January 15 2008



From The Editor-in-Chief

The Inheritors

Having a formal succession plan is the key to moving ahead as a CIO.

As he lay dying on a summer’s day in 323 B.C., Alexander the Great was asked who his successor would be. The Macedonian emperor is said to have wearily turned to his generals and said that his empire would go to the strongest among them. Within a couple of years, the empire that had been carved out by the world’s first professional army over a dozen years of hard campaigning self-destructed. A series of battles and assassinations later, Alexander’s relatives were dead, his legacy split three ways among the generals who survived. The empire that stretched from Egypt to Greece to Persia to Punjab was no more.

In hindsight, the brilliance in strategy and tactics that made Alexander an undefeated military commander on the field of battle was nowhere on display. Granted, he was only 33 years old — not the age you think of handing over the baton. But having lived a life of uncertainty and violence in equal measure, it was always going to be a question of ‘when’ and not ‘if’. In this, the Macedonian’s vision was perhaps clouded by delusions of immortality.

“The kind of behavior you want to nurture will have to be in sync with where the organization wants to go.”

A CIO I know very well looks at each organization he is associated with as a four-year project. A few months ago, he shared how his department’s organizational structure had evolved over the past few years. I was impressed with his efforts to radically change the way the team was structured, identify those with leadership potential and specifically mentor them to take the organization ahead. He also decided on the kind of behavior to nurture that would be in keeping with the changes to the organization as a whole that the management envisioned. And he built this into a part-formal, part-informal mentoring process. He recently moved over to another assignment. The transition to his team and its leaders was not only seamless but also painless.

I needn’t have asked him what he was up to these days, for he predictably replied: “Well, over the next four years…”

In the end, Alexander’s legacy was wiped out because, despite a bunch of A-grade generals, he had no inheritors, no one who could take the Macedonian empire and build on it. Have you planned out how your second line will take over from you? Are you fostering tomorrow’s CIOs? Write in and let me know.

Vijay Ramachandran Editor-in-Chief vijay_r@cio.in


January 15, 2008 | REAL CIO WORLD


Vol/3 | ISSUE/05



Content | January 15 2008 | Vol/3 | Issue/05

Business Continuity

COVER STORY | RUNNING ON PROXY
Intrex CIO Prakash Pawar always kept his team in the loop. One violent moment in Mumbai revealed its benefits.
Feature by Balaji Narasimhan

Photo caption: Prakash Pawar says that his early training in team-building and delegating responsibility helped when he had an accident. Photo by Srivatsa Shandilya

Executive Expectations

VIEW FROM THE TOP
Ajay Kela, MD & COO, Symphony Services, says that IT can make a difference in an industry that thrives on innovation.
Interview by Kanika Goswami

Applied Insight

THE ARCHITECTED BUSINESS
Before you design a modern IT architecture, you have to understand your business model.
Column by Charlie Feld

IT Complexity

CURES FOR COMPLEXITY
Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate complexity of IT as it enables new business.
Feature by Galen Gruman

Cover: Design by PC Anoop



Content (cont.)

Departments

Trendlines
CIO Role | IT Pros Go Hybrid in 2008
Quick Take | Subramanya C. on Compliance
Voices | Are You Smug About Web 2.0 Security?
Infrastructure | Always On
Data Security | Who’s Vulnerable to ID Theft?
Opinion Poll | Piggyback IT
Mobility | Winning Wirelessly
Information Security | Your Job is a Security Threat
Innovation | Soon, Your World in an iPod
Consumer IT | Issuing Bus Tickets Goes from Clip to Click
Alternate Views | Is Linux to Be or Not to Be?

Essential Technology
Mobile Security | No More Lost Laptop Drama, by Galen Gruman
Pundit | Nightmare on Scope Creep St., by Michael Hugos

From the Editor-in-Chief
The Inheritors, by Vijay Ramachandran

NOW ONLINE For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in


Case File

PULLING IT TOGETHER
Three years ago, ITC looked into the future and didn’t like what it saw. Multiple systems across 10 businesses weren’t giving the organization the business agility it needed. It decided to join the dots. A pretty picture of connectedness and access emerged.
Feature by Kanika Goswami

IT and the Law

LAW & ORDER
Now that e-mail and electronic documents have attained the same evidentiary status as paper, CIOs need to standardize processes for e-discovery.
Feature by Judi Hasson



Management
Publisher & Editor: N. Bringi Dev
CEO: Louis D’Mello

Editorial
Editor-in-Chief: Vijay Ramachandran
Assistant Editor: Gunjan Trivedi
Special Correspondents: Balaji Narasimhan, Kanika Goswami
Senior Copy Editor: Sunil Shah
Copy Editor: Shardha Subramanian

Design & Production
Creative Director: Jayan K Narayanan
Designers: Binesh Sreedharan, Vikas Kapoor, Anil V.K, Jinan K. Vijayan, Sani Mani, Unnikrishnan A.V, Girish A.V, MM Shanith, Anil T, PC Anoop, Jithesh C.C, Suresh Nair, Prasanth T.R, Vinoj K.N, Siju P
Photography: Srivatsa Shandilya
Production: T.K. Karunakaran, T.K. Jayadeep

Marketing and Sales
VP Sales (Print): Naveen Chand Singh
VP Sales (Events): Sudhir Kamath
Brand Manager: Alok Anand
AGM (South): Mahantesh Godi
Marketing: Siddharth Singh
Bangalore: Santosh Malleswara, Ashish Kumar, Chetna Mehta
Delhi: Pranav Saran, Muneet Pal Singh, Gaurav Mehta
Mumbai: Parul Singh, Chetan T. Rai, Rishi Kapoor, Pradeep Nair
Japan: Tomoko Fujikawa
USA: Larry Arthur, Jo Ben-Atar
Singapore: Michael Mullaney

Events
VP: Rupesh Sreedharan
Managers: Ajay Adhikari, Chetan Acharya, Pooja Chhabra

Advisory Board
Abnash Singh, Group CIO, Mphasis
Alaganandan Balaraman, Vice President, Britannia Industries
Alok Kumar, Global Head-Internal IT, Tata Consultancy Services
Anwer Bagdadi, Senior VP & CTO, CFC International India Services
Arun Gupta, Customer Care Associate & CTO, Shopper’s Stop
Arvind Tawde, VP & CIO, Mahindra & Mahindra
Ashish K. Chauhan, President & CIO — IT Applications, Reliance Industries
C.N. Ram, Head–IT, HDFC Bank
Chinar S. Deshpande, CIO, Pantaloon Retail
Dr. Jai Menon, Director (IT & Innovation) & Group CIO, Bharti Tele-Ventures
Manish Choksi, Chief-Corporate Strategy & CIO, Asian Paints
M.D. Agrawal, Dy. GM (IS), Bharat Petroleum Corporation Limited
Rajeev Shirodkar, VP-IT, Raymond
Rajesh Uppal, Chief GM IT & Distribution, Maruti Udyog
Prof. R.T. Krishnan, Jamuna Raghavan Chair Professor of Entrepreneurship, IIM-Bangalore
S. Gopalakrishnan, CEO & Managing Director, Infosys Technologies
Prof. S. Sadagopan, Director, IIIT-Bangalore
S.R. Balasubramnian, Exec. VP (IT & Corp. Development), Godfrey Phillips
Satish Das, CSO, Cognizant Technology Solutions
Sivarama Krishnan, Executive Director, PricewaterhouseCoopers
Dr. Sridhar Mitta, MD & CTO, e4e
S.S. Mathur, GM–IT, Centre for Railway Information Systems
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
V.V.R. Babu, Group CIO, ITC

Advertiser Index
Avaya: 4 & 5
British Telecom: 7
D-link: 24 & 25
Emerson: 19
Fujitsu: 1
HP: 3
IBM: IBC
Lenovo: BC
Microsoft: IFC
Sify: 14 & 15
VSNL: 9

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: N. Bringi Dev. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India


Trendlines

IT Pros Go Hybrid in 2008

CIO Role

The time for talking about bringing business skills into technology jobs is over. Hiring managers in 2008 expect to find IT professionals with as much business acumen as technical know-how. What they're seeking is the IT hybrid — which can be defined as a professional who can combine technical expertise with extensive knowledge of a functional business area, industry watchers say.

"Hybrid jobs require IT professionals to sit down at a business meeting and be able to predict and deliver the technology the business will need to meet its goals and go about implementing it," says David Foote, CEO and chief research officer at Foote Partners. "The premise of IT/business hybrid roles started at the CIO level. In 2008, you will see it as far down as the operations people."

One position Robert Half Technology says will be hot in '08 is the messaging administrator. The position would encompass administering and maintaining systems for e-mail and wireless devices that access e-mail remotely, and it will require knowledge of messaging technologies. Other hybrid roles hiring managers are looking to fill range from SOA integration specialist to IT process manager to converged network engineer.

The trick for IT pros is learning how their technical knowledge serves the business — and learning to convey that to hiring managers.

"We continuously hear from the industry that there are not enough of the 'right-skilled' people for IT positions that have been open for too long," says Neill Hopkins, VP of skills development at CompTIA. "We are seeing more job-role identified skills than technology- or certification-defined positions. People want an IT professional that is not only technically competent but that has business skills on the resume alongside certifications."

—By Denise Dubie

Imaging by Binesh Sreedharan

Quick Take

Subramanya C. on Compliance

Legal

Compliance for security is a major concern for CIOs. Added to this, CIOs also have to manage vertical-specific compliance. Balaji Narasimhan spoke to Subramanya C., VP-technology and CISO, Hinduja TMT, to see how he tackles the issue.

Has compliance added to the complexity of your operations?
I see compliance as a part of my job. So, I don't think that it has added anything extra. In any case, compliance is important for information security. I dedicate about 25 percent of my time for security and compliance.

Should a CIO handle compliance, or should companies hire a Chief Compliance Officer for this purpose?
It all depends on the vertical. For instance, in manufacturing, there are no issues if a CIO handles compliance. But, if you take a BPO like ours, it tends to get a little more complex because a lot of other verticals are involved. In such cases, a dedicated CCO may make more sense.

How does your organization manage compliance? What processes should organizations follow?
Here, compliance is managed jointly. I’m also the CISO and have overall responsibility for compliance. I have one dedicated person in my team who handles security and compliance from the IT perspective. We also have to manage compliance from a process angle. For this, we have quality control people, and they also manage process-related compliance issues.

What is the best way to enforce compliance?
I would not use the word enforce. You need to educate people about the pros and cons of non-compliance and its risks.

Do newer technologies like SOA, Web 2.0 and mashups make compliance easier or more difficult for companies?
These technologies you have mentioned are tools and they will help you to ensure compliance. I'm sure that such technologies will help companies to enable compliance and not hinder it.


Are You Smug About Web 2.0 Security?

Web 2.0

Forrester says you’re probably overconfident about how prepared you are for Web 2.0 security. Their survey showed that 97 percent of enterprises say they’re ready to tackle Web 2.0 security issues, yet 79 percent also reported frequent attacks from malware. Is Web 2.0 security really blindsiding CIOs? Sunil Shah asked three CIOs.

“People are facing problems. That’s what I’ve heard from peers. The research seems right. We don’t use Web 2.0 but I know people are waiting for Web 3.0, which will hopefully resolve these problems.”
Atul Bansal, Head-IT, BLA Industries

“The study is correct. There’s a lot of overconfidence from organizations. People feel that they can meet a challenge when they haven’t even given it thought. Today, Web 2.0 security is a topic of conversation.”
Tridib Bordoloi, Head-IT, Indian Express Newspapers

“It’s hard to generalize. I think Indians are more cautious than that. They don’t just jump into new technologies. They’re practical. Maybe, Web 2.0's adoption rate in India is an indicator.”
S.K. Sharma, Executive Director & CIO, Engineering Projects, India

Lend Your Voice: Write to editor@cio.in

Asleep and Yet Always On

Infrastructure

In most organizations, the relationship between facilities and IT infrastructure is one that needs work. This underlines the importance of how facilities can add value to IT infrastructure. Wi-Fi sensors could be the tendon that connects the two by conserving more power and reducing infrastructure costs.

GainSpan, an offshoot of Intel, has developed a Wi-Fi-enabled sensor, an integrated system on chip that provides intelligent power management for battery-operated devices. The biggest advantage of this application is that it adds years to the life of a sensor battery.

“The device has a temperature sensor and a light sensor. We can add two more — motion and humidity sensor — and it can also be used for two more — carbon dioxide and carbon monoxide,” says Vijay Parmar, President and CEO of GainSpan.

For BMS (building management systems) to add more value to the CIO’s ROI, various systems need to talk to each other. GainSpan is working on partnerships that will be developing the middleware for these translations, to ensure a smooth flow of operations with the Wi-Fi sensor they have developed. To get the device up and running, the company needs an interface of the Wi-Fi system with the scalar system that controls HVAC and security.

