers often find new, unexpected opportunities, he says. Not every vendor or deal gets the attention of a vendor management office — nor should it, says Gary Plotkin, CIO of The Hartford’s financial services property and casualty division. The goal is not to build a bureaucracy but to devote management resources to those relationships that have the most impact or potential impact on enterprise strategy, he says. At The Hartford, Plotkin has a threshold of several hundred thousand dollars to determine what vendor relationships are managed through the formal vendor management process. There’s good reason to set thresholds of spend, says Accenture’s Modruson: “The rigor costs money, so you want to be proportional to the spend.” The Hartford assigns an IT manager to each vendor that surpasses the threshold. “That’s the go-to person,” Plotkin says. Some vendors whose business volume is very large get a senior vendor relationship manager, such as Plotkin or one of his deputies, assigned to them as well. A CIO or CTO can work directly with a vendor’s CEO or CTO in a way that, say, a network operations manager can’t, so having multiple relationship levels is important, Plotkin says. Achievo’s Mathaisel, GM’s McNicholl, Cisco’s Dixon, Compass’s Watkins and Accenture’s Modruson follow the same basic model as The Hartford’s Plotkin.

More Benefit to Come Although enterprises that have a formal vendor management group clearly gain both monetary and strategic advantages, IDC’s Pucciarelli believes there’s still more value to be had — from better management tools. “The biggest procurement analysis infrastructure in IT is Excel,” he says. Some useful technologies in place for supply chain management are now being adopted for IT vendor management, Pucciarelli says. He expects more offerings in the next five years. But technology can only support your people and process, he adds. “You need a team that steps back and understands the business value,” concurs consultant Hurwitz. Why haven’t more enterprises formalized their vendor management practices? Some fear that top-down control will lead to excesses, such as confusing initial price savings with longterm value, says Forrester’s Cecere. And some companies are too small or have too few vendors to need more than a CIO’s focus on the issue, he says. Others don’t see vendors as entities to manage strategically, says Achievo’s Mathaisel: “If you want a master/slave relationship with your vendor, this is a waste of time.” The remaining enterprises should reconsider their opposition to the idea of formal vendor management, he says; “it is very much worth the effort.” CIO

Getting Bang For Your Buck Service-level agreements and key performance indicators are the most common ways to measure a vendor's performance. While they are quantitative, they're flawed because they measure only a limited perspective of the overall value expected from a vendor. To measure real value, IT must develop appropriate metrics that quantitatively measure the more intangible aspects of vendor performance. To holistically measure overall vendor performance and value, a ‘balanced scorecard’ is an ideally structured methodology. It looks at a number of weighted metrics both collectively and individually. From overall vendor performance measurement and value-for-money attributes, the balanced scorecard methodology examines four elements of performance: relationship, cost management, quality and delivery. Depending on the organization's needs and concerns, each of these elements will likely have multiple different measurements. In attempting to ‘measure the immeasurable’ through value-for-money metrics, each customer must seek out attributes that represent the most important considerations relating to commitment, flexibility and innovation. The following attributes can quantitatively measure value-for-money metrics.

Commitment
Number of account management visits
Special access to new developments within the vendor's R&D activities
Tours of vendor facilities
Access to vendor's sensitive information
Access to vendor subject-matter experts
Quality of vendor-customer executive relationships
Trust ratio = promises made by vendor ÷ promises kept by vendor

Flexibility
Willingness or ability to respond to unanticipated demand
Willingness to modify order entry systems or other vendor systems
Flexibility of contract terms and conditions
Ease of negotiation
Willingness to change products or services to meet changing needs of customer
Number of contract disputes

Innovation
Joint research, design and development
Sharing by the vendor of business improvement strategies
Customer ability to participate on vendor's customer advisory board
Progress of vendor in achieving relevant industry certifications
Continuous improvement ratio = ideas implemented by vendor / ideas suggested by vendor

—By Stephen Guth

Galen Gruman is a frequent contributor to CIO. Send feedback on this feature to editor@cio.in


Pundit

Sleeping Laptops Risk Encryption A can of liquid nitrogen and sophisticated data hunting techniques allow attackers to rebuild disk encryption keys. By Mario Apicella

Security | Just when you thought you could sleep easy with disk encryption, the Center for Information Technology Policy at Princeton University has proven that disk encryption is easy to defeat if your attacker is skilled and determined enough. When the laptop is in sleep mode, whatever is stored in memory remains in memory, including encryption keys. So what? The laptop asks for a password when anyone tries to use it. That’s where many people, including me, are wrong. As the Center for Information Technology Policy researchers explain, a bad guy can get to the encryption keys, bypassing the password as if it wasn’t even there: "The attacker will insert a special thumb drive into the laptop, yank out the laptop’s battery, quickly replace the battery, and push the power button to reboot the laptop. The encryption keys will still be in memory — the memory will not have lost its contents because the laptop was without power only momentarily while the battery was out." How can the encryption keys still be in memory after yanking the battery out? Some memory cards maintain 50 percent or more of their content intact for a minute after powering down, the researchers found. The study shows that using an air-duster upside down can lower the temperature of a memory card to -50 C. At that temperature, the cards they tested maintained a perfect or near-perfect image of their content for a minute or longer — long enough to copy the data in memory to another medium. At even lower temperatures, such as what you can attain by using liquid nitrogen, the researchers saw very few RAM read errors after 60 minutes. Once memory content has been frozen, the attacker can boot from a thumb drive that contains a small OS kernel plus an app that will quickly copy whatever RAM content has not yet been overwritten to the same USB drive. Stage three: using a data-sniffing app, the attacker is able to rebuild or retrieve the encryption keys and can now copy the content of your drive, in the clear, to another device. If you doubt any of what I just described, I urge you to read the report in its entirety. For example, the research team had no trouble building an app that could find or recreate keys from bits of data in memory: "To reconstruct an AES key, we treat the decayed key schedule as an error correcting code and find the most likely values for the original key. Applying this method to keys with 10 percent of bits decayed, we can reconstruct nearly any 128-bit AES key within a few seconds. We have devised reconstruction techniques for AES, DES, and RSA keys, and we expect similar approaches will be possible for other cryptosystems." Mind boggling? I agree. The good news is that the techniques the researchers used are way over the head of the average crook. The bad news is that if you carry desirable enough data, your opponents will have a sufficient incentive to come after your laptop. So what now? The first, obvious, remedy is to always power off your laptop. Another suggestion is to evaluate carefully the encryption tools you use. By definition, software encryption tools will keep — and possibly leave for a long time — keys in memory in some shape or form. By contrast, a quick check with Seagate — which offers the Momentus FDE family of laptop drives with hardware encryption — triggered a response, from which I highlight this: "DRAM attacks on hardware-based full disk encryption (FDE) drives (this powers the Seagate Momentus 5400 FDE.2 drives for laptops) are not possible, because the cryptographic key never leaves the hard drive. The key is not stored in DRAM, but in the ASIC chip that implements the encryption algorithm, which is built into the drive." That's what Larry Swezey, consumer and commercial HDD director for Hitachi GST, had to say. Hitachi offers optional hardware encryption on all Travelstar 2.5" drives: "When used together with the ATA HDD locking feature, encryption can prevent an attacker from gaining access to data. Even if the attacker were to physically remove the disks and read them on some specialized equipment such as that used by data recovery services, the data itself would be encrypted and hence not understandable." However, Swezey offered a note of caution about attacks on the DRAM content: "It is conceivable that the software will indeed have the drive password present in the system DRAM so the attacker can gain access to that password." CIO

Memory cards keep 50 % of their data intact for a minute after powering down.

Send feedback on this column to editor@cio.in
