From The Editor-in-Chief
The Non-Tech Gambit
Do a CIO and his team really need to be techies?
‘Even as top management expects CIOs to be more business savvy, business managers are getting more clued into IT, and organizations are beginning to outsource a significant amount of their internal IT…’. I’d written these lines in this column in May last year. Then I’d asked whether the CIO role could justify its existence in future. More on that later.
For now, let me tell you about Ratnakar Nemani. A cost accountant by training, Ratnakar emerged as the CIO at VST Industries, because he asked for the role. He went on to navigate his organization through what might be considered the contrarian course of insourcing. This might be regarded as tilting at windmills had it not been for how successful the maneuver was.
While this would be enough to gain plaudits (indeed, Ratnakar and VST were CIO 100 Honorees this year for this very project), what impressed me most was that Ratnakar looked within VST’s business managers not IT professionals to re-build his ‘IT team’. A smart move, since he could now insource without adding to headcount and get domain and process experts whom he could depend on to tightly couple business and IT. They did require additional training. But at the end, VST got a non-techie CIO with a largely non-techie IT team running its ERP better than the vendor to which this function had been outsourced (See our cover story Against the Grain on Page 30 for more on this).
Should we be so astounded at this? A while ago, Peter Sondergaard, Gartner’s senior VP of global research, said that “certain functions may be taken as aspects of the business, so that the remaining traditional IT functions will have to focus increasingly on efficiency and well-defined levels of service.” In a roundtable not so long ago, I’d asked whether any business manager could aspire to a CIO’s role. While you can imagine the ruckus that followed, a few CIOs did make the point that with technology becoming increasingly resilient and dependable, the focus was indeed moving away from technology towards its business impact, and thus, CIOs need not necessarily be technologists in future. VST has shown the way that future is a lot closer than many of us have envisioned it to be. Prepare to deal with this. I await your thoughts on this issue. Write in and let me know.
Vijay Ramachandran Editor-in-Chief vijay_r@cio.in
OCTOBER 15, 2008 | REAL CIO WORLD | Vol/3 | Issue/23
Content
In-Sourcing
COVER STORY | AGAINST THE GRAIN | 30
Conventional wisdom has it that outsourcing improves efficiency. And that outsourced functions should stay out. VST Industries didn’t listen and is now reaping the benefits.
Feature by Kanika Goswami
Ratnakar Nemani, CIO & SAP Practice Head, VST Industries, decided to bring IT back home. The move would require him to re-invent himself — twice.
Photo by Srivatsa Shandilya
Cover: Design by Binesh Sreedharan
Executive Expectations
VIEW FROM THE TOP | 36
Anand Agarwal, CEO Sterlite Technologies, talks about how IT can ease the challenges his company will face as it attempts to make it into the world’s top-three companies in its space.
Interview by Kanika Goswami
IT Management
20 IT MISTAKES TO AVOID | 44
Find out how many of these IT shortcuts you’ve taken.
Feature by Neil McAllister
Staff Management
ANGRY IT WORKERS: A TICKING TIME BOMB? | 48
Thanks to increasing pressure, impossible demands and longer hours, IT workers are slowly becoming victims of a short fuse.
Feature by Dan Tynan
Departments
Trendlines | 13
Study | Supply Chain Disruptions On the Rise
Quick Take | Animesh Singh on KM
Voices | Does SaaS Make Sense?
Virtualization | Hitting a Virtual Security Blind Spot
Security | Staff Showing Signs of Risky Behavior
Opinion Poll | The Tools They Use at Work
Internet | Hackers Gain Access to 200,000 Sites
Study | Gen-X Consumers Challenge Business
Storage | Google: King of Efficient Datacenters
Survey | Culture Shock Awaits Offshore
Alternative Views | Should You Build Or Buy?
Essential Technology | 60
CRM | Open Source CRM: More Control, Less Cost, by Bill Snyder
Pundit | Giddy Up ROI!, by Bruce Schneier
From the Editor-in-Chief | 2
The Non-Tech Gambit, by Vijay Ramachandran
NOW ONLINE
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in
Case Study
Insuring Incentives | 40
In the fiercely-competitive insurance industry, sales force loyalty is hard to come by. ING Vysya Life had over 40,000 such agents and went off the beaten track to implement an incentive management system that could keep them loyal.
Feature by Sneha Jha
Applied Insight
Is it Time to Reset Your IT Strategy? | 22
Running IT as a business has its benefits and its pitfalls. Here’s how you can go from managing IT efficiently to exploring it strategically.
Column by Chris Potts
Corrigendum
In the September 15, 2008 issue, the cost of Wipro BPO’s project (Pg 143) should have read Rs 15.8 crore over four years. The correct designation of Sanjeev Kumar (Pg 103) is Head-IT, Philips Electronics India (Lighting Sector). HDFC Life Insurance’s CEO & MD (Pg 53) is Deepak Satwalekar. State Bank of India’s GM-IT (Pg 131) is S.K. Sehgal. And the MD of Reliance Life Sciences (Pg 124) is Mukesh Ambani. The errors were inadvertent and deeply regretted. — Editor-in-Chief
All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.
Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.
Trendlines: new * hot * unexpected
Supply Chain Disruptions On the Rise
Study | For companies trying to grow their global operations, supply chain demands and risks make it an uphill battle. The majority of organizations are fumbling along the way, according to a new report from research firm Aberdeen Group.
Aberdeen surveyed 138 companies about their supply chain risk management practices and priorities and found that over the past year, 58 percent of companies suffered financial losses as a result of supply chain disruptions. And, despite their concern about security and smooth operation of their supply chains, many companies are still at the early stages of thinking about supply chain risk management.
"Because of changes over the last few years, like product quality issues and customer demands, there needs to be an understanding that companies need to be much more proactive in managing all risks," said Viktoriya Sadlovska, a research analyst in the Global Trade Management Finance group at Aberdeen.
More than a third of companies polled reported unexpected customer demands and shipment demands in the last year. Other supply chain disruptions commonly seen were supplier capacity that did not meet demand, and delayed, damaged or misdirected shipments. Most of the businesses surveyed still have a long way to go in figuring out solutions for potential problems.
The study investigated current activities across various supply chain risks and revealed that less than one-third of companies are actively managing each individual risk. Areas included import and export compliance risks, raw material shortages and price risks, demand fluctuations, product quality associated risks, financial risk and environmental disasters.
"From a CSO point of view, cargo security is one part of risk. Companies really have to make sure, for instance if companies are importing, they have to ensure not to import from restricted, embargoed countries," she said. "It's hard for trade compliance professionals to make a case in this instance because it's hard to make a case on avoidance of potential penalties."
—By Joan Goodchild
Illustration by M M Shanith
Quick Take
Animesh Singh on Knowledge Management
IT Management | Knowledge management (KM) has always been important for organizations. And with data explosion, KM has gone higher up on the priority list. Saurabh Gupta spoke to Animesh Singh, VP-Operations, Brickred Technologies, and here’s what he had to say:
How important is knowledge management for an organization?
Knowledge Management has existed ever since we started gathering and disseminating data. In this world of data explosion, the role of KM becomes extremely important. Although KM is quite an old concept, it is not just restricted to discussion boards and other similar modules. Organizations can benefit on many fronts after successfully deploying KM.
Is KM being taken seriously in India?
KM practices, to a certain extent, do exist in India but their scope is limited. I doubt if many Indian firms have designations like CKO (Chief Knowledge Officer) and tools like CoP (communities of practice — considered as an important KM tool). However, keeping KM’s importance in mind, I think more and more companies will start embracing it in a more logical sense.
What's your take on implementing a KM solution?
There are three critical components that one should consider while implementing a KM solution: people, process and technology. Success or failure of any new initiative or a change management process depends on the people involved with the project. While it is important to have the right processes in place, it is equally important to have them monitored and measured to track their progress. Finally, it is technology that is the key enabler.
What do you think are the benefits of KM?
KM provides a better decision support system. It does not limit itself within an organization — it can be extended across the industry. Hence, benefits may range from new and better product development to higher customer satisfaction. And when we use this knowledge, the benefits cannot be restricted to one area.
Does SaaS Make Sense?
Delivery | Software-as-a-Service (SaaS) has lived past its hype cycle and is beginning to gain popularity among technology heads. Snigdha Karjatkar spoke with your peers across different verticals to find out whether they planned to join the SaaS crowd. Here is what they had to say:
“With business rules changing every day, a SaaS model is more aligned with business needs. Also, it saves investing large sums and allows a true measurement of ROI.”
Dhiren Savla, CIO, Kuoni Travel Group, India
“We would like to give software-as-a-service more time. The decision to use this model depends on the complexity of operations.”
Ravikiran Mankikar, GM-IT, Shamrao Vithal Co-operative Bank
“I would choose to use this model because it gives me complete visibility and the ability to scale. I think the service model is more viable for SMEs than larger enterprises.”
Sanjay Mittal, Head-IT & Systems, VIP Industries
Lend Your Voice: Write to editor@cio.in
Hitting a Virtual Security Blind Spot
Virtualization | A majority of companies have little or no security in place for their virtual systems. That is a scary statistic revealed in a survey of attendees at the recent VMWorld 2008 conference in Las Vegas.
Shavlik Technologies, which surveyed nearly 300 IT virtualization and security specialists at the conference, believes the survey demonstrates the high uptake of virtual machines (VM). "In general, we are finding that 99 percent of customers plan to add VMs now or in the near future," said Neil Butchart, MD at Shavlik EMEA. "It makes so much sense to deploy them, and now we see datacenters full of VMs."
Despite this, Shavlik is concerned that for the majority of companies, security for VM is falling by the wayside. The survey found that more than 80 percent of IT managers rated securing their virtual machines as 'very important to critical,' yet only 35 percent of those surveyed actually have security in place for virtual systems.
When asked how they were responding to the requirement to secure virtual environments, 32 percent said that they had no security scheme in place while 38 percent were currently evaluating solutions for virtual security. Only 35 percent were using an existing security/compliance package.
"We deal with a lot of companies every day in EMEA that seem to have forgotten that the same security risks apply for virtual hosting as with physical machines," said Butchart. "Virtual machines are still connected physically to the network, and so long as you have any connection, then you have a possible compromise or risk."
Respondents were also asked to rate the importance of centralizing configuration management for virtual and physical systems, and 99 percent rated this category as 'important to critical.' "There is no difference between physical and virtual machines, it is the same risk and the same problem," Butchart insisted.
He feels a lack of education among professionals is mostly to blame for overlooking virtual security, especially considering the skill shortage for virtual environments at the moment.
—By Tom Jowitt
Staff Showing Signs of Risky Behavior
Security | A security study has identified the most common mistakes committed by staff, many of which can lead to data leaks. The Cisco global security study was carried out by InsightExpress, and it surveyed 1,000 IT professionals across ten different countries (US, the UK, France, Germany, Italy, Japan, China, India, Australia and Brazil), in order to evaluate security and data leakage implications.
"There were a couple of surprises in the study," admitted John N. Stewart, chief security officer at Cisco. "Even in today's day and age, you can be surprised by the most basic security lapses."
"Companies must realize that in a slow economy, people are busy providing for their families first, then their communities, and then their businesses," he added. He suggested that companies should have funds available to help staff in financial difficulties, to remove the temptation for them to steal company secrets for profit.
One of the most common issues is users adjusting their security settings. No real surprise here, but the study found one in five staff have altered their security settings on their work machines so as to access unauthorized websites. When asked why, 52 percent said they simply wanted to access the site, whereas a third said it was no one's business.
And users, it seems, are still accessing unauthorized applications, with seven out of 10 IT professionals admitting that staff accessing unauthorized applications and websites has resulted in as many as half of their companies' data loss incidents. Twenty-four percent of staff admitted to verbally sharing sensitive corporate data with outsiders, including friends, family and even strangers.
Other bad behavior identified includes unauthorized network/facility access (two of five IT professionals said they had dealt with staff accessing unauthorized parts of a network or facility in the past 12 months) and sharing corporate devices (44 percent of staff said they share their work devices with other non-work people, without supervision).
And even basic security precautions are being ignored, with at least one in three employees leaving their computers logged on and unlocked when they're away from their desk. With data losses on the rise, it is no surprise then that 22 percent of staff admitted to carrying corporate data on portable storage devices outside of the office. Thirteen percent said they allow non-employees to roam around offices unsupervised.
Cisco recommends the following best practices for preventing data loss:
Know your data and manage it well: know where it's stored, accessed, and used.
Treat data as if it's your own: educate employees on how data protection is equal to money earned and money lost.
Institutionalize standards for safe conduct: determine global policy objectives and create localized education tailored to a country's culture and threat landscape.
Foster a culture of trust: employees need to feel comfortable reporting incidents so IT can resolve problems faster.
Establish security awareness, education and training: think globally, but localize and tailor programs for regions based on threat landscape and culture.
"Data protection requires teamwork across the company. It's not just an IT job anymore," Stewart said.
—By Tom Jowitt
The Tools They Use at Work
Culture | Techno-savvy Millennials (workers born after 1980) access Web 2.0 applications more frequently than other employees. Fewer than half say they stick to work-sanctioned products, according to a survey by Symantec.
[Infographic: percentage of Millennials and of other employees using each tool at work: Facebook/MySpace, instant messaging, streaming audio/video, photo-sharing applications, gaming applications, personal e-mail. Source: Symantec. Infographics by P C Anoop.]
Hackers Gain Access to 200,000 Sites
Internet | Several criminal gangs have acquired administrative log-in credentials for more than 200,000 Web sites — including the one used by the US Postal Service — and have used the compromised domains to attack unsuspecting users' PCs with a notorious hacker exploit kit, a researcher said.
Ian Amit, director of security research at Aladdin Knowledge Systems, found and infiltrated a server belonging to a long-time customer of Neosploit, a hacker toolkit used by cybercriminals to launch exploits against browsers and popular Web software such as Apple's QuickTime or Adobe Systems' Adobe Reader. Amit uncovered logs showing that two or three hacker gangs had contributed to a massive pool of Web site usernames and passwords.
"We have counted more than 208,000 unique site credentials on the server," said Amit, "and over 80,000 had been modified with malicious content." The 80,000 modified sites were used as attack launch pads: each served up exploit code provided by the Neosploit kit to any visitor running a Windows system that had not been fully patched.
By examining the server logs, Amit was able to identify the sites whose log-ins had been compromised. He is now working with law enforcement agencies in both the US and overseas, to tell site operators they need to change their administrative passwords, purge the malicious code and secure their sites.
The only compromised site he would name was the US Postal Service's. Also on the list were sites for governments and Fortune 500 companies, universities, and other businesses, including several unnamed weapons manufacturers. More than half the affected sites belong to European companies and organizations.
"The server-based application that validated the credentials and then modified the sites was completely automated," said Amit. "Access to that application was restricted to about six or seven IP addresses, [so] it's clear that that access was intended only for the use of the criminals using the server." The groups apparently pooled resources, with site log-in information contributed by multiple users.
Amit was not, however, able to determine how the criminals came to the site credentials in the first place. It's possible, he said, that the log-ins were purchased from others, or harvested by a botnet dedicated to the job. But even with such clues, Amit isn't confident that authorities might be able to identify the hackers: "As much as I'd like to be optimistic, I'm not fooling myself. They're using a software-as-a-service model, and it will be hard to track down all of them."
—By Gregg Keizer
Gen-X Consumers Challenge Business
Study | A new wave of consumers from the millennial generation — consumers born between 1982 and 2001 — is causing a stir among companies. Most enterprises are struggling with how to adapt their businesses to serve these younger customers, according to a new global survey.
The survey was done by the Economist Intelligence Unit (EIU) and Genesys, an Alcatel-Lucent company. EIU is the business-to-business arm of The Economist Group, which publishes The Economist. The global survey looked at how millennial consumers will impact the customer experience, asking C-level and senior executives from around the world how they are creating a customer experience to attract and retain millennials.
Among the key findings are:
— Investment strategies are shifting to favor millennials: companies are debating heavily whether to invest more in catering to next-generation consumers. Forty-two percent believe they should tilt towards younger customers, while 39 percent would shift towards baby boomers and generation X.
— The time to act is now: most companies (54 percent) have not yet set their strategies or marketing for millennials even though they overwhelmingly agree that such steps are needed. Seventy-five percent say millennials will impact their organization as consumers in the next three years.
— It's an Enterprise 2.0 world: most companies have a sophisticated understanding of what it would take to adapt, but are not ready to change their customer engagement model by leveraging social networking, peer marketing, better online support, text messaging, and blogging.
The report highlights the urgent need for businesses to invest in new modes of customer communication and to tailor their approaches to match customer preferences. Of the 164 executives who took part in the survey, 30 percent were from the Asia Pacific, 29 percent came from North America and 31 percent from Europe. The rest were from other parts of the world.
—By Subatra Suppiah
Illustration by Unnikrishnan AV
Google: King of Efficient Datacenters
Storage | Google's leadership on the Web stems partly from its powerful datacenters, which allow it to provide lightning-fast search results while keeping energy costs to a minimum.
Google uses a metric called PUE (power usage effectiveness) to measure its datacenter efficiency. It gives a ratio of the total power consumed by a datacenter to the power consumed by the IT equipment used in the facility. For example, a PUE of 2.0 indicates that for every watt that directly powers the IT equipment, an additional watt is used to cool and distribute power to that IT equipment.
In a report to the US Congress in 2006, the Environmental Protection Agency estimated that the typical enterprise datacenter had a PUE of 2.0 or higher. It also forecast that by 2011, datacenters employing state-of-the-art techniques such as liquid cooling could reduce their PUEs to 1.2. Google said that it has achieved that PUE as the average across all of its datacenters, and that one of them operates with a PUE of 1.13.
"Today we are operating what we believe to be the world's most efficient datacenters," Urs Hölzle, senior vice president, Google, wrote in his blog post.
Google starts its energy push with designing better servers, which typically waste a third of the energy they consume before any of it reaches the components. The company uses highly efficient power supplies for the servers and efficient voltage regulators on the motherboards. It said it also strips out components that it doesn't need, like graphics chips, and designs computers and server racks to use as little fan power as possible. The company says it saves $30 (about Rs 1,200) and 500kWh per year for each server, and puts 300kg less carbon dioxide into the atmosphere.
For its datacenters it focused on cooling, which can account for up to 70 percent of the overhead in energy use. It uses water evaporation to minimize the use of its chiller equipment, which is basically a large air conditioner for the datacenter. It showed a photograph of a large cooling tower in Oregon that it uses for water evaporation.
"With cooling towers, our datacenters spend most of their time running in a mode called 'free cooling.' This means the chillers are off. Free cooling isn't technically free, but it is really inexpensive and really efficient," the company said.
—By James Niccolai
Culture Shock Awaits Offshore
Survey | Companies that are globalizing their operations or outsourcing work to offshore locations shouldn't overlook behavioral and cultural differences when developing their security risk-management plans, according to a survey of IT managers and end users in 10 countries. The survey results show that employee behavior can vary by country and culture and have a direct bearing on the threats posed to corporate data.
"As you globalize and move into new regions that you haven't worked in before, you really need to understand the cultural differences," said Marie Hattar, Cisco's vice president of network and security solutions.
A total of more than 2,000 people — about half of them IT decision makers — were polled in the US, the UK, France, Germany, Italy, Japan, China, India, Australia and Brazil. Many of the countries haven't experienced the same level of worm mass mailings, denial-of-service attacks and other IT security threats that companies in the US have been dealing with for years, Hattar said. As a result, she added, there sometimes appears to be more tolerance in other countries for end-user behavior that would be considered risky in the US.
Meanwhile, 39 percent of the end users polled in Brazil and 20 percent in India admitted to sharing sensitive information about their jobs with family members and friends; another 8 percent and 7 percent, respectively, said they had shared such data with absolute strangers. In contrast, the number of respondents in the US who acknowledged that they had done the same things was 16 percent and 2 percent.
Compared with workers in other countries, a significantly larger proportion of end users in China (42 percent), Brazil (26 percent) and India (20 percent) altered the security settings on their company-issued laptops. Just 2 percent of those surveyed in the US said they had done that.
Sometimes, Hattar said, the security risks that companies face stem from cultural attitudes that can differ from country to country. In some countries, for example, there is a greater tolerance for employees tailgating behind other workers when entering secured facilities, or for verbally sharing sensitive information with others, she said. "You need to better understand the dynamics of the country you are doing business with, and ensure that your policy is localized," she said.
—By Jaikumar Vijayan
Illustration by Unnikrishnan AV
alternative views B Y S a u r a b h G u p ta
should organizations build or buy? Build vs Buy
“When a product is created in-house, a relationship is
built between the creator and the user and this makes
for a better product.” Vishnu Gupta CIO, The Calcutta Medical Research Institute.
trendlines
Developing products in-house is better, when it comes to solutions that are
Photo by Srivatsa Shandilya
specific to an organization or vertical. Often, products for specific business needs in a specific vertical are not available. For generic functions, it is better to buy but for solutions that are going to cater to unique business needs of an organization, it is always a good idea to build a solution. For about 50 percent of activities, like healthcare operations, there are no products available in India which suit the standard processes of the industry. If you look at waste management, there are no options but to develop solutions internally. The applications that are used need to be tailored according to the requirements of the organization and in such a scenario it is best to build applications in-house. Creating applications in-house has several advantages. Since there is ample knowledge of the processes in the organization, the functionalities of the application are finetuned to go together. This leads to a finetuning of the processes as well, leading to not only a robust IT team but also a robust organization. When a product is created in-house it is not only the IT department which supports the building process, but also the entire organization. Here a relationship is created between the creator and the user which makes for a better product.
OCTOBER 15, 2008 | REAL CIO WORLD
“It is almost impossible for an internal IT team to match the industry experience and resources of a vendor.” Tarun Pandey, CTO, ING Investment Management
I believe in buying products that are available in the market, as developing a product internally is a long and tedious process. Often, users are not clear about what they need. If there is a standard product available which suffices for even 80 percent of the requirements then the remaining 20 percent can be managed by customizing it. IT is an enabler of business and it helps the business achieve required results. With increasing competition, businesses need to have faster and agile systems. No user has the time to sit down with an IT person and explain his requirements. Developing an application requires an immense amount of interaction with users and this is almost impossible. Also, with homegrown IT solutions it is very difficult to cope with changing user requirements. Buying a product almost always means faster deployments. It is almost impossible for an internal IT team to match the industry experience and resources of a vendor. The expertise and knowledge of a vendor with regard to upgradations and changing requirements is of great help and that aids in maintaining a fine balance between managing the core businesses and the IT team. Buying a product might require a huge initial investment but that is compensated by a shorter gestation period and lesser maintenance cost.
Chris Potts
Applied Insight
Is it Time to Reset Your IT Strategy?
Running IT as a business has its benefits and its pitfalls. Here’s how you can go from managing IT efficiently to exploring it strategically.
A rallying call of corporate strategies for IT in recent years has been to run the IT department ‘like a business’. When the technology-centric first generation of IT strategies reached a point of diminishing returns, this next stage was both inevitable and beneficial. With the bulk of IT spending shifting from investment in new technologies to maintaining existing ones, applying sound business discipline has kept that spending under control and has driven a focus on IT operational performance and efficiency. But with these benefits come pitfalls, especially if you take the IT-is-like-a-business approach too far. The danger exists because your IT department isn't a business. It is a part of a business: a significant contributor to a value chain, not a self-contained value chain of its own. And the harder you try to create a separate value chain for IT, the harder it becomes for IT to become integrated with the business.
What to Watch Out For
A strategy founded on running IT like a business will reach a point of diminishing returns. Innovative companies have moved to the next-generation strategy, in which the CIO's purpose is not necessarily to run a traditional IT department at all. Her primary role is to provide corporate leadership to business functions. The drive for IT to manage themselves in more businesslike ways followed the technology-centric strategies that ended once the 21st century got into its stride. People learned that technology deployment alone does not guarantee business success. As executives called time on deploying IT at any cost, technology-centric strategies gave way to ones founded on IT operational efficiencies: IT departments would deliver more for less.
There's a world of difference between running IT ‘like’ a business, and running it ‘as’ one. The first means adopting a businesslike mindset and financial disciplines. The second means competing for revenue and investment in an open market, and going bankrupt if you run out of cash.
The benefits of running IT in a more businesslike way are well known. However, alongside the benefits, there are also risks. The most damaging to the CIO's longer-term strategy is any attempt to run the department as a separate business rather than just running it in a more businesslike way. There's a world of difference between running the IT department ‘like’ a business, and trying to run it ‘as’ one. Running IT like a business means adopting a businesslike mindset, processes and financial disciplines. Running it as a business means competing for revenue and investment in an open market, and going bankrupt if you run out of cash to cover your liabilities.
What happens if a CIO attempts to run her department as a business? Colleagues in other departments will say that IT wants to be treated like a supplier. In that case, contributing to corporate and business strategies will be a heroic, uphill battle rather than IT's core contribution to the enterprise. Then there are other pitfalls. The company's business units will be reluctant to fund any investment by IT in anything that looks like branding, marketing, selling or upgrading the management systems that support the IT department's own productivity. Why should they? One of the primary cost advantages of an internal department is that it doesn't require all the capabilities a real supplier needs to compete in the open market. So the CIO is caught. She has placed herself in competition with bona fide external suppliers but without access to the investment that they have in order to compete as an equal. In the long term, the IT department will find itself in a corner from which escape is difficult. It lacks the means to compete with real IT suppliers and has separated itself from the business that it is meant to be part of. This is when taking 'IT department as a business' too far seriously undermines the next generation strategy for IT.
From Efficient to Strategic
After the technology-centric strategy, then the efficiency-centric one, the strategic IT focus is now on exploiting technology to create new business value. Today's successful CIO is one that is primarily valued as leader of a corporate strategy in which the company is an ‘expert customer’ of IT. Managing operational delivery of IT services in a businesslike way is simply expected, if the CIO still does it at all. Unless the company is already an expert customer of IT, its people will need strategic leadership from trusted colleagues who do not have a vested interest in supplying technology services.
If the IT department is behaving as a business supplying IT services, then who can everyone trust to provide the strategic leadership that the next generation of IT strategy demands? A CIO who is trying to run IT as if it were a separate business will need to rethink her operating model. What have others done? They divided their department's activities into two groups: core capabilities and services. Core capabilities are those IT-related activities that the company must have in-house and that make the company an expert customer of technology. Services are the activities that the company can choose to either keep in-house or outsource. Naturally, the CIO's own activities should be included under core capabilities rather than services. Now the CIO can benchmark her company's core IT-related capabilities against the models of other innovative companies. In particular, the company should excel at enterprise architecture (not just its technology components) and investing in business change. Together, these are the engine of strategic investment and value creation, both for IT and everything else. And they should be supported by robust sourcing to spend that investment wisely. The CIO may find her IT department's strategic influence is low because these core capabilities are weak, missing or not integrated enough with their equivalents in the wider company. Then the CIO faces a major choice. Does she primarily develop the necessary capabilities within the IT department, or elsewhere in the company? If IT is perceived to be operating as a supplier, the first of these options is not realistically open to her. Therefore the CIO is faced with developing the core capabilities outside of the IT department. As she is the executive leader of those capabilities, she may need to give up day-to-day control of IT service delivery and concentrate on corporate strategy. That is indeed what some CIOs have done. 
They have established a corporate-level team that develops and leads the company's strategy and capabilities as an expert customer of IT, with no accountability for day-to-day delivery of IT services. Instead, accountability for IT operations is in the hands of a CTO or equivalent, who reports to an operations executive such as the COO. Depending on the extent to which IT services are outsourced, the IT operations function may one day report to the Chief Sourcing Officer. This model, which separates the corporate strategy for IT from operational service delivery, may not suit everyone. But as we explore the options for maximizing IT's strategic contribution, it's essential to know it exists.
Chris Potts advises companies on corporate and IT strategy as a director with the IT consultancy Dominic Barrow. Send feedback on this column to editor@cio.in
N. Dean Meyer
Project management
Building Project Management Success
It doesn't take a project management guru to manage complex projects. Instead, give responsibility to the people who know best how to do the work.
Your IT department is taking on a complex project and it looks like half the managers in IT are going to be involved, one way or another. This project needs world-class teamwork and project management. But based on past experience, applications developers don't seem to be up to the challenge. Sure, they're great engineers but they don't seem able to pull all the pieces together and manage the entire project. Too often at your company, teams haven't formed or haven't worked well, and IT struggles to deliver large projects like this one.
Should Your Project Manager Come From the PMO?
Your instinct might be to appoint a ‘super project manager’ from your project management office (PMO). Language is very important here. The term ‘project manager’ means the individual who's accountable for delivery of the project — in this case, the delivery of a new application. Translating this into the language of business, the client ‘buys’ an application from the PMO, which in turn gets help from various other managers (such as applications engineering, Web engineering, database management system engineering, and server engineering). In other words, the PMO is selling to clients (whether or not money changes hands) a product (the application) that is in another group's domain. That means when projects are difficult, the PMO takes over delivery of other managers' lines of business. This approach leads to a lack of clear accountability — the opposite of good project management practices. Who is really responsible for the end-to-end delivery of applications? Is it normally the applications group, but sometimes the PMO?
How do clients know where to go for what, and whom to hold accountable for results? If the PMO really is the project manager (accountable for delivery of the whole thing), is its staff qualified to make hard and quick decisions? Remember, PMO staff may be project management gurus, but they're not experts in app engineering. Thus, they're not qualified to make technical decisions. Sure, PMO staff is quick to point out that they get input from others. But the project manager is accountable for delivery of the project, so the project manager has to have the ultimate authority to make project-related decisions. This is not vesting authority with the people best qualified to wield it. Further, the manager responsible for running app engineering isn't really in control of his or her line of business. An entrepreneur owns a business. The applications development manager cannot really be an empowered entrepreneur when the PMO takes over and delivers its products. Clearly project management gurus are critically important on large, complex projects. But making PMO staff the accountable ‘project manager’ raises as many questions as it settles.
Breaking project management down into chunks eliminates the need for those scarce super-project managers who can sometimes control what every individual does every hour of the day.
Look to the Market for a Better Approach
Excellence in project management requires neither confusing accountabilities nor disempowered entrepreneurs. Applications developers sell applications, big and small. In our current example, they are the right choice for project manager, indeed the only choice in an empowered, entrepreneurial culture. "But," you ask, "in the past, they've struggled with big, complex projects; how can we address that problem?" Consider the root cause. Most problems in teamwork aren't due to a lack of understanding about what skills are needed on the team. Most applications developers know whose help they need to execute their project, and know exactly what services and subcomponents they need to buy from others. In most cases, the real problem is the lack of a process within the organization for getting that help. The difficulties may also stem from a lack of the discipline required to be confident that others will deliver their pieces of the project reliably without lots of oversight. Similarly, most problems in project management are not due to a lack of skill in managing projects. Remember that applications developers are entrusted with smaller projects all the time. The mistake is to expect one person to manage and control the activities of a large project team. Consider the challenge of managing a very complex project, like building a car. This is a project that involves thousands, maybe tens of thousands, of people. The car assembly plant ‘buys’ completed engines from another plant that does nothing but build engines. It buys tires from another company altogether, one specializing in that field. And the neat thing is, each supplier is a project manager for its subcomponent. Thus, the final project manager — in this case, the car assembly plant — only needs to worry about managing its next tier of suppliers. Breaking project management down into chunks eliminates the need for those scarce super-project managers who can control what every individual throughout this long supply chain does every hour of the day. Applying this approach within IT organizations is equally straightforward. There are only three rules:
First, everybody is the prime contractor (i.e., the project manager) for products and services within his or her line of business; and nobody sells products or services outside their line of business (not even the PMO).
Second, the number one job of a prime contractor is to line up needed subcontractors. This involves working with peers to gain commitments for deliverables, not people.
Third, everybody is accountable for delivering their products and services. This degree of integrity is based on two more principles: never make a commitment for others. And never make a commitment you can't keep.
How It All Plays Together
Now back to our original example. The client wants to buy an application. Regardless of complexity, it's clear that the prime contractor is the applications development group. And let's not forget one very important subcontractor: in any line of business, a project manager can (and should whenever needed) subcontract to the PMO for project planning services, project management advice and project data administration. In this way, excellence in the discipline of project management is available to any project in any line of business. Just remember, to avoid confused accountabilities and disempowerment, the PMO serves as a subcontractor, not the prime. By getting the processes right, an IT organization can have excellence in teamwork and project management without the need for disempowering super-project managers. Market-based processes that identify a prime and subcontractors, combined with the practice of subcontracting for deliverables rather than just people, make large-scale project management within everybody's capabilities.
Send feedback on this column to editor@cio.in
Cover story | insourcing
Against the Grain
Reader ROI:
The challenges of insourcing
How to build an internal team
Why insourcing can be a first step to selling internal expertise
The painting says it all. Dominating Vazir Sultan Tobacco’s boardroom is an original print of the erstwhile Nizam of Hyderabad inaugurating the company’s formation in 1930. Even today, the company exudes an old-world charm that its name conjures up. Its stone walls are a throwback from another time. It’s a company where tradition is respected. As it turns out, that’s not the only thing that gets attention at VST. Underneath its distaste for chrome, glass and anything loudly modern, VST’s been busy pulling off an IT feat few other modern companies have attempted. In an era when outsourcing has become a stock-in-trade practice, when managements — fed on a healthy dose of strategy-speak and cost cutting — are salivating over what they can outsource next, to insource seems contrarian. But it’s making sense to VST. The bold decision has fixed nagging problems and created a more agile company. In fact, the arrangement has worked so well that its IT team has begun to contribute to the company’s bottom-line. Strangely enough, this was all achieved by an accountant — not a career CIO.
Conventional wisdom has it that outsourcing improves efficiency. And that outsourced functions should stay out. VST Industries didn't listen and is now reaping the benefits.
By Kanika Goswami
Faced with falling service levels, Ratnakar Nemani, CIO & SAP Practice Head, VST Industries, decided to bring IT back home. The move would require him to re-invent himself — twice.
Outsourcing Heyday
An affiliate of British American Tobacco, the Hyderabad-based Vazir Sultan Tobacco (today known as VST Industries) manufactures cigarettes in the small segment (less than 60 mm in length). Their best-known brands include Charminar, Charms, XL Filter and Shaan. While the major part of the Rs 340-crore company’s revenues flow in from cigarettes, it also has a presence in the non-manufactured and cut tobacco market. (India is the world's second largest producer of tobacco and VST appears in all tobacco-related market research studies). VST’s 1,100-strong workforce manufactures 33,000 million sticks of cigarettes a year. When Ratnakar Nemani, a qualified Cost Accountant, joined VST in 1992, he was shown a solidly vintage office with white walls, clean lines and tall ceilings. From there he watched a company in the midst of a transition. VST, which has been conversant with IT since computers were first introduced, found IT sucking at its feet. Over time, as the company grew more dependent on IT, every department became its own IT expert. Soon, VST was running all its operations across 20 offices in isolation. “We were struggling to get [data] for financials or decision-making,” says Nemani, who is today CIO and SAP Practice Head. An ERP running across various business processes was in order. But, there were doubts within the organization whether they had the in-house skills to pull off such a complex project. “Before the ERP, we had 12 people with expertise in the old standalone business applications. It was a tough decision to upgrade and integrate the standalone business apps with the current group — or go ERP with new people,” Nemani says. At the back of their mind, what worried management was an attrition VST couldn’t solve. The idea of running an ERP with an IT team whose numbers waxed and waned was frightening. N. Sai Sankar, Finance Director and Company Secretary, remembers thinking that outsourcing was a good idea since “we noticed that people kept changing and we needed to ensure that we didn’t lag behind with our [ERP roll-out] schedule.” Outsourcing would also allow VST to concentrate on business. Hiring a vendor, back then, made sense all around.
So, in late 2001, the ERP got off its feet. Eager to get their act together, the teams worked swiftly. Nemani, who was part of the finance department then, was embedded into the ERP team. By April 2002, six modules covering finance and control, production and planning, sales and distribution, materials management and quality management were complete. “We took the big-bang approach,” Nemani remembers. A year later, Nemani was charged with VST's outsourced IT. He oversaw the implementation of the People Information & Payroll System and the Tobacco Inventory Management System. By 2004, VST had outsourced all its IT processes to three vendors and began enjoying 99.5 percent uptime (from 90 percent earlier). These were good times, Nemani remembers. VST became a training center for his vendor’s new employees (VST has asked not to disclose its vendor's name) and skill retention was easy. “The vendor-customer relationship became a partner relationship,” he recollects. Carried by this momentum, VST's corporate office was moved to thin clients, resulting in increased security and a 30 percent cost reduction.
But just as things were going well, the first signs of breakdown appeared. Support started to suffer. Critical situations did not receive sufficient attention. Nemani remembers how the vendor struggled to hold on to the people whose skills ran VST’s operations. “One of our basic premises for outsourcing was that the vendor might have better retention policies. But our vendors faced similar problems,” he says. As the vendor replaced its people more often, Nemani says that a breach in process knowledge opened up. “When it comes to [ERP], it’s not enough to have only technical know-how, domain knowledge is important in solving real-time problems. This was perhaps the reason why during some extremely critical times, we had less support than we needed.” Soon, routine processes like the printing of invoices began slowing down, holding the business to ransom as goods were stopped from leaving the factory. In a bid to get work done, members of each department, led by Nemani, began to take over, learning to resolve ERP issues on their own. Nemani became stronger in his belief that they might as well run the ERP themselves.
“Nemani has been involved in [IT] right from the start, so we thought an opportunity should be given to him [to insource].” — N. Sai Sankar
Finance director and Company Secretary, VST Industries
In the meanwhile, poor support was taking a toll on VST’s Tobacco Inventory Management Systems, an application at the heart of the company. The repercussions began to be felt among the 15,000 tobacco farmers who had associated themselves with VST and were crucial to business. Then, in 2006, the Union budget, which was held on the last working day of February, required all companies to amend their taxes. “We had to revise all our invoices for taxes because our trucks had to leave the factory with new prices,” remembers Nemani. With no support from his vendor, Nemani was left to deal with the problem himself. “I was up till 2 AM at the factory and there were about 30 trucks lined up outside the factory. I worked 72 straight hours to ensure that invoices were made and that the trucks kept moving,” Nemani says. That was the last straw.
Against the Tide
His presence — not only at crucial junctures such as these — but throughout the project, made it easier when Nemani asked VST’s management to let him bring the company’s IT back in-house. “After they outsource, most companies don’t bother. In our case, while 100 percent responsibility had gone to our outsourcing partner, my responsibility grew to 200 percent just to ensure nothing went wrong.” In that sense, Nemani says, he was always at the helm. Clubbed with the fact that outsourcing was not really an option any longer, Nemani asked for a chance to run it himself. “When VST cannot avoid risk by outsourcing, we thought that we could convert that risk into an opportunity,” he says. But that decision could not have been easy for VST’s management: as bad as the situation seemed, changing horses mid-stream could have only been a daunting proposition. Factor in that they were going to entrust the backbone of their business to an accountant and Nemani’s request must have seemed absurd. To their credit, VST’s management looked at the problem practically and showed boldness at a critical time. They gave Nemani the nod to bring VST’s IT back in-house — but not before they put him through due diligence. “When I offered to take over IT, I was interviewed by Sankar over two days. He wanted to get to the bottom of: ‘why do you want to get into IT?’ He wanted to be sure because there were so many potential issues. I think I convinced him when I told him that he could replace me if I didn’t do well in IT,” Nemani says with a smile. It was a bluff VST’s management never intended to call, mainly because they were not going to risk their business — and the additional Rs 1.4 crore that Nemani requested — on sheer bravado. Nemani was categorical about his ability to deal with the insourcing move. And he pointed to his track record to prove it. “When the CEO asked me how I would manage, I told him ‘I’ve already been part of this process for four years. We were already doing all of the work when they were not supporting us’,” he remembers saying. It helped that Nemani garnered support from his direct superior, Sankar. The Finance Director and Company Secretary says that he had seen Nemani grow from a finance personnel to an IT evangelist. “He has been involved in the [IT] operation right from the beginning, so we thought an opportunity should be given to him. Initially, we were a bit skeptical, but his confidence helped,” says Sankar. That wasn’t the end of it. Management knew it was crucial that Nemani had an IT team to back him up. Before VST had outsourced, it had an IT
department that was 20 people strong. Over time their strength had dwindled to three. Once again, Nemani took the road less traveled. He banded together a team made up of representatives from functional areas — not IT professionals. Much like his own experience, members of other departments had also found ways to work around the vendors — building expertise along the way. “They are not LOB (line-of-business) heads,” says Nemani, “but business experts, the second or third level of each department. And even they had enough confidence.” His unusual approach, however, could cut one of two ways: by using business experts who needed ERP training, the business could take off — or the lack of IT training could spell disaster. By making business processes more important than IT, Nemani was opening up a new model: one in which IT, it seemed, would take a back seat.
Bringing IT Back Home Safely
Ellen Barry, CIO at the Metropolitan Pier and Exposition Authority in Chicago, successfully brought outsourced IT functions back in-house. She offers these tips to minimize the risk of insourcing:
01 Perform a detailed business analysis of the costs and benefits of insourcing, including the strategic value of insourcing and the potential risk.
02 Develop a detailed transition plan defining effective processes for taking back each function.
03 Work with internal IT professionals to validate all assumptions, plans and risks.
04 Consider employing the best of the outsourcer's staffers. They could reduce your risk.
05 Look at the risks associated with the role of each outsourcer staffer in the delivery of service through the transition. Make plans to minimize any potential for security breaches or service degradation.
06 Include the IT governance team, the business unit heads and management in decision-making.
07 Keep the decision process confidential. If the outsourcer becomes aware of a potential change, the relationship could be damaged — which can be particularly serious if you decide not to go through with the insourcing.
08 Explain to the outsourcer why you want to insource and the need for it to continue to provide services through the transition. If the outsourcer has performed well, provide assurances that its reputation will be upheld.
09 Communicate with internal customers about the decision and the plans for transition, and maintain close communication throughout the transition.
10 Collocate internal staff with the outsourcer's staff during the transition to ensure that service-delivery processes are understood and that the outsourcer will continue to work in good faith during the transition.
11 Provide incentives as appropriate to the outsourcer to minimize the anxiety over the contract change, and be sure that all terms and conditions of the contract remain in place until full transition occurs.
12 Continually evaluate each aspect of the transition until it's completed, focusing on any areas of risk. Keep all business units advised of progress.
13 Stay focused on the value of the opportunity despite the difficulties.
—Alan R. Earls
“The whole company watched my team and me, wondering whether we were up to the job.” — Ratnakar Nemani
CIO & SAP Practice Head, VST Industries
Point of No Return
In the meanwhile, business was moving at full steam. To meet VST’s competition head-on, management required IT to be more than a support function; they needed IT to step up its game. VST needed new ERP functionalities for treasury and risk management and the company also needed to bring the Tobacco division under the ERP. By this time, VST’s ERP was five years old and was ready for an upgrade. “We wanted contemporary technology working for us,” says Nemani. VST’s management turned to Nemani and pointed out that if he wanted to handle IT, he would need to bring it back in-house and upgrade to the next version of ERP — at the same time. To meet the new challenge, Nemani decided he needed to hire more people from outside — and again the bias was on people with functional knowledge. “We had recruited people who had five-plus years of functional experience with one year of ERP exposure. In one instance, we recruited one person who worked at the Nagpur ordnance factory. He has many years of domain knowledge but knows nothing about ERP. We trained him in SAP, and his business processes expertise did the rest.” Nemani recruited six people and provided them with three months of intensive training in SAP. Hiring and training, he says, still worked out cheaper than the outsourcing package — by almost 20 percent. As Hyderabad’s evenings got chillier, the city geared up for festival season. Dussehra and Id were round the corner and Diwali
wasn’t too far. While almost everyone logged off early to shop for the festivities, Nemani’s team was putting in extra hours at work. It was make-or-break time and the team knew it. The slightest trip up could mean the end of everything Nemani had promised. “The whole company watched my team and me, wondering whether we were up to the job.” It wasn’t easy, Nemani recalls. “October 17, 2007, was the last working day (given the holidays and the weekend) before the upgrade went up on Monday morning (October 22). At that point one of my team members quit, asking to be relieved immediately,” Nemani remembers. As hard as it was, Nemani knew that the team would cope. “At VST, we do not allow people to hold work at ransom. Nobody is indispensable. As a CIO, I knew [the ERP upgrade] would work — with or without him. I was sure we would manage with the in-house team.” Manage they did. Nemani’s team successfully completed the upgrade. The new version went live at the appointed time, and everyone breathed a sigh of relief.
But even as Nemani validated the confidence that was placed in him and his team, the last few days had taught him a lesson: attrition — the problem that had crippled the vendor — had been insourced with the company’s ERP. In his endeavor to fight attrition, Nemani says he has support from across the organization. “We were all confident — not only the CIO/CFO but also all the team heads — that we are one team.” Nemani also made one thing clear with his vendor: that there would be no poaching of each other’s people for six months after the ERP was insourced. “Today, we have enough backup, so at any point in time, anyone leaving cannot really spell trouble,” he says.
Today, Nemani maintains a good relationship with his vendor — partially because they still handle other parts of the outsourcing deal. But, also because Nemani made it a point that there would be no bad blood between them. He isn’t just taking the high road. 
He says he empathizes with his vendor’s attrition problem. In fact, after a recent employee satisfaction survey, Nemani’s outsourcer found that its happiest employees were those stationed at VST. Nemani’s cordial relationship with his vendor has another reason: they taught him how to fulfill his new role as a vendor – and he’s gentlemanly enough to acknowledge it. “I have to say, all that I’ve learnt about this business [consultancy] is what I have learnt from my vendor,” he says.
Up and Away

VST’s success with the ERP implementation prompted other users with similar problems to approach them for consulting. In January 2008, VST set up an IT Projects Wing (VSTITPW) and offered SAP services to other organizations based in Hyderabad. One of them is the Rs 576-crore Hindware Sanitaryware Industries (HSIL). “We started interaction with VST in December last year. After a brief session to get them to understand our setup, we got them on board,” says B.K. Venkatram, DGM-IT, HSIL. “We implemented SAP in October 2006, but sometimes we need support. Before we decided on them, our IT team went to their site, saw their installations, and met all the people in charge of their modules. We thought them capable and decided to take on VST’s services to run our SAP ERP,” adds J.K. Somani, VP, HSIL, which has drawn up a one-year contract for three years. Part of the reason that HSIL took on VST — even though it is not an IT company — was because VST had already undergone all the troubles Hindware faced. That means Nemani can predict challenges and have ready solutions. In his bid to make ITPW a revenue generation center, this will be a sizeable plus-point. “I understand both the vendor’s end as well as the customer’s. That gives me an edge. I can tell the customer what can be done and what can’t be done and what not to expect from SAP. I know the ground realities,” Nemani says. Nemani’s first-hand experience is bringing more people to his door. In May this year, Priya Foods signed up VST ITPW as a consultant for their SAP practice. “We were looking for someone who had gone through what we were facing. We checked out a few software services companies but they could not understand our process. When we went to meet the [VST] team, they explained to me some issues that they had resolved for their organization and we were quite impressed,” says J.V.V.S.N.S. Prasad, manager IT at Priya Foods.
Vol/3 | ISSUE/23
“We were looking for someone who had gone through what we were facing. When we met the [VST] team, we were impressed.” — J.V.V.S.N.S. Prasad, Manager-IT, Priya Foods
Priya Foods faced some real challenges: their invoices, both inward and outbound had a huge number of line items and taxations lists. “Passing bills was troublesome. Because we have so many raw materials and the purchasing scenario is so complicated, we have long calculations. Then bills had to be broken down according to payments. The manual mode made things very difficult. We also had problems when there were changes in taxes. Or we had cases when our people entered Rs 32 instead of Rs 0.32. These had a huge impact financially, we are talking about lakhs of rupees,” Prasad explains. While an ERP solution could solve these problems, getting user buy-in was hard because users thought they would lose their jobs. “In my company, as in many others, the thought of an ERP can be a bit unnerving for personnel down the line,” says Prasad. Nemani fixed that problem personally. “I found great support when Ratnakar himself spent time with my people to take care of change management. He told us to leave the room, gathered my users and explained to them how [ERP] worked,” Prasad remembers. The meeting went well. Prasad says he felt his team’s comfort levels increase. He says it had everything to do with how Nemani can
speak a language everyone understands. “He addresses himself to how any change should be managed down the line, not only ERP. He gave my team confidence,” Prasad adds. Nemani doesn’t want to stop now and Sankar, the Finance Director and Company Secretary, too, sees more opportunities. “One is in the SME segment. With the kind of expertise we have, we could generate some revenue and keep growing. But this is still in the initial stages and we are trying to learn how we can better the service side.” The SME focus, he says, comes from the fact that many of these companies are family-run and mindset is very important. That said, Sankar refuses to refer to VST’s IT team as a business unit. “We are still in the initial stages, making a revenue center out of it is still a new idea,” he says. Which is fine with Nemani. The fact that what he started is accepted is a good-enough beginning. It wasn’t too long ago, after all, that people thought his ideas were outlandish – a little like how not everyone could initially accept a Gujarati lawyer named Mohandas Gandhi, and we know how that ended.
Kanika Goswami is assistant editor. Send feedback on this feature to kanika_g@cio.in
REAL CIO WORLD | OCTOBER 15, 2008
View from the Top
Anand Agarwal, CEO, Sterlite Technologies, talks about how IT can ease the challenges his company will face as it attempts to make it into the world’s top-three companies in its space.
Powering Ahead
By Kanika Goswami

Anand Agarwal, CEO of Pune-based Sterlite Technologies, wants IT to help his company become one of the top-three manufacturing giants in its segment by 2010. Sterlite, which is already India’s biggest manufacturer of power transmission conductors and optical fiber cables, exports its products to 30 countries in Europe, Africa and Middle East. As the company evolves, it will have to deal with newer challenges brought about by competition and market complexity. However, Agarwal believes that operational efficiencies and customer intimacy — powered by IT — will provide Sterlite with the required momentum to become a global giant.
View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

CIO: How critical is IT to a manufacturing enterprise such as yours?
Anand Agarwal: Sterlite Technologies is a leading global manufacturer of wire and cable solutions for the telecom and power industries. In our quest for business excellence, we try to build transparency within our systems, thereby enhancing value to our stakeholders. Ensuring a high level of automation in our business processes, through IT, has been a key company-wide focus area. Also, our products are manufactured in semi-batch process, wherein the quality of a batch can be judged by the quality of the previous batch. Hence, it is extremely critical
to have real-time information on each subprocess, and this is only possible with a robust IT platform. For Sterlite, IT is critical in the creation of competitive advantage and in the optimization of our business processes. This enables growth and allows us to improve our relationships with customers.
On a day-to-day basis, what is technology’s contribution to helping Sterlite achieve its goals?
Sterlite’s vision is to be among top-three manufacturers in the world by 2010, in terms of market share for all our business lines. In order to achieve this vision, adequate business intelligence is pivotal. We have enabled our workforce to be ‘always connected’ to the Internet and in-house IT platforms through computers, laptops, Blackberrys and Internet data cards. Through the IT applications available within Sterlite, we have been successful in keeping abreast with information and best practices related to markets, products, technology and competition.

Anand Agarwal expects I.T. to: reduce business complexity; improve relationships with customers and partners; help his company become one of the top three manufacturers by 2010.
India’s manufacturers face stiff competition from other Asian countries. How do you compete?
We have focused on our core competencies to ensure that we are amongst the lowest cost producers of all our products. This has been done by vertical integration and intelligent manufacturing. All our products have core linkage from the very basic natural resource — we manufacture optical fibers from naturally occurring silicon ore and we manufacture aluminum conductors from basic aluminum.
Our continuous focus is on achieving value addition from one form to another by expending minimum resources in terms of energy or chemicals. This helps reduce cost and pollution and helps use less energy and conversion agents. We effectively use IT to integrate manufacturing across the various stages of conversion as well as in reporting and controlling/optimizing the use of conversion agents. We believe we have a unique edge with this approach on a global basis and we continue to work on this and such
differentiators to ensure that Sterlite and India continue to be a big manufacturing hub for all the products that we sell globally.
Can your CIO help?
Sterlite Technologies received the CIO 100 Award 2008 for its innovative use of IT in manufacturing. Sterlite has implemented a unique end-to-end traceability platform that is integrated with our ERP platform for the entire manufacturing chain at its power conductors facilities. The system ensures end-to-end traceability of raw material and intermediate products that are used to produce finished products. The system was initiated on the basic premise that automation has the inherent benefits of data integrity and data reliability. Since data is automatically entered into the ERP servers from scanned barcodes, Sterlite has also been able to free up a significant amount of valuable manpower, who can now perform more value-added activities, rather than data entry. It has also simplified inventory management and enhanced customer support.

As CEO, do you think IT helps manage complexity?
IT helps by reducing complexity, bringing about standardization and facilitating communication throughout the organization. IT merges different information silos into a common pool of information. It ensures that everyone talks a common language in the enterprise as far as data is concerned.
How do you manage remotely located manufacturing units?
We have one instance of our ERP for all the locations wherein all users are governed by the same checks and balances. We believe we have implemented a robust platform with a very high degree of quality of service with all users being connected on a high-availability, redundant mesh network. We have a total of six manufacturing facilities located at Aurangabad, Silvassa and Haridwar. Their manufacturing processes are independent of each other, but all other business processes (finance, banking, treasury, among others) are consolidated. IT has been able to integrate our business processes and bring a geographically-spread operation on a single platform. Today, distance and location are no longer a constraint. Our executive management can assess the health of the business wherever they are or whenever they wish to. Moreover, from a customer support perspective, it is very important to have end-to-end material and process traceability for the entire manufacturing value chain. Our integrated ERP platform enables us to do this efficiently.

“We believe getting things done the ‘first-time-right’ is crucial. Hence, quality and IT are at the very core of all that we do.” — Anand Agarwal
In your pursuit to align complex business processes and IT, what challenges do you expect to face?
Within Sterlite, we use a combination of SAP and Oracle as unified platform for most of our manufacturing and financial processes. However, we acknowledge that there are some functional areas which require external interfaces such as effective CRM (customer relationship management), PMS (performance management system) and BMI (business measurement index) modules. Although we are still in the process of evaluating these external modules, we believe that our biggest challenge will be to achieve a high degree of seamlessness between platforms to make the system user-friendly and provide the necessary return on investment.
What about IT’s role in achieving operational excellence?
Based on industry and customer requirements, we strive to develop a portfolio of quality products and services, through the effective use of IT and Six Sigma and a sustained focus on Intellectual Property and the environment. That is our business mission at Sterlite. Hence, quality and IT are at the very core of all that we do. We believe that getting things done the ‘first-time-right’ is crucial for operational excellence. Six Sigma methodologies integrated with IT initiatives have helped us to operate at very high compliance levels.

Finally, does your CIO play a significant role in Sterlite’s business decisions?
At Sterlite, we have a core management team that meets at least once a month to evaluate the evolving needs of our business. This core team comprises functional heads from operations, finance, marketing, IT, HR and purchase, to create a holistic view of our business. As a policy, our corporate decisions are not unilateral, but a result of healthy debate and unbiased evaluation of initiatives to improve productivity and efficiencies.

Kanika Goswami is assistant editor. Send feedback on this interview to kanika_g@cio.in
Insuring Incentives
Case File
In the fiercely-competitive insurance industry, sales force loyalty is hard to come by. ING Vysya Life had over 40,000 such agents and went off the beaten track to implement an incentive management system that could keep them loyal. But it soon found itself hanging in mid-air – until boldness came to the rescue.
By Sneha Jha
Reader ROI: How to deal with your vendor being bought out; Why automating processes can cut down attrition; The importance of being bold to gain a competitive edge

Illustration by PC Anoop. Photo by Srivatsa Shandilya.

“Companies that outperform their rivals are the ones which find the circumstances they want, and if they don’t, strive to create them.” Sitting in his sixth floor office, Ravishankar Subramanian, director IT and corporate services of the Rs 1,159-crore ING Vysya Life Insurance, recalled the words of his superior at a previous organization. It made a lot more sense now.

In a highly-competitive industry that believes in the survival of the fittest, following the herd can mean death. Subramanian knows how competitive the insurance industry can be. It demands innovation — innovation that can create the circumstances your organization needs.

But Subramanian knows he can’t get there alone. Not when the business depends on a multitude of people — people who don’t cater exclusively to you. And, in insurance, those people form the very spine of the organization: the sales force.

These agents are the pivotal link between the company and its customers. In the insurance business, agents are not on company rolls. They work freelance, often for multiple insurance agencies. They are guerillas who work for the highest price. Insurance companies have learnt the hard way that keeping them satisfied is critical; give them a reason to sell your product over others.

It all boils down to incentive schemes. Incentives and loyalty are definitely two intimately associated issues.

“We need to keep the sales force energized by coming up with frequent incentive schemes, which need to be different. We can’t have the same scheme running for a very long time otherwise they will lose interest. So, we need to come up with new schemes based on the company’s objectives,” says Subramanian.

Every insurance company has its own set of incentive schemes. These range from monetary incentives to club memberships and free trips.

The sales people need to be aware of the schemes well in advance, so that they know how much they need to achieve in the next week or two before the incentive scheme closes. The sales support team, who are directly employed by ING Vysya Life, need to communicate this information to the sales force. The sales support team also needs to monitor the working of the sales agents.

At ING Vysya Life, like most other insurance companies, this vital data was managed on Excel sheets — a system the company used since its inception in 2001. Needless to say, this information was plagued by inaccuracy and a lack of transparency.

The sales support team had to answer frequent queries and address the grievances from the field force. They had to explain to the agents why they did not make it to a particular scheme.

“The problem was that as there was no proper communication throughout the process, at the end of the day when the payment was made the sales force wondered how the support team arrived at it. It was a very people hungry process. This would waste a lot of time of the sales support team,” says Subramanian.

But that was just the tip of the iceberg.

Invalid Policy

Established in 2001, ING Vysya Life is the insurance wing of the ING group and is headquartered in Bangalore. It has over 5,000 in-house sales managers, 40,000 freelancing advisors selling insurance, and it also availed the services of alternate channel partners — like banks — to promote their products. In order to keep the freelancers motivated the company needed to come up with frequent incentive schemes, which had to be innovative and attractive.

But ING Vysya Life were not the only ones trying to do this. With so many players in the market, all selling the same products, insurance companies need to keep modeling their incentive schemes to create that difference.

“Companies need to diversify distribution channels to deepen the process of product penetration. In a bid to combat commoditization, insurers add new products and services to their product portfolio. But while doing so they should ensure that their communication with the field-force must address this complexity,” says Y.V.D.V Prasad, director, business development, ING Vysya Life Insurance. As the company expanded its reach across multiple channels, delivering accurate, relevant and timely information became a monumental task. It was hard to meet the growing demand for transparency in information — both for the company and the sales force. Whenever the company came up with a new scheme, or added a new feature to the existing schemes, the sales force needed to be informed. And the only communicator between the freelancing sales force and the sales support team was an inaccurate, manual and opaque Excel sheet. “Market conditions demanded constant change in incentive designing to engage and entice distribution channels. We wanted to ensure auditable and accurate payment of incentives,” says Subramanian. The manual system had few modeling facilities thereby limiting innovation in designing incentive schemes. Relying on
that was beginning to prove dangerous for the company. ING Vysya Life needed an incentive management system to automate the process and bring in transparency. And they needed it fast.
Play It by the Rules

Subramanian and his team explored all the possibilities available in the market and then zeroed in on a rules engine — a novel concept for the insurance industry. A rules engine is a graphical business rules development environment that reduces maintenance and enhancement costs by cleanly separating business rules from application code. It comes with productivity enhancements that detect errors and conflicts automatically. But Subramanian was not sure where to go for a rules engine that would fit his requirements.

“We evaluated ready-made packages in the market. These were inflexible and did not meet our requirements in features, availability and modeling capabilities. We needed something that was rapidly configurable and would work with minimum IT resources,” explains Subramanian. The company formed a cross-functional team, which comprised two to three people each from IT, business and sales support. The hunt for a vendor began. The search ended at the doorstep of YASU Technologies, a Hyderabad-based rules management systems firm. YASU was just the perfect fit for ING Vysya Life. But this was not a clear case of build or buy. It involved a little of both. “We used some of the resources from YASU to build the software and then when the IT team became proficient with it, it took over the project and is now taking care of the incentive schemes,” says Subramanian. Proud with the implementation, and the fact that he took his company to a level few insurance companies in India have managed to reach, Subramanian was beginning to rest on his laurels. Blissfully unaware of what the future had in store — a future that was going to give him sleepless nights.

SNAPSHOT: ING Vysya Life Insurance. Headquarters: Bangalore. Revenue: Rs 1,159 crore. Employees: 7,771. Branches: 265.
“Market conditions demanded constant change in incentives to engage and entice distribution channels. So, we needed to come up with new schemes.” — Ravishankar Subramanian, Director IT & Corporate Services, ING Vysya Life Insurance
Sudden Death

Like other success stories with a twist, ING Vysya Life’s story was no different. Just when Subramanian and his team were finding their feet with the new system, they were hit by a storm in the form of a software giant. YASU Technologies was bought over by SAP, leaving ING Vysya Life in the lurch. There was an initial wave of frustration. As a consequence of the acquisition, the senior team at YASU was replaced and they could not see the company through the implementation. Everybody was anxious that this could hamper the project. At this nascent stage, sturdy support from its implementation partner was of paramount importance. This had an adverse effect on the go-live date of the project. “We wanted the system to be up and running by December 2007. But it got postponed to March because we did not get support from our partners. We had to reschedule the project and delay the go-live by three months. We would have had large incentive schemes running on the system during the peak period of January, February and March. The fact that we could not do that was a small setback because then we had to wait for the next peak period,” says Subramanian. Another cause of concern was the fact that ING Vysya Life had no industry parallels or benchmarks that they could follow, as the project was unique. The company did not have a precedent to show its end users. “We could not show them an example of a company where this kind of an approach had been adopted so we could not show them how it would work. We had to show them some small prototypes how the rules engine would work, how the rules would be defined, how easy it would be for them to define the rules,” says Subramanian. At the same time the company wasn’t sure if SAP would support them. With so many issues mounting on him, Subramanian was down but not out. “We were left high and dry. The end users had to engage in a lot of self-learning because after the implementation partner failed to extend its support to the end users, they had to repose their trust in the notion of ‘learning by doing’. They threw themselves at the problem with a passion that I have rarely seen. They were bullish about this because they were convinced that they would emerge richer by the experience. It was a self-propelling situation,” admits Subramanian.

Rising From the Ashes

The system has offered several competitive benefits. It has led to enhanced process efficiency, data accuracy, transparency and reduced dependence on IT. The system is now able to design, devise, model and run incentive plans on its own. This has helped the sales support team communicate effectively across channels. No manual work of calculating contest outputs is required now, thereby avoiding incorrect payouts to the sales force. By linking the rules engine to the existing reporting application, communicating the results to the field has become an easier and efficient exercise. Post-implementation the sales support team saves 1.2 hours a day on manual compilation and communication of scheme outputs. It also has a dedicated resource to reply to queries pertaining to MIS sent to the field. This has reduced the contest related queries by 50 to 60 percent. Now that the project has brought in more benefits than it promised, it has infused confidence in Subramanian. “Having proven that the rules engine can work for us, we are ready to make the next big investment. Even if we have to buy a much bigger and a little more expensive rules engine we will go ahead and do that,” reveals Subramanian.

A Premium Policy

The rules engine not only creates more incentives for third-party sales people but also made ING Vysya Life Insurance more transparent and efficient.
The sales support team will save 1.2 hours a day normally spent on manually compiling and communicating incentive schemes.
ING Vysya Life can now double its incentives budget to Rs 70 crore — with the same workforce.
The time taken to design an incentive scheme has come down from 10 days to a week.
Contest related queries have reduced by over 50 percent.
Infographics by PC Anoop

Sneha Jha is correspondent. Send feedback on this feature to sneha_jha@idgindia.com
IT Mistakes to Avoid

Everyone bends the rules a little — it's human. But these lapses add up. The first step to getting your IT organization back on track is acceptance of the problem. Find out how many of these IT shortcuts you’ve taken.
By Neil McAllister

One thing hasn't changed over the years: IT's capacity to fall prey to misguided practices, given the complexity of the responsibilities involved. So in the spirit of ‘forewarned is forearmed’, here are 20 mistakes that today's IT departments would do well to avoid. The names have been changed to protect the guilty, but the lessons learned are plain to see.
Reader ROI: Tips on making IT management easier; What shortcuts your IT managers should stop taking; The price of bad IT management

01
Overzealous Password Policies
A clear and consistently enforced password policy is essential for any network. What good is a firewall when an attacker only needs to type ‘password’ to get in? But strict password security cuts both ways. If your password requirements are too complex and draconian, or if users are forced to change their passwords too often, your policy can have the opposite of its intended effect. Users pushed to the limit of remembering passwords end up writing them down — in a drawer, on a Post-It, or on a piece of tape stuck to their laptop's keyboard. Don't undermine the ultimate aim of your password policy by insisting on unrealistic requirements. Besides, passwords are so 2004. If you want strict access control today, think multi-factor authentication.
02
Mismanaging the Datacenter
System administrators aren't exactly known for their neatness, but in the datacenter, order is essential. Spaghetti cabling, mislabeled racks, and orphaned equipment can all cause big problems. Careless provisioning can easily lead an administrator to reconfigure the wrong server or reformat the wrong volume, so keep things tidy (and always double-check your log-ins). Good systems housekeeping also means getting production servers off engineers' desks and out of their hiding places in the basement. Managing those assets is IT's job, and it should shoulder the burden with diligence and gusto. Make sure your CFO understands the importance of maintaining a datacenter that's large and well-equipped enough to grow with the business without turning into a jungle.
03
Losing Control Over Critical IT Assets
Senior management has a request: "The marketing team needs to run ad-hoc SQL queries against the production database." It's simple enough to implement, so you grudgingly make it happen and move on. Next thing you know, poorly formed queries are bringing the server to its knees before every Thursday's marketing meeting. Your next assignment? "Fix the performance issue." Backseat drivers are a hazard; handing over the keys to someone who can't drive can be fatal. The experience and judgment of IT management plays a crucial role in all decisions related to IT assets. Don't abdicate that responsibility out of a desire to avoid confrontation. A bad idea is a bad idea, even if business managers don't realize it.
04
Treating ‘Legacy’ as a Dirty Word
Eager young techies may hate the idea that mission-critical processes are still running on systems their grandparents' age, but there's often good reason for IT to value age over beauty. Screen-scraping isn't as sexy as SOA, but an older system that runs reliably is less risky than a brand-new unknown. Modernizing legacy systems can be expensive, too. For example, the State of California expects to spend US$177 million (about Rs 708 crore) on a revamped payroll system. And according to one IDC study, annual maintenance costs for new software projects typically run into the millions. In these days of tightened IT budgets, don't be in too much of a hurry to make your dinosaurs extinct before their time.
05
Ignoring the Human Element in Security
Today's network administrators have access to a dizzying array of security tools. But as hacker Kevin Mitnick is fond of saying, the weakest link in any network is its people. The most fortified network is still vulnerable if users can be tricked into undermining its security — for example, by giving away passwords or other confidential data over the phone. For this reason, user education should be the cornerstone of your site security policy. Make users aware of potential social engineering attacks, the risks involved, and how to respond. Furthermore, encourage them to report suspected violations immediately. In this era of phishing and identity theft, security is a responsibility that every employee must share.
06
Creating Indispensable Employees
As comforting as it may be to know that a single employee understands your systems inside and out, it's never in a company's best interests to let IT workers become truly indispensable. Take, for example, former City of San Francisco employee Terry Childs, who was eventually jailed for refusing to reveal key network passwords that only he knew. In addition, employees who are too valuable in specific roles can also get passed up for career advancement and miss out on fresh opportunities. Rather than building specialized superstars, you should encourage collaboration and train your staff to work with a variety of teams and projects. A multi-talented, diverse IT workforce will not only be happier, it will be better for your business, too.
07
Raising Issues Instead of Offering Solutions
Are your warnings of critical vulnerabilities falling on deaf ears? Identifying security risks and potential points of failure is an important part of IT management, but the job doesn't end there. Problems with no apparent solutions will only make senior management defensive and dismissive. Before reporting an issue, formulate a concrete plan of action to address it, then present both at the same time. To win support for your plan, always explain your concerns in terms of business risk — and have figures available to support your case. You should be able to say not just what it will cost to fix the problem, but also what it could cost if it doesn't get fixed.
08
Logging in as Root
One of the oldest rookie mistakes is still alive and well in 2008. Techs who habitually log in to the administrator or ‘root’ account for minor tasks risk wiping out valuable data or even entire systems by accident, and yet the habit persists. Fortunately, modern operating systems — including Mac OS X, Ubuntu, and Windows Vista — have taken steps to curb this practice, by shipping with the highest-level privileges disabled by default. Instead of running as root all the time, techs must enter the administrative password on each occasion they need to perform a major systems maintenance task. It may be a hassle, but it's just good practice. It's high time that every IT worker took the hint.
09
Teetering on the Bleeding Edge
With public beta programs now commonplace, the temptation to rely on cutting-edge tools in production systems can be huge. Resist it. Enterprise IT should be about finding solutions, not keeping up with the Joneses. It's OK to be an early adopter on your desktop, but the datacenter is no place to gamble. Instead, take a measured approach. Keep abreast of the latest developments, but don't deploy new tools for production use until you've given them a thorough road test. Experiment with pilot projects at the departmental level. Also, make sure outside support is available. You don't want to be left on your own when the latest and greatest turns out to be not ready for prime time.
10
Reinventing the Wheel
There's no better way to ensure IT agility than to take charge of your own software needs. But too often, companies employ software developers only to squander their talents on the wrong projects. You wouldn't write your own Web browser or relational database. Why, then, do so many companies waste energy building custom CRM apps or content management systems, when countless high-quality products already exist to fill those needs? In-house software development should be limited to projects that confer competitive advantage. Functions that aren't unique to your business are best handled with off-the-shelf software. Failing that, start with an open source project and tweak it to meet your requirements. Redundant development projects only distract from genuine business objectives.
11
Losing Track of Mobile Users
Networked tools make it easy to push security updates, run nightly backups, and even manage software installation for users across an entire organization — provided, of course, that their PCs are connected to the corporate LAN. But what about users who spend most of their time off-site?
Mobility and telecommuting have changed the game for systems management, network security, and business continuity. Laptops that lack current security patches are a prime vector for malware. Files that are never backed up can mean countless hours of lost productivity. And what will happen to your sensitive data in the event of theft? Automated IT policies offer no reassurance if road warriors can slip through the cracks.
12
Falling into the Compliance Money-Pit
When it comes to complying with Sarbanes-Oxley, HIPAA, and other regulations, too many companies fall back on the Band-Aid method. But throwing money at nebulous compliance objectives only drains funds that might otherwise be used for more tangible projects. While a critical regulatory deadline may necessitate a quick compliance fix in some cases, overall it's best to take a holistic approach. When planning your compliance strategy, think in terms of global policies and procedures, rather than point solutions targeted at specific audits. Aim to eliminate redundant procedures and manual record-keeping, and focus on ways to automate the compliance process on an ongoing basis. To do otherwise is just throwing good money after bad.
13
Underestimating the Importance of Scale
You may think you've planned for scalability, but chances are, your systems are rife with hidden trouble areas that will haunt you as your business grows. First and foremost, be mindful of process interdependencies. A system is only as robust as its least reliable component. In particular, any process that requires human intervention will be a bottleneck for any automated process that depends on it, no matter how much hardware you throw at the task. Also, cutting corners today is a sure recipe for headaches tomorrow. As tempting as it may be to piggyback a departmental database onto an underutilized Web server or let an open workstation double as networked storage, resist. Today's minor project could easily become tomorrow's mission-critical resource, leaving you with the unenviable task of separating the conjoined twins.
14
Mismanaging Your SaaS Strategy
Salesforce.com proved that SaaS (software as a service) has real legs in enterprise computing. When compared to traditional desktop software, the on-demand model offers customers a low barrier to entry and virtually no maintenance costs. Little wonder, then, that a growing number of software vendors have begun offering hosted products in numerous software categories. If you haven't at least considered SaaS options, you're doing your business a disservice.
Vol/3 | ISSUE/23
Too much SaaS, on the other hand, can become problematic. Hosted services don't interoperate as well as desktop software, and the level of customization offered by SaaS vendors varies. Remember, SaaS is just a business model — it isn't really a bargain if the software itself is immature.
15
Not Profiling Your Code
Relative performance is a perennial debate among programmers. Does code written for one language or platform run as well as equivalent code written for another? Here, software development dovetails with carpentry, as it's often the poor craftsman who blames his tools. For every application that suffers due to an underlying flaw in the language, countless others are rife with poorly designed algorithms, inefficient storage calls, and other programmer-created speed bumps. Locating these trouble spots is the goal of code profiling, and that's what makes it so essential. Until you've identified the slowest portions of your code, any attempt to optimize it will ultimately be fruitless. Because who knows? Maybe the problem isn't your fault after all.
16
Failing to Virtualize
If you aren't taking advantage of virtualization, you're only making things harder on yourself. Virtual machines were a key selling point of early mainframe computers, but today similar capabilities are available on industry-standard hardware and operating systems, often at no additional cost. Stacking multiple VMs onto a single physical machine drives up system utilization, giving you a greater return on your hardware investments. Virtualization also allows you to easily provision and de-provision new systems, and to create secure sandbox environments for testing new software and OS configurations. Some vendors may tell you that their products can't be installed in a virtualized environment. If that's the case, tell them bye-bye. This is one technology that's too good to pass up.
17
Putting Too Much Faith in One Vendor
It's easy to see why some companies keep going back to the same vendor again and again to fulfill all manner of IT needs. Large IT vendors love to offer integrated solutions, and a support contract that promises 'one throat to choke' will always be appealing to overworked admins. If that contract has you relying on immature products that are outside your vendor's core expertise, however, you could be the one who ends up gasping for breath. Rarely is every entry in an enterprise IT product line created equal, and getting roped into a subpar solution is a mistake that can have long-term repercussions. While giving preferential consideration to existing vendor partners makes good business
sense, remember that there's nothing wrong with politely declining when the best-of-breed lies elsewhere.
18
Plowing Ahead with Plagued Projects
Not every IT initiative will succeed. Learn to recognize signs of trouble and act decisively. A project can stumble for a thousand different reasons, but continuing to invest in a failed initiative will only compound your missteps. For example, the Federal Bureau of Investigation wasted four years and over $100 million (about Rs 400 crore) on its Virtual Case File (VCF) electronic record-keeping system, despite repeated warnings from insiders that the project was dangerously off-track. When the FBI finally pulled the plug in 2005, VCF was still nowhere close to completion. Don't let this be you. Have an exit strategy ready for each project, and make sure you can put it in motion before a false start turns into a genuine IT disaster.
19
Not Planning for Peak Power
Sustainable IT isn't just about saving the planet. It's also good resource planning. When energy costs spiral out of control, they threaten business agility and limit growth. Don't wait for your datacenter to reach capacity to start looking for ways to reduce your overall power consumption. From CPUs to storage devices, memory to monitors, energy efficiency should be a key consideration for all new hardware purchases. And don't limit your search to hardware alone; software solutions such as virtualization and SaaS can help consolidate servers and shrink your energy footprint even further. The result will be not just a more sustainable planet, but a more sustainable enterprise.
20
Setting Unrealistic Project Timetables
When planning IT projects, sometimes your own confidence and enthusiasm can be your undoing. An early, optimistic time estimate can easily morph into a hard deliverable while your back is turned. For that reason, always leave ample time to complete project goals, even if they seem simple from the outset. It's always better to overdeliver than to overcommit. Flexibility will often be the key to project success. Make sure to identify potential risk areas long before the deadlines are set in stone, particularly if you're working with outside vendors. By setting expectations at a realistic level throughout the project lifecycle, you can avoid the trap of being forced to ship buggy or incomplete features as deadlines loom.
Send feedback on this feature to editor@cio.in
Angry IT Workers:
By Dan Tynan
With increasing pressure, impossible demands and longer working hours, IT workers are slowly becoming victims of a short fuse. It’s an anger that is sweeping across companies — causing more damage than employers realize. Is it time to defuse the bomb?
Staff Management
It was 9:30 on the morning of March 4, 2002, and something was terribly wrong at the offices of PaineWebber UBS. Computers in branches all over the country began showing disc errors. A logic bomb buried deep within the machines had wiped their hard drives clean, preventing 17,000 brokers from making trades.

"It was six months after 9/11," says Keith Jones, co-principal of Jones Dykstra and Associates, a computer forensics and expert witness firm. "Back then if anyone so much as sneezed, you thought 'terrorism.'"

The IT staff located the backups and restored the first batch of machines. They got wiped again. The logic bomb had propagated to the backups. The brokers gave up on their computers and went to their other backup plan: paper and pencils.

UBS tech staff ultimately figured out how to bypass the bomb and restore computer access, but it was weeks before the company was back to normal. More than $3 million (about Rs 12 crore) in damage had been done.

The culprit: Roger Duronio, a 60-year-old sys admin. Unhappy about not receiving compensation he'd been promised, Duronio planted the logic bomb on more than 1,000 Unix machines. He then shorted the company's stock, hoping to capitalize financially as PaineWebber's share price dropped. Instead he was convicted of computer sabotage and securities fraud.

Other cases speak less of revenge and more of IT workers simply cracking under stress — such as the saga of Terry Childs, a network admin for the city of San Francisco who became frustrated by his manager's lack of technical expertise and withheld administrative access to parts of the city's network.

Either way, disgruntled IT workers — battered by interminable hours and impossible demands — pose a greater threat than ever. "People don't realize just how much access senior IT people have," says Brian Dykstra, Jones' partner. "The vast majority of system admins don't abuse their privileges — even if they wanted to, they're too busy. But when someone does go over the edge, they have the ability to do a great deal of damage."

And the consequences can be devastating. The most common tactic used by disgruntled geeks is widespread deletion of company data, says Dykstra. Sometimes the damage is obvious, but other sabotage may be harder to detect. In one case, Jones Dykstra and Associates was called in to help an international market analysis firm that kept losing some but not all of its e-mail. It turns out a recently fired techie had set the servers to automatically delete messages coming in from overseas.

Dykstra adds that most IT workers are too professional to take out their grievances on the systems they've worked so hard to maintain.

Reader ROI:
Why are IT workers angry
Why is it important to value your employees
How to save your company from insider-threat

What does IT want?
"The last thing any IT pro wants is a downed system," Dykstra says. "That just means more work. But the thing we see over and over again is that IT is always drastically understaffed. You go into companies and find two or three admins responsible for 600 users. It's easy to understand what gets them to their snapping point."

Staff reductions have stripped many IT staffs to the bone, forcing those that remain to double or triple their workloads. The piling on of work can demoralize the people charged with keeping the business going, says Laurent Duperval, president of Duperval Consulting.

"I recently spoke to an IT colleague who was explaining to me that he had to work 75 hours last week to help complete a project," Duperval says. "The project has a strict deadline that must be met. It had original requirements that have since been expanded, but no extra resources (people, money, or time) have been allocated. Basic message? 'I don't care about you as an individual; the project comes first. Just do it, no matter what the cost to your health.'"

It isn't only about the wages, work-life balance, or job security. What many IT workers want most from their employers is respect — for both their expertise and for the value they bring to the organization.

"One of the biggest things to cause IT pros to feel undervalued is a lack of appreciation for the skills they're bringing to the table," says Joel Evans, co-founder of Geek.com, a news site. "They're misunderstood in a professional sense. You have some manager who runs Ubuntu on his home PC and thinks he knows all about Linux. He looks at Net admins and thinks 'they just maintain the network' without having any idea what that really entails."

Geeks Are From Mars, Suits are From Venus
The problem runs deeper than a mere lack of appreciation. Geeks and suits don't walk the same walk, talk the same talk, or even eat lunch in the same rooms. They have different motivations and seek different rewards. It can create a simmering discontent that may boil over.

"The problem is not simply that IT people are disgruntled," says Bill Pfleging, co-author of The Geek Gap: Why Business and Technology Professionals Don't Understand Each Other and Why They Need Each Other to Survive. "The problem is that geeks in general are one culture and suits are a different culture. They're like oil and water. They have completely different ideas about what should be going on. The whole situation is loaded with lack of respect and lack of trust on both sides," he says.

Illustration by MM Shanith
Catch-22: Organizations could move from a trust-based approach to a process-based one. But that could impact IT job security, which is often tied in to a geek's intimate knowledge of what makes systems tick.
For example, the business side usually assumes techies are lying to them, says Pfleging. "It's the Captain Kirk school of management. Scotty says it's going to take 48 hours to fix the warp engines, Kirk says you've got two, and somehow Scotty gets it done. But the real world doesn't work that way." Meanwhile, many techies think business people don't understand technology — and have no interest in learning. "It's frustrating for them to have to answer the same question over and over," he adds. "They get very irritated." There's no dearth of consultants urging IT to get more involved in the business — but you'll rarely find anyone urging the business to learn more about IT. "Nobody cares about the technical aspects of a solution or problem, except the geeks," says Duperval. "If geeks want to be taken seriously by management, they need to speak the language of the business." SourceForge community manager Ross Turk believes business professionals are starting to realize they need to meet the geeks halfway. "Most businesses are about technology these days," he says. "Being technologically competent is a differentiator." But while the suits control budgets, salaries, and the overall direction of the company, the geeks hold the keys to the economic engine. Without IT, there is no business. The question is whether unhappy IT pros will use that power toward their own ends. "I don't think techies ever doubted they had the keys to the car," says Pfleging. "Now the suits are starting to realize it. Back in the '90s, I talked to techies who were fully aware of the Y2K problem, but they were content to sit back and wait for it to all go to hell. Watching a suit go down in flames is entertainment for geeks."
Rewards and Recognition
Organizations face a double challenge: how to keep their IT staff from going off the reservation, while gradually regaining control over technology? It's not easy. As the Terry Childs case showed, often a single person holds the keys to the kingdom — and may be unwilling to hand them over to someone they deem less competent.

Organizations need to move from a trust-based approach — where system admins are expected to wield their enormous powers with restraint — to a process-based one, says Jeff Nielsen, product manager for Symark. If IT admins have business reasons to access sensitive data, they can fill out requests stating their business reasons, Nielsen says. "Depending on the organization's approval process, the admins can get the password immediately or wait for approval from a supervisor, then do the work."

Nielsen admits this may be seen by IT as adding unnecessary bureaucracy to an already arduous process. Worse, job security in IT is often tied directly to a geek's intimate knowledge of what makes the systems tick. Once the processes are well documented, the company may decide that position is no longer essential. It's a Catch-22 that's not going away soon.

Another way to keep your geeks from wreaking havoc is to stop treating them like a commodity, says Roy Saunderson, president of the Recognition Management Institute. "Look at how most companies recruit," he says. "They need to understand they're not just hiring a body; they're getting significant expertise and talent for a job that can't be done by just anybody. They need to do a better job of coming up with rewards packages that are unique to the qualifications and expertise they're hiring."

Dialog is also key, says Saunderson. The business side needs to understand IT's needs and communicate how IT contributes to the company's success. "I was talking to one company that surveyed its employees recently and discovered IT was not too happy. The senior leaders said, 'Whoa, we never intended this.' They opened up a dialog with IT, said, 'You're right, we're wrong. Here are some things we'll start doing based on your input.'"

And if management won't listen, techies with in-demand skill sets can vote with their feet and find employers that speak their language, says Geek.com's Joel Evans. Startups and other tech-driven companies tend to understand geeks and value their input more than other vertical industries. "It has to do with recognition more than anything," says Evans. "Sometimes all someone wants to hear is 'Hey Terry, thanks for building us such a great network.' It doesn't even have to be public — geeks just want to know their work is appreciated."

For example, three years ago, worldwide IT services provider Dimension Data realized it needed to recognize and reward its technical people as well as it does other employees, says Denise Messineo, Sr. VP of HR for the company's North American division.
The company issued laptops with Webcams, so more of its outbound consulting force could teleconference into meetings, saving travel time. It offered more flexible work schedules and time off for training. It opened its annual sales conference to all employees and launched a marketing video that shows off the cool technology techies created. Next year, the company plans to launch a technology ‘hall of fame’. "When you think of any kind of recognition program for employees, you need to think first of your technical people, because they truly are the heartbeat of the organization," says Messineo. "If your systems go down, everyone's productivity stops. If you take care of IT first, everything else will fall into place."
Send feedback on this feature to editor@cio.in
EVENT REPORT
Improving Enterprise Collaboration
Some business-conscious CIOs approached the CIO Panel Discussion dais to share their concerns and experiences over unified communications — their insights could help you with your plans.
“With UC, the medium of communication gets less importance over the primacy of the message.” Prodyut Bora, National Convenor-IT Cell, BJP
“Blending channels of communication is a problem, as there's a mismatch between security and organizational needs.” Alok Kumar, Sr. VP–IT, Reliance Infosolutions
Unified communications (UC) is not just about bridging communication gaps in an organization; it is also about tangible business benefits, hard ROI and extensive collaboration. With the benefits that UC offers, the technology has garnered a lot of interest. IT leaders are beginning to understand and adopt the technology to boost their communication systems and to use it to power their bottom-lines.
Rolling Out the Red Carpet for UC
Stating the way in which UC entered the organization and then became a crucial part of the business, Avinash Arora, Director-IS, New Holland Tractors, said, “When our employees spread out to rural areas, we realized there was a need to communicate with them and get timely information on a regular basis. To keep our system updated, it was necessary to extend ERP and workflow applications to our business units. Doing this would have cost us a huge sum of money and the infrastructure requirement would have been really large and complex.”

He continued by saying, “Then we looked for an option to communicate with our people without changing much in our infrastructure. And unifying communication channels occurred to us as one solution. Now the sales person can easily feed in dealer data, get his details via a mobile phone. It has streamlined the whole logistics process in which we do our business. The time taken by logistics of documents which was in days, has now been replaced by minutes. And we did this without building any special infrastructure and my ERP is still up-to-date all the time. This is how we communicate data for timely decision making.”

Prodyut Bora, National Convenor-IT Cell, BJP said, “I look at communication from two angles — the message and the medium. The message needs to be of supreme importance. It was distressing to know that it was always the medium that was coming in the way by stealing most of the limelight. A wall always remained between different mediums of sending the message and this obstructed them from meeting. Now, when the party started automating itself, the first thing we rolled out was e-mail, for the leaders in the party. But as we started rolling this further down the hierarchy, we found that the usage was not very popular as most of these people were in the field. It is then that UC came to light when we were facing a challenge to enable our party members to enjoy the benefits of communication. We made it a point that the medium becomes of less importance than the primacy of message. And this was made possible through UC.”

Karan B. Singh, AVP-IT, BSES, said, “A good trend that’s emerging is that the people now rely on IMs and other options that are provided by UC for sending and receiving messages. The discussion that takes place is good for the business and decision-making. This way more people are getting involved in business issues and collaborating. It improves efficiency as well.”

Natraj Akella, Leader-Collaboration & SaaS businesses for Lotus, IBM
Overcoming the Hurdles
Voicing his concerns on the adoption of technology, Alok Kumar, global head internal IT, TCS, said, “We have got voice, video and data converged into one and we are building applications over our e-mail system. With message and chat options built on your desktop you can find all the employees with the click of a button. Just one click can get you in to a VoIP or in a meeting. Only telepresence is the area that has been isolated so far from UC. So if I have to get in to videoconferencing then I will have to dial a separate number. We need to look for solutions to integrate even these applications.”

He added, “Another issue is that we need to abide to government regulations, like we can’t mix CUG and PSTN, thus we can’t call external numbers from our laptops or desktops. If I am restricted in some manner to do so then that means we are not using the benefits of UC fully and it is partially implemented. Once this is allowed then it would ensure hundred percent usage of the technology.”

Alok Kumar, Sr. VP–IT, Reliance Infosolutions said, “Blending different channels of communication is a problem, because there is a mismatch between security needs and organizational needs. For instance, in refineries communication only through radio phones is allowed for reasons of security. It becomes spoilsport at times. Another reason because of which we have not been able to unify every kind of communication channel is that most of the user population in the organization is not that tech savvy as to adopt all the changes so fast.”

Bora of the BJP said, “We were facing a challenge while extending our communication channels to each member of our highly populated party. The challenge was the lack of technical awareness amongst the members who could not use computers or laptops. Then we started thinking of a BlackBerry replacement but that wouldn't have been feasible. Through an open-source push e-mail tool we can now send and receive an email on commodity handsets in the form of an SMS. This doesn’t even require any technical knowledge.”

Discussing how much risk and reliability UC can offer to the systems running on it, Kumar of TCS said, “To keep our system robust is the part of our networking strategy. We have offices across the globe, so instead of having separate lines for them what we did was to go with MPLS VPN kind of technologies to ensure that there is no single point of failure. The topology was worked out in the beginning itself. The system has been built to be robust and up all the time, if one route fails the other route is available.”

“Even choosing a big bang-approach to UC can help, provided you have prepared your blueprint correctly.” Avinash Arora, Director-IS, New Holland Tractors
“Through the UC platform more people are getting involved in business issues and collaborating. It improves efficiency.” Karan B. Singh, AVP-IT, BSES
“With message and chat options built into your desktop, you can find all the employees with the click of a button.” Alok Kumar, Global Head Internal IT, TCS
Sajan Paul, Leader-Enterprise Core Sales Engineering-Asia, Nortel

Making a Difference
Green IT and unified communications are not merely buzzwords that have created hype in the industry — they have fundamentally changed the way an organization works.

Different organizations take various steps to ensure they save through cutting down expenses in their datacenters. For instance, a software services giant in South India is using energy-efficient networking equipment in its datacenters, and it looks forward to saving Rs 1.3 crore over five years in lower electricity bills. ICICI Bank went forward with virtualizing and consolidating 230 servers down to merely five servers. Now the company’s annual operating expenditure savings on power, space and cooling is about Rs 1.57 crore. When it comes to savings through green IT, the talk usually revolves around cutting operating costs in datacenters. Datacenter operating expenses account for only 2 percent of the total IT expenditure in an organization. So it’s the larger 98 percent part of the expenditure that goes unexplored and needs more attention.

Indeed, there are some CIOs who have looked beyond the datacenters to reduce their operating costs and show some tangible benefits. Some have innovatively contributed to this by saving on paper like they did at Indian Rayon where the number of printers was reduced by a staggering amount and most of the reports were made available online. Bank of India that was facing extended power cuts at its rural branches opted for solar panels to power them. Consilium Software, a company in Bangalore that chose telecommuting as a mode of operating, has seen its infrastructural requirements go down by 48 percent, traveling costs by 31 percent and commuting costs by 80 percent. The interesting thing is that Consilium's people are plugged in via UC, which makes it work for them, thus enabling them to collaborate and work without the boundaries of time and space.

People are really becoming innovative with UC; some are trying to just fix their networks, others want collaboration. CIOs who have UC underway, talk about hard ROI and tangible benefits when it comes to cost savings, improvement in productivity, collaboration between workers, better control over business processes, dispersed workforces becoming mobile, empowering this class of workers and much more. This is the time when the IT leaders should go ahead and show how they can pull a lot more out of their systems by tweaking their
Sticking to Legacy
When asked, how he opts to roll out UC in his system, R. Muralidharan, CIO, Syntel, said, “We have taken this forward in the form of pilots applied on a couple of functions. We do this keeping in mind that we also have our legacy systems. Some technologies in legacy systems are outdated so we take it forward with great caution. For such cases the best approach is to take it forward with pilots.” In this regard, Kumar of Reliance Industries said that they take legacy systems by default; it is one of their USPs. So far they have not faced a problem regarding what to do with their legacy systems. They know that if they want to adopt any technology, it has to be built around their legacy systems as they are indispensable to them.
Neelesh Marathe, Principal Consultant Asia, Nortel
Roadmap to UC
Discussing the modus operandi of introducing UC to his organization, Kumar of TCS said, “When going ahead with implementing some technology, all decision-makers should be involved in analyzing what kind of applications, portals, network infrastructure, solutions and equipment the system requires. While doing all this you also need to think if you want to keep your legacy system, or refresh it based on how much you utilized it in past few years. All these things need to be decided in advance, including security on what is to be allowed and what is to be disallowed.”

Adding to this Arora of New Holland Tractors, said, “In my opinion, now technology has matured enough that going for a big bang-approach could help, provided that you have made your blueprint correctly. In our organization there is no compartmentalization, the communication and computing guys are trained to work hand-in-hand. This makes it easier to go for deploying the technology in the whole system at one go. For this the whole mindset also needs to be changed.”

Muralidharan of Syntel said, “We don’t go for a massive rollout of any technology including UC; a pilot takes place first and for this we carefully select an appropriate group of people. We have employees who are tech savvy and we expect them to experiment with features. This group can help get proper feedback of the system. At the same time you also need to select a group that doesn’t know much about this technology, give them a little training on how to use this and get to know how readily the pilot is being accepted.”

“We opted to roll out UC in the form of pilots, keeping in mind that legacy systems are very important to us.” R. Muralidharan, CIO, Syntel
“It will be a little difficult for small businesses to fully acquire UC solutions on their own as they are too expensive.” T.P. Anantheswaran, Head-IT, Mumbai International Airport
UC for Small Players
When asked if a small company or a startup should go for UC roll out on their own or should seek some help, Kumar of Reliance Industries said, “Small companies should not do this on their own as it won’t give them any cost benefit. For bigger organizations it’s important to have their own systems as it leads to cost benefits and total control over the system. Small organizations can’t afford it. This decision also depends on the competency of the organization. So, if the company is small, but has the competency to handle it on its own then they should go forward with their own UC systems.” In this regard, T.P. Anantheswaran, Head-IT, Mumbai International Airport, said, “I think at this point of time the UC solutions are very expensive. It will be a little difficult for [small companies] to fully acquire such resources on their own.”
Event Report
Project Failure Not an Option
IT leaders at the CIO Roundtable discuss ways to drive better business outcomes by ensuring every project deployment is a success.
“IT needs to understand how business is growing and keep track of all the developments to follow it closely.” Alok Kumar, Global Head Internal IT, TCS
“To achieve IT Business alignment, we focused on the financial aspect of projects, disaster management and ensured back up.” S. Hariharan, Sr. VP-IT, i-flex Solutions
With IT budgets the way they are, organizations just can’t afford to take project failures lightly. CIOs have a large number of operational limitations, so it is not always possible for them to experiment. They have no option but to follow the herd and take the regular track of following the standard management processes. The only way out for them usually is getting project management consultants and software providers on board to avoid the chance of any project failure and spread accountability.
Some innovative CIOs are coming up with key points of delivering the projects that help them ensure the success of a deployment. They are reshaping the way they look at projects. They understand how important it is to include business needs in planning. Talking of the disparity between business and IT, Alok Kumar, global head internal IT, TCS, said, “Often IT fails to understand many business needs properly, and this is made clear from most of the project failures. IT needs to understand how business is growing. Once we do that, we need to arrive at solutions and define ROI. After this, we have to ensure that users buy it. Budget issues are secondary and one needs to look into these things to contribute in a meaningful way.” He added, “Understanding customer requirements is very important. It’s because the expectations and change management are the issues that CIOs have to deal with. Setting up a project management office often helps track the delivery of a project. Risk analysis is also a very important function. Often the biggest concern that CIOs face is cost escalation. In many of these cases, talking to the investment officer helps analyzing risks better, thus reducing the chances of cost escalation.”
Ajay Kumar Dhir, CIO, Jindal Stainless, added, “There is a growing gap between business and IT. We need to break down functional IT and we need to evolve from being a service provider to being a strategic partner.” T.G. Dhandapani, CIO, TVS Motors Company, said, “In order to be successful, we first need to define success and failure. I think IT is separate from business. Why should we call IT a service? There has to be clear ownership from IT, it is only then that the gap between expectations and delivery can be bridged. IT departments should start monitoring projects for a longer time.” Kumar of TCS points out that this is why he feels that pre and post rollout monitoring is also very important.
Kamal Dutta, Director, HP Software
“The question is: should project ownership be with business or with IT? There is no point in blaming business users for the failure; the responsibility also lies with IT. What is important is a component based architecture for projects. It is very important to train management in order to move into an assembly line mode,” V. Sundar, CIO, T.V. Sundram Iyengar & Sons, said. Dhandapani of TVS Motors feels that making documentation a habit is also important. “Every project should be well documented in order to avoid any complexity later,” he observes.
Talking about the basic requirements for an IT project, Sundar of T.V. Sundram Iyengar & Sons said, “We need to identify areas for automation. We have to hunt for IT-enabled projects and see how we can facilitate businesses, because business facilitation is the key responsibility of all operational departments, and that includes the IT and technology departments.” S. Hariharan, Sr. VP-IT, i-flex Solutions, feels that IT business alignment is extremely important. He said, “To achieve this alignment, we made financial programs. Then we got involved in projects and this gave us an understanding of the line of business. Among other efforts, we also took up managing variety in business as a major challenge. We focused on disaster management and ensured back up. All this helped us to streamline our functions at the IT end.”
Security is an important aspect and takes up a large part of a CIO’s responsibility. Satish Das, CSO & Director ERM, Cognizant Technology Solutions, is concerned about the security aspect. “Often, I have felt we do not know how to manage security in such situations and simplification becomes difficult. Business continuity remains a cultural issue. We also have to take into consideration issues like electricity failure, attrition and governance.”
Francis Rajan, Head ICT, Bangalore International Airport, explains how he dealt with the project of building a new airport. “For me the challenge was to build a greenfield airport. We went forward with a gap and risk analysis of the project. I created a common infrastructure and we went for a global tender. I adopted a multi tenant system,” he said. Das of Cognizant felt that CIOs also need to develop a culture where they effectively pass on the experience to their second line. A succession plan will help warn upcoming IT heads of what's coming. Kumar of TCS said, “This is why I stress on knowledge management. We have to figure out key process areas and uniformly execute key processes.”
“We need to have project managers for every project, who should be responsible for carrying the project forward and should possess enough authority to be able to negotiate, precipitate and take decisions,” said Sudhir K. Reddy, CIO, MindTree. “We should be able to make a choice between delivery and institutionalization. We should never underestimate usability and should have guarded flexibility,” Reddy further explained. CIOs also agreed that they should let flexibility go all the way and must make sure that they have a proper exit plan in place.
Ravishankar Subramanian, director - IT and corporate services, ING Vysya Life Insurance Company, said, “The lessons learnt from past project deployments should be documented properly so that it doesn’t require any induction. The need for this is on the rise and that is why companies are investing a lot on knowledge management.” Dhandapani of TVS Motors shared TVS' strategy for information sharing in the form of a case study with details, to be passed on. “We make sure that after the completion of a project the taskforce involved in the process must write the QC story where both success and failure of the project are elaborated. This needs to be updated on the repository for everyone to see. The story is written only after the project reaches a maturity stage and the consequences are clear. This is documented after some amount of research is done.” This often helps to foresee pitfalls and plan projects well.
Ajay Alur, Sales Solution Specialist, HP Software
“There has to be a clear cut ownership from IT departments, it is only then that the gap between expectations and delivery can be bridged.” T.G. Dhandapani, CIO, TVS Motors Company
“Should project ownership be with business or with IT? There is no point in blaming business users for the failure; the responsibility also lies with IT.” V. Sundar, CIO, T.V. Sundram Iyengar & Sons
“We need to break down functional IT and we need to evolve from being a service provider to being a strategic partner.” Ajay Kumar Dhir, CIO, Jindal Stainless

Addressing Business-IT Gap With ITIL V3
A framework for best practices in IT service delivery
As businesses seek to bring down operational costs and explore new revenue opportunities apart from driving competitive advantages, CEOs are looking to CIOs to help them drive a growth agenda, supported by strategic initiatives such as SOA and Web-enabled services. However, businesses are asking IT to fund these projects through additional resources already present in the IT organizations — the budgets are either flat or growing only incrementally. IT leaders or CIOs need to address these needs by balancing demands of business and IT. While business wants more agility, alignment and intelligence, IT wants modern, flexible architecture and consolidation.
There are different IT frameworks, which help a CIO achieve some of these goals in a holistic fashion. Some of them deal with compliance (SOX, BASEL II, HIPAA), guideline (COSO), performance (COBIT) and best practices (ITIL). Of these, ITIL is perhaps the most comprehensive one as it helps to put all practices in action, and with its ability to benchmark the projects against the available best practices. ITIL works in conjunction with other frameworks such as COBIT and COSO to help a CIO manage the entire ecosystem effectively.
By addressing the entire service lifecycle, ITIL v3 breaks down functional IT silos to deliver positive business outcomes by aligning IT applications, strategy and operations. Through better governance, ITIL demonstrates business value of IT by significantly reducing the cost of IT operations. ITIL v3 also reflects the evolution of IT from a mere service provider to a strategic partner. In contrast, ITIL v2 was more focused on operations. ITIL v3 extends the scope of ITIL framework by embracing IT and business service management, strategy and operations.
Business Technology Optimization brings together service strategy, design, operation and transition in a unified fashion. By focusing on business-IT alignment and integration, BTO provides a unified view of consolidated demand through quality management, performance validation and policy-based repeatable apps. HP’s BTO offerings consist of centers across key domains of IT strategy, applications and operations.
So why should enterprises move to ITIL v3 from ITIL v2? The key difference between version 2 of ITIL and version 3 is the inclusion of strategy, design and transition stages to service lifecycle management. This also helps in managing the projects more effectively. Another helpful solution is Project and Portfolio Management (PPM), which reduces risks associated with projects by providing much better visibility to management along with accurate metrics. It also enforces control processes (risk, issues, scope management), which in turn reduces the risk of not delivering projects on-time and on-budget.
BTO leverages ITIL v3 to deliver IT staff productivity, IT staff efficiency and business effectiveness of the IT team. Since BTO solutions are a set of modular tools, a CIO can start anywhere within strategy, applications and operations, and then drive incremental efficiency. Operational efficiency can be achieved by building an overall workflow across the IT organization. What enterprises need today is the single version of truth when it comes to organizational data. CIOs can help their organizations achieve this by leveraging the benefits of ITIL v3, together with BTO.
ITIL V3: It reflects the evolution of IT from a service provider to a strategic partner.
“We need to have project managers for every project who should be responsible for carrying the project forward.” Sudhir K. Reddy, CIO, MindTree
“The lessons learnt from the past project deployments should be documented properly, so that it doesn't require any induction later.” Ravishankar Subramanian, Director - IT and Corporate Services, ING Vysya Life Insurance Company
“While building a greenfield airport, we went forward with both a gap and risk analysis of the project.” Francis Rajan, Head ICT, Bangalore International Airport
“Often I have felt we do not know how to manage security in such situations and simplification becomes difficult.” Satish Das, CSO & Director ERM, Cognizant Technology Solutions
Essential Technology
From Inception to Implementation — I.T. That Matters
REAL CIO WORLD | October 15, 2008 | Vol/3 | Issue/23

Open Source CRM: More Control, Less Cost
By Bill Snyder
IT leaders who can get past the idea that Open-source CRM software is cheap say they like the power and flexibility of owning their code.

Customer Relationship Management | A good CRM package does you no good if employees aren't willing to use it. Case in point: IMA Financial Group, a medium-sized financial services company based in Wichita, Kansas. IMA had installed a commercial customer relationship management system that "was flexible, configurable and attractive on the front end," says business processes manager Jennifer Hallam. But the seeming advantage of a vastly configurable system was irritating her internal customers — and so only 10 to 15 percent of them were using it. "The old system simply had too many bells and whistles," she says. Even bringing in a developer to simplify the interface didn't do the trick, she adds.
After a good deal of internal discussion, the 500-employee company moved users off the old system late last year (IMA has asked not to disclose the vendor's name) and installed ConcourseSuite 5.0, an Open Source CRM solution from Concursive (formerly Centric CRM). An Open Source application in a $80 million (about Rs 320 crore) company? "It was a hurdle to get the management team to accept Open Source; they didn't understand the business model," says Hallam. But accept it they did, and the package has been adopted by 90 percent of the company's users.

The Right Fit for You?
The success of Open Source operating systems and middleware is an old story: Linux and tools such as Apache have long since moved from the fringes to mainstream adoption. But now, Open Source enterprise applications, including CRM, are beginning to show up on IT's radar screen, says Gartner analyst Laurie Wurster. According to a recent Open Source survey by CIO, 45 percent of the 328 IT leaders queried use desktop applications such as OpenOffice.org and 29 percent use open-source enterprise applications. The most popular of those enterprise applications are collaboration tools, CRM tools and ERP applications, according to the survey.
To be sure, this is a nascent trend. Open Source CRM barely registers when industry watchers like Gartner compile market share charts. "We have to look at Open Source CRM the way we looked at Linux five years ago," says Wurster. And like the early adopters of Linux, the pioneers of Open Source enterprise applications aren't yet a representative cross section of business. They tend to be companies that are medium-sized, often engaged in business-to-business commerce, and equipped with good in-house development skills. Enterprise adoption is not unknown; H&R Block, for example, is a SugarCRM customer. But that's something of an exception to the rule, in part because most big businesses already have a sizable commitment to an existing commercial CRM package. Also, transaction-heavy, consumer-oriented businesses and other large enterprises may need more features than those offered by the open source competition.
If your company does fit the profile, there's quite a bit to be gained. Open Source CRM packages (including support and charges for premium editions) cost approximately 20 percent as much as corresponding commercial solutions, says Wurster. Since most of the code is open, the applications tend to be very customizable, run on any platform, and have a good, if not all-encompassing, feature set. Indeed, SugarCRM, the largest player in the category (Concursive is No. 2), has added more mobile features than many of its commercial rivals.
29% of companies who participated in a CIO study say they use open-source enterprise applications. The most popular of these tools is CRM. Source: CIO Research

A Big Trust Question
No CIO minds saving money, but some worry that Open Source software is, well, too cheap. That was part of the problem faced by IMA Financial's Hallam when she tried to get the 'OK' to deploy Concursive. "We view our software vendors as long-term partners. There was concern that they might disappear at some point," Hallam says. Ultimately, though, management was won over by the understanding that even if Concursive should fail, the Open Source code would still be IMA's and the Open Source community would continue to offer a measure of support.
Despite its roots, Open Source has moved well beyond the stage where it represented a cultural revolt against the software establishment. Today, many Open Source companies keep a sharp eye on the bottom line by selling services as well as enhanced versions of their free-for-the-downloading community editions. Still, there's no getting around it. The economics of Open Source are different. "Any CIO who considers Open Source to solve a critical business need will look at its commercial viability," says Ron Bongo, CEO of Corra Technology, a systems integrator specializing in Open Source. That's not always easy since the providers of Open Source CRM are privately held. But even the larger Open Source CRM companies are hungry for paying business, which means that a CIO considering a major deployment has a good deal of leverage.
"SugarCRM had a passion to land us as a customer," says Evans Wroten, CIO of InterAct Public Safety Systems in Winston-Salem, North Carolina. Wroten had led deployment of Salesforce.com and Siebel CRM on other jobs. But having seen the success of Open Source infrastructure projects, Wroten was ready to listen to Sugar's pitch when the new management took the helm at InterAct following the acquisition in 2005. From an IT perspective, the company had been flying by the seat of its pants. InterAct lacked a central repository for customer information. Each sales rep had a separate stash of contact files and a spreadsheet of likely sales. "All of that information was stuck in silos," says Wroten. Disorganized sales contacts are bad enough. But the new managers found that making an accurate financial forecast was very tough. "They (the salespeople) would walk into meetings with estimates on a yellow legal pad," he says.
A few items on Wroten's check list stood out as InterAct picked a new CRM vendor. First, of course, the application had to have the requisite features and had to fit into the existing infrastructure. "Since we had systems in place, we liked Sugar's open platform and its ability to write to other systems," says Wroten. In particular, the CIO needed to integrate the new CRM system with an existing customer support intranet written in ColdFusion. Wroten could do it with SugarCRM, without resorting to expensive systems consultants often needed for commercial CRM deployments. InterAct's execs decided they liked the flexibility and openness of Open Source applications; other companies might not. "Think about the cost of building and maintaining your own features," suggests Sheryl Kingstone, director of enterprise research with the Yankee Group. "You have to understand what you are getting into."

Control Over Code a Plus
Unlike commercial software, Open Source code is just that — open. Users are free to modify and distribute most of it under any of the several commonly used Open Source licenses. In fact, openness and the right to modify the source code is a key advantage for tech-savvy companies willing to take on development tasks. But it could be a burden for small businesses with meager IT resources. Development languages, for example, become a key issue, says Bongo, the systems integrator. "Sugar is written in PHP, and for a lot of Java shops, that would be a non-starter," he says. Concursive, on the other hand, is Java-based, so for some organizations it would be the better choice, Bongo adds.
If you can handle it, though, the flexibility of Open Source CRM is very powerful. At NetroMedia, a provider of streaming media services based in Victoria, British Columbia, the in-house IT staff transformed SplendidCRM's package into "a control panel for our entire business," says Matthew Carson, the Canadian company's founder and CTO. NetroMedia, with nearly 500 customers in 77 countries, had been using Salesforce.com for several years, but had problems integrating new features the company needed. Carson looked at SAP, Microsoft, Accpac and others as well, and found them too closed for his taste. "Control is a big issue. You want to be able to write the (CRM) system around your business model, not the other way around," he says. Carson notes that his experience with SAP was several years ago, and it may have evolved the platform to the point that his earlier concerns no longer apply. However, he remains a SplendidCRM customer and expresses satisfaction with the deployment.
Control, in a slightly different sense, was a key issue for Axel Products, a testing lab in Ann Arbor, Michigan. As the business added customers, it was clearly outgrowing packages like Outlook and ACT, and was looking for a CRM application that would fit a six-person business. As he experimented with different software, company president Kurt Miller made an unsettling discovery. "I couldn't get our data, and that's hundreds of customers, out of ACT." Eventually, he did, but the lesson stuck. Miller settled on SugarCRM largely because it's built on top of MySQL, an Open Source database. "No matter what happens, I control my own data. Sugar could disappear and my data remains in MySQL for me to do what I want," he says.
No one would call either Sugar or Concursive a giant, but both have sizable user bases and are known to the IT analyst community. Concursive has extended its functionality into team collaboration; in fact the shift from its former name of Centric CRM was made to reflect the company's broader scope. Splendid has its partisans, but is admittedly quite small, and appeals to smaller businesses. There are scores more small Open Source CRM providers listed on sourceforge.net.
Is Open Source CRM right for you? There's no one answer. Those apps save money, are flexible, and give you lots of control over your data and infrastructure. If your company has had good experiences with Linux, or an Open Source database like MySQL, you'll be in a stronger position to recommend Open Source CRM to your management team. If you're not ready to take the plunge, a pilot deployment might well answer your questions, without much strain on the budget. Or, give it another few years. Linux grew up; so will Open Source enterprise applications.
Send feedback on this feature to editor@cio.in
Pundit
Giddy Up ROI!
Getting back what you invest in security is becoming an imperative for CIOs. But is it time to take security ROI off its high horse?
By Bruce Schneier

Security | Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one to boot, in order to be viable. It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And, in response, vendors are providing ROI models that demonstrate how their particular security solution provides the best ROI.
It's a good idea in theory, but it's mostly bunk in practice. ‘ROI’ as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.
But as anyone who has lived through a company's vicious end-of-year budget-slashing exercises knows, when you're trying to make your numbers, cutting costs is the same as increasing revenues. So, while security can't produce ROI, loss prevention most certainly affects a company's bottom-line. And a company should implement only security counter-measures that affect its bottom-line positively. It shouldn't spend more on a security problem than the problem is worth. Conversely, it shouldn't ignore problems that are costing it money when there are cheaper mitigation alternatives. A smart company needs to approach security as it would any other business decision: costs versus benefits.
The classic methodology is called annualized loss expectancy (ALE). Calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk. So, for example, if your store has a 10 percent chance of getting robbed and the cost of being robbed is Rs 4 lakh, then you should spend Rs 40,000 a year on security. Spend more than that, and you're wasting money. Spend less than that, and you're also wasting money.
Of course, that Rs 40,000 has to reduce the chance of being robbed to zero in order to be cost-effective. If a security measure cuts the chance of robbery by 40 percent — to 6 percent a year — then you should spend no more than Rs 16,000 on it. If another security measure reduces it by 80 percent, it's worth Rs 32,000. And if two security measures reduce the chance of being robbed by 50 percent and one costs Rs 12,000 and the other Rs 28,000, the first one is worth it and the second isn't.
The key to making this work is good data. If you're doing an ALE analysis of a security camera at a convenience store, you need to know the crime rate in the store's neighborhood and maybe have some idea of how much cameras improve the odds of convincing criminals to rob another store instead. You need to know how much a robbery costs: in merchandise, in time and annoyance and in employee morale. You need to know how much not having cameras costs in terms of employee morale; maybe you're having trouble hiring salespeople to work the night shift. With all that data, you can figure out if the cost of the camera is cheaper than the loss of revenue if you close the store at night — assuming that the closed store won't get robbed as well. And then you can decide whether to install one.
With all the need for data, you can already begin to see why this model doesn’t work. To find out the other reasons read Bruce Schneier in our next issue. To be concluded.
Bruce Schneier is a noted security expert and founder and CTO of BT Counterpane. Send feedback on this column to editor@cio.in
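The annualized loss expectancy arithmetic from the column above, as an added Python example that is not part of the original column: it reproduces the store figures and then computes the robbery probability at which each measure breaks even, which shows how far the buy-or-skip answer depends on the quality of the input data. The function names, the labels "measure A" and "measure B", and the 5 to 15 percent band of probability estimates are assumptions made for illustration.

```python
"""ALE arithmetic from the column, plus a break-even check on the input data.

Added illustration: function names, measure labels and the 5-15 percent
estimate band are assumptions, not figures from the article.
"""
from dataclasses import dataclass
from fractions import Fraction


def pct(value: int) -> Fraction:
    """Exact fraction for a percentage, so rupee results carry no float error."""
    return Fraction(value, 100)


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: int       # Rs per year
    reduction: Fraction    # share of the incident probability it removes


def ale(incident_cost: int, probability: Fraction) -> Fraction:
    """Annualized loss expectancy: cost of one incident x chance per year."""
    if not 0 <= probability <= 1:
        raise ValueError("probability must lie between 0 and 1")
    return incident_cost * probability


def max_justified_spend(incident_cost: int, probability: Fraction,
                        reduction: Fraction) -> Fraction:
    """The most a measure is worth per year: the share of ALE it removes."""
    if not 0 <= reduction <= 1:
        raise ValueError("reduction must lie between 0 and 1")
    return ale(incident_cost, probability) * reduction


def break_even_probability(incident_cost: int, measure: Measure) -> Fraction:
    """Annual incident probability at which the measure exactly pays for itself."""
    removable_loss = incident_cost * measure.reduction
    if removable_loss == 0:
        raise ValueError("a measure that removes no loss never breaks even")
    return Fraction(measure.annual_cost) / removable_loss


def verdicts(incident_cost, estimates, measures):
    """Map each measure name to {probability estimate: worth buying?}."""
    return {
        m.name: {
            p: m.annual_cost <= max_justified_spend(incident_cost, p, m.reduction)
            for p in estimates
        }
        for m in measures
    }


def data_sensitive(incident_cost, estimates, measures):
    """Measures whose verdict changes somewhere inside the estimate band."""
    table = verdicts(incident_cost, estimates, measures)
    return [name for name, row in table.items() if len(set(row.values())) > 1]


# Figures from the column: Rs 4 lakh per robbery, 10 percent chance per year,
# two measures that each halve the chance and cost Rs 12,000 and Rs 28,000.
INCIDENT_COST = 400_000
MEASURES = [
    Measure("measure A", 12_000, pct(50)),
    Measure("measure B", 28_000, pct(50)),
]
# Constructed uncertainty band around the column's 10 percent estimate.
ESTIMATES = [pct(5), pct(10), pct(15)]

if __name__ == "__main__":
    print("ALE at 10%:", ale(INCIDENT_COST, pct(10)))
    for m in MEASURES:
        be = break_even_probability(INCIDENT_COST, m)
        print(f"{m.name}: breaks even at {float(be):.0%} annual probability")
    print("verdict depends on the estimate for:",
          data_sensitive(INCIDENT_COST, ESTIMATES, MEASURES))
```

With the column's 10 percent figure only the Rs 12,000 measure pays for itself; an error of a few percentage points in the crime-rate estimate in either direction changes the verdict for both measures.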