The sensor requires no extra connectivity. In fact, connectivity is not even required to be very high end. “One of the benefits is that the sensors are very small, only about eight bytes of data. A month worth of data from all our sensors will probably be less than a normal e-mail,” Parmar says about the connectivity requirements, “so we don’t really affect the bandwidth much, and we can work on very slow connections as well.”

“From an enterprise perspective,” Parmar adds, “the biggest advantage that the sensor offers is energy efficiency.” For the CIOs this is an ideal marriage of facility and IT infrastructure.

“Infrastructure investment is not small and you have to figure how to get more value out of the same investment. Besides, air quality improvement and integrating security into the network is also aided by these sensors,” he says.

The sensor could find great value across verticals. It could be used in hotels, in hospitals, commercial buildings and should be an integral part of building automation, adds Parmar. All it needs is extra overlay services coded on an existing network.

—By Kanika Goswami


Who's Most Vulnerable to ID Theft?

Data Security

As the data breach case against retailer TJX unfolds in court, a study by the Center for Identity Management and Information Protection at Utica College, New York, finds that retailers are most vulnerable to identity theft by employees, and that financial services companies are the most likely businesses to suffer losses from identity theft-related crimes.

Researchers studied data supplied by the US Secret Service in 517 cases it investigated between 2000 and 2006. Although most identity theft cases against companies were perpetrated by outsiders, among 176 cases that were inside jobs, 44 percent targeted retailers. No matter who perpetrated the crime, investigators reported individuals' personal information was stolen most often from a business, rather than through a family member or friend, from the person's home, or online. Ninety percent of the victims who suffered financial losses were financial services companies or individuals, with some overlap between the two categories.

Banks suing TJX alleged that thieves stole 9.4 crore account numbers, more than twice the number TJX originally reported, according to the Boston Globe. Security experts considered the TJX data breach to be the largest ever reported. TJX estimates a settlement with consumers who were victims of the breach would cost around Rs 1,024 crore, though analysts think the final tally may hit Rs 4,000 crore.

Other findings include:

In 45 percent of cases, offenders used stolen IDs to obtain credit. One-third used them to get cash, and 23 percent used them to conceal their own identities.

Perpetrators used the Internet to steal identities in only 20 percent of all cases. However, researchers said they did not have enough data to draw conclusions about whether online theft is becoming more common than earlier in this decade.

The more organized the thieves were, the more victims lost. In 57 percent of cases, a single defendant stole an average of Rs 9 lakh. Victims' losses rose to an average of Rs 17 lakh in the 23 percent of cases in which there were two conspirators. Rings of five identity thieves, accounting for 17 percent of cases, captured more than Rs 33.6 lakh from their victims on average.

Three-fourths of offenders were between the ages of 25 and 49. Slightly over three-fourths were born in the US.

—By Elana Varon

Piggyback IT

Infrastructure is what business rides on. What portion of their budgets will Indian CIOs allocate to infrastructure in 2008?

18% will spend >15% of their budgets
43% will spend 16-30%
17% will spend 31-45%
15% will spend 46-60%
8% will spend <60%

Source: CIO Research

Imaging by Unnikrishnan AV


Winning Wirelessly

Mobility

Wireless is everywhere. You just can't see it. And that's a problem for the retail industry, where wireless equipment in both the back rooms and show rooms is ever present today. But just how secure is it? New research by Retail Systems Research (RSR) partner Steve Rowen depicts the growing dependence on wireless technologies and the monumental risks they pose.

"In the store, wireless devices have made for enhanced consumer experience, better customer service and accurate, cost-effective transmission of transaction and inventory data," Rowen writes in the Safe without Wires: The Value of Securing Wireless Technologies report. "In the supply chain, particularly the distribution center, wireless technologies have proven incredibly valuable, helping convert data transmissions and operational events into highly efficient processes."

But this has come at a cost — one needs to look no further than the massive TJX customer data breach. What's worse, Rowen says, is that those with motive and technological savvy "have identified retailers' lackadaisical treatment of data flow as a viable opportunity. Theft of retailers' customer data is no longer just for 'hacks’, it has become very big business."

Here are his suggestions to tackle the problem:

Elevate the conversation. "The most successful security programs are those which gain the interest of C-level executives — early on," he writes. "This process will slightly vary from one retailer to another, but is commonly bound by a joint presentation of the company's current — and needed — security status to the board of directors."

Speak the right language. "While compliance is the goal which most retailers are currently focusing on, decision-makers and line-of-business personnel do not care about technology. By focusing on business drivers, wireless proponents can speak the language needed to realize the benefits of secure wireless solutions," Rowen notes. "This can be accomplished by addressing benefits in productivity, benefits in customer service, benefits in marketing. The ability to attain a higher level of customer centricity will always be viewed with greater interest."

Set clear objectives in achievable pieces. "Due to the urgency to shore up existing technologies and meet industry mandate deadlines, there is no shortage of quick-fix solutions to the customer data security dilemma," he writes. "However, winning retailers consistently demonstrate a calm and calculated approach, avoiding the fruitless hair-on-fire trap, steadily tackling one attainable goal at a time."

—By Thomas Wailgum

Doing Your Job Could Be a Security Threat

Information Security

An informal survey conducted by RSA from Boston and Washington D.C. reveals that trusted insiders can easily expose sensitive company and client information simply by doing their jobs.

Every day, people come into contact with sensitive or confidential information. Whether they're employees, contractors, suppliers, partners, visitors or consultants, these insiders can unwittingly expose data through carelessness, working around security measures or following inadequate security policies.

RSA says a third (35 percent) of respondents have felt the need to work around their organization's established security policies and procedures — just to get their job done. Sixty-three percent of respondents send work to their personal e-mail addresses to access it from home. Doing so leaves the messages and data vulnerable during transmission, as does storing them on an unsecured machine.

E-mail poses other risks. Consider the documents and e-mails your company sends — would you want that information made public? More than half of those surveyed access their work e-mail accounts via a public wireless hotspot; 52 percent access their work e-mail via a public computer.

Mobile devices are also a concern. According to RSA, 65 percent of respondents frequently or sometimes leave their workplace carrying a mobile device such as a laptop, smartphone or USB flash drive that holds sensitive information related to their jobs, including customer data, credit card numbers, company financials and competitively sensitive information like product plans. Of those surveyed, 8 percent have lost a mobile device that contained corporate or organizational information.

At two-thirds of respondents' companies, wireless connections are available in conference rooms and guest offices; of those, 19 percent reported that access to the corporate network is completely open and no credentials are required.

Common courtesy also plays a role in insider breaches. Convicted social engineer Kevin Mitnick and con man Frank Abagnale often relied on it to (literally) get their foot in the door. The survey revealed that 34 percent of respondents have held a secured door open for someone they didn't recognize; 40 percent were let into the building by someone who didn't know them.

—By Shawna McAlearney

Illustration by MM Shanith


Soon, Your World in an iPod

Innovation

In the foreseeable future, all the world’s content will fit in the palm of your hand, according to Google, which made some fascinating IT predictions at the recent Captains of Industry Conference held in Singapore.

The forecasts came from Sukhinder Singh Cassidy, the vice president of Google’s Asia Pacific and Latin America Operations. She told the audience that, since 1982, the price of data storage has fallen by a factor of 3.6 million. “To put that in context for you, if gas prices fell by the same amount, today a gallon of gas would take you around the earth 2,200 times,” she said.

“More importantly, if this trend continues, and the cost of storage continues to decrease, we estimate that somewhere around 2020, all the world’s content will fit inside an iPod, and all the world’s music would sit in your palm as early as 2015,” Cassidy surmised, “rendering the CD format unnecessary.”

“We estimate that every day somewhere around 65,000 new videos are added to YouTube, 100,000 blogs — it’s just staggering if you look at the rate at which content is being produced,” she said.

Another factor that "makes this a right time for innovation and change is really the ubiquitousness of connectivity," Cassidy pointed out. “Whether it’s through WAP or through SMS text messages, or whether it’s through voice — the ability of people to ubiquitously connect with information at an unparalleled rate, is another key factor driving this point in our evolution.”

—By Ross O. Storey

Issuing Bus Tickets Goes from Clip to Click

Consumer IT

Transport firm Go North East is rolling out the UK's first mobile phone bus ticketing system, using a system developed with IT services business Atos Origin and mobile ticketing company Swiftpass.

Under the new txt2go system, customers of Go North East, which is the largest bus company in the North East of England, will be able to order a ticket by text message. After a passenger sends a text to a specific number, a 'ticket' code is sent to that passenger's phone to show to the driver when they board a bus.

The system purports to enable passengers to buy a ticket while waiting for their bus to arrive, and to avoid the need for cash. Each ticket is locked to the handset it was ordered from so that it cannot be transferred to another phone, and it contains coded information that the company said would reduce forgery.

Charges are taken from customer accounts on the Go North East website. Passengers can use a debit or credit card to load money onto an account before they use the text system.

Go North East said it was also considering installing bar-code scanners on its buses to read barcode versions of the 'ticket texts' and replace verification by drivers. But the company's commercial director, Martin Harris, said the firm first wanted "to find out whether passengers feel comfortable with this method of buying tickets." He said the system "speeds up the time it takes people to board our buses and helps us run a smooth, efficient service."

—By Leo King

Illustration by PC Anoop


Alternate Views

Is Linux to Be or Not to Be?

Windows vs Linux

By Kanika Goswami

Prof. Jhunjhunwala, IIT Chennai

The Linux vs Windows debate is not an Indian one. It comes from outside. Of course, in India, it is considered good to have as much software in the public domain as possible, because it may serve important and noble societal goals. But I do not subscribe to the belief that all software should be out in the open. Many small Indian software product companies should sell their software, first in Indian markets and then in the world market, earning from their products and services.

The Indian issue is affordability. The use of Linux as opposed to Windows is one’s choice. I find Windows very user friendly. I do not have to worry about compatibility each time I come up with new software or each time I upgrade my Windows. The other day, my team spent a whole day trying to install software; I had to go back to the version which we used four years back, to make it work. Such problems are less with Windows. This is because it is better supported software.

Someone in India needs to take up Linux and work on it to make it user friendly — not for techies, but for ordinary people. They will be able to do this, if they could sell their product and make some money to cover their costs (small companies do not earn enough from providing services within India). Unfortunately the Linux license is such that they can make money only on services, not by selling an improved product.

V.K. Ramani, President-IT, Axis Bank (erstwhile UTI Bank)

At Axis Bank we use Linux for phone banking and our credit card applications. These are non-core banking but core business applications and are critical to us. As far as we are concerned, credit cards form a major application. We have had no problems with Linux, so far. It is heavily focused on the server side, not on the application side.

Our core banking application is Finacle, which is a bought application, and that is already working on UNIX platform, so we did not migrate it to Linux. We did not want to move to Linux only because everybody was. However, when we decided to evaluate the operating system for our phone banking and credit card applications, we had an option, we chose Linux.

The user-comfort level is important to us. Yes, technically, a good technical person can work on any system. But we look for sustainability, maintenance, application and supply of qualified people on a continuous basis. In the industry, Linux is being accepted widely because there are a lot of other cost advantages attached to it. Linux is also a good platform on which one can grow. But acceptance has to travel downwards to application developers.

Today, the condition of support is better; IBM now supports a Linux version, too. There are interoperability, application manageability issues. But I feel it can be handled if there is adequate user support and back end reliability. I know that some nationalized banks have totally gone in for Linux. Of course, no other industry has caught on in such a big way. But yes, it is making steady inroads.

Photos by Srivatsa Shandilya


Susan Cramm  

Executive Coach

The Strategy Acid Test

Never approach strategy making as a purely analytical exercise.

Illustration by MM Shanith

If you had to, which would you choose: to be a great strategic thinker or a great strategy maker? The answer follows the same logic as the question, "Would you rather be smart or rich?" Most agree that it's better to be smart than rich since smart people can typically make money, but dumb lasts forever. Likewise, being gifted with a strategic mindset is worthless without the ability to mobilize organizational commitment around the resulting strategy. When CIOs are challenged with developing a strategy, I see time and time again the tendency to approach strategy making as an analytical rather than an emotional process. As a result, there is more focus on ensuring the right content than the right commitment.

To illustrate this point, let's take a look at the typical IT approach to strategy making. Either by calendar or inclination, the CIO decides it is time to develop a strategic plan. She tasks one of her brightest staff members to make it happen within the next three months. The staffer solicits the input of the other IT leaders and defines a scope that is challenging but doable within the prescribed time line. Broad participation is required, of course, so the staffer arranges for the CIO to announce the initiative as one of the organization's top priorities and to attend the launch meeting.

Now, the strategy-making process begins. The plan calls for joint business-IT strategy making to define the business context and the implications to IT-enabled capabilities. Once there is a good understanding of the needs of the business, the process will shift to defining how to meet those needs — from a technology and an organization perspective. It all makes perfect sense until theory meets reality: gaining broad participation within the defined scope and timeline will be impossible — everybody is just too busy. So the staffer makes a critical (and fatal) decision: to shift from strategy facilitator to strategy doer. This way, the strategy will be completed on time to serve as input to the financial planning process.

In the doer mode, the staffer conducts interviews externally and internally and drafts a document that meets the original scope. The CIO presents the strategy, and everybody nods their heads and gets back to business. Unfortunately, a lot of effort was expended but little strategy was made.

The acid test of strategy is whether it informs and constrains decision making by compelling leaders to align their functional goals and day-to-day decision making to the goals of the enterprise. The only way to accomplish this is through communication and collaboration. The process of aligning people's hearts and minds is a difficult one that requires ongoing group discussion and wrangling. No one can ‘do’ strategy for someone else — it's a leader's job and one that is done collectively, not individually.

Let's help our staffer out and rewind our scenario to the point where it was clear that the strategy process was going to fail. What the staffer needs to do is to open a discussion with the CIO and IT leaders about how to complete this iteration of the strategy. Of course, we are talking about reducing scope by identifying the critical one or two issues that need to be addressed (for example, how to provide a 360 degree perspective of the customer across the enterprise).

While we are helping out, let's also advise the CIO that she abdicated her strategy-making responsibilities by delegating them to the staffer. The accountability for strategy making is not a staff role but a leadership one.
Leaders need to pave the way with their business counterparts and leadership team and, in turn, hold them accountable for making strategy with their staff and partners.

Let's also encourage our staffer and make sure she understands that she has an important role in strategy making. Staff resources should be used for defining and managing the process, coaching others through it, and integrating and overseeing the results to ensure focus and quality.

Those who are strategically gifted have a tendency to emphasize the quality of the idea over the quality of the commitment. Never approach strategy making as a purely analytical exercise or trade off gaining emotional commitment in the quest to ‘get it right’ or ‘get it done’. Strategy is never done. In the process of shaping and informing future decision making, it also must change to account for the new learning that occurs as those decisions are translated into action.


Reader Q&A

Q: How can we create a strategic thinking organization in which everyone understands the strategic position (the all-out pursuit of cost leadership or differentiation) and how to contribute towards it?

A: Those at the top must lead by example by demonstrating strategic thinking skills and creating opportunities for others to get involved and learn through experience. Relevant skills include visioning, creating new opportunities by reframing challenges or ideas, and translating concepts so they can be heard by others. A collaborative, ongoing strategy making and objectives setting/monitoring process, one that starts at the top and cascades down, can go a long way in creating an organization where everyone understands the strategy position and how they can support it.

Q: My CIO asked me to take on strategic planning with our business unit managers but they do not take me seriously in this role. Several have declined my planning meetings. How can I talk to my CIO about laying the groundwork with his peers so that I am able to move this process forward?

A: Assuming you are in a staff role, it sounds like your CIO is trying to get you to do the work that he and the rest of his line IT leaders should be doing. Instead of focusing externally to the business partners, focus internally and facilitate agreement with the CIO and other IT leaders regarding how strategy should be made and their involvement in the process. Part of this process will call for business partners to make strategy with the IT leaders they already know and trust, due to past, productive working relationships. It's impossible for anybody, including the CIO, to confer this credibility to you. Be cautioned that if your IT organization has trouble delivering tactically, business partners will be reluctant to participate in strategy making. If this is the case, drop the word, ‘strategy’, and get the CIO and IT leaders engaged to define the issues and get busy building credibility by addressing business partner concerns.

Susan Cramm is founder and president of Valuedance, an executive coaching firm in San Clemente, California. Send feedback on this column to editor@cio.in



Charlie Feld

Applied Insight

The Architected Business

Before you design a modern IT architecture, you have to understand your business model.

Most major organizations claim to have a service-oriented architecture (SOA) plan. Not to have one would be old-fashioned. However, successful implementation of end-to-end data and business processes integration requires not only a technology architecture but also a parallel business architecture. You simply can't have a modern business model without modern processes, software and infrastructure that are tightly integrated. But in most enterprises, this integration between IT architecture and the business model remains poorly articulated. I call this the CEO/CIO dialogue gap.

This gap exists to some extent because of the relative ‘newness’ of IT as a discipline. Professions like finance and manufacturing have matured over hundreds of years, with principles, structures and a body of knowledge that are well understood by business leaders. However, IT has been part of the commercial landscape for only four decades. During the last 10 years, some CEOs and CIOs have been able to close the dialogue gap. However, in today's flatter — even upside down — world, competition is much harder and business moves much faster. In such exhilarating and dangerous times, strong leadership really matters. There's no longer any room for miscommunication between business and IT.

Critical Alignment

The struggle for business/IT alignment is decades old. But today, the stakes are much higher because technology is becoming fully integrated into every facet of customer, supplier and employee interactions. The challenge for CIOs is multifaceted. First, they must grasp the competitive business context of their enterprise and understand the durable processes that drive the business versus organization structures that are perishable. Then they must be able to build a realistic multiyear modernization plan for the enterprise and establish process, data and investment governance structures with the executive team. Finally, CIOs must be able to articulate the value of the above to their business constituents continuously and with passion. This is a tall order, but it's critical for the success of a modern enterprise.

In the past, we could get away with short-term commitments and much less discipline because we were funding and executing projects that were contained within a business function and limited to a specific technology. But today, most business processes require real-time integration of data and applications. If the business and IT integration model and investment strategy are not well-understood, aligned and managed over time, you could end up with poor business results, dissatisfied customers and out-of-control IT expenses.

For example, building customer-driven self-service processes with Web-enabled applications that use real-time data requires a rock-solid and secure infrastructure. This type of ‘always on’ business model built on SOA has become core to industries like airlines and banks. It has an upside: because there are fewer people between the customer and the service they require, service delivery costs are lower and the customer experience is more inviting. However, the downside is if your systems go down, service collapses and there are not as many people to run interference on customers' behalf. In addition, dissatisfied customers can switch between companies more easily because their relationships are not personal. One ATM or website is the same as any other unless you can attain intimacy through the electronic portal.

Similarly, a fully integrated global supply chain makes your company more efficient with lower fixed costs. But if it ever goes down, your product flow stops within hours because you've eliminated inventory at every level. There is both value and risk when technology is woven into the business fabric.

In addition, the always-on infrastructure is costly. The expense comes from its intensity — the volume of transactions it has to support and the number of devices such as kiosks, PDAs and pervasive edge devices like RFID tags connected to it. The value of these investments needs to derive from reducing labor, improving customer service, gaining market share, or dramatically improving supply chain and operations productivity. In other words, your IT investments must be aligned with the economics of your business.


The Business-IT Architecture

There are time-honored principles for aligning IT with your company's economic model, starting with an understanding of the business architecture. This business architecture includes:

Industry context, consisting of changes to the competitive landscape
Business context, consisting of the company's approach to revenue growth, margin expansion, cash flow and quality
The business model, which is how the company is organized and governed to deliver value
Business processes, or how operations work end-to-end to deliver results

The IT architecture must be well-aligned with the business architecture and designed to deliver consistent quality over time. To do so, you must have an application and data architecture that is mapped to durable business processes and technology that is appropriate to the scale at which the company operates. In addition, the IT organization must reflect how the business is organized, and a governance process must be defined to manage investment decisions and trade-offs.

A good example of alignment between the business architecture and IT comes from my experience as CIO at Burlington Northern Santa Fe Railway in the mid 1990s. Our lessons there — managing in a rapidly changing competitive environment — remain true. The business leadership realized after deregulation of the railroad industry that its competitors were not the other railroads, but rather the trucking companies. Railroads historically moved coal and grain — commodities that were not schedule-dependent. Whether we delivered on a Monday or a Thursday didn't matter that much. Anything that was schedule-sensitive went to the truckers. The competitive insight we had was that if you could run a high-velocity, reliably scheduled railroad, you could take back market share. That vision drove our subsequent investments in processes, organization and technology. In other words, the notion of building a 21st-century railroad led us to harmonize the business and IT architecture and our governance processes.

The keys to winning with IT today are no different than they were 40 years ago. You need to get alignment right, design the business and its enabling technology with an end-state in mind and deliver new capabilities in an evolutionary way. However, the speed of business has accelerated and the stakes are enormous. SOA-type implementations have increased exponentially the complexity and risk of IT. There are no silver bullets, but there are great lessons and technological innovations. These are exciting times for our young profession.

Charlie Feld is the former CIO of Delta Airlines, Burlington Northern Santa Fe Railway and Frito-Lay. He is currently the senior executive vice president of applications services with EDS. Send feedback on this column to editor@cio.in



Prakash Pawar says that his early training in team building and delegating responsibility helped when he had an accident.



Cover Story | Business Continuity

By Balaji Narasimhan

Running on Proxy

What happens when a CIO has an accident? How do his team and the organization cope with the sudden loss? Can a stand-in drive IT strategy?

Photos by Srivatsa Shandilya; imaging by PC Anoop

On November 18, 2003 at 10 PM, Prakash Pawar, founder and CTO of Intrex India, had an accident. On that night, as he went out to pick up a few things from a nearby store, Pawar was stalked by a huge, unchained German Shepherd, which was being taken for a walk. As Pawar faced the dog, he was only 50 feet away from the safety of his building’s elevator. “While I decided whether I should make a run for the lift or wait for the dog’s owner to see me and do something, the German Shepherd was already charging,” recalls Pawar. He wanted to keep an eye on the dog without provoking it, so he tried walking backwards. It was a decision that still affects his life. As he retreated, he fell and smashed the back of his head on a concrete floor. “I was out cold, and stayed pretty much like that for 24 hours,” he says.

Reader ROI:

How to plan for succession
Why keeping deputies up to speed helps
Why people matter more than processes



Pawar was taken to a hospital the same night. After the fall, he remembers being conscious for about 10 minutes and being taken home. As he narrated the incident to his wife and mother, he fell unconscious. His neighbor, whose dog was responsible for the accident, had him immediately admitted to the Holy Spirit hospital. At the hospital, doctors found some external swelling. However, closer examination revealed that Pawar had suffered from internal injuries and bleeding. Doctors said that, as with most head injuries, it was very difficult to predict whether he would live. The fact that the hospital was only three kilometers away and that he was treated within a half-hour of the accident worked in his favor.

Your Succession Toolbox

Get help capturing employee skill sets and experience.

A report by Aberdeen Research notes that 62 percent of companies operate their succession planning in a paper-based, spreadsheet format. Take for example when the CIO of Juniper Networks, Alan Boehme, had a car crash: the organization worked largely on that model. Boehme says he hopes to implement an HR solution from Oracle’s PeopleSoft that will help capture more employee data. Other companies might consider similar systems when forming a comprehensive plan, but Kevin Martin, an Aberdeen analyst, notes that there are very few vendors dedicated solely to developing software for succession planning. However, here’s a list of ERP and Human Capital Management (HCM) software that he says could help:

ERP Solutions
Oracle (PeopleSoft)
Infor

Human Capital Management Solutions
SilkRoad Technology
Softscape
SuccessFactors
Meta4
Sapien

—C.G. Lynch


The Impact

The next morning, news of the accident reached the Intrex office. While Pawar lay in an intensive care unit, his colleagues started their Tuesday morning coming to terms with his absence. The impact of losing the head of IT — even temporarily — should not be underestimated by any company. But this was especially true for Intrex, which was going through a period of discovery and growth. In 2003, Intrex was three years old and was in the midst of launching its flagship product: the Itz Cash Card. At that stage, the diminished power of its senior executive circle hurt. “We had much bigger issues to tackle on a day-to-day basis. We had started the process of launching the project just three months before my accident.”

The project was trying to introduce multi-purpose cash cards of various denominations (Rs 100, Rs 250, Rs 500) to consumers. The cards could be used to purchase goods and services from affiliated merchants. Consumers could buy the card online and have it mailed to them. Because the card could be used to shop online, to pay for bills and online games, the project was IT-intensive. On the other end, merchants could affiliate themselves to the card online. Back then, the concept was relatively new — all of these reasons made Pawar indispensable.

At the time of the accident, although they had a pilot ready, the company faced continuous teething problems. The issue was compounded by the fact that, with the exception of sales, marketing and finance, Pawar handled everything else at Intrex. “Prakash has been with the (Itz Cash) project since its inception,” says Shekher Shrivastava, VP-marketing, Intrex. “At start-up, a project is riddled with all kinds of challenges. Conceptualizing the business model and translating it into technology was relatively an easier task for him being an IT professional. The bedrock of Itz Cash’s success has been its successful IT implementation.”

The Aftershock

The fact that the Itz Cash Card was partially an IT product hadn’t escaped Pawar and he made sure that he was prepared when the worst happened. Work at Intrex didn’t suffer as much as expected because of a simple reason: Pawar’s immediate tier of direct reports — five people — were always marked on all important communications, and therefore, were always in the loop. This was fortunate for Pawar, who was facing six months of a very sensitive situation.

Pawar was discharged from the hospital 15 days after the accident, but was advised bed rest for a full month. “The medicines continued for the next three years,” he says, “and five to ten percent of the problems associated with that terrible day still persist.” He says, for instance, that he still cannot enjoy most of the rides at Essel World (an amusement park in Mumbai). While he missed work for just a few weeks, health problems persisted and for the first three months, he only spent an hour or two at the office, and half-a-day for the next three months. “Before the accident, my team and I worked around 12 to 16 hours a day to make this dream a reality. I was so passionate about this project that, 15 days after the accident, in spite of the doctor's advice for complete bed rest, I used to come to the office for one hour every day during the first month. When the doctor advised me to work for one hour every day, I started working for half a day, and so on,” he says.

But, in spite of Pawar’s commitment, he could not work full time for six months. His lifelong belief in team spirit carried him through. “From the initial days of my career, I have always believed in team building and in delegating responsibility. This really helped and worked fantastically,” he says. Pawar also thanks his team members for helping him make a successful comeback. “I was very jittery during this time and all my team members tolerated me,” he says, and goes on to add that his departmental colleagues proved their mettle by holding the fort in his absence. In a philosophical vein, he says that the accident he suffered also proved that the whole team — and not just the captain — matters.

“Most people are not aware of what transpires after they leave an organization. I, however, got to see the impact of my absence first-hand.”
— Prakash Pawar, Founder & CTO, Intrex India

Who's Watching Your Back

But what about clout? As a C-level executive and founder, Pawar carried a lot of credibility — something that is hard to pass on. Pawar says this wasn’t an issue. He adds that it has to do with the way he positioned himself in his team. Elaborating, he says, “My role in most cases is very strategic. I am more of a coach than a leading player. I am only hands-on in emergencies or when I want to demonstrate to someone that I can do something with my own hands.” Most of the time, he says, his deputies manage projects under his guidance. While he handles HOD-level emotional issues in person, his people manage projects themselves. This style of functioning was present both before and after the accident. “Even today, I don't carry my laptop home and avoid using a PDA to download e-mails. This ensures that day-to-day issues are addressed down the line by my staff,” he points out.

While this definitely puts more pressure on Pawar’s staff, he feels that it is necessary. “Ours is a mission critical system, and hence needs to work 24 x 7 x 365. Because of this, people need to take responsibility and live up to the expectations of business when a problem arises,” he says. So, in his organization, escalations are more the exception than the norm. “For us, every problem that is escalated to my level is an opportunity to close loopholes.”

The proof that Pawar’s system works? His immediate reports say that the going was smooth in his absence. “Though the circumstances were unexpected, we didn’t have a panic situation. Interaction with our director and other top-level management increased, but other than that and busier workdays, things were close to normal. Support from senior management during this time was great,” says Craig Lewis, senior manager–IT. Ashish Ladhani, manager–IT, who also reports to Pawar, says, “It was a sudden and unexpected situation. However, as far as work was concerned, there were no serious issues. Only in cases where documents needed to be signed were there slight delays, since Pawar was not always physically present in the office.”

More proof of the success of this approach can be found in the fact that no one had to take on an exceptional burden while Pawar was away. Pawar says that his whole team rose to the occasion and work did not suffer. Systems and procedures were already in place, and his people knew who would handle what when he was absent. These procedures had already been tested in the past whenever he was on a long tour or on a vacation. And things didn’t change radically even after Pawar came back. “A designated number two as well as a number three, namely Lewis and Ladhani, were always in place, even before the accident. All important mails are always marked to both of them,” says Pawar.

Creating That Second Line

These deputies had been mentored by Pawar, whose style revolves around discussing his own mistakes with them, and then telling them what to avoid. He says that he also concentrates on bridging any gaps.



At one level, the efficacy of the systems and processes at Intrex is borne out by the fact that Pawar’s opinions on succession planning haven’t changed even after the accident. Elaborating, he says, “My belief in succession planning has only been strengthened. One can never be sure of the future. Generally, you are not aware of what transpires after you leave an organization. However, I got to see first-hand the impact of my absence. To ensure that the organization does not suffer, succession planning should always be followed.”

Pawar, who also used to head HR for a former company, has also learnt more about this aspect after the accident. “We are a small company and turnover of good people has always been a great concern to us,” he points out. But he says that his company addresses this issue positively. This means that they try their best to ensure that good people don’t leave. “But, in the eventuality of someone leaving, the HOD and the HR department need to have a plan ready with multiple options. This is also part of succession planning,” he says.

Pawar’s experience has also helped him to see both sides of the succession planning coin. “In management terms, succession planning is meant to safeguard the company's interest if a person is not available for a job,” he avers. But he also understands why succession planning is critical for the growth of a person as an individual because, he says, unless a current job can also be effectively handled by someone else within a company, a person can't be promoted.

Key Succession Planning Tips

Expert advice on how to leave your business in a position to move forward when the predictably unpredictable occurs.

1. Extend succession plans as far down the chain as possible. When a disruption occurs, “it cascades through the entire organization,” says Kevin Martin, an analyst with Aberdeen Group. “You should be prepared at every level, two to three people deep.”

2. Encourage people to step in for others during vacations. This builds expertise. “It’s like trying to tell if someone can ride a bicycle when you’ve never seen them ride,” says William J. Rothwell, a consultant who deals with HR management and succession planning. “An excellent way to find out is to let them ride the bicycle for short distances.”

3. Assess employee skill sets. This could prevent you from having to go into the market and overpay for talent you might already have in-house. “There are so many skills in demand,” says Sam Bright, an analyst at Forrester Research. “If you have to go outside, you’re going to pay a premium. You need to know what you have in-house.”

—C.G. Lynch

Keeping the Continuum

Pawar can stand by his plans because they have worked well — on more fronts than one. Talking about the Itz project, he says: “What started as a project has now been rolled out into an independent company, which received funding worth Rs 40 crore from Matrix Partners and Intel Capital. At the last Microsoft Innovation Summit held in Bangalore, Itz Cash was projected as one of India's most innovative products.”

Having gone through what he has, Pawar has some advice for other CIOs who might have to go through something similar. “Take your doctors’ advice for bed rest more seriously compared to what I did in the interest of office work. Do not risk your own life and put your family in trouble in the long run,” he says.

Should succession planning be limited only to CXOs and others in top management? Pawar feels that this is unwise. “In real life, a car can stop working due to engine failure, tire puncture, or even a problem with a single nut or bolt. The same applies to an office environment. Hence, succession planning is important at all levels,” he says. As a solution, he thinks that, in some cases, business continuity can be achieved by going the outsourcing route, having a database of employable people, going the contract labor route, or using group resources.

But not all the things that Pawar has learnt have been positive. Candidly, he admits that things would have been different if the incident had not occurred. “I do not have the same guts and energy now,” he says truthfully. “I might have succumbed to the injury.” But one thing that helped him to pull together professionally was the strong bond with his company. On an emotional note, he says, “My company and I are never two entities. When that happens, I will be somewhere else.” He adds, “After working for companies such as Bennett Coleman, Jet Airways and CMS Computers, I wanted to do something big with my own hands, end-to-end. I got that opportunity with Itz Cash and the Essel group.”

“‘Do your best and prepare for the worst’ is my motto as an individual,” he concludes.

Special correspondent Balaji Narasimhan can be reached at balaji_n@cio.in



Case File

Pulling It Together

Three years ago, ITC looked into the future and didn’t like what it saw. Multiple systems across 10 businesses weren’t giving the organization the business agility it needed. It decided to join the dots. A pretty picture of connectedness and access emerged.

Reader ROI:

How IT can benefit business processes
The importance of a single operating system in reducing bottlenecks
How a centralized infrastructure helps in providing real time access to all business units


By Kanika Goswami

Imaging by Anil T

As businesses expand, so do communication and information availability needs. Business 101. But, when a company makes Rs 19,840 crore a year, nothing is simple. So it was at ITC, one of the world’s ‘Best Big Companies’ according to Forbes. Although the company is known primarily for its tobacco and FMCG interests, it is a conglomerate of 10 different businesses. These businesses include units that produce paper, branded apparel, greeting cards, incense and software, among other things. It’s a big, diversified company. It also operated in silos. And its rapid growth was working against it because its multiple computing infrastructure kept expanding to keep pace with growth. Someone needed to shoe this horse. That challenge fell to V.V.R. Babu, group head-IT. His job was to unify all applications and processes across locations to ensure that everyone and everything under the ITC banner were located on one single platform.

10 Businesses with One Spear

Project Trident, Babu’s needle that would thread all these businesses together, is a comprehensive IT architecture and management plan that was conceived in 2005 to accomplish just that. The project is expected to take care of the current and future information and computing requirements of ITC’s businesses. It is already making available all the information and application processes among over 550 ITC offices.

ITC has over 20,000 employees, excluding 6,000 e-Choupals located across eight Indian states. This size of operation created problems for the IT team at ITC. No shipments could be made if the ERP was down. Anywhere. Initially, a WAN was set up to connect all business locations, including servers, desktops and laptops. The whole MIS infrastructure was geared to ensure that hardware and software support was provided to all users. Even though best-fit ERPs were implemented, humans duplicating computing efforts drained resources and made the entire IT infrastructure inefficient.

The project started by identifying business processes that would benefit the most from the new project. “This initiative was designed and implemented keeping in mind the competitive advantage it would provide to the most vital sections of the business — manufacturing, sales and customer support,” says Babu. With inputs from different teams at ITC, in addition to the IT team, the project was finally ready in April 2005.


The new implementation consisted of a VPN that connects over 550 locations (including rural and remote sites) through telecom links using leased lines, ISDN lines, VSATs, RF links, etcetera. This VPN uses MPLS to ensure greater business continuity and reduced operational costs. Two state-of-the-art data centers in Bangalore and Kolkata were set up to handle enterprise mail messaging for 8,000 users. These data centers house six separate ERP systems and web-based applications. Enterprise-class HP servers and EMC storage are used for a three-site data recovery mechanism. This ensures 99.95 percent uptime and near nil data loss in a disaster. A centralized IT infrastructure management system administers the entire IT infrastructure that comprises application hosting and support, IT security, mail messaging, database administration, automated backup and archival, etcetera. ITC had earlier outsourced its NOC but after Project Trident, this has been brought back in-house. In addition, an enterprise management system (EMS) for centralized server and network management, software distribution and patch management has been implemented. The system uses a comprehensive IT security setup with three layers — gateway, network and desktop — that ensures complete integrity of the infrastructure. This security system offers a comprehensive cover, complete with firewalls, intrusion detection system, and anti-virus software. Babu is happy with the system, given that security was one of the top priorities in the implementation of Project Trident. The project also offers an IT service delivery platform on an SLA basis. ITIL/ITSM frameworks were implemented to ensure standardized best practices in infrastructure management as well as services delivery.

Photo caption: V.V.R. Babu, group head-IT, ITC says that Project Trident provides for vital sections of the business: manufacturing, sales and customer support.


Implemented in the fourth quarter of 2006, the project cost ITC Rs 100 crore upfront and Rs 20 crore annually. But Project Trident enabled the timely rollout of enterprise-wide applications, while not compromising on the integrity of the networking processes. All of ITC’s managers, decision-makers and team leaders have access to any application, at any point in time, wherever it is located. The primary goal of the implementation is to give real time access to all business units, leading to a definitive competitive advantage in terms of information and processes availability. “Our primary goal in this project was to secure comparative advantage in the marketplace for ITC’s businesses,” says Babu. It’s a goal that seems to have been met. “Project Trident has helped reliable realtime video interactions with all our field operations for quicker decisions and instant cross-fertilization of experiences across the country,” says S. Sivakumar, chief executive, ITC Agri Business. The infrastructure, in his opinion, is “ensuring superior performance of our enterprise and Internet applications that link four million farmers through the e-Choupal network in a secure environment.”

Project Trident has also added value to ITC’s food business. “We have a plan to grow at 60 percent every year. This means adding more and more demand-servicing entities (manufacturing locations, warehouses) to our rapidly growing supply chain. We already have 70 such locations spread across the country. Because of Project Trident we are in a position to plug-and-play or IT-enable any new location within a matter of one to two weeks. With connectivity, backed by data security, we can use SAP to create stock visibility across the entire supply chain. This is vital for us,” says Ravi Naware, chief executive, ITC Foods.

Bumps on the Road

Implementing an architecture that integrated multiple applications by multiple vendors was the biggest challenge faced by the IT team at ITC. “The second challenge was coordinating between various teams who were involved in this large implementation and adhering to deadlines to ensure that the project did not get delayed,” says Babu. To do that a two-member project management office was set up to coordinate the various activities of the project and avoid delays.

In the implementation of Project Trident, there were a number of non-IT teams involved. While the IT team predominantly worked on the architecture and identifying technologies, the commercial and financial teams stood by to create RFPs and seal deals. An engineering team helped with the construction and modification of infrastructure to accommodate the new systems, as well as all other utilities for data center facilities. In addition, external vendors were brought in to finalize technologies. More vendors were part of the training process. Vendors like HP helped in the initial conceptualization and training of the ITIL / ITSM framework to ensure best practices in processes for infrastructure management and delivery of services.

The last leg of the implementation is a comprehensive helpdesk service that will seamlessly cover all ITC’s businesses. Here again, CA and HP provided EMS toolsets that will help in monitoring, managing and resolving issues related to the IT infrastructure.

In the next stage, Babu and his team plan to implement a BPMS (business process management systems) at a Six Sigma level. This will improve operational efficiencies of the IT-shared services team. In addition, an active directory service, desktop standardization and single sign-on, which will be usable across all ten business units of the company, are also being set up. These initiatives, though not a part of the original Project Trident, will nevertheless add value to the project utility for the IT services.

Kanika Goswami is special correspondent. Send feedback on this feature to kanika_g@cio.in

SNAPSHOT: ITC
Employees: 20,000
Project cost: Rs 100 crore
e-Choupals: 6,000
Offices: +550
Headquarters: Kolkata

Infographic: Data Will Find a Way
Diagram labels: SAP Server at Kolkata; SAP DR Site at Bangalore; MPLS VPN, Telecom Service Provider 1; MPLS VPN, Telecom Service Provider 2; User at remote location.
If the SAP server in Kolkata goes down, data is sent to the SAP DR site in Bangalore.
If service provider 1 is affected, data is routed via another provider to reach the server in Kolkata.
If both the SAP server in Kolkata and the primary telecom provider are down, data can still reach the SAP DR site in Bangalore.



Firing Up Innovation

By Kanika Goswami

The ashes of the dotcom bust became fertile ground for a new segment of technology companies: software development enterprises that provide tools and software for international giants. Symphony Software Services was one such opportunity. Set up in 2002, today, it delivers more than a thousand products to customers worldwide. Ajay Kela, the MD and COO of India operations, says that the technological innovations his engineers bring to the table are pivotal to the existence of many of his clients. At Symphony, IT breathes life into the innovation process and is instrumental in keeping innovators on the cutting-edge. As the industry moves into newer, more profitable areas, Kela believes that innovation must run deep and wide — both in and outside of IT.

View from the Top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.

How does Symphony use IT and where is it heading as a company?

Ajay Kela: After the dotcom bust, huge amounts of fibre deployments and software that couldn’t be paid for, drove India’s BPO industry. Today, we believe that software development will go the way of manufacturing. A few decades ago, manufacturing was dominated by companies in the US and Europe. Then, components started going offshore and today, an IBM laptop is just an assemblage of components from different parts of the world. The same thing is happening to software development. Most companies that get funding in the Valley do not have the resources to do their own engineering.

They are major outsourcers. Twenty-five, out of a 100, of our clients are early-stage companies for which we form the engineering base. We are responsible for their entire product development — right from the whiteboard stage all the way to shipping. In five to 10 years, all engineering will be completely outsourced. It’s a very high-end market and India is moving up in it. Symphony operates in this high-end technology market. We do IT services for internal applications, and for BPOs — we are their revenue generating component. In our industry, IT is very crucial due mainly to three things. The first is IP protection. We own client IP, or at least have a very broad access to it. IT helps secure that access to keep compliance and anxiety levels in control. Collaboration is another, because our work is so dynamic that our teams need to collaborate all the time with teams at another end. I’m not only talking about project managers — we have 500 people for one of our clients sitting here and they all have to interact with the client. There’s a huge need for collaboration. The third thing is visibility. Because our clients send their revenue-generating activities to us here, an enormous nervousness builds up. These companies cannot afford a mess up here, so we have to create visibility for their CEOs. Given the amount of concern our clients have, we have to provide complete transparency. Since they cannot keep coming here, IT helps. We have to rely heavily on technology.

Photo caption: Ajay Kela, MD & COO, Symphony Services, says that IT can make a difference in an organization that promises to create value through innovation, collaboration and operational excellence.

Ajay Kela expects I.T. to:
Drive innovation
Help smoothen the collaborative process
Protect IP and reduce the anxiety levels of his clients

What sort of compliance issues do you face and how do you deal with them?

There are massive compliance issues, all tied to access to IT. Most are IP-related. To protect that IP we have ISO27000 certification that enables us to get the best global best practices to be implemented in the organization. It provides mass information access to our client — access to very sensitive information, the framework has a security provision, so it’s not violated.

You are entering into an agreement with Optimal Engineering. How will this benefit Symphony?

Our business is in three areas, first is independent software vendors (ISVs), like Autodesk or Oracle. Then there is a second segment around e-commerce companies where software is mission critical. The third market we entered into recently is embedded software. Today, hardware devices are all being commoditized and software is the differentiator. Optimal had a very strong practice in the embedded space. In their segment they have a lot of expertise; it will be a strong relationship.

“All software companies thrive and survive on the next bright new idea. We can succeed only if engineers innovate. The CIO is key here.” — Ajay Kela

Symphony promises to create value via innovation, collaboration and operational excellence. How does IT help?

Innovation is the bread and butter of our clients. The innovation our employees create keeps the companies of our customers in business. If our people fail to innovate, the companies our clients run will collapse. Innovative thinking needs exposure and this is where IT helps. Collaboration is also extremely core to our business. Our teams seldom work in isolation; our work is a continuously interactive process. Since our staff has to interact with other teams — and each other — collaboration is a key component to ensure quality deliveries. E-mail is okay, chat is better, but face-to-face is the best. Although we have exchange programs, face-to-face is not a scalable model. So we turned to IT to create a face-to-face from the desktop. Where operational excellence is concerned — no company can bring its products to the market if they are not actively using IT to optimize costs. Today, we have been very successful as a service provider. But it is hard to do software development from two buildings apart, let alone being separated by thousands of miles. You can only get that kind of expertise through knowledge management systems and best practices. Today, we produce like a factory. On an average, a software company ships one product release a year. Microsoft, for example, has one new release every four years — we had 1,000 releases this year. We have so many clients, many of whom are early-stage companies that cannot wait and e-commerce clients who update their websites on a weekly basis that we need to be much faster and more voluminous in our production. From an organizational perspective, I can safely say that we are far better than many others. Our organizational excellence is helping us break new business ground. We have an increasing amount of business from captives, who are asking us to handle their operations. Today, we have about 1,000 people who have given up their captives to us.

In an industry dogged by attrition, how do you tackle staffing and other HR challenges?

In our industry there is mostly low-end work doing internal applications. Once you’ve implemented a SAP or an Oracle application for one client, doing just that can become monotonous. Senior people tend to get bored and begin to question the value they bring. Club this with the late hours people keep at BPOs, irate customers, and you have attrition rates in the range of 60 percent to 70 percent.


However, we are very fortunate that we work on some of the world’s best products. If you are a software person, working on technology that is the crème-de-la-crème is encouraging. Today, we build the world’s best CAD product with Autodesk, we are partners with leading ERP providers like Oracle. The top two e-commerce companies are our clients, so our employees are working on world-class products and an enormous amount of satisfaction is derived from those brand names. And from the perspective of our employees, the freedom to innovate helps. Since they have to think of new ideas, they are not replicating their work every day. That’s a key driver in our quest to keep talent here. And because we need to stay competitive, we identify our top performers to do cutting-edge work for our clients — about 25 percent of our people. Plus, we create a classy environment that replicates the environment of our US counterparts. We have five-star work environments including desk area that is far higher than the industry average. We also need to have a lot more freedom. We have an open culture and have monthly beer bashes followed by dancing where even I participate. All this to create an environment where employees are free to create and innovate.

How do you use IT to tackle the HR needs of your employees?

We need to eliminate irritants at work, and the best way to do that is to provide all the necessary tools on an employee’s desktop. We have completely automated HR functions. The more these activities are automated, the more mind space our people will have to think. We also pushed hard for work-from-home because of time differences. Of course, our clients had issues with their IP being accessible from people’s homes. So, we provided network access control protocols that limit their exposure.

What steps is Symphony taking to strengthen its disaster recovery and business continuity capabilities?

Within a city we have multiple sites, so if disaster strikes, we can rapidly replicate and move on. Most IP is stored in servers worldwide. So that doesn’t suffer. But if something happens to an entire city, we have presences in Bangalore, Pune, and Mumbai and we can switch over rapidly — including shipping out our employees. We are moving into a multi-country set up so that, if say, there’s a nuclear war in India, business can go on.

At the employee level, critical staffers have succession planning — this extends to the individual level, the building level, the city level and the country level. Data is actually replicated.

Does Symphony use Open Source for development? Are your clients using it?

We use Open Source for many developments and at many levels. I think Open Source is being embraced today, and certainly by early-stage companies and across the board, operating systems will be Linux, middleware application servers on JBoss, and so on. Many early-stage companies don’t want to invest in commercial software. We provide full support for this aspiration and we have a center of excellence around Open Source. Whenever our clients need to find out if Open Source or Linux can work for them, they use our expertise.

What role does your CIO play, given the company's focus on innovation?

Our operations can succeed only if engineers can freely innovate and the CIO is key where this is concerned. All software companies thrive and survive on the next bright new idea. For that to happen, for our engineers to innovate, they need to have access to clients as well as users. They need to get under the skin of the client. We need technology to provide that access. Examples of this include video-on-demand, chat interactions, work-from-home, knowledge management tools. We have a program built around IT called Symphony Orchestra. We have knowledge access management on a portals and we created portal on it for our clients. This is where we store documents, provide an environment for light discussions and a search engine to look through various portals. That’s also how we capture best practices.

We are also working around virtual management; this includes many-to-many chats and IPTV. Again our clients treat our employees no different from their own, so they have online meetings where they talk about their product roadmaps. We also have broadcasted meetings.

The CIO is crucial to all these development activities, and as our business expands and technology moves on, he or she will play an increasingly important role in our business processes.

Kanika Goswami is special correspondent. Send feedback on this interview to kanika_g@cio.in

SNAPSHOT: Symphony
Revenue: Rs 400 crore*
Employees: 3,000+
Products released in 2006: 644
Year-on-Year Growth: 48%
CTO: Dr Jerry Smith
*2006


IT and the Law

Law & Order

Now that e-mail and electronic documents have attained the same evidentiary status as paper, CIOs need to standardize processes for e-discovery.

By Judi Hasson

Reader ROI:
The importance of creating a retention and deletion policy
Technologies that can support e-discovery processes
Why IT and legal must be joined at the hip

No one wants to be sued, that's for sure. But in today's litigious world, it is rare that any company can escape a lawsuit in its business life. It is becoming the CIO's job to make sure, when the time comes, that IT is ready for the onslaught of directives to turn over all electronic documents in a legal case. And that's where the headaches start for any IT department that does not have a good e-mail retention and retrieval system.

The need for better electronic record keeping evolved nearly a year ago, when the federal government overhauled its rules of civil procedure and made electronic documents an official part of the discovery process during a lawsuit. (It is only a matter of time before Indian courts take a similar view.) The rules for what is called 'e-discovery' that took effect December 1, 2006, make the production of electronic documents as important as turning over hard copies of material in any legal case. Companies typically have 30 days to answer any e-discovery request (though the court may grant extensions) and face thousands of dollars in fines — not to mention risk forfeiting the case — if they fail to respond promptly.

In this new world that marries the legal system with technology, the CIO is adding company archivist to his job description. IT departments must work with the legal department to come up with a plan that saves necessary e-mails and makes them easily retrievable. Yet there are few rules for setting up an electronic records management system, training employees to catalog their e-mail and creating a standard procedure so employees consistently follow the procedures to turn over electronic documents quickly. And so, many CIOs are still scrambling to organize their corporate e-mail and keep track of these records in a comprehensive way.

The key to compliance with e-discovery rules, say legal experts and IT leaders who have already tackled the problem, is to establish enterprisewide document management and retention practices for e-mail and other types of digital documents, then deploy the appropriate software to support them. "You can achieve a lot of protection, reduce your risk and reduce the cost of discovery by adopting reasonable, repeatable and scalable processes and tools," says John Rosenthal, a partner and co-chair of the e-discovery committee at Howrey, a Washington, D.C., law firm. Here are ways to get ready for the inevitable:

Pull quote: If your office has a personal e-mail policy, ensure employees know about it. It's okay to talk about your dog. But a disparaging remark about another company may haunt you.

Five Rules of E-Compliance

1. Build a Team

"The problem with e-discovery is that the first time it hits your radar screen is when the general counsel calls and tells you what the court wants," says Paul Zazzera, a consultant and former CIO at Time. To mitigate such surprises, IT and legal should work to develop processes, policies and tools for saving e-mail that everyone in the company follows. "A CIO and the legal department should be fused at the hip," Zazzera says. And don't leave business leaders out of the discussion. "Too many CIOs think of litigation as something that belongs to the legal department," says Leslie Wharton, who heads the e-discovery team at the Arnold and Porter law firm. "Litigation is something that belongs to the company, and whether the company is a plaintiff or defendant, the company [as a whole] must be able to meet document preservation and production obligations." Such preparation makes you 'discovery ready', according to Mark Reichenbach, the former director of discovery and regulatory response with Merrill Lynch (now vice president, client and industry development with vendor MetaLincs), rather than needing to react to litigation or regulatory investigations when they come up. Some companies have even begun to appoint cross-functional e-discovery teams to address the issue, adds Zazzera, run either by IT or the general counsel's office.

2. Meet the E-Shredder

Not everything needs to be, or should be, retained. For example, if the statute of limitations has passed in a tax case or environmental issue, delete the associated records. Many companies keep data from legacy systems that are obsolete, so there's no business reason — and unlikely any legal reason — to have them around, observes Julie Brickell, associate general counsel at Altria Corporate Services, which handles tobacco litigation for affiliate Philip Morris USA. Defining what you should preserve is murky, however, and depends on what kind of business you're in. Most important, says Zazzera, is to have a consistent policy for what is permissible to delete — and what is not. Have the same rules for e-mail as for other electronic documents. "You really have to think through a policy about everything," Zazzera says. "What records you're keeping and how you are keeping them." Most companies will say that all electronic and paper documents generated by company employees on company property can become part of the e-discovery record. But there are gray areas. For example, if a person sends a personal e-mail using a company computer, should that be turned over in e-discovery? And if a person sends e-mail from his own computer about company business, can it be protected?

3. Know Where the E-mails Are

Have a map showing the location of every e-mail you keep, and how to retrieve it. Make sure the IT department and business units know where to find the material. Howrey centralized all its e-mail servers in one data center in Ashburn, Virginia, including e-mail from its office in Taiwan, according to CIO Brian Conlon. Data from its offices in Europe is consolidated in London. By storing all e-mail in just a few places, it's easier to comply quickly with discovery orders. The law firm also plans to apply technology to help it catalog paper files. In the next year, Conlon plans to deploy radio frequency identification (RFID) to find paper documents, which could make it much easier to search for hard copies of documents. In addition, make e-discovery compliance part of your due diligence if you are thinking about buying a company. Look at the e-mail storage plan of any potential acquisition to make sure you will be able to produce all electronic data without a glitch if there is a lawsuit down the line.

4. Train Your People

Make sure everyone in the company knows what materials to keep and what to discard. "It is reasonable for a corporation to rely on employees to save documents that might be in litigation," says Howrey's Rosenthal. If you have a personal e-mail policy in your office, make sure employees know what kind of messages should never be sent from an office computer. It may be OK to talk about your dog or what's for dinner. But a disparaging remark about a person or another company may come back to haunt you. All e-mail, both personal and corporate, creates a potential litigation risk, says Patrick Oot, Verizon's director of electronic discovery. "Employees should realize the lack of privacy in e-mail. If executives imagine their e-mails blown up on a highway billboard, that's exactly how it looks at trial," Oot says. He offers a general rule: "Never put anything in an e-mail you wouldn't want your mother to read."

5. Technology is Your Friend

Get used to the idea that supporting e-discovery is a necessary expense. You'll pay a premium if you wait until a lawsuit hits before you prepare to comply. There are e-discovery tools designed to meet the needs of any company, from startups to large multinationals. How much you spend has a lot to do with how much litigation you usually face. You also have a choice whether to outsource instead of deploying the technology yourself. But a basic system includes search and retrieval software as well as archiving capabilities, says Zazzera. None of this is glamorous or fun. But it is necessary.

Send feedback on this feature to editor@cio.in

Sidebar: Your E-Discovery Tool Kit

A burgeoning supply of e-discovery products and services gives CIOs a wide range of options. John Rosenthal, a partner and co-chair of the e-discovery committee at Howrey, a Washington D.C. law firm, says it may cost between Rs 4 crore and Rs 10 crore for a company to prepare for e-discovery, depending on the tools it needs. Paul Zazzera, a consultant and former CIO at Time Inc., says a large company with 10,000 employees for ‘entry level’ e-discovery tools and training that include basic e-mail retention and retrieval capabilities. “When you reach beyond e-mail, the number can quickly grow beyond Rs 4 crore,” he adds. A small firm might spend its money more wisely implementing better document management processes instead of technology. Because small companies (they hope) don’t face as many lawsuits as larger companies, e-discovery experts say it's more important for smaller enterprises to ensure that they save records in a consistent and reliable way. The bottom line, according to e-discovery experts, is that waiting until the last minute to deploy technology – when the e-discovery order comes – can be more costly than planning ahead. “We are all feeling our way,” says Zazzera. “Discovery is expensive.”

Here are a few tools.
Attenex provides tools for law firms to standardize e-discovery procedures.
Zantaz, a subsidiary of Autonomy, supports discovery and review processes without requiring a reviewer to code or tag documents.
Digital Mountain provides tools for collecting, processing and analyzing electronic data for law firms.
EnCase is a suite of products by Guidance Software to search and retrieve electronic data. It can find data across a network from a centralized location.
First Advantage provides litigation support services including e-discovery and data recovery services.
Stratify products include the Stratify Legal Discovery Service, which provides a search tool that can handle 300 documents an hour.

The cost of these tools varies depending on size and sophistication of the system. Rosenthal says it may cost Rs 4 crore to Rs 10 crore for a company to prepare for e-discovery, depending on the tools it needs.

—J.H.



IT Complexity

Cures for Complexity

By Galen Gruman

It’s called Moore’s Flaw, the flip side of the famous axiom that has driven the furious pace of IT innovation for several decades. Moore’s Law (in one of its many formulations) states that computing capability increases 1 percent per week. Moore’s Flaw posits that keeping up with this flood tide of innovation quickly becomes too difficult (and too costly) for anyone to manage. “IT complexity acts as a significant tax on IT value,” says Bob Zukis, a partner at PricewaterhouseCoopers. It’s those organizations that “have managed complexity out of their environments that are reaping the value from their IT spends.” Even more important, businesses that successfully address complexity can be more agile because their systems don’t get in the way of business process change. “When you reduce complexity, you increase your ability to implement new solutions,” says André Mendes, CIO of the Special Olympics. “Complexity leads to brittleness and high costs,” notes Frank Modruson, CIO of Accenture. “But if you get your technology cleaner, you can serve the business more easily.”

Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business.

Reader ROI:
What contributes to IT complexity
Why driving simplicity is complicated
How consumer technology should be managed


Today, CIOs stand in the path of a fire hose spewing complexity. And many are getting soaked.

The Complexity Add

Within IT, factors that add complexity include outsourcing, adopting Web and consumer tech, support for mobile workforces, developing and managing technology architectures and governance for those workforces, and ensuring security in a distributed environment. Outside of IT’s direct control, complexity is increased by the requirements of compliance, the need to support global business, and the speed and depth of access to information demanded by your customers and your partners. CIOs can — with difficulty — handle these challenges individually, one at a time. But in the real world CIOs face many, if not all, of these challenges, all at once, over and over. “That’s why you need a strategy to keep complexity out of the environment,” Modruson says. The challenge of complexity is exacerbated by the fact that many organizations have technology systems that have been built up over time or acquired or complicated by waves of vendor consolidation. For these companies, moving forward requires an almost archaeological effort to unearth, understand and work with all these layers of technology. This digging causes the delays that frustrate business executives and CIOs alike whenever change or progress is needed, says Mark McDonald, group VP for Gartner executive programs.

Special Olympics CIO Andre Mendes: "When you reduce complexity, you increase your ability to implement new solutions."

Worse, basic changes in business are making complexity challenges harder than ever. “I don’t see an end to complexity. Technology continues to change, and business demand for services continues to grow,” says Wal-Mart CIO Rollin Ford.

Some CIOs have figured out ways to escape the complexity trap. They reduce complexity where possible; they live with what remains; they still invest in new technologies that can lead to business success.

But there’s no silver bullet. You can’t buy simplicity. And you can’t hand off the problem to a service provider. The truth is that you need a strategy that reduces complexity, and you need the tactical ability to implement that strategy up and down your organization. Although there’s no single formula that will work for everyone, IT leaders and consultants have identified four broad principles for reducing complexity: first, make process central to your IT organization’s approach to technology. Second, you need superior governance of both the technology infrastructure and the business-IT relationship. Third, everything you do must have simplicity as the default expectation. Fourth, your efforts must be ongoing. Complexity is not something you get rid of. It’s a battle you wage every day.

First Cure: Process-Driven Architecture

Key to managing complexity is an architectural approach, says Patty Morrison, CIO of Motorola, and it should be mapped to business needs. “You very, very much need to have an end-state architecture in place — a description of where you’re headed,” she says. That architecture cannot simply be for the IT infrastructure — the network, the data flow to and from the ERP systems, the security checkpoints, the application monitors, and so on. IT-oriented architectures tend not to take into account the flexibility needed to support changing business processes. Rather, Morrison says, the CIO’s architecture has to be driven first by key business processes.

Imagine what a failure a plane’s design would be if its creators didn’t take into account that different customers may have different uses for the planes — some desiring multiple classes, some looking for different cargo-passenger ratios and some serving long-haul destinations. Ignoring these would result in a plane that flew but couldn’t adapt to its customers’ needs. In the same way, a business with a technology architecture that isn’t created in service of current and anticipated business needs will be limited in what it can do. Change will require expensive retrofitting of technology to handle what the architecture hasn’t anticipated.

At Motorola, Morrison ensures that her architecture accommodates and anticipates business goals by using business process management (BPM) principles and an enterprise reference architecture to define a common language for business and IT. The enterprise reference architecture is a broad set of blueprints that shows the business, operations and systems layers. This approach also ensures that business-IT conversations don’t devolve into throwing requirements over the wall, an approach that usually adds complexity in two ways. One is that IT fulfills the business’s requirements outside the overall architecture, often leading to multiple ways of doing the same thing. These processes must be reconciled, which requires custom interfaces for other systems that no one realized would be affected. The other complexity comes from IT’s interpretation of those over-the-wall requirements. It usually misses something, leading to multiple rounds of rework that make the system more complex. By contrast, the architecture-based approach at Motorola “creates a rich, interactive, high-quality conversation around real solutions, not abstracted requirements,” says Morrison.



But, she acknowledges, it’s not easy to achieve this state. It requires that business units think beyond their immediate needs and work with other units toward a common approach. “The hardest thing for IT to do is to get business units to agree on a common way to do something,” says Morrison. That takes maturity in working across silos. Without it, business units end up clamoring for their own unique variants of, say, customer information. And that adds complexity.

With the architectural groundwork established, Motorola uses modeling tools first to design the desired business processes and then to simulate and test various technological approaches to delivering them. For example, Motorola used this approach to reduce part qualification cycle time — a process of evaluating which suppliers’ parts meet the quality, cost and other requirements for planned Motorola products — from 28 weeks to seven weeks in 2006 while improving visibility and controls over the process.

Having an enterprise reference architecture doesn’t mean an organization has an immutable plan. Because both business and technologies change, you can’t always have a multi-year plan for a specific result, says Mack Murrell, VP of IS at Dow Chemical. For example, you shouldn’t develop a service technician scheduling system that depends on a specific wireless network, or is limited to servicing only the kinds of products you currently offer. Instead, “you want a set of options within your target,” he says. For example, you would ensure the application is network-agnostic and supports both always-on connections and intermittent connections. You would not hard-code product specifications but would instead rely on a metadata approach that supports a range of possible product characteristics, and could support a variety of data types (say, video and PDF) even if they’re not needed today. That requires an architecture that anticipates and enables change.
To do this, Dow deconstructs its enterprise architecture into discrete subsets (such as purchasing, plant maintenance and pricing) and layers (such as business system, technical and products). Dow uses structured enterprise architecture methods and service-oriented architecture approaches to manage the subsets and the changing relationships among them within the overall architecture. Dow has a group of IT and business staff whose job is to track these subsets and make sure they conform to the overall architecture — or adapt the architecture if that’s what’s needed.

Second Cure: Good Governance

Ironically, as Accenture CIO Modruson notes, “Complex things tend to be easier to design and deploy.” Many enterprises justify Rube Goldberg-type systems by saying they need them now and promising themselves that they’ll clean up the technology later. But “later never happens,” Modruson says dolefully. Strong central governance can help. “Organizations that have effective IT governance by and large have lower levels of IT complexity,” notes Gartner’s McDonald. That’s why CIOs and their business partners must have strong governance “about what really impacts our customer, with business a key part of that decision structure,” says Michael Vincent, CIO of global financial services provider ING.


Consumer Tech: The New Complexity Add

As if things weren’t complicated enough… The nutty pace of technology change is old news, but now a whole new stream of change is aimed at the CIO: the consumer technologies that increasingly are being used by both employees and customers. “In a few years, 100 percent of people in the most attractive demographic — 18- to 35-year-olds — will be digital natives, and their expectations are being set in that environment,” says Mark McDonald, group VP for executive programs at Gartner. That means MySpace, Facebook, iPods, iPhones, Google Maps, instant messaging, blogs. And the list goes on.

The problem with consumer tech is that it’s rarely designed with enterprise systems in mind, so to fit it into the enterprise architecture adds complexity. An iPhone, for example, doesn’t have disk encryption, creating a security hole. “For consumer-oriented technologies, one of the biggest issues is data security since these technologies are so easily lost or stolen,” says John Petrey, CIO of TD Banknorth. “There’s added complexity to support the various technologies used to connect and sync with corporate systems.”

The key to embracing consumer tech in the enterprise is to change the terms of engagement, McDonald says. After all, what the CIO wants is a consistent set of processes and technologies to manage; whether they come in the form of an iPhone, BlackBerry or Treo shouldn’t matter. McDonald cites the wireless LAN market as a historic example. Once there was a reliable standard (802.11b), enterprises could manage the technology, and wireless devices became commonplace. McDonald admits that consumer tech vendors, as they jockey for lock-in advantage, don’t really adhere to such standards — and their customers couldn’t care less. But he sees a tipping point emerging where such standards will be developed either by vendors seeking to broaden their sales or by decisions CIOs make that push the vendors to respond in kind.

CIOs need to assume that many consumer technologies will become mainstream in the enterprise, just as the Web has. “I like to think of it as an opportunity to reduce, not add, complexity,” says Motorola CIO Patty Morrison. “Enterprises that leverage consumer technologies allow their people to better manage the convergence of personal and professional demands. These are the enterprises that will win.

“It really changes the existing paradigms of end-user services within the enterprise,” she says — challenges such as integration and security notwithstanding.

— G.G.



Having that fundamental business understanding — and a common view of it in both business and technology leaderships — provides the CIO with the ability to make decisions that prevent unnecessary complexity and also enables him to more accurately assess the costs and benefits of any desired technology. It enables him, Vincent says, to figure in the impact of complexity not just on deployment but also on maintenance and integration, which consumes about 70 percent of IT’s budget. It also allows him to gauge how a technology will affect future changes to both the business and the IT infrastructure. “This customer focus helps show which requests are too complex for the value provided,” says Vincent.

Of course, CIOs are always under pressure to respond quickly to business’s urgent priorities, and an IT leader will inevitably need to make some complexity trade-offs for truly critical demands. But you can’t let that pressure subvert the principles of good governance. “If we find ourselves living in a ‘get it done’ mode for extended periods, the red flag goes up,” says Wal-Mart’s Ford. By having a seat at the executive committee table, Ford can make sure the red flag is not ignored.

This joint IT-business approach to decision making should also extend to decisions on what technology products and services are purchased — even for technologies that the CIO is not directly responsible for managing, says John Petrey, CIO of financial services provider TD Banknorth. “In some cases, a business unit might go out and contract for services such as Salesforce.com. That starts out as a silo with no messaging or integration with existing apps. But later, that messaging or integration becomes desirable and then the complexity factor for IT rises,” Petrey says. What seemed like an isolated technology ends up needing to connect to core systems, requiring retrofit work.
The CIO’s involvement in these outside-of-IT decisions can help ensure conformity to standards and architectures, says Petrey, reducing current or future complexity issues. “You want to look for the best fit to business needs and minimum complexity through the governance process,” he says.

When evaluating the complexity implications of any business or IT effort, CIOs will need to accept, in some cases, more complexity than is ideal because of the business benefit, says Vincent. For example, ING is buying various transaction systems in its fast-growing Asian operations to handle a surge in demand. And although ING is re-architecting some of its global systems for more common processes and technology, the Asia business can’t grow if it has to mark time while that effort is completed. Vincent knows he’ll need to rework the Asia operations eventually, but that will cost ING less than the revenues it might miss by waiting. Understanding this trade-off up front ensures that the price of the complexity-add is apparent early on, preparing the ground for later investments that will be needed to clean things up.

Third Cure: Default to Simplicity

“It’s harder to do simple, but it’s better to do simple,” says Accenture’s Modruson, because the more difficult task of simplifying the design up front results in easier implementation down the road.

Motorola CIO Patty Morrison: "You need to have an end-state architecture in place — a description of where you're headed."

In 2005, Morrison says, she had 60 customer data models. That made application and business process integration extremely difficult. Then the business requested an accounts receivable project, and Morrison used it as a driver to simplify those 60 data models. “We established a global common customer master data model; we didn’t make it optional. All projects now use it as a blueprint,” she says. “The result is we now work on one customer master. It’s just a massive reduction in work and overhead, and an improvement in agility.” It’s easy to end up with unnecessary complexity due to technological and business-process diversity, notes Fifth Third Bancorp CIO Raymond Dury. “Each additional technology wasn’t a tipping point; it was just one more thing. But at some point you realize you’ve reached a tipping point where simplifying is a benefit.” “Mature companies need disciplined teams and change controls to minimize the risk [of increasing complexity]. That’s why they’ve failed in the past; they don’t look at the lifecycle,” says Wal-Mart’s Ford. But driving to simplicity can be tricky. It’s hard to get resources to revamp older systems or to pay for the initial architectural efforts. And the work can take years. “It can’t take too long; otherwise people will seek exceptions. So you need to get resources fast,” Morrison warns. Some of those resources need to come from your internal savings, some in the form of business investments. Internal savings typically come from two areas: efficiencies and vendor management. 
CIOs can achieve efficiencies — and reduce IT complexity along with costs — through a variety of tactics, including disciplined data management, employing change-control techniques to their application development and integration efforts, using Six Sigma techniques for post-deployment defect management, increasing automation, deploying cost-savings technologies such as virtualization, outsourcing some technologies, “ruthlessly” standardizing (using Accenture’s Modruson’s adverb), consolidating duplicate technologies and retiring older systems. “When you do things rationally, you can actually cut the budget,” says Special Olympics’ Mendes, as he discovered when, as CIO of PBS a few years ago, he cut the interconnection asked from the federal government from Rs 708 crore to Rs 480 crore while, he says, introducing new technology that substantially improved services.



The key area to focus on internally is your data architecture, says Morrison. “If you focus on master data — customer, pricing, bills of materials and so on — and get those very defined, the number of applications you have will become less of a complexity problem,” she says. That’s because much of the integration effort across apps involves managing all the point-to-point data transformations when apps interact. Having a consistent data architecture eliminates this effort by allowing one to use repeatable processes at the integration layer. That results in immediate and long-term savings that can help the CIO make other efficiency and simplification investments.

Two approaches to achieving savings and simplification — technology consolidation and retirement — can be tricky, notes Peter Ruggerello, VP of applications development of pharmaceutical distributor AmerisourceBergen, because there are often undocumented dependencies between what you want to keep and what you want to get rid of. That’s no reason to shy away from getting rid of technologies that are no longer needed, but it does require mapping dependencies — and keeping the map updated — so you can remove the older technologies more efficiently when the time comes, Ruggerello suggests.

Accenture spent plenty of effort when it replaced 450 financial applications with a single SAP ERP instance, and migrated 277 of its 280 business apps to a single platform. More recently, it undertook the same consolidation effort with its recruiting systems, replacing 46 with one. “Today, we have just one of anything,” Modruson says. “Even though it was hard to get there, what we have today is a lot better,” says Modruson. The cost of IT as a percentage of net revenue has been cut in half, he notes, with a 'significant' portion coming from reduced complexity.

Paradoxically, achieving savings through consolidation isn’t achieved merely by consolidating. “You can take 30 inefficient data centers and create three inefficient data centers from them,” warns ING’s Vincent. “What takes the most time [to do it right] is figuring out what your target is. Only with that in place can you optimize the operations,” he says. The easily appreciated benefits of consolidation include reducing license costs (by reducing the number of licenses you need) and personnel (by having fewer data center managers). But these savings are finite. Once you achieve them, you’re done. You can accomplish more by, for example, moving to different types of servers or adopting new approaches such as virtualization. But these require thinking first about what the future needs of your organization are likely to be and how changes to your processes might anticipate them, or at least not get in the way, Vincent says.

Savings through vendor management typically come as a result of consolidation, Fifth Third’s Dury notes. The basic equation, he says, is simple: “If you’ll share these efficiencies with us, you’ll get more of our business.” Savings — and simplifications — can also come from educating your vendors about your architecture, says ING’s Vincent, “so they don’t bring incompatible products to the table.” Another way to use your vendors to reduce complexity is to challenge each one to identify two existing products that you can eliminate by buying their one, says Gartner’s McDonald.

Such internal improvements cannot be undertaken just for IT’s sake. The real goal remains serving business’s changing needs by having a responsive, flexible technology base.

Fourth Cure: Continuous Improvement Required

It can be tempting to try to buy your way out of complexity by outsourcing as much of your IT as you can get away with or by adopting big-ticket platforms from any one of a hundred vendors that will swear they can solve all your problems. “We went ERP in 2000. It simplified our landscape by getting rid of legacy systems. We cleared out the old and brought in the new,” recalls Anthony Bosco, CIO of engineering and facilities management firm Day & Zimmermann. Bosco believes that having a fairly closed technology system or platform encourages simplicity because it discourages the addition of single-point technologies. However, enterprises have multiple needs, which means multiple systems. And new technologies mean added complexity, Bosco concedes, especially where they duplicate some of each other’s processes. “It worked for a while,” he adds, but the complexity started creeping back as the business’s new needs required new technologies not anticipated by the ERP developers. “The ERP systems of today are the legacy of tomorrow,” Bosco sums up. He’s handling this by tying each platform to a specific set of business needs, such as ERP for financial management and e-commerce for online transactions. He enforces a disciplined set of links among them to prevent complexity caused by use of duplicate processes.

A seductively easy fix for complexity is to hand over your technology to someone else. That’s a bad idea, says Bernard 'Bud' Mathaisel, CIO of software outsourcing provider Achievo. When a company is stable, says Mathaisel, it’s more efficient and costs less to manage well-designed key infrastructure in-house. Outsourcing makes sense when a company is in transition, such as during a merger, or in a period of high growth, and you don’t have the human or management resources available. “That’s worth the premium cost,” he says. Outsourcing, unfortunately, may not reduce complexity so much as shift it, notes John Baschab, president of management services at consultancy Technisource: “Outsourcing turns a technical challenge into a management one.”

Some organizations embark on a simplification effort every five years or so. In theory, this can work. But this lets the problem fester, leading to user workarounds that contribute to more complexity.


And outsourcing per se won’t fix overly complex subsystems. Sounding an ironic note, Ramesh Dorairaj, head of application management services at Mindtree Consulting, says that “offshoring merely arbitrages inefficiency at a lower cost.”

Some organizations follow a cyclical approach to dealing with complexity. Every five years or so, they embark on a simplification effort to reset the technology base to something that can be used as a platform for future growth. In theory, this can work, especially for industries that have boom-and-bust cycles; the bust times are when you can make the investments for the next boom period. But this approach has three flaws, says Daryl Plummer, chief of research for emerging trends and process management at Gartner. One is that enterprises rarely invest when times are tight. Two is that it requires a large shift in skills and priorities that’s hard for people to handle. Three is that waiting lets the problem fester, leading to workarounds by users that will contribute to complexity down the road.

“Occasionally, the window for big-project change does exist — maybe 5 percent of the time,” says Mathaisel. “Take advantage of it when you can. But 95 percent of the time you’re really talking about incremental change. You do what you can today and deal with the rest on a later cycle.”

There’s also bigger risk for large-scale retrofits embarked on during down times, warns Wal-Mart’s Ford. It’s precisely during the tough times that the business comes to IT for help. So counting on simplifying your technology environment then is probably not realistic.

The best approach is to make the work of simplification ongoing, says Dow’s Murrell. “Look in every area to see what’s redundant,” he recommends. That doesn’t necessarily mean doing anything to simplify the technology cans you’ve opened. “You may make a decision to leave the worms in there due to the cost or the delay to value,” Murrell says. But you should document what could have been simplified and why you didn’t make the effort, so the next time that particular can is opened it’ll be easier to determine if that’s the right time to get rid of the worms.

Ultimately, says TD Banknorth’s Petrey, you need to reduce complexity in the legacy technology you’re not retiring. “If you don’t,” he says ominously, “the consequences to your business will come at a point not of your choosing.

“It’s not a sexy thing to do,” he continues, “and the business doesn’t see the value in it, but if you let it go, you’ll end up with complexity and fragility.” Not a good combination.

Staging simplification efforts over time is a critical strategy for success, argues Vincent: “Take bite-sized, digestible chunks; otherwise, you’ll choke. Replace a brick at a time, not a whole building.”

The Highest Complexity Factor: Your Job

It may seem as if the complexity burden has become too great to bear. But CIOs have been there before, says Accenture’s Modruson, and not only have they survived, they’ve thrived: “In the 1980s, everyone stitched together networks from multiple technologies. Things have gotten better as technology complexities have collapsed.”

For example, CIOs used to worry about what network technology to choose; now it’s all IP-based and no longer something on which CIOs need to focus. Similarly, server technologies have collapsed into a few well-known quantities that CIOs can rely on. “These are standard platforms I don’t have to worry about,” says Special Olympics’ Mendes. “I can target business value instead.”

“A decade ago, we moved to new technologies quickly because the old ones weren’t so good. But now we can be more measured because what is now the old stuff does work,” Modruson says.

What’s changed is that the complexity has migrated. As parts of the IT environment became standardized, such as networks, other issues replaced it, such as securing porous enterprise boundaries and managing massive data sets in a world where budgeting for downtime for maintenance and backup is simply not acceptable to the business. And emerging process-management approaches such as service-oriented architecture that promise to reduce the complexity of application integration and development introduce complexities elsewhere, such as in change management and testing, notes TD Banknorth’s Petrey.

A more fundamental shift has been away from a focus on infrastructure technologies to technologies that deliver business processes. The IT infrastructure continues to pose its own complexity challenges, but it’s now just table stakes — part of the CIO job — and why business needs CIOs who are both business- and process-oriented.

CIOs must play at several levels simultaneously, addressing both business and IT needs, keeping the systems running while ensuring that their technology strategy supports business operations, promotes innovation and provides competitive advantage in a changing environment, says Michael Farber, a VP at consultancy Booz Allen Hamilton. “It’s a 3-D chess board,” he notes.

At most companies, “the CIO ends up at the tail end of things,” stuck with complexities caused by others, says Dave Zink, client executive at consultancy EquaTerra and former CIO of CBS. “But when companies have elevated the CIO to the right level, they are less likely to have complexity.”

Let's hope that they have a CIO who can play a mean game of 3-D chess.

Send feedback on this feature to editor@cio.in

Reducing the Complexity Tax

Enterprises that simplified two aspects of their financial systems – having high standardization, such as a unified chart of accounts, and common applications, such as a single ERP system – spent 23 percent less on their finance efforts. Enterprises that reduced complexity in additional areas averaged an extra 21 percent in savings.



Essential technology

Haven't encrypted your laptop fleet yet? There's no excuse for that choice anymore. Check out today's smart strategies for improving laptop security — before the next machine disappears.

From Inception to Implementation — I.T. That Matters

No More Lost Laptop Drama By Galen Gruman Mobile Security | Even before her state of California put a stake in the ground regarding public disclosure of data breaches, Christy Quinlan could see the wisdom in encrypting client data on mobile devices. Shortly after Quinlan became CIO of California's Department of Health Care Services in 2005, one of the agency's partners lost a computer. The contractor had to notify everyone who might have been affected, at a cost of several hundred thousand dollars: and while Quinlan's staff had not lost the laptop, they still spent much of the week before a holiday coordinating with the contractor to determine the possible scope of the security breach and then ensuring swift and proper notification. "Once information is on the loose, you can never get it back," Quinlan says. California eventually created a state law that required the public disclosure of data breaches (other states quickly followed). ironically, at the time of Quinlan's contractor incident, the state was still trying to figure out the right internal policies to protect data across its many agencies. After her experience, Quinlan decided she could not wait for that final internal policy, so she directed her staff to encrypt all data on the field force's 2,000 laptops within 30 days, which REAL CIO WORLD | j a n u a r y 1 5 , 2 0 0 8

53

1/11/2008 6:44:44 PM


essential technology

they did using GuardianEdge's software. California's law exempts encrypted data from requiring public disclosure, since the data would be inaccessible to thieves. Quinlan gambled that the statewide policy direction under discussion would ultimately be approved, and that even if she had to throw out her agency's specific system, the cost was justified because she was reducing so much risk by adding encryption. As it turns out, the encryption effort proved less difficult than she'd feared, thanks to systems and infrastructure already in place. The agency had recently updated its laptops to support Windows XP, providing sufficient computing and storage capabilities as well as an operating system to support enterprise-class encryption software. And the agency had a client management system in place to update users' laptops with new software and enforce encryption and other security policies automatically. CIOs should take Quinlan's experience to heart, says Paul Kocher, president and chief scientist of consulting firm Cryptography Research. "There are no excuses anymore,"

Kocher says: encryption technology is now widely available and proven.

46% of businesses don't put encryption on portable devices, even after a data breach. Source: Ponemon Institute

Management Hurdles

CIOs implementing encryption on laptops (and desktops) should focus mainly on key management and user management strategies, advises Kocher. The encryption technology itself is mature: one factor that varies from vendor to vendor and enterprise to enterprise is management techniques. Main issues include deciding what should be encrypted, how to recover the passwords that unlock encrypted data when users lose them or leave the company, and how to make passwords available to backup and client management software that run unattended.

Both California's Quinlan and Simon Szykman, CIO of the National Institute of Standards and Technology, use whole-disk encryption, which protects all files on the laptop, even apps. This type of software used to slow down performance noticeably, causing some enterprises to move to file-based encryption instead. File encryption puts more responsibility on users to save their files to the right folders to ensure encryption. And laptops built in the last several years can handle whole-disk encryption without hindering performance. "So why not protect everything?" says Szykman.

Many enterprise-class encryption tools come with management tools that issue and reset passwords (often via Web-based self service to reduce help desk involvement). These tools also update encryption policies to laptops as they connect to the network. Many CIOs would prefer having their existing PC client management software handle encryption management, but IT organizations are already used to having multiple consoles for anti-virus and backup. So if you can't get a tool that integrates into your client management system — and few do — then the hassle of adding one more console is still better than doing nothing. Ken Juneau, assistant VP and director of enterprise architecture services at American National Insurance, found that having a separate management console was not that burdensome for his PGP encryption software. California's Quinlan chose greater integration. For example, she uses the

Microsoft SMS client management tool to ensure that the current version of the encryption client is installed on every laptop, and applies encryption policies through the same Active Directory policy server that's used for everything else. She also integrated password management with her agency's single-sign-on service, so users have only one password to remember — and the help desk has only one to reset. But accomplishing this integration required more up-front development resources, she notes. None of these IT leaders has provided his or her backup or client management systems access to the encryption passwords, which would let them act on the users' laptops in unattended mode. Instead, users need to be attached to the network and logged in (which makes their data accessible) before backup and management tools operate. Above all, make sure that adding encryption does not add passwords for users to remember, says John Pironti, chief information risk strategist for IT services consultancy Getronic. You don't want users writing them down and taping them to their laptops. As he notes, "If someone gets the password, the encryption is meaningless." That's another reason why California's Quinlan ensured that the encryption software worked with the agency's existing


single-sign-on technology. NIST's Szykman uses the same approach.

The PDA Time Bomb

What's even more likely to get lost than a laptop? The increasing storage power of handheld PCs makes them a ticking time bomb, warns Getronic's Pironti. They tend to be used by executives who work with the enterprise's most critical and valuable data, and "these guys lose these things all the time," he says. The problem for CIOs: encryption software available for handhelds is not as effective as it needs to be, says Cryptography Research's Kocher, due to their relatively limited computing capabilities. The only consolation, Kocher says, is that handhelds don't store much data. That will be a bigger problem later. Meanwhile, IT should enforce password access to the devices. Although vendors promote remote-kill capabilities to wipe a stolen or lost handheld's data, Pironti notes that the devices are vulnerable before reported lost or stolen.

Citing the unsatisfactory security situation, NIST is considering standardization on Research in Motion's BlackBerry devices, which have built-in data encryption capabilities, says Szykman. He'd prefer to be able to allow the device diversity that his users would like to have, and will continue to explore encryption solutions available for other vendors' offerings, he says, but one option that may emerge is not supporting other PDA platforms.

Facilities service provider Aramark has standardized on the BlackBerry due to security concerns, says CIO of Aramark's global food and facility services businesses David Kaufman. A big BlackBerry advantage: "It has a consistent security model across all devices and networks," he says, so the tools are quite reliable. That wasn't the case for other handhelds he tested.

Guard Data on Portable Drives

Barely a week goes by without a headline story on the latest laptop data breach. But laptops aren't the only targets: The proliferation of portable USB hard disks and flash drives with huge capacity makes the loss or theft of critical data likelier than ever. A Computer Security Institute survey of 494 security practitioners in large organizations found that though about half of respondents had had a laptop or mobile device stolen, only two-thirds used encryption to safeguard the data on their portable devices. If these companies haven't bothered with encryption, smaller companies probably haven’t either. Why? Because it has been a pain for IT staff and employees. New hardware and software products, however, promise to simplify portable-drive encryption, making the task fast and transparent. Here are some:

Many new portable drives come with encryption, but it is also available as an add-on from Cryptainer PE, Migo Portable Vault, or TrueCrypt (free). You just type in a password to access files encrypted with strong algorithms such as 256-bit AES or 448-bit Blowfish. These are simple and inexpensive options (as long as you don't lose your password). Since they are software-based, however, they slow things down, and can be breached by an infected host PC that captures the password. You could also lock your data with Windows' built-in encryption capabilities, namely EFS in Windows XP and BitLocker in Vista Ultimate.

For better and faster protection, consider a drive with built-in hardware encryption, such as the new Apricorn Aegis Vault (80GB to 250GB), a USB hard drive with real-time 128-bit AES support, or the SanDisk Cruzer Professional (1GB to 4GB), a flash drive with 256-bit AES. Both allow you to create unencrypted drive areas for public access, and since they require no software, you can take them on the road easily. SanDisk also makes an Enterprise version of the Cruzer (1GB to 4GB), which allows central management of passwords.

No matter how strong the encryption, security is only as strong as your password. Biometric devices are more stringent. Apricorn's Aegis Bio portable drive (80GB to 250GB) provides both a fingerprint reader and 128-bit AES hardware encryption, and La Cie's SAFE Mobile Hard Drive with Encryption (160GB) combines fingerprint access with 128-bit DES. Both devices allow up to five users. — By Becky Waring

Insurance Will Cost

Ultimately when you encrypt data, you're buying an insurance policy, which has several costs. The obvious cost is the up-front deployment spending, including software licenses, installation, integration and often upgraded hardware. For example, NIST's Szykman had to replace a few laptops because their hard drives were too small and their CPUs too slow to handle the added demands of encryption. Then there's the several hours necessary to encrypt each drive the first time, which can disrupt user productivity.

Increased requests of your help desk will be an ongoing cost, says Getronic's Pironti. Users will request more password resets, and IT will need to work harder to access encrypted data if the data or password gets corrupted. Aramark's Kaufman agrees: "There's more of a burden for my staff."

CIOs can work to manage the costs of encryption deployments. At Aramark, Kaufman encrypted all laptops belonging to what he considered the highest-risk departments — HR, payroll and health-care services — but he's encrypting other users' laptops only when they are replaced or require other IT services. "We want to have maximum security and minimum disruption," he says, so a risk-based trade-off is typically required.

For these CIOs, encrypting sensitive data that can go missing just constitutes good policy. Encryption becomes another cost of doing business, says Kaufman: "Given the value of our data and the effect [of a breach] on our reputation, how could we not do it?"

Send feedback on this feature to editor@cio.in



Pundit

essential technology

Nightmare on Scope Creep St.

How you can wake up and stop projects from being late and over-budget.

By Michael Hugos

Project management

In spite of all the best practices and project management techniques, scope creep (resulting delays and cost overruns) has always been the biggest problem on most development projects. The only way we are going to solve the problem is to understand and deal with the underlying dynamic that creates scope creep in the first place.

This dynamic has two drivers. The first driver arises from the fact that the more we analyze a situation, the more complexity we discover and the more complexity we add to the design of the system. The second driver arises from the fact that most business people have been through system development projects before and they know there will never be a ‘phase two’ on the project (in spite of what anyone says). They know they’re only going to get one shot, so they push for everything they might ever need to be included in the first phase.

These two drivers set up a self-reinforcing cycle that leads to an infernal, downward spiral of mounting problems. There is a palpable lack of trust between the business and IT people because of this. Inevitably, the design requirements call for a system that is way too big and way too complicated, making the chances of building it on time and on budget slim to none — and IT is almost always the party who gets the blame.

The answer to this downward spiral is simple but counterintuitive. It starts by doing less analysis (not more), a lot less analysis than is usually thought necessary. Restrict analysis to only what the business people need right now; do not spend time speculating on what they may need a year from now. People know what they need right now because they’ve already thought about that and they can usually tell you in 30 minutes or less. It’s when you start asking people about what they’ll need one or two years from now that things get complex.

Because you focus only on the here and now, you can do less analysis and you can quickly design a system that gives people that handful of useful features they really want right away. And because the design is therefore relatively simple, you can also build the system very quickly and put it into production. If you can deliver a first version in a 30-45 day timeframe, you will totally surprise (and delight) business people. They will start using the system right away and they will thank you for making their lives easier. Yes, they will thank you. And they will tell you they didn’t think you could get a system delivered so quickly, and they will start to trust you when you say there will be a phase two on the project.

And then, after a few weeks, you start working with the business people on the next round of features they want to add to their system. They will have had time to work with what you just gave them, and they will see what they need next. Again you are only asking them to tell you what they need right away — not speculate about vague and complex possible future needs.

This agile and iterative development approach is the way to side-step the otherwise inevitable scope creep dynamic. Now the business people will stop trying to think of everything they could possibly want and stop trying to cram all those features into one big release. And now, IT and business will be able to work together in a more cooperative, trusting and responsive manner. The infernal scope creep monster is thus defanged. And it’s really that simple.

Mike Hugos is CIO of Network Services and the author of Building the Real-Time Enterprise. Send feedback on this column to editor@cio.in